Matrix One Privacy Policy
Last updated: July 10 2025
We are strongly committed to protecting your personal data, which means any information related to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (referred to as “personal data”, “data”, or “personal information”).
This Privacy Policy describes why and how we collect, process, and secure your personal data and provides information about your rights concerning your personal data. It provides information about our company and marketing efforts for Matrix One’s products and services (collectively referred to as “Services”) to our customers and visitors (“Customers”, “you” or “your”). It applies to our website https://www.matrixone.health/ (the “Website”), and other interactions (e.g. customer support) that you may have with Matrix One.
Matrix One is a unified brand under which Matrix Requirements GmbH and Galen Data, Inc. operate.
When you read “Matrix One”, “us”, “our”, or “we” below, it refers to Matrix Requirements GmbH and Galen Data, Inc., their affiliates and agents as data controllers for processing activities described in this Privacy Policy. For specific processing activities, the relevant Matrix One entity will be the primary data controller or they may act as joint controllers.
All individuals whose responsibilities include access to or processing of your personal data are required to adhere to our Privacy Policy.
If you have any questions about this Privacy Policy or our data practices, please do not hesitate to call us at +49 7802 931 4892 or contact us via our contact form, or email us at privacy@matrixone.health.
Please make sure to read this Privacy Policy when accessing or using Matrix One’s Services in any way, whether you have created your own Matrix One product instance (by subscribing to our Services), are invited to someone else’s site as a project member, or are just browsing around.
Table of Contents
What personal data do we collect and why?
Why do we process your personal data?
Legal basis for processing personal data
How do we share and disclose your information?
Your rights concerning personal data
Links to third-party websites
Questions you might have regarding your personal data
Who can see my password?
Who can see my credit card number?
Who can see my data?
How is my data protected from another customer’s data?
Have Matrix One’s Services ever been compromised so far?
Changes to this Privacy Policy
Data Protection Representative
What personal data do we collect and why?
We may process personal data provided to us for any purposes described in this Privacy Policy. We intend to collect only the personal data that is provided:
to enter and use Matrix One’s products or Services;
voluntarily by online visitors so that we can offer information and/or Services to those individuals; or
to offer information about employment opportunities.
Matrix One collects and processes personal data through operation of its Services and Website, and other interactions with us. Such personal data may include:
Customer Data. We collect your name and email address for authentication in our Services. Contact details may also include telephone, state, province, ZIP/postal code, other contact details, and associated local time zone information.
Data for billing purposes. Customers’ payment details may include invoicing and credit-related data such as name, email address, billing address, optional phone number and Skype ID, and optional geographical location.
We do not collect credit card data directly. See “Who can see my credit card number?” below.
Cookie Data. We use cookies and similar tracking technologies to improve your experience on our Website and Services. Please be aware that your browser must be configured to accept cookies from https://www.matrixone.health/ for you to use Matrix One’s Services. For more information on how we use cookies and other technologies and how you can control them, please read our Cookie Policy.
Other Data. Emails and chat protocols may include data about prospects visiting the Website, whether initiated by customers or Matrix One.
Why do we process your personal data?
We may process your personal data for the following purposes:
To provide and maintain our Services, including monitoring the usage of our Service.
To manage your instance/account. As a Service user, your personal data gives you access to different functionalities of Services that are available to you as a registered user.
To investigate and help prevent security issues and abuse. We have legitimate interests in keeping Services secure to detect, prevent and address abuse (such as spam) and investigate and take action regarding suspicious activity on Services. Therefore, we may process personal data to better understand how Matrix One is used or to prevent spam or abuse.
For the performance of a contract. Including billing, account management, and other administrative matters, such as contract development, compliance, and undertaking the contract for products, items, or services you have purchased, or any other contract with us through our Services.
To get in touch with you. To contact you by email, telephone calls, or other equivalent forms of communication regarding updates or informative communications related to the functionalities, including Services updates, when necessary or reasonable for their implementation.
To provide you with news, special offers and general information about other events we offer that are similar to those you have already purchased or enquired about unless you have opted out of receiving such information.
