Last updated 19 May 2026
Privacy.
What we collect. Why. Where it goes. How to get it deleted. UK GDPR Article 13 boils down to one thing — tell people what you’re doing with their data, in language they can actually read. The rest of this page tries that. If a sentence reads like legal-template wallpaper instead of telling you something useful, that’s a bug. Email braeden@matteh.uk.
The data controller.
- Trading name
- Matteh
- Operator
- Braeden Izatt, sole trader, London, United Kingdom
- Contact
- braeden@matteh.uk
- Data Protection Officer
- Not appointed — sole-trader operations don’t hit the threshold that mandates one. The contact above handles every request himself.
Four pots of personal data.
1. Essay waitlist signups
Drop your email at the bottom of an essay and we store five things: the email address itself, which essay you signed up from, the browser user-agent string the request came in with, the IP that sent it, and a created-at timestamp. Nothing else.
2. Audit orders
Buy an audit on matteh.uk and the intake form keeps a working file: email, name, brand’s domain, the question you want answered, the competitors you named, any free-form notes, the request’s user-agent, its IP, timestamps. The card itself never reaches us — Stripe handles payment and we get back the session ID, the payment intent, and the amount paid. That’s the whole payment-side surface.
3. Anything you email us
Email braeden@matteh.uk and the thread sits in the inbox. We don’t copy it elsewhere; it stays so we can pick the conversation up next time.
4. Cold-outbound prospect contacts
From late May 2026 onward, we send first-touch outreach emails to named individuals at UK clinics — owners, practice managers, and the people who run the front desk — whose work email and public role we’ve identified from the clinic’s own site, LinkedIn, or public company filings. The sender is braeden@anchor.matteh.uk (a subdomain we use specifically so cold outreach doesn’t share reputation with the editorial inbox).
For each prospect we hold: name, role, work email, clinic name, clinic domain, a brief per-prospect note relevant to their clinic (the thing we’d open the email with), and the sequence state for that contact (sent, replied, unsubscribed). No personal phone numbers, no consumer data, no enrichment-shop profiles. The list is built by us, not bought.
Every cold email carries the sender’s identity, postal address, a one-click unsubscribe header (RFC 8058), and a link back to this policy. Reply “unsubscribe” or click the mail-client native button and the row is suppressed within minutes. The legitimate-interests assessment behind this processing is documented internally and available on request.
What we don’t collect
On purpose: no analytics. No Google Analytics, no Plausible, no PostHog, nothing fingerprinting visits to these pages. The tradeoff is real — we lose funnel data that would be nice to have — but at our traffic level the calculus doesn’t favour exporting visitors to a third party for metrics neither of us needs. (The data sources our teardowns cite are your brand’s public surfaces, not your visitors.)
No advertising cookies. No tracking cookies. The only cookies set on this site are the strictly necessary session cookies the admin and client-portal areas need to work, and a public reader of the essays never encounters them.
No automated decision-making. The audit you’d buy is written by a human (Braeden), not generated by something silently scoring you in the background.
Purpose and lawful basis, line by line.
- Waitlist email
- Purpose: let you know when new teardowns publish and when audit slots open. Lawful basis: consent (Article 6(1)(a)). The submit click is the consent. Withdraw any time — see § 06.
- Audit-order data
- Purpose: deliver the audit you bought. Lawful basis: performance of a contract (Article 6(1)(b)). The intake fields are the minimum the work depends on; nothing extra is asked.
- Stripe payment data
- Purpose: take payment, account for it, refund it if it comes to that. Lawful basis: contract (6(1)(b)) plus legal obligation (6(1)(c)) — HMRC requires the accounting record either way.
- User-agent + IP address
- Purpose: abuse prevention, error diagnosis, and an audit trail if a row gets disputed. Lawful basis: legitimate interests (6(1)(f)) — running a site that isn’t being spammed or tampered with.
- Email correspondence
- Purpose: have a conversation. Lawful basis: legitimate interests (6(1)(f)) for general enquiries; contract (6(1)(b)) once you become a buyer.
- Cold-outbound contact data
- Purpose: first-touch B2B outreach to named individuals at UK clinics we think the work might be useful to. Lawful basis: legitimate interests (6(1)(f)) — promoting a B2B service to the named recipient’s professional role at their employer. PECR Reg 22 exempts marketing to corporate subscribers from the prior-consent requirement that applies to consumers, provided the sender identity is disclosed and an unsubscribe route is present. Both are. The legitimate-interests assessment behind this processing (purpose / necessity / balance) is documented internally and available on request.
The six processors that touch your data.
We don’t sell anything to anyone. No advertiser, no broker, no enrichment shop. The third parties below are the infrastructure that actually runs the site — each operates as our processor under a written DPA. That’s the whole list.
- Supabase
- Our database and auth provider. Stores waitlist rows, audit-order rows, and admin/client-portal accounts. Hosted in the EU. supabase.com/privacy.
- Stripe
- Payment processing for audit orders. Stripe is a separate data controller for the payment information itself (card number, billing address, fraud signals); we receive only the session and payment IDs and the amount paid. stripe.com/gb/privacy.
- Vercel
- Hosts and serves matteh.uk. Sees request logs (IP, user-agent, path) for the duration of the access logs. vercel.com/legal/privacy-policy.
- Resend
- Sends transactional email (e.g. magic-link sign-in for buyers, audit-delivery notifications). Sees the recipient address and the email body we choose to send. resend.com/legal/privacy-policy.
- Google Workspace
- Hosts the braeden@anchor.matteh.uk mailbox we use for first-touch B2B outreach. Sees the messages we send and the replies we receive at that address. workspace.google.com/terms/dpa_terms.
- Smartlead
- The cold-outreach platform that holds our prospect contact list, sends the sequence from the Workspace mailbox above, detects replies, and stops the sequence the moment a reply arrives. Sees the prospect’s name, role, work email, clinic, the per-prospect note we open the message with, and the sequence state. US-domiciled. smartlead.ai/privacy.
Add a processor, this list grows. The footer always points back here.
Some of your data leaves the UK.
Five of the six (Stripe, Vercel, Resend, Google Workspace, Smartlead) are headquartered in the US and may move data there in the course of doing the work. Supabase runs our project in the EU, but its corporate parent is US-domiciled too — so the same transfer question applies to it.
The legal vehicle covering each transfer is the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (UK IDTA), built into every processor’s DPA. In practice that means transferred data gets the same protection on a server in San Francisco that it would on one in London. Each processor’s DPA is linked from its privacy notice above.
What you can ask us to do.
Seven rights under UK GDPR. To exercise any of them, email braeden@matteh.uk. We act inside thirty days, usually the