MatterMind Privacy Policy
1. Introduction
The MatterMind platform ("MatterMind" or the "Service") is owned and operated by Sundial Systems Inc. ("Sundial Systems", "we", "us", or "our"), a corporation incorporated under the laws of Alberta, Canada. Sundial Systems provides MatterMind as a software-as-a-service platform that helps solo and small-firm lawyers track matters, monitor workflow and financial signals, and prepare routine next steps for lawyer review.
This Privacy Policy describes how we collect, use, disclose, and safeguard Personal Information in connection with the Service. We are committed to handling Personal Information in accordance with applicable privacy legislation, including:
- the Personal Information Protection Act (Alberta) ("PIPA");
- the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"); and
- other applicable provincial and federal privacy legislation.
This Privacy Policy applies to Personal Information that we collect through the Service, our website at www.mattermind.io, and our customer support and marketing activities. By accessing or using the Service, you confirm that you have read this Privacy Policy and consent to our collection, use, and disclosure of Personal Information as described in this Privacy Policy.
2. Definitions
- "Customer" means the law firm, professional corporation, sole practitioner, or other entity that has entered into an agreement with Sundial Systems for use of the Service.
- "Customer Data" means information that a Customer or its Users upload, input, or sync into the Service, including matter metadata, workflow data, financial figures, deadlines, and related operational information about the Customer's clients and practice.
- "Personal Information" has the meaning given in PIPA and PIPEDA, and includes information about an identifiable individual.
- "Service Provider" means a third party that processes Personal Information on our behalf under contract.
- "User" means an individual who accesses the Service under a Customer's account, including lawyers, paralegals, assistants, bookkeepers, and other authorized staff.
- "You" means a User accessing this Privacy Policy or the Service.
3. Information We Collect
3.1 Information You Provide
Account registration. When you create or are invited to a Customer account, we collect your name, email address, password (stored as a salted hash), professional role, and the Customer's firm name.
Billing information. If your Customer subscribes to a paid plan, we collect billing contact details and applicable tax identifiers. Payment card numbers are submitted directly to our payment processor and are not stored on MatterMind servers.
Support and feedback. When you contact us by email, web form, or other support channels, we collect your contact details, the content of your message, and any attachments you provide.
3.2 Information Collected Automatically
When you use the Service, we automatically collect:
- device and browser information, such as IP address, browser type and version, operating system, device identifiers, and screen resolution;
- usage information, such as pages viewed, features used, queue actions, sweep activity, and other interactions with the Service;
- diagnostic information, such as error logs, performance metrics, and security events; and
- cookie and similar tracking data as described in Section 13.
3.3 Information from Integrated Systems
If a Customer connects a practice management or accounting system to the Service through an authorized integration, we receive operational data from that system, which may include matter identifiers and metadata, time entries, billing and trust accounting figures, task and deadline data, and limited identifiers needed for the Service to function. We receive only the data needed to provide the Service and we honour the scope of access the Customer authorizes at the integration step.
3.4 Communications
We collect transactional communications you send to us, and we may collect your preferences for marketing communications. Marketing communications are handled under Section 14 (Marketing Communications and CASL).
4. How We Use Personal Information
We use Personal Information for the following purposes:
- Service delivery: to create and manage accounts, deliver the Service, sync data from integrated systems, surface practice signals, and prepare routine next steps for User review.
- Billing and accounts: to process subscription payments, manage renewals, handle taxes, and maintain accounting records.
- Support: to respond to inquiries, troubleshoot issues, and provide assistance.
- Security and integrity: to authenticate Users, prevent fraud and abuse, monitor for security incidents, and enforce our Terms of Service.
- Service improvement: to understand how the Service is used, diagnose performance issues, and develop improvements. Where practicable we use aggregated or de-identified information for these purposes.
- Communications: to send service notices, important account communications, and (where permitted) marketing messages about the Service.
- Legal and regulatory: to comply with applicable law, respond to lawful requests, and enforce our legal rights.
We do not sell Personal Information. We do not use Customer Data to train third-party general-purpose AI models. See Section 9 for more information on artificial intelligence and automated processing.
5. Lawful Basis for Processing
We process Personal Information on the following bases recognized under PIPA, PIPEDA, and other applicable law:
- Consent: We obtain express consent where required, and rely on implied consent where appropriate and permitted (for example, where the purpose is obvious and you voluntarily provide information for that purpose).
- Performance of a contract: Processing necessary to provide the Service to you or to the Customer that has invited you to the Service.
- Reasonable business purposes: Processing that a reasonable person would consider appropriate in the circumstances, including security, fraud prevention, and service improvement.
- Legal obligation: Processing required to comply with applicable law, regulation, or lawful order.
You may withdraw consent at any time, subject to legal or contractual restrictions and on reasonable notice. Withdrawing consent may prevent us from continuing to provide some or all of the Service.
6. Customer Data and Our Role as Service Provider
When a Customer is a law firm or other professional services provider, the Customer is responsible for the Personal Information about its own clients that appears in Customer Data. MatterMind processes Customer Data as a service provider on the Customer's behalf, under the Customer's instructions and the agreement governing the Service.
