Skip to main content
Datamata Studios

Security · privacy · data handling

Trust centre

How we handle browser tools, member uploads, AI-assisted features, payments and first-party analytics. This page summarizes our posture — see Privacy and Terms for legal detail.

Last reviewed: May 16, 2026

This page summarises how we think about security and data handling for free utilities, member tools and checkout. It is not a substitute for the Privacy Policy or Terms of Service.

Browser versus server processing

Many catalogue utilities run entirely in your browser: input you paste is transformed locally in the tab and is not sent to Datamata Studios for that formatting or conversion step. Network calls may still happen for normal page delivery, analytics you have allowed and fonts or assets.

When you are signed in, premium tools and APIs run on our servers or serverless functions. Those routes receive only what you submit for that request plus session and abuse-prevention metadata needed to operate the service.

Uploads, resumes and downloads

Features that accept files or long pasted text (for example resume builder, match engine uploads or data product delivery) need server-side storage or signed URLs to work. We retain those artefacts only as long as needed to provide the feature, resolve support tickets and meet legal obligations. Details sit in the Privacy Policy retention section.

Treat every field as sensitive until you have redacted names, tokens and employer identifiers you do not intend to share.

AI-assisted features

Some workflows call external model APIs (for example Anthropic Claude and optionally OpenAI when configured) with bounded payloads to produce suggestions, transforms or scores. Those requests leave our infrastructure for the provider you have enabled in deployment. We do not use your content to train providers' public foundation models; behaviour is governed by each vendor's enterprise and API terms.

If you are evaluating a feature that sends text to a model, assume the same care you would use when pasting into any third-party assistant.

First-party product analytics

We record a small set of product usage events in our own database (for example checkout started, tool started or completed, quota reached and freemium meter ticks). These rows help us see where trials stall and which tools drive engagement. They intentionally exclude pasted resume text, job descriptions and other large payloads — only ids, counts and short labels where needed.

There is no ad-tech pixel network in this path. Operators and security reviewers should read the event dictionary in the repository at docs/guides/PRODUCT_ANALYTICS_EVENTS.md (event names, fields and example SQL).

Payments

Subscriptions and one-off purchases are processed by Stripe. We receive billing metadata (for example customer reference and line items) rather than your full card number. See Stripe's security documentation for PCI scope and card handling.

Subprocessors and infrastructure

At a high level we rely on: hosting and edge delivery (Vercel), authentication and application data (Supabase), payments (Stripe) and, where configured, model providers as above. Operational logs from those layers may include IP address, user agent and request paths for reliability and abuse prevention.

Security contact

Report suspected vulnerabilities or misuse to hello@datamatastudios.com with the subject line "Security report". Include reproduction steps where possible. We do not run a public bug bounty programme today but we read every message.