Privacy Policy

Maturo Ltd ("Maturo", "we", "us") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.

This policy applies to the Maturo.ai platform (the "Service"). It does not apply to applications we generate for you — those applications are your responsibility to govern under your own privacy policy.

Maturo Ltd is the data controller for personal data processed through the Service. For enquiries, contact us at privacy@maturo.ai.

Account information

• Name, email address (via Auth0 authentication)
• Auth0 user identifier
• Subscription plan and billing status

Application data

• Natural-language descriptions of your application (onboarding chat transcripts)
• Application requirements, features, roles, and configuration
• Branding assets (logos, favicons, colour schemes)
• Email templates you create or customise

Technical data

• IP address and browser user agent (for rate limiting and security)
• Platform usage events (via Mixpanel — page views, clicks, feature interactions)
• Error reports and stack traces (via Sentry — no personal data included)
• Server-side request logs (request IDs, timestamps, API routes accessed)

Third-party credentials

• OAuth tokens for GitHub, Monday.com, and Atlassian/Jira (encrypted at rest)
• API keys you provide for Azure, Auth0, Stripe, Resend, Mixpanel, and Zendesk (encrypted at rest)

We process your data for the following purposes:

• Service delivery — generating applications, provisioning infrastructure, and managing your projects
• AI code generation — your application descriptions are sent to Anthropic's Claude API to generate code. Anthropic does not use API inputs for training.
• Authentication — managing your account and sessions via Auth0
• Billing — processing payments and managing subscriptions via Stripe
• Communication — sending transactional emails (build notifications, team invites) via Resend
• Analytics — understanding how the platform is used to improve the Service (Mixpanel)
• Error monitoring — detecting and resolving platform issues (Sentry)
• Security — rate limiting, CSRF protection, and abuse prevention

We process personal data under the following legal bases:

• Contract performance — processing necessary to provide the Service you have subscribed to (account management, code generation, infrastructure provisioning)
• Legitimate interest — analytics, error monitoring, security, and service improvement, balanced against your privacy rights
• Consent — non-essential cookies and analytics tracking (you may withdraw consent at any time)
• Legal obligation — retaining billing records as required by tax and accounting law

We share data with third-party services to deliver the Service. Each processor is bound by their own data processing agreements. See our Subprocessor List for the full list.

We do not sell your personal data to third parties. We do not share your data with third parties for their own marketing purposes.

• Account data — retained for the lifetime of your account, deleted upon account deletion
• Application data — retained while your project exists, deleted upon project teardown
• Chat transcripts — retained as part of application requirements for the lifetime of the project
• Encrypted credentials — deleted upon project teardown or when you disconnect a service
• Server logs — retained for 30 days in Azure Monitor
• Error reports — retained for 90 days in Sentry
• Analytics data — retained in Mixpanel according to their retention policy
• Billing records — retained for 7 years as required by law

We protect your data through:

• AES-256 encryption for stored credentials and API keys
• TLS encryption for all data in transit
• Auth0-managed authentication with HttpOnly, Secure, SameSite cookies
• CSRF protection on all mutation endpoints
• Content Security Policy headers
• Rate limiting on authentication and expensive operations
• Role-based access control with audit logging
• Automated dependency monitoring via Dependabot

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

• Access — request a copy of all personal data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your data (subject to legal retention obligations)
• Portability — receive your data in a structured, machine-readable format
• Restriction — request that we limit processing of your data
• Objection — object to processing based on legitimate interest
• Withdraw consent — withdraw consent for analytics tracking at any time

To exercise any of these rights, contact us at privacy@maturo.ai. We will respond within 30 days.

Your data may be processed outside the UK/EEA by our subprocessors (see Subprocessor List). Where data is transferred internationally, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

The Maturo platform uses the following cookies:

• Authentication cookies (essential) — Auth0 session cookies for login state. HttpOnly, Secure, SameSite=Lax. Cannot be disabled.
• Analytics cookies (non-essential) — Mixpanel tracking for product analytics. Can be disabled via the cookie consent banner.

We do not use advertising cookies or share cookie data with advertisers.

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when it was last revised.

For privacy-related enquiries, contact privacy@maturo.ai.

If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local supervisory authority.