Privacy Policy

At MatrixSentry, we take security seriously, starting with your data. This Privacy Policy explains how we collect, use, and protect your information when you visit our website, sign up for our services, or use our email security platform.

1. Information We Collect

We collect only the information necessary to provide our services and communicate with you:

• Personal Information: When you sign up for our waitlist or contact us, we collect your name, email address, and company name.
• Usage Data: We may collect anonymous metrics (such as page views or device type) to improve website performance and security.
• Message Data: When your organization uses our security platform, we access message metadata (sender, recipient, subject, headers, timestamps), message content (bodies and attachments), and mailbox or chat status information for the purpose of automated threat detection and remediation. This applies to email and, where enabled, Microsoft Teams chat messages.
• Identity and Behavior Data: We build a behavioral identity graph by analyzing interaction patterns between internal and external identities across connected platforms (e.g., linking email addresses to chat identifiers). This graph tracks communication frequency, sender relationships, and behavioral baselines to detect anomalous activity such as impersonation, lateral movement, or account compromise. No raw message content is stored in the identity graph — only metadata-derived behavioral signals.
• Authentication Data: When you sign in using a third-party identity provider (Google, Microsoft, or Okta), we receive your name and email address from the selected provider. We store this information along with a provider-specific account identifier to manage your account. We do not receive or store your password from any identity provider.

2. How We Use Your Information

For the purposes of data protection laws, MatrixSentry acts as the Data Processor for the email data analyzed on behalf of your organization. We act as the Data Controller only for the personal information collected directly from you when you create an account or contact us.

We use your data solely for the following purposes:

• To provide early access to the MatrixSentry platform.
• To send critical updates regarding our service or security alerts.
• To respond to your inquiries or support requests.
• To analyze inbound email for threats including phishing, malware, business email compromise, and spam.
• To take remediation actions (quarantine, move, or delete) on emails identified as threats.
• To generate threat reports and security analytics for your organization's dashboard.

3. Message Data Processing

All message analysis is performed by automated systems. Human access to message data is strictly limited to security diagnosis, troubleshooting specific system errors, or when explicitly requested by your organization's administrator for support. Data is retained according to the following schedule:

• Raw email content: Raw email bodies and attachments are retained for up to 14 days for processing and then permanently deleted.
• Raw chat content: Raw chat message content is retained for up to 7 days for processing and then permanently deleted. Chat metadata follows the same 30-day retention as email metadata.
• Message metadata: Identifiable message information (sender, recipient, subject, and remediation logs) is retained for up to 30 days to support investigation of recent threats.
• Identity behavior data: Behavioral baselines (communication frequency, sender relationships, and interaction patterns) are retained for up to 30 days on a rolling basis to support anomaly detection.
• Threat intelligence: Anonymized, derived data (such as file hashes, URL patterns, and threat signatures) that cannot be reverse-engineered to reveal user content is retained for up to 90 days to improve global detection capabilities.

Your organization's administrator may revoke MatrixSentry's access to your email environment at any time, triggering the deletion of identifiable data within 30 days.

4. AI-Assisted Security Analysis

MatrixSentry's core threat detection pipeline — including machine learning spam classification, prompt injection detection, and automated remediation — operates entirely within our Google Cloud Platform infrastructure using on-premises models. The optional AI-assisted analysis described below is the only circumstance under which redacted content leaves our infrastructure.

Separately, MatrixSentry uses third-party large language model (LLM) providers for two purposes, both using only PII-redacted content: (1) real-time semantic analysis to identify social engineering signals (tone, intent, and urgency patterns) during message classification, applied to a sampled subset of messages; and (2) AI-assisted rule tuning to improve detection accuracy over time. This applies to both email and Microsoft Teams messages when those pipelines are active. When enabled, these services may send the following to external AI providers:

• Email metadata: Sender domain, subject line, classification result, confidence score, and email authentication results (DKIM, DMARC, SPF).
• Redacted message content: Email or chat message body text with personally identifiable information removed. Before any content is sent externally, our automated redaction system replaces email addresses, URLs, domain names, phone numbers, Social Security numbers, credit card numbers, cryptocurrency wallet addresses, bank account and routing numbers, SWIFT/IBAN codes, street addresses, social media handles, and personal names detected in greetings, email headers, and signatures with typed placeholders (e.g., [EMAIL_1], [NAME_1]).

File attachments are never sent to third-party AI providers and remain exclusively within our Google Cloud Platform infrastructure.