The Customer is responsible for:
- obtaining any consents required from its own clients for the use of practice management or operational tools;
- maintaining solicitor-client privilege and professional confidentiality obligations applicable to Customer Data;
- configuring the Service appropriately, including thresholds, integrations, and User access; and
- reviewing and approving any draft communications or other items the Service prepares before they are sent to clients or third parties.
Where Personal Information about a Customer's client appears in Customer Data, requests to access, correct, or delete that information should generally be directed to the Customer. We will reasonably cooperate with the Customer in responding to such requests in accordance with applicable law.
7. How We Share Information
We do not sell, rent, or trade Personal Information. We share information only as described below.
7.1 Service Providers
We engage Service Providers to perform functions on our behalf, including hosting, payment processing, email delivery, error monitoring, customer support, analytics, and (where applicable) AI processing. Service Providers are contractually required to use Personal Information only for specified purposes, implement appropriate safeguards, and comply with applicable privacy law. See Section 8 for a current sub-processor list.
7.2 Business Transfers
If Sundial Systems is involved in a merger, acquisition, reorganization, financing, asset sale, or insolvency, Personal Information may be transferred to the acquiring or successor entity as part of that transaction, subject to commercially reasonable safeguards. We will provide notice of any material change in privacy practices that results.
7.3 Legal and Compliance
We may disclose Personal Information where we reasonably believe disclosure is required or permitted under applicable law, including in response to a subpoena, search warrant, court order, or other lawful request; to enforce our agreements; to investigate suspected fraud, security incidents, or violations of our Terms of Service; or to protect the rights, property, or safety of Sundial Systems, the Service, our Users, or others.
7.4 With Your Direction or Consent
We may share Personal Information at your direction or with your consent, for example when you choose to share content with another User or send a prepared communication to a third party.
8. Service Providers and Sub-processors
The following categories of Service Providers process Personal Information on our behalf:
| Category | Purpose | Typical Data |
|---|---|---|
| Cloud hosting and infrastructure | Application hosting, storage, backup, and disaster recovery | All Service data, encrypted in transit and at rest |
| Payment processing | Subscription billing and payment processing | Name, email, billing address, payment card details (held by the processor) |
| Transactional email | Sending account, security, and operational emails | Email address, name, message content |
| Practice management integrations | Syncing Customer Data from authorized systems | OAuth tokens, matter metadata, operational data |
| AI providers | Drafting routine follow-ups and answering operational questions | Operational context only, minimized where possible |
| Error monitoring and analytics | Diagnostics, performance monitoring, security monitoring | Device and usage information, error logs |
We maintain a current list of sub-processors and require each to provide a level of privacy and security protection consistent with this Privacy Policy and applicable law. We will use reasonable efforts to notify Customers of material changes to our sub-processor list.
9. Artificial Intelligence and Automated Processing
MatterMind uses artificial intelligence ("AI") to assist with operational practice management. Specifically:
- AI is used to interpret operational signals, answer plain-English questions about a Customer's practice operations, and prepare draft follow-ups, prompts, and handoffs for human review.
- AI is not used to provide legal advice, generate substantive legal work product, or send client-facing communications without User review.
- Every client-facing communication that the Service prepares requires User review and approval before it is sent.
- Where reasonably practicable, we minimize the Personal Information sent to AI providers, and we configure AI provider settings to disable training on Customer Data where that option is available.
- We do not authorize AI providers to use Customer Data to train their general-purpose models.
If the Service performs automated processing that produces an output that meaningfully affects you, you may contact us as described in Section 19 to ask about the logic involved, request human review, or contest the result.
10. International Data Transfers and Data Location
We primarily store and process Personal Information on servers located in Canada. Certain Service Providers may process limited Personal Information in the United States or other jurisdictions. Where Personal Information is transferred outside of Alberta or Canada, we use contractual safeguards reasonably designed to provide a comparable level of protection.
You acknowledge that Personal Information processed outside of Canada may be subject to lawful access requests by foreign courts, law enforcement, and national security authorities. By using the Service, you consent to such cross-border transfers as described in this Privacy Policy.
11. Data Retention
We retain Personal Information for as long as reasonably necessary for the purposes described in this Privacy Policy and to meet our legal, tax, accounting, and regulatory obligations. Typical retention guidelines include:
- Active accounts: for the duration of the Customer's subscription.
- Inactive or cancelled accounts: a defined retention window (generally up to 90 days) during which the Customer may reactivate or export data, after which we delete or anonymize active stores of Customer Data.
- Backups: retained on a rolling basis for disaster recovery purposes, generally up to 90 days, after which backup copies expire.
- Billing and tax records: retained as required by Canadian tax and accounting legislation, typically up to seven years.
- Security and audit logs: retained for a reasonable period appropriate to the purpose.
You or the Customer may request earlier deletion of Personal Information subject to the limits set out in Section 15.
