Skip to main content
Datamata Studios

Trust centre

Last updated: May 17, 2026

This page summarises how we think about security and data handling for free utilities, member tools and checkout. It is not a substitute for the Privacy Policy or Terms of Service.

Browser versus server processing

Many catalogue utilities run entirely in your browser: input you paste is transformed locally in the tab and is not sent to Datamata Studios for that formatting or conversion step. Network calls may still happen for normal page delivery, analytics you have allowed and fonts or assets.

When you are signed in, premium tools and APIs run on our servers or serverless functions. Those routes receive only what you submit for that request plus session and abuse-prevention metadata needed to operate the service.

Uploads, resumes and downloads

Features that accept files or long pasted text (for example resume builder, match engine uploads or data product delivery) need server-side storage or signed URLs to work. We retain those artefacts only as long as needed to provide the feature, resolve support tickets and meet legal obligations. Details sit in the Privacy Policy retention section.

Treat every field as sensitive until you have redacted names, tokens and employer identifiers you do not intend to share.

AI-assisted features

Some workflows call external model APIs (for example Anthropic Claude and optionally OpenAI when configured) with bounded payloads to produce suggestions, transforms or scores. Those requests leave our infrastructure for the provider you have enabled in deployment. We do not use your content to train providers' public foundation models; behaviour is governed by each vendor's enterprise and API terms.

If you are evaluating a feature that sends text to a model, assume the same care you would use when pasting into any third-party assistant.

Payments

Subscriptions and one-off purchases are processed by Stripe. We receive billing metadata (for example customer reference and line items) rather than your full card number. See Stripe's security documentation for PCI scope and card handling.

Subprocessors and infrastructure

At a high level we rely on: hosting and edge delivery (Vercel), authentication and application data (Supabase), payments (Stripe) and, where configured, model providers as above. Operational logs from those layers may include IP address, user agent and request paths for reliability and abuse prevention.

Security contact

Report suspected vulnerabilities or misuse to hello@datamatastudios.com with the subject line "Security report". Include reproduction steps where possible. We do not run a public bug bounty programme today but we read every message.