The AI providers we use for this service are:

• Anthropic (Claude API): Data is automatically deleted within 7 days. API data is never used for model training under commercial terms. Zero data retention is available by agreement. See Anthropic's data retention policy.
• Google (Gemini API, paid tier): Data is retained for up to 30 days for abuse monitoring only. Paid tier data is not used to improve Google products. Zero data retention is available. See Google's zero data retention policy.

This feature can be disabled entirely at the customer's request. When disabled, no email or chat content or metadata is sent to any external AI provider.

5. Model Training and Continuous Improvement

To improve threat detection accuracy across all customers, MatrixSentry may include excerpts of customer email and chat content in our model training corpus. Training data is used to retrain our spam, phishing, BEC, and prompt-injection classifiers on a periodic basis.

Before any content is included in a training corpus, it is processed through our automated PII redaction system — the same redaction described in Section 4 — which replaces email addresses, domain names, URLs, phone numbers, Social Security numbers, credit card numbers, cryptocurrency wallet addresses, bank and routing numbers, SWIFT/IBAN codes, street addresses, social media handles, and personal names detected in greetings, headers, and signatures with typed placeholders (e.g., [EMAIL_1], [NAME_1]). Where labeling assistance from a third-party AI provider is required during corpus assembly, only this redacted content is transmitted, subject to the same provider retention terms described in Section 4.

You may opt out of having your organization's email and chat content used for model training at any time by:

• Toggling "Use my data to improve detection models" off in the dashboard at Settings → Privacy & Data.
• Contacting [email protected].

Opt-out takes effect immediately and applies to all future training cycles. Machine learning model weights cannot be selectively un-trained from already-completed training runs; opting out prevents your content from being included in any subsequent retraining. We perform full retraining cycles approximately once per quarter, and the next retraining cycle following your opt-out will not include your content. Customers who opt back in will have their content included beginning with the following retraining cycle.

File attachments and binary content are never included in training corpora regardless of opt-in status. Only text body, subject lines, and authentication metadata may be used.

6. Data Protection

We implement enterprise-grade security measures to protect your personal information and email data. All data is stored in secure environments on Google Cloud Platform in the United States and is accessible only to authorized personnel. By using the Services, you acknowledge that your data will be processed in the United States.

To ensure the highest level of security, MatrixSentry enforces the following cryptographic standards:

• Data at Rest: All stored data, including email content, metadata, and customer configuration, is encrypted using AES-256, the industry standard for data-at-rest encryption.
• Data in Transit: All data transmitted between clients, services, and third-party integrations is protected using TLS 1.2 or higher, ensuring secure communication across all channels.

Authentication and access control data (account credentials, session tokens, and customer configuration) is stored on Cloudflare's infrastructure in the United States.

In the event of a data breach compromising your organization's email data or personal information, MatrixSentry will notify your designated account administrators without undue delay, and in no event later than 72 hours after becoming aware of the incident.

7. Third-Party Services

We do not sell, trade, or rent your personal identification information or email data to others. We do not use email data for advertising or marketing purposes. We use third-party subprocessors solely to provide the Services:

• Cloud Infrastructure: Google Cloud Platform for primary data storage, compute, and processing. All core email data processing remains within US-based cloud environments.
• Identity Providers: Google, Microsoft, and Okta for dashboard authentication via OpenID Connect (OIDC). These providers receive only a standard authentication request and return your name and email address. Login authentication does not grant MatrixSentry access to your email environment.
• Authentication & Edge Infrastructure: Cloudflare for authentication services, session management, and access control data storage.
• Managed Data Services: Redis Cloud for caching and deduplication, and Confluent Cloud for event streaming. These services process email metadata and processing state within US-based environments.
• AI Providers: Anthropic and Google Gemini for AI-assisted threat analysis and rule tuning, as described in Section 4 above. Optional and can be disabled.

A complete list of our authorized sub-processors, including data processing locations and DPA status, is available at our Sub-processors page.

We may share generic, aggregated threat statistics that are not linked to any specific user or organization.

8. Your Rights

Depending on your location, you may have rights under the GDPR, CCPA, or other regional privacy laws to access, correct, delete, or restrict the processing of your personal data. Organization administrators may request deletion of all email data associated with their account. To submit a data subject access request (DSAR) or exercise any of these rights, please contact us at [email protected].

9. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

MatrixSentry Support
[email protected]