Privacy

A practical explanation of what data Matterkeep holds, how it is used, and what control you have over it.

What data Matterkeep collects

Account and firm data

  • Name and email address for each firm user
  • Password stored as a hashed value (never in plaintext)
  • Firm name and team membership role (administrator or staff)
  • Session identifiers stored in the database, expiring after 7 days
  • Email verification status and timestamps

Client and document request data

  • Client name and email address, as entered by the firm
  • Request titles, instructions, and document descriptions
  • Review decisions (approve, request changes) and written rejection reasons
  • Request status history and update messages
  • Portal link tokens stored as SHA-256 hashes

Uploaded files

  • File content (PDF, PNG, or JPG/JPEG) stored in Cloudflare R2
  • Original filename, MIME type, file size, and upload timestamp stored in the database
  • A randomly generated storage key (not derived from the original filename)
  • Previous file versions when a client replaces a document (retained, marked inactive)

Activity logs

  • Action type (sign-in, upload, review, portal link change, etc.)
  • Outcome of each action (success, failure, denied)
  • IP address of the request
  • Timestamp
  • Which firm user performed the action, where applicable

Failed sign-in events record the outcome and IP address but do not store the submitted email address in the log message.

How data is used

Matterkeep uses collected data solely to provide the document request and review service. Specifically:

  • Email addresses are used to send verification emails, portal upload links, review notifications, and completion notices via Resend.
  • Client names appear in request records and email communications on behalf of the firm.
  • Activity logs are used to give firm administrators visibility into what has happened in their workspace.
  • Stored files are held and served to the firm and, through scoped portal links, to the uploading client.

Data is not sold, shared with third parties for advertising, or used to train machine learning models.

Who can access data

Firm administrators and staffcan view all requests, documents, files, and activity logs within their firm workspace. Staff cannot access other firms' records.

Clientswith an active portal link can view and upload to the specific request that link was issued for. They cannot access other requests, other clients' data, or any firm records.

Matterkeep does not proactively access firm or client data. Access for operational troubleshooting would only occur at the explicit request of a firm administrator.

Third-party providers

Matterkeep relies on the following third-party services:

  • Cloudflare R2 — file storage. Files stored in R2 are encrypted at rest by Cloudflare's infrastructure.
  • PostgreSQL provider (Neon or configured host) — structured data storage, including accounts, requests, metadata, and activity logs.
  • Resend — transactional email delivery. Email addresses and names are shared with Resend only to send required emails.

Each provider operates under its own privacy and security practices. Matterkeep does not control their internal operations or subprocessors.

Data retention and deletion

Data is retained for as long as a firm workspace remains active. Matterkeep does not currently provide self-serve deletion for individual files, requests, documents, or firm accounts.

To request deletion of firm data or cancellation of your account, contact support@getmatterkeep.com. We process deletion requests manually and will confirm completion.

Client data held on behalf of a firm — including uploaded documents — will be deleted in the same process. Deletion is permanent.

Cookies and sessions

Matterkeep uses two cookies: a session cookie (HttpOnly, Secure in production, 7-day expiry) and a CSRF token cookie (readable by client JavaScript, same-site lax). No advertising or analytics cookies are used.

Contact

For privacy questions or data deletion requests, contact support@getmatterkeep.com.