To manage your requests. We may use your personal information to respond when you contact us with inquiries, comments or questions.
For other purposes. We may use your information for other purposes, such as data analysis, identifying usage trends, determining our promotional campaigns’ effectiveness, and evaluating and improving our Services, marketing and your experience.
Legal basis for processing personal data under GDPR
We closely monitor privacy regulators’ guidance on GDPR compliance and adjust our product features and contractual obligations accordingly. You can expect regular updates.
Matrix One may process personal data under the following conditions:
Consent. You have given your explicit consent to processing personal data for one or more specific purposes.
Performance of a contract. The provision of personal data is necessary for the performance of a contract with you and/or for any pre-contractual obligations thereof.
Legal obligations. Processing personal data is necessary for compliance with a legal obligation to which Matrix One is subject.
Vital interests. Processing personal data is necessary to protect your vital interests or those of another person.
Legitimate interests. Processing personal data is necessary for the legitimate interests we pursue. We have a legitimate interest in being able to contact you, communicate with you and cooperate with you on the conclusion and performance of contracts, as well as for direct marketing purposes, for ensuring the network and information security of our Information System Management System and fulfilling your requests, namely:
storage of documentation of our cooperation for invoicing, resolving any disputes and other administrative issues;
providing, updating, maintaining and protecting our product, Website and business;
development and provision of productivity tools and additional features of our product;
prevention and investigation of security issues;
sending marketing emails and other communications about new product features, promotional messages or other news about us;
communication with you by responding to your requests, comments and questions.
In any case, we will gladly help clarify the specific legal basis that applies to the processing, particularly whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract.
Data security and integrity
The security of your personal data is important to us. Therefore, Matrix Requirements GmbH is ISO 27001 certified and Galen Data, Inc. is HITRUST certified. Additionally, Matrix One follows the industry’s best practices and continuously improves our processes.
We only give access to our servers to senior Matrix One security experts; such persons have agreed to keep this information confidential.
We keep our servers always up to date with security fixes, have one-click ways to take down servers should they become infected/compromised, and create and deploy new clean ones. We always code-review security-related code internally before checking in and have an automated suite of tests against XSS attacks and more.
The entire matrixone.health domain uses HSTS to ensure browsers interact with us only over HTTPS. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. You can check these details yourself using the Qualys SSL Labs service.
Although we take appropriate security measures once we receive your personal data, data transfers over the Internet (including by email) are never completely secure. Therefore, you should take particular care when deciding what data you provide to us. We strive to protect personal data but cannot guarantee the security of information transmitted to or by us.
Age limitations
Matrix One understands the importance of protecting children’s privacy, especially online. Our policy is to never knowingly collect or store information from anyone under 16 years of age. In case you learn that anyone younger than 16 has illegally provided us with personal data, you may notify us at privacy@matrixone.health. We will promptly take steps to delete such data and terminate the child’s account.
Data retention
We will retain your personal data only for as long as it is necessary for the purposes set out in this Privacy Policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
Data transfer
We do not share personal data with third parties except as necessary for our legitimate business needs, to carry out your requests, and as required or permitted by law or professional standards and requirements.
Matrix One uses third parties in other countries to help us run our business. As a result, personal data processed through Matrix One may be stored anywhere in the world, including the European Economic Area (EEA), the United States, Canada, the United Kingdom, and Ireland.