12. Data Security and Breach Notification
We implement administrative, technical, and physical safeguards that are reasonable in the circumstances to protect Personal Information against loss, theft, unauthorized access, disclosure, copying, use, or modification. Our safeguards include:
- encryption of data in transit using current TLS protocols;
- encryption of data at rest for sensitive stores;
- OAuth-based authorization for integrations and salted password hashing for account credentials;
- role-based access controls and least-privilege administrative access;
- logging and monitoring of security events;
- employee confidentiality obligations and privacy and security training; and
- physical safeguards provided by our hosting providers in their facilities.
No method of transmitting or storing information is perfectly secure. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.
Breach notification. If we determine that an incident has resulted in a real risk of significant harm under PIPA or PIPEDA, we will notify the affected Customer and the Office of the Information and Privacy Commissioner of Alberta or the Office of the Privacy Commissioner of Canada (as applicable) as required by law, and will reasonably cooperate with the Customer in providing notice to affected individuals where required.
13. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Service and to understand how it is used. The cookies we use fall into the following categories:
| Category | Purpose | Duration |
|---|---|---|
| Strictly necessary | Authentication, session continuity, security, and core functionality | Session or short-lived |
| Preference | Remembering interface and account preferences | Up to 1 year |
| Analytics | Aggregated usage analysis to improve the Service | Up to 2 years |
You can manage cookies through your browser settings or, where offered, in-product preference controls. Disabling strictly necessary cookies will prevent the Service from functioning. We do not currently respond to "Do Not Track" browser signals because there is no consensus industry standard.
14. Marketing Communications and CASL
Marketing communications we send to Canadian recipients comply with Canada's Anti-Spam Legislation ("CASL"). Specifically:
- we send commercial electronic messages only on the basis of express consent, implied consent permitted under CASL, or another lawful exemption;
- each commercial electronic message identifies MatterMind, provides a valid mailing address, and includes a clearly visible and functioning unsubscribe mechanism; and
- we honour unsubscribe requests promptly and at no cost.
Transactional and service-related messages (for example, billing notices, security alerts, account activity, and trial expiry notifications) are not marketing communications and may be sent regardless of marketing preferences for as long as your account is active.
15. Your Privacy Rights
Subject to applicable law, you have the following rights with respect to your Personal Information:
- Access: You may request information about whether we hold Personal Information about you and request a copy of that information.
- Correction: You may request correction of Personal Information that is inaccurate or incomplete.
- Withdrawal of consent: You may withdraw consent to the collection, use, or disclosure of Personal Information, subject to legal and contractual restrictions.
- Deletion: You may request deletion of Personal Information. We will comply unless we are required or permitted to retain the information by law (for example, for tax, accounting, or dispute resolution purposes).
- Portability: Where applicable, you may request that we provide your Personal Information in a structured, commonly used format. The Service also includes data export tools.
- Complaints: You may complain to MatterMind or, if dissatisfied with our response, to a privacy regulator (see Section 19).
To exercise any of these rights, contact our Privacy Officer using the details in Section 19. We will respond within 30 days, or such longer period as PIPA or PIPEDA permits where the request is complex. We may need to verify your identity before responding and may charge a reasonable cost-recovery fee for requests that are excessive or repetitive, in accordance with applicable law.
Where Personal Information forms part of Customer Data, you should generally contact the Customer first. We will support the Customer in responding to your request as described in Section 6.
16. Children's Privacy
The Service is intended for use by legal professionals and authorized staff and is not directed to children. We do not knowingly collect Personal Information from individuals under the age of 18. If we become aware that we have collected Personal Information from a child, we will delete it promptly. If you believe that we have collected Personal Information from a child, please contact our Privacy Officer using the details in Section 19.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to the Service, our practices, or applicable law. The "Last Updated" date at the top of this Privacy Policy indicates when it was last revised. For material changes, we will provide additional notice, such as an in-app banner or an email to the account holder. Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.
18. Accountability and Privacy Officer
Sundial Systems has designated a Privacy Officer who is responsible for our compliance with this Privacy Policy and applicable privacy legislation. The Privacy Officer:
- oversees the development and implementation of privacy policies and practices;
- responds to privacy inquiries, requests, and complaints;
- conducts or supervises privacy impact and risk assessments where appropriate; and
- provides privacy training to Sundial Systems personnel.
19. How to Contact Us and Lodge a Complaint
To contact our Privacy Officer or to exercise any of the rights described in this Privacy Policy:
Privacy Officer, Sundial Systems Inc.
Email: privacy@mattermind.io
Mailing address: available on request.
Re: MatterMind platform.
If you are not satisfied with our response, you may contact the applicable privacy regulator:
Office of the Information and Privacy Commissioner of Alberta
Suite 410, 9925 109 Street NW, Edmonton, AB T5K 2J8
Toll-free in Alberta: 1-888-878-4044
Website: www.oipc.ab.ca
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, QC K1A 1H3
Toll-free in Canada: 1-800-282-1376
Website: www.priv.gc.ca
This Privacy Policy is provided for transparency and is not legal advice. Customers and Users should consult their own legal advisors regarding their specific obligations.