Privacy Policy

SharpMatter is operated by NORDIMARK CONSULTANCY – FZCO, a company registered at IFZA Business Park, DDP, Dubai Silicon Oasis, PO Box 342001, Dubai, United Arab Emirates ("we," "our," or "us"). We operate the SharpMatter platform at sharpmatter.ai (the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. It also describes your rights under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the UAE Personal Data Protection Law (PDPL). Please read this policy carefully. By using SharpMatter, you agree to the practices described herein.

1. Data Controller

The data controller responsible for your personal data is:

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address and an encrypted password managed by our authentication provider (Supabase Auth). We do not store your password in plain text.

2.2 Meta (Facebook) Ads Data

When you connect your Meta Ads account via OAuth, we receive and process:

• Your Meta OAuth access token (encrypted at rest)
• Your selected ad account IDs
• Ad performance data retrieved via the Meta Graph API (campaigns, ad sets, ads, insights, and metrics) — accessed in read-only mode

We do not view, manually access, or review your advertising data. Your data is fetched on-demand when you (or your AI client) make a request and is passed directly to the AI model for analysis. No SharpMatter employee or contractor has visibility into your ad account data during normal operation of the Service.

We request only the ads_read permission. We do not create, modify, or delete any of your ads, campaigns, or account settings. The Service operates in read-only mode.

2.3 Business Context

You may optionally provide business metrics such as average order value (AOV), profit margins, ROAS targets, and other context to improve analysis quality. This data is stored in your user profile and is only accessible by you.

2.4 Conversation and Decision Data

When you use the chat interface or MCP tools, we process your queries through an AI model. We may store:

• Decision logs — AI-generated recommendations and your recorded outcomes
• Checklist items — action items tracked within the platform

Conversation messages are processed in real time and are not permanently stored on our servers beyond the duration of your session, unless explicitly captured as decision logs by the AI at your direction.

2.5 Usage Data

We collect basic usage information including tool calls made, timestamps, and error logs. This data is used solely to operate, improve, and debug the Service.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases under the GDPR:

• Performance of a contract (Art. 6(1)(b)) — to provide the Service you signed up for, including account creation, Meta data retrieval, and AI-powered analysis
• Consent (Art. 6(1)(a)) — when you explicitly authorize us to access your Meta Ads account via OAuth. You may withdraw consent at any time by disconnecting your Meta account in Settings
• Legitimate interest (Art. 6(1)(f)) — for service improvement, security monitoring, and debugging, where our interests do not override your fundamental rights
• Legal obligation (Art. 6(1)(c)) — where we are required to process data to comply with applicable laws

4. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Authenticate your identity and manage your account sessions
• Retrieve and analyze your Meta Ads data on your behalf
• Generate AI-powered insights, recommendations, and visualizations
• Store your business context to personalize analysis
• Track decisions and outcomes you choose to log
• Improve the Service, fix bugs, and develop new features
• Enforce our Terms of Service and prevent abuse

We do not use your data for advertising, profiling, or automated decision-making beyond providing the analysis features you explicitly request.

5. Third-Party Services (Sub-Processors)

We use the following third-party services to operate SharpMatter. Each processes data only as necessary to provide its specific function:

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We do not share your data with data brokers, ad networks, or marketing platforms.

We may share your information only in the following limited circumstances:

• With sub-processors listed above, solely to operate the Service
• To comply with legal obligations — if required by law, court order, or governmental request
• To protect rights and safety — to enforce our Terms, prevent fraud, or protect the security of our users
• With your explicit consent — if you authorize additional sharing

7. Meta Platform Data Use

In compliance with Meta's Platform Terms and Developer Policies, we commit to the following:

• We access Meta data only with your explicit consent via the OAuth authorization flow
• We use Meta data solely to provide the Service— analyzing your ad performance and generating insights for your use
• We do not sell Meta data or use it for advertising, profiling, or any purpose other than providing the Service to you
• We do not transfer Meta data to any data brokers, ad networks, or analytics providers unrelated to the Service
• We do not use Meta data to build or augment user profiles for advertising or marketing purposes
• We do not cache or store Meta data beyond short-lived operational caches (maximum 30 minutes) except for your encrypted access token
• We delete Meta data (including access tokens) upon account deletion or when you disconnect your Meta account
• Access tokens are encrypted at rest and transmitted only over HTTPS
• No human at SharpMatter reviews or has access to your ad account data during normal operation — data is processed programmatically and returned to you or your AI client

8. Data Security

We implement industry-standard security measures to protect your data:

• All data is transmitted over HTTPS/TLS
• Meta OAuth tokens are encrypted before storage
• Database access is controlled with Row Level Security (RLS) — users can only access their own data
• Passwords are hashed using industry-standard algorithms (managed by Supabase Auth)
• API endpoints require authentication via session tokens, OAuth Bearer tokens, or API keys
• OAuth 2.1 with PKCE is used for MCP client authentication, preventing token interception
• Refresh tokens are rotated on each use per OAuth 2.1 best practices

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service:

• Account data — retained until you delete your account
• Meta access tokens — retained (encrypted) until you disconnect your Meta account, the token expires, or you delete your account
• Meta ad data — not permanently stored; fetched on-demand and cached for a maximum of 30 minutes
• Business context — retained until you delete your account or remove it via Settings
• Decision logs and checklists — retained until you delete your account
• Usage logs — retained for up to 90 days for debugging and analytics
• Chat messages — processed in real time and not permanently stored

Upon account deletion, we will delete or anonymize all your personal data within 30 days, except where retention is required by law.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

All Users

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request deletion of your account and all associated data
• Portability — request your data in a machine-readable format
• Withdrawal of consent — disconnect your Meta account at any time from the Settings page

Additional Rights Under GDPR (EEA/UK/Switzerland)

• Restriction of processing — request that we limit how we process your data
• Object to processing — object to processing based on legitimate interests
• Lodge a complaint — with your local data protection authority
• Not be subject to automated decision-making — we do not make decisions with legal effects based solely on automated processing

To exercise any of these rights, contact us at hello@sharpmatter.ai. We will respond within 30 days (or sooner where required by law).

11. International Data Transfers

Your data may be processed and stored in the United States or other countries where our service providers operate. Our sub-processors (Supabase, Vercel, Anthropic) are US-based companies.

For users in the EEA, UK, or Switzerland, we ensure that international transfers are protected by appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Sub-processors' own data protection commitments and certifications

By using the Service, you acknowledge and consent to the transfer of your information to countries that may have different data protection laws than your country of residence.

12. Cookies and Local Storage

We use essential cookies only to manage your authentication session. These are strictly necessary for the Service to function and cannot be disabled.

We do not use advertising cookies, tracking pixels, third-party analytics cookies, or any form of cross-site tracking.

13. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at hello@sharpmatter.ai.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR)
• Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Take immediate steps to contain and remediate the breach

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we will also send a notification to the email address associated with your account. Your continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions or concerns about this Privacy Policy, wish to exercise your data rights, or need to report a data protection concern, please contact us: