MTRX Privacy Policy
Version 1.0 — Effective 10 July 2026 (2026-07-10)
This policy explains how DIVERGENT SOFTWARE LTD (company number 17324678, registered office Tagus House, 9 Ocean Way, Southampton, England, SO14 3TJ — "MTRX", "we", "us") handles personal data in connection with the MTRX platform (the "Service"). We are committed to handling personal data in accordance with UK data protection law, including the UK GDPR and the Data Protection Act 2018.
1. The two roles we play
Where we are the controller. For the personal data of people who use MTRX — account holders, organisation members, and people who contact us — we decide how and why the data is processed, and this policy applies in full.
Where we are a processor. The Service retrieves event and ticket sales data from ticketing providers at our customers' instruction. That data may include personal data about ticket buyers and event attendees. For that data, the customer (the event organiser) is the controller and we process it only on their behalf, under our Data Processing Addendum. If you are a ticket buyer with questions about your data, please contact the event organiser you bought from; sections 2–5 of this policy do not describe that processing.
2. Personal data we collect (as controller)
- Account data — name, email address, and password (held by our authentication provider; we never see your password), and optional multi-factor authentication enrolment.
- Organisation data — the organisations you belong to, your role and permissions, invitations you send or receive.
- Billing data — subscription plan, billing status, and invoice history. Card details are collected and held by Stripe, not by us.
- Usage and log data — actions in the Service (including a security audit log), device and browser information, IP addresses, and error reports.
- Support data — messages you send via the in-app support form or otherwise.
We do not collect special category data and ask that you do not submit any.
3. Why we process it and our lawful bases
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Providing the Service: accounts, organisations, syncing, dashboards, reports | Contract (6(1)(b)) |
| Billing and subscription management | Contract (6(1)(b)); legal obligation (6(1)(c)) for tax/accounting records |
| Service emails: invitations, security, payment-failure and sync-failure alerts | Contract (6(1)(b)); legitimate interests (6(1)(f)) in keeping you informed about your account |
| Security: audit logging, access control, fraud and abuse prevention | Legitimate interests (6(1)(f)) in securing the Service |
| Error monitoring and service improvement | Legitimate interests (6(1)(f)) in running a reliable service |
| Responding to support requests | Contract (6(1)(b)); legitimate interests (6(1)(f)) |
| Complying with law and legal process | Legal obligation (6(1)(c)) |
We do not sell personal data, and we do not use it for third-party advertising.
4. Cookies
The Service uses essential cookies only: authentication session cookies (set by our authentication provider, Supabase) and short-lived cookies used to complete provider OAuth connections. We do not use advertising or cross-site tracking cookies. Because these cookies are strictly necessary to provide the Service, they do not require consent under UK law.
5. Who we share data with
We use a small number of service providers ("subprocessors") to run MTRX:
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, and file hosting |
| Render | Application hosting |
| Stripe | Payment processing |
| Resend | Transactional email delivery |
| Sentry | Error and performance monitoring |
We also disclose data where required by law, to enforce our terms, or as part of a corporate transaction (with notice where required). Ticketing providers (e.g. DICE, Skiddle, SEE Tickets, Gigantic, Ticketmaster, Eventbrite, Universe) are data sources we read from at your instruction, under your own agreements with them — we do not send your personal data to them.
6. International transfers
We host the Service and its database in the UK/EEA where available. Some of our subprocessors are US companies, and processing by them may involve transfers outside the UK. Where personal data leaves the UK, we rely on UK adequacy regulations (including the UK–US Data Bridge where applicable) or the ICO's International Data Transfer Agreement / Addendum to EU Standard Contractual Clauses.
7. How long we keep data
- Account and organisation data — for as long as your account or organisation exists. When an organisation is deleted, its data is removed from live systems within 30 days.
- Billing records — retained for 6 years as required by UK tax law.
- Audit logs — retained while the organisation exists, as a security record for both you and us.
- Support messages — retained while relevant to your account.
- Backups — purge on a rolling cycle after live deletion.
8. Security
Provider credentials are envelope-encrypted at rest and never displayed back once saved. Access to customer data within MTRX is controlled by row-level security in the database, organisation-scoped permissions, and audited staff access controls (staff access to tenant data requires a time-boxed, logged support grant). Data is encrypted in transit (TLS).
9. Your rights
Under the UK GDPR you have the right to access your personal data, correct it, delete it, restrict or object to its processing, and receive a copy in a portable format. You can exercise these rights via the in-app support form or by writing to our registered office. We will respond within one month.
You also have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk, or by phone on 0303 123 1113. We would appreciate the chance to address your concerns first.
10. Children
The Service is for business use and is not directed at anyone under 18. We do not knowingly collect data from children.
11. Changes to this policy
We may update this policy from time to time. Material changes will be notified via the Service or email before they take effect. The version and effective date at the top identify the current policy.
12. Contact
DIVERGENT SOFTWARE LTD (company number 17324678)
Tagus House, 9 Ocean Way, Southampton, England, SO14 3TJ
You can also reach us via the in-app support form in your organisation's settings.
