Who we are
Matrib (“Matrib,” “we,” “us”) is a news reading service available on the web at www.matrib.com and as a mobile application on iOS and Android.
Matrib is built and run by the Matrib team — a small, independent group of friends, not a registered company. We are the data controller responsible for your personal information. For any privacy question or request, contact us at team@prodlis.com. The same address reaches the people responsible for handling data-protection requests under the GDPR, UK GDPR, and the Indian Digital Personal Data Protection Act, 2023 (“DPDP Act”).
This policy explains, in plain language, what we collect, how we use it, who we share it with, how long we keep it, and the rights you can exercise. It applies to both our website and our mobile applications, which share the same backend and the same privacy practices.
What we collect
We collect the minimum information needed to operate the service. We do not ask for, or collect, your phone number, contacts, calendar, microphone audio, precise location, or any biometric data.
- Account information. Your email address, username, full name, optional bio, and an optional avatar colour preference. Your password is never stored in clear text — only a bcrypt hash (cost factor 12) used to verify future sign-ins.
- One-time codes (OTPs). When you sign up, sign in, or reset your password, we send a 6-digit code to your email. The code is stored as a SHA-256 hash, blocked after 5 failed verification attempts, and automatically deleted from our database by a 10-minute time-to-live index when it expires (and immediately on successful use).
- Profile picture (optional). If you upload a profile image, the file is stored in our object-storage subprocessor (Google Firebase Storage) under a path scoped to your account ID.
- Reading activity. The articles you have opened and the articles you have bookmarked, used to power your saved library, recent reads, and category-based personalisation. This is account-scoped and never shared externally or used for advertising.
- Preferences. Theme (light/dark) and whether you have opted in to notifications.
- Push notification tokens. If you enable notifications, we receive a device token from Apple, Google, or Expo so we can send you the alerts you have opted into. The token identifies the device, not you.
- Technical logs. When you interact with the service, our servers process standard request data (IP address, user agent, referring page, timestamps, request path). We use these for security, abuse prevention, and debugging. See section 09 — Retention for how long we keep them.
- Local storage on your device. A signed session token (kept in an HttpOnly-equivalent cookie on the web, and in the iOS Keychain / Android Keystore on mobile), plus a small cache of your profile, preferences, bookmarks, and recent search terms so the app works quickly on return visits. None of this is shared with third parties.
We do not use cross-app or cross-site tracking, advertising identifiers (IDFA, AAID), browser fingerprinting, session-replay scripts, or behavioural advertising pixels.
How we use it — and our legal bases
Under the GDPR and UK GDPR we must tell you the legal basis for each use of your data. Under the DPDP Act we must tell you the purpose. Both are listed below.
- Deliver the service — show you articles, save bookmarks, sign you in, sync your library across devices. Legal basis: performance of a contract (GDPR Art. 6(1)(b)); the purpose for which you provided your data (DPDP).
- Authenticate and secure your account — send OTPs, verify passwords, rate-limit attacks, detect abuse. Legal basis: performance of a contract and our legitimate interest in keeping the service secure (GDPR Art. 6(1)(b) and (f)).
- Personalise your editorial feed — remembering which categories you read most so we can rank our editorial content for you. This runs entirely on our servers; we do not sell or share signals. Legal basis: legitimate interest (GDPR Art. 6(1)(f)). You can object at any time — see section 11.
- Send transactional emails — account verification, password reset, important security or service notices. Legal basis: performance of a contract.
- Send newsletter or product emails — only if you have specifically opted in. Every such email includes a one-click unsubscribe. Legal basis: your explicit consent (GDPR Art. 6(1)(a); DPDP s. 6).
- Comply with law and protect rights — respond to valid legal requests, enforce our terms, prevent fraud. Legal basis: legal obligation and legitimate interest (GDPR Art. 6(1)(c) and (f)).
What we do not do
This list is as important as the one above:
- We do not sell your personal information. To anyone. Ever.
- We do not rent, lend, or trade your data with data brokers.
- We do not share your data with advertising networks or use behavioural ad targeting.
- We do not use third-party analytics that profile you across the web.
- We do not currently use your personal data to train artificial-intelligence or machine-learning models. If we ever introduce features that require this, we will update this policy and, where the law requires, ask for your separate consent before using your data that way.
- We do not embed cross-site tracking pixels or fingerprinting scripts in our pages.
- We do not read articles you have not explicitly bookmarked or opened, infer health data, track your scroll behaviour, or build a behavioural profile.
Analytics
We do not currently run any web analytics. Our website does not load Google Analytics, Plausible, or any other third-party analytics or measurement script, and sets no analytics cookies. If we introduce privacy-respecting, cookieless analytics in future, we will update this section before doing so and will never use a product that profiles you across other sites.
Our mobile applications include no third-party analytics, no advertising SDKs, no crash-reporting SDK, and do not use Apple’s App Tracking Transparency framework because we do not track you across other companies’ apps or websites.
If your browser sends a Do Not Track or Global Privacy Control signal, we honour it.
Push notifications
Push notifications are off by default. If you opt in, we use your operating system’s push notification service (APNs on iOS, FCM on Android) to deliver alerts about new editorial content, a daily morning briefing if you enable it, and important account or security notices.
You can turn notifications off at any time inside the app (Profile › Preferences) or in your device’s system settings. When you turn them off, your device token is removed from our backend on next sign-in.
How long we keep your data
We keep different categories of data for different periods:
- Account data (profile, preferences, bookmarks, reading history) — retained for as long as your account is active.
- Deleted accounts — when you delete your account, your user record, preferences, bookmarks, reading history, push tokens, and profile image are permanently removed immediately. No grace period. We retain a one-way hash (SHA-256) of your former email and user ID in an internal deletion audit log so we can prove the deletion happened, but the hash cannot be reversed to identify you.
