Privacy Policy

Last updated: 5 April 2026

1. Overview

Matter Desk ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using Matter Desk, you consent to the practices described in this policy.

2. Information we collect

We may collect the following types of personal information:

  • Account information: name, email address, password hash, firm name, role, and billing details.
  • Matter data: matter descriptions, documents you upload, AI-generated outputs, deadlines, time entries, and correspondence metadata.
  • Usage data: pages visited, features used, timestamps, device type, browser, and IP address.
  • Support communications: messages you send to our support team.

3. How we use your information

We use your personal information to:

  • Provide, operate, and improve Matter Desk.
  • Process AI-assisted legal research, document analysis, and memo generation linked to your matters.
  • Send transactional emails (account confirmation, password resets, billing receipts).
  • Monitor system security and prevent abuse.
  • Comply with legal obligations.

4. Australian data residency

Customer-controlled data is stored in Australia-first infrastructure. Databases, file storage, exports, logs, and queue records are hosted in Australian regions where available. We do not transfer your matter data outside Australia unless required to provide a specific feature you explicitly opt into.

5. AI processing and cross-border disclosure (APP 8)

Matter Desk uses AI infrastructure that may process data outside Australia to generate research answers, document summaries, and IRAC memos. This constitutes a cross-border disclosure of personal information under Australian Privacy Principle 8. We have taken reasonable steps to ensure our AI processing arrangements handle your data consistently with the APPs, including contractual data processing terms, preventing use of your data for model training, and limiting data sent to only the matter context required for the specific request.

Our database, file storage, and application hosting are located on Australian infrastructure. Payment processing is handled by a PCI DSS Level 1 compliant arrangement. Each processor is bound by their own privacy policy and our data processing agreements. Your matter data and documents are stored in Australia.

6. Disclosure of personal information

We do not sell your personal information. We may disclose it to:

  • Third-party service providers who assist in operating Matter Desk (as described above).
  • Law enforcement or regulatory bodies where required by law or court order.
  • Professional advisers (lawyers, accountants) for legitimate business purposes.

7. Data security

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, row-level security on database access, signed URLs for document access, audit logging of all substantive actions, and regular security reviews.

8. Data retention and deletion

We retain your data for as long as your account is active. If you close your account, we will delete or anonymise your personal information within 90 days, except where retention is required by law. Matter data deletion follows your firm's configured retention policy.

9. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or outdated information.
  • Request deletion of your personal information.
  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

10. Cookies and analytics

We use essential cookies for authentication and session management. We may use analytics tools to understand usage patterns. You can control cookie preferences through your browser settings.

11. Notifiable data breaches and incident response

Matter Desk is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). This section describes our obligations and incident response process in full.

11.1 Scope: what triggers NDB obligations

The NDB scheme applies when an "eligible data breach" occurs: that is, unauthorised access to, unauthorised disclosure of, or loss of personal information that we hold, where it is likely to result in serious harm to any individual whose information is involved. Serious harm includes financial loss, physical harm, serious psychological distress, damage to reputation, or identity theft. Breaches involving legal professional privilege material, sensitive financial data, or confidential matter documents are assessed as high-risk.

11.2 Assessment, 30-day statutory window

Upon becoming aware of circumstances that suggest an eligible data breach may have occurred, we will take reasonable steps to assess whether a notifiable data breach has in fact occurred. Under s 26WH of the Privacy Act 1988 (Cth), that assessment must be completed within 30 days. We aim to complete initial triage within 24 hours and a substantive assessment within 72 hours of first becoming aware of the suspected breach.

11.3 OAIC notification

We will assess any suspected eligible data breach within 30 days and notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable in accordance with Part IIIC of the Privacy Act 1988 (Cth). Our OAIC notification will include:

  • The identity and contact details of Matter Desk and our Privacy Officer.
  • A description of the breach: what happened, how it was discovered, and when.
  • The kinds of personal information involved (e.g. account details, matter documents, billing data).
  • The number of individuals likely to be affected (or our best estimate if not yet determined).
  • The steps we have taken, or are taking, to contain the breach and reduce harm.

11.4 Individual notification

We will notify affected individuals as soon as practicable after notifying the OAIC, unless law enforcement requests a delay. Each notification will include:

  • A plain-language description of the breach and the circumstances in which it occurred.
  • The types of personal information involved and its likely sensitivity.
  • Specific, practical steps you should take to protect yourself (e.g. change credentials, monitor financial accounts, place a credit alert).
  • Contact details for our Privacy Officer and the OAIC (1300 363 992 / www.oaic.gov.au) for further assistance.

Where it is not reasonably practicable to notify every affected individual directly, we will publish a prominent notice on our website and notify via in-app alert where the individual's account remains accessible.

11.5 Incident response steps

  • Contain: Immediately revoke affected credentials, rotate secrets, isolate affected systems, and block unauthorised access vectors.
  • Assess: Determine the nature and scope of the breach, the personal information affected, and the likelihood of serious harm.
  • Notify: Report to the OAIC and notify affected individuals as soon as practicable after the assessment concludes that an eligible data breach has occurred, in accordance with Part IIIC of the Privacy Act 1988 (Cth).
  • Remediate: Patch the root-cause vulnerability, deploy additional controls, and restore affected systems from clean backups.
  • Review: Conduct a post-incident review within 14 days, update controls and procedures, and retain incident records.

11.6 Record-keeping

We maintain an internal breach register recording all suspected and confirmed data breaches, assessment outcomes, notification actions taken, and post-incident review findings. Records are retained for a minimum of 5 years from the date of the incident. The register is available for review by the OAIC on request.

If you believe your data may have been compromised, or you wish to report a suspected security incident, contact us immediately at security@matterdesk.ai. You may also contact the OAIC directly at www.oaic.gov.au or on 1300 363 992.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification. Continued use of Matter Desk after changes constitutes acceptance of the updated policy.

13. Contact us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at privacy@matterdesk.ai.