Skip to main content
Matter Desk

Privacy Policy

Last updated: 7 May 2026

Matter Desk Pty Ltd (“Matter Desk”, “we”, “us”) provides an AI-powered legal workbench for Australian law firms. This Privacy Policy explains how we collect, use, store, and disclose personal information, and how it interacts with our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Who this policy applies to

This policy applies to personal information we handle about visitors to our website, prospective customers, individual users of the Service (lawyers, paralegals, support staff), administrators of a firm workspace, and people whose details appear in customer content uploaded by a firm.

2. What we collect

We collect the following categories of personal information:

  • Account data: name, work email, role within the firm, profile preferences, and authentication credentials.
  • Firm data: firm name, billing email, business address, ABN where supplied, and the configuration choices the partner administrator makes.
  • Customer content: matter records, documents, notes, deadlines, draft correspondence, generated memos, search history, and other material a firm chooses to upload or generate inside the Service. This may include personal information about the firm’s clients, opposing parties, witnesses, or counterparties.
  • Usage telemetry: which features the user interacts with, error reports, performance metrics, and similar operational signals. We use this to keep the Service reliable and to improve it. We do not include the contents of customer documents in usage telemetry.
  • Payment data: Matter Desk does not store full card numbers. Our payment processor handles card capture and tokenisation. We retain a customer identifier, the last four digits of the card used, the card brand, and invoice history.
  • Support communications: emails, in-app chat, and screen-share sessions when a firm asks us for help.

3. How we use it

We use personal information to:

  • provide, maintain, and secure the Service;
  • respond to research, drafting, and matter management requests submitted by users on behalf of the firm;
  • manage subscriptions, billing, trials, invoices, and refunds;
  • send service notifications (deadline reminders, billing notices, security alerts) and product updates the firm has opted in to;
  • investigate misuse, enforce our terms, and meet legal and regulatory obligations including responses to lawful demands;
  • improve the Service: aggregate, de-identified usage analysis to find rough edges and prioritise upgrades.

We do not use customer content to train shared or third-party AI models, and we do not sell or rent personal information to advertisers or data brokers.

4. AI processing of customer content

Substantive AI features (research, document analysis, memo drafting, deadline calculation) send relevant excerpts of customer content to third-party AI providers under contracts that prohibit retention or training on the data we send. We choose AI providers that operate Australian or contractually equivalent data residency and that support enterprise no-training commitments.

Where AI Output cannot be verified, the Service returns the phrase “Authority not verified”. Treat that as a flag that independent verification is required before relying on the output.

5. Where we store data

Customer content, account data, and operational records are stored on Australian infrastructure located in Sydney. Backups remain on Australian infrastructure. Data in transit is protected by TLS 1.2 or higher; data at rest is encrypted with industry-standard ciphers. Access to production systems is gated by single sign-on, multi-factor authentication, and least-privilege role assignment.

A small number of operational tools (error tracking, product analytics, payments, and email delivery) are provided by reputable vendors that may process data in approved offshore regions. Where any vendor stores personal information outside Australia, we put contractual safeguards in place that meet APP 8 requirements before sending any data.

6. Disclosure

We disclose personal information only:

  • to the firm whose workspace the information lives in, scoped by the access controls the partner administrator configures;
  • to our service providers (hosting, AI processing, payments, email delivery, error tracking, product analytics, customer support tooling) under contracts that limit them to processing data on our instructions;
  • to law enforcement or regulatory bodies where compelled by valid legal process, and only to the extent compelled. We will tell the affected firm wherever the law allows; and
  • to a successor entity in the event of a corporate transaction (merger, acquisition, asset sale), under confidentiality obligations no less protective than this Policy.

7. Retention

We retain customer content for as long as the firm maintains an active workspace plus 30 days after termination, after which active-system copies are deleted. Backup cycles flush deleted material on the standard rotation, typically within 90 days. We retain account, billing, and audit records for the period required by Australian tax, anti-money-laundering, and consumer-protection law, typically seven years.

A firm may export its customer content at any time from the workspace settings. Export remains available for 30 days after a cancellation.

8. Your rights under the Privacy Act

Subject to limited exceptions in the Privacy Act, you can ask us to:

  • tell you what personal information we hold about you;
  • give you a copy of that information;
  • correct information that is inaccurate or out of date;
  • delete information where we no longer have a lawful basis to keep it; and
  • stop sending marketing communications (you can also opt out via the unsubscribe link in any marketing email).

Send requests to privacy@matterdesk.ai. We respond within 30 days. If we cannot grant a request in full, we will tell you why.

If you are unhappy with how we have handled your personal information, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

9. Cookies and similar technologies

The Service uses essential cookies for authentication, session management, and CSRF protection. We use a small number of non-essential cookies and similar local-storage entries for product analytics and to remember preferences (theme, recently viewed matters). Non-essential cookies activate only after a user gives consent in the cookie banner.

10. Children

The Service is not intended for individuals under 18 and we do not knowingly collect personal information from minors. If you believe a minor has signed up, contact us so we can remove the account.

11. International users

The Service targets Australian law firms. Where personal information about residents of other jurisdictions is processed through the Service, we do so under the contractual instructions of the firm and rely on the safeguards described above. Individuals in the European Union or the United Kingdom can exercise the rights described in section 8, which align with the access, rectification, and erasure rights provided under the GDPR.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to the firm’s billing email at least 30 days before they take effect. The “last updated” date at the top of this page records the most recent change.

13. Contact

Privacy questions or complaints can be sent to privacy@matterdesk.ai. General questions can be sent to hello@matterdesk.ai.