- OTP codes — hashed and auto-deleted after 10 minutes by a database time-to-live index.
- Server access logs — kept for up to 7 days for security and debugging, then rotated and removed.
- Backups — encrypted database backups roll off on a short cycle (typically 30 days). After deletion, residual copies in backups are overwritten on the normal rotation.
- Email subscriptions — if you unsubscribe from the newsletter, we keep a minimal “do-not-contact” record (your email) so we honour your choice in the future. Required by anti-spam laws.
Security
We protect your account with industry-standard practices:
- TLS (HTTPS) on every connection between our apps and our servers.
- Passwords hashed with bcrypt (cost factor 12). Plaintext passwords are never written to disk or logged.
- OTP codes hashed with SHA-256 and stored with a 10-minute TTL.
- On mobile, session tokens are stored in the iOS Keychain or Android Keystore — hardware-backed where the device supports it.
- On the web, session cookies are scoped to our domain with SameSite=Strict.
- Least-privilege access to production data; dependency vulnerability scanning; production secrets kept outside the codebase.
- Annual review of our data-processing agreements with sub-processors.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at team@prodlis.com.
Data-breach commitment. In the event of a personal data breach that affects you, we will notify the competent supervisory authority within 72 hours of becoming aware of it (as required by GDPR Article 33) and the Indian Data Protection Board as required by the DPDP Act. Where the breach is likely to result in a high risk to you, we will notify you directly without undue delay.
Your rights
You have control over your data, regardless of where you live. You can exercise the following rights directly from your account or by emailing team@prodlis.com:
- Access — request a copy of the data we hold about you.
- Correction / rectification — update inaccurate information directly from profile settings.
- Deletion / erasure — delete your account and associated data. Available in-app and via /delete-account.
- Portability — request an export of your profile, preferences, bookmarks, and reading history in a structured, machine-readable JSON file by emailing us at team@prodlis.com.
- Object — opt out of personalised ranking and any optional processing.
- Restrict processing — ask us to limit how we use your data while a dispute is resolved.
- Withdraw consent — for any processing based on consent (e.g. newsletter), withdraw at any time without affecting prior lawful processing.
- Lodge a complaint — with your local data protection authority. See section 13 — Regional rights.
We do not use solely automated decision-making that produces legal or similarly significant effects on you (GDPR Article 22).
We respond to verified rights requests within 30 days (sooner where possible). If we need more time for a complex request, we will tell you and explain why. Identity verification is required to protect you from someone else attempting to impersonate you.
Children
Matrib is intended for users aged 13 and over. We do not knowingly collect personal information from a child under 13.
European Union and UK users: in countries where the digital-consent age is higher than 13 (for example, 16 in some EU member states), users below that age must have verifiable consent from a parent or guardian. We do not currently offer a child-account flow; users below the local digital-consent age should not create an account without a parent or guardian acting on their behalf.
India: under the DPDP Act, processing of personal data of a child (under 18) requires verifiable parental consent, and we cannot undertake targeted advertising directed at children. As we do not run any targeted advertising, we treat all under-18 users as minors and ask parents or guardians to oversee their account use until India clarifies a workable parental-consent procedure.
If you believe a child has provided us their information, please contact team@prodlis.com and we will delete it promptly.
Regional rights & disclosures
The rights listed in section 11 apply to everyone. Some regions grant additional rights — we honour all of them.
European Economic Area & United Kingdom (GDPR, UK GDPR). You have the rights of access, rectification, erasure, restriction of processing, portability, and objection. You may also lodge a complaint with your local Data Protection Authority (the ICO in the UK, or your member-state authority in the EU). Our legal bases for each use of your data are listed in section 03.
India (DPDP Act, 2023). You have the right to access, correct, and erase your personal data, to nominate another person to exercise these rights in case of incapacity, and to grievance redress. Our Grievance Officer can be reached at team@prodlis.com. Unresolved complaints may be escalated to the Data Protection Board of India.
California (CCPA / CPRA). California residents have the right to know what personal information we collect, to delete it, to correct it, to opt out of any sale or sharing of personal information for cross-context behavioural advertising, and to limit the use of sensitive personal information. We do not sell or share personal information as those terms are defined under the CCPA. We do not process sensitive personal information for any purpose other than providing the service you requested. You may exercise your rights by emailing team@prodlis.com. We will not discriminate against you for exercising any CCPA right.
Other US states. We extend equivalent access, deletion, correction, and opt-out rights to residents of Virginia, Colorado, Connecticut, Utah, and any other state with a comprehensive consumer-privacy law. Contact team@prodlis.com.
International data transfers
Our primary application servers and database are operated in India. Some sub-processors (listed in section 07) process data outside India — notably Google Firebase and Expo Push in the United States, and Hostinger in the EU.
Where data leaves the European Economic Area or the United Kingdom, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) to guarantee a comparable level of protection. Where data leaves India, we ensure recipient countries meet the conditions of section 16 of the DPDP Act.
Changes to this policy
We may update this policy as the product or the law evolves. When we make material changes, we will:
- Revise the “Last updated” date at the top of this page.
- Show a one-time banner on the website and inside the mobile app on your next launch.
- For changes that affect how we use your data, notify you by email before they take effect, giving you the chance to delete your account first if you disagree.
Archived versions are available on request.
Contact us
For any privacy question, request, or concern — including data subject requests, the appointment of an authorised representative, or complaints — write to:
- the Matrib team (the team behind Matrib)
- Email: team@prodlis.com
We aim to acknowledge requests within two business days and resolve verified requests within thirty.