Our third parties, with their general locations and activities, include:
Sub-processor Name | Sub-processing Activities | Location |
---|---|---|
Amazon Web Services, Inc. (depends on customer location) | Data Center Hosting | United States, Europe, Australia, India, Indonesia, UAE |
OVH Cloud (depends on customer location) | Data Center Hosting | United States, Canada, France, Germany |
Google LLC | Data Center Hosting | Ireland |
Contabo GmbH | Data Center Hosting | Germany |
Hetzner GmbH | Data Center Hosting | Germany |
LeapSwitch Networks Pvt. Ltd. | Data Center Hosting | India |
Google Workspace | Productivity and communications services | United States |
Mailgun Technologies, Inc. | Mailing Service | United States |
Intercom, Inc. | Customer Support | Ireland, United States, Australia |
Hubspot, Inc. | Customer Relationship Management | United States |
Chargebee, Inc. | Billing | United States |
Slack Technologies, LLC | Internal communications tool | Ireland |
Lemlist SAS | Sales automation platform | France |
AgileBits, Inc. (1Password) | Password Management | Canada |
Productboard, Inc. | Product management platform | United States |
Typeform | Online forms and surveys | Spain |
Skyprep, Inc. | Online Training Management | Canada |
Cognism | Marketing platform | United Kingdom |
ForumBee, Inc. | Community Platform Service | United States |
Docusign, Inc. | Electronic signatures | United States |
Notion Labs, Inc. | Collaboration and productivity tool management platform | United States |
Amazon Web Services, Inc. (Bedrock) (optional for customers that enable Matrix AI features) | AI services provided for intelligence product features | United States, Europe |
Some of the third parties mentioned above are based in other countries that may have different privacy and data protection laws equivalent to those of the country in which you reside.
Where we transfer personal data outside of the EEA to non-EU countries, we rely on adequacy decisions by the European Commission.
If we transfer personal data outside of the EEA to a country or framework not determined by the European Commission as providing adequate protection for personal information, the transfers will be under an agreement that covers European Union requirements for such transfers, such as standard contractual clauses. You can find information about standard contractual clauses for data transfers between EU and non-EU countries here.
You can contact us at privacy@matrixone.health if you need more information about the legal mechanisms we rely on to transfer personal data outside the EEA.
By providing data to us, you consent to transferring and storing your personal data in these countries.
How do we share and disclose your information?
We restrict who at Matrix One can access customer data to only senior team members and never to outside parties.
We only do it in response to a customer support question.
We only do it to debug and fix the issue.
We never make changes to anything unless explicitly requested by a subscription owner.
If the subscription owner or a workgroup member asks us to look into a project to debug a software issue, we will go in and look at that project and possibly make minor edits to fix the issue.
We never share what we see with other customers or the general public.
We do not share personal data with third parties except as necessary for our legitimate professional and business needs, to fulfill your requests, or as required or permitted by law or regulatory standards.
We will not share the personal data you provide with third parties for use in direct marketing.
If you are a resident of a US state that provides for an opt-out of the "sale" or "sharing" of personal information (e.g., California), please note that Matrix One does not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under applicable US state privacy laws.
Under certain circumstances, we may be required to disclose your personal data if required by law or in response to valid requests by public authorities. We’ll try not to, but we don’t have the resources to fight the government. We will also inform your subscription owner to the extent legally permissible if this occurs.
Your rights concerning personal data
You may have certain rights under your local law regarding your personal data. This Privacy Policy aims to provide you with the comprehensive rights available under GDPR, which often exceed requirements in other jurisdictions.
The right to confirm whether we process personal data about you, receive a copy of your personal data, and obtain certain other information about how and why we process your data.
The right to rectification of your personal data. You have the right to have any incomplete or inaccurate personal data (for example, if you change your address) we hold about you corrected.
The right to erasure of your personal data when there is no good reason for us to continue processing it:
the personal data is no longer necessary concerning the purposes for which they were collected and processed;
our legal basis for processing is consent; you withdraw your consent, and we have no other legal basis for the processing;
our legal basis for processing is that the processing is necessary for legitimate interests pursued by us or a third party, you object to the processing, and we do not have overriding legitimate grounds;
you object to the processing for direct marketing purposes; or
your personal data must be erased to comply with a legal obligation to which we are subject.
The right to restriction of processing of your personal data in the following cases:
for a period enabling us to verify the accuracy of personal data where you contested the accuracy of the personal data;
your personal data have been unlawfully processed, and you request the restriction of processing instead of deletion;
your personal data are no longer necessary in relation to the purposes for which they were collected and processed, but you require the personal data to establish, exercise or defend legal claims; or
for a period enabling us to verify whether the legitimate grounds we relied on override your interests, where you have objected to processing based on it being necessary to pursue a legitimate interest identified by us.
The right to object to the processing of your personal data in the following cases:
our legal ground for processing is that the processing is necessary for a legitimate interest pursued by us or a third party, or
our processing is for direct marketing purposes.
The right to transfer your personal data. We will provide to you, or to a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to processing by automated means of data which you initially provided consent for us to process, or where we processed your personal data to perform a contract concluded with you.
The right to withdraw consent. Where we process personal data based on consent, you can withdraw consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Website and/or our products.
You can exercise your rights of access, rectification, erasure and objection by emailing us at privacy@matrixone.health.
Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.
If you consider that processing your personal data infringes the law, you may have the right to lodge a complaint with a data protection supervisory authority. For more information, if you are located in the European Economic Area (EEA), please contact your local data protection supervisory authority in the EEA.
Links to third-party websites
Our Website may contain links to other websites that we do not operate. We encourage visitors to read the Privacy Policy of each website visited before disclosing any personal information. We have no control over and assume no responsibility for any third-party sites or Services’ content, privacy policies or practices. Visiting other websites or applications is at your own risk.
Questions you might have regarding your personal data
Who can see my password? No one. We store your password hashed so no one, not even us, can read it. To protect passwords, we use bcrypt hashing with a unique random salt for each user.
You are responsible for keeping your username, password and other sensitive information confidential. If you become aware of any unauthorized use of your account or any other security breach, you shall notify Matrix One immediately.
If you forget your password, we can generate a new temporary password and send it to you by email. You will then be able to specify a new password.
User management is done inside Matrix Requirements products; additionally we support OAuth and SAML integration of external authentication systems. Subscription owners can assign passwords to staff and project members.
Matrix One staff will never change a password for you nor change the subscription owner unless requested.
Who can see my credit card number? No one at Matrix One. We use the Stripe payment service. Read about their security measures at http://mrq.ovh/stripe/security (in short, they encrypt your credit card info).
Once you sign up, Stripe will charge your card each month. Stripe has been audited by a PCI-certified auditor and is certified as PCI Service Provider Level 1. This is the most stringent level of certification available.
Who can see my data? The subscription owner can give access to registered users; nobody besides users who explicitly got the right and the authorized employees of Matrix One can see the data. To see data, the users must authenticate themselves.
It is possible to store attachments in Matrix One. These files have permalinks, which can be used to share attachments without authentication. These links are intentionally very long and hard to guess.
We use HTTPS to transfer all data. Besides passwords, data is not encrypted when stored in our database (to allow full-text search).
Only subscription owners can request the creation of new users.
How is my data protected from another customer’s data? Each customer instance has its own database. Each customer application can only access the data in that customer’s database, and no other databases are accessible.
Have Matrix One’s Services ever been compromised so far? No. Should our systems get compromised, we will replace the server(s) that have been hacked with new ones (we can do this with very few clicks). If this doesn’t stop the attack, we’ll shut down Services until we can fix the vulnerability. We will also hire experts to help us and verify that we’re safe to resume Services.
Changes to this Privacy Policy
We may update this Privacy Policy by publishing the revised version on this page to reflect our current privacy practices. When we make changes, we will revise the “Last updated” date at the top of this page. The newly modified Privacy Policy will apply from that revision date. Therefore, we encourage you to review this Privacy Policy periodically to be informed about how we protect your information.
Data Protection Representative
To communicate with our Data Protection representative, please email privacy@matrixone.health.
How to contact us
If you have any questions or comments about our privacy practices or complaints about handling your personal data, please contact us at privacy@matrixone.health. You may also use this email to communicate any concerns regarding compliance with our Privacy Policy.
To help us handle your request as quickly as possible, please provide the following information:
Your name;
Your email address;
Your relationship with Matrix One (e.g., a customer, an employee, a contractor, or another);
What you want to do (e.g., obtain a copy of your personal data, update your personal data, restrict processing of your personal data, delete your personal data, other requests or comments);
Any other relevant details if needed.
We may accept your concern (and, in that case, implement one of the measures set out in the “Your rights concerning personal data” section above) or reject your concern on legitimate grounds.
In any event, you always have the right to complain to the relevant regulator for the protection of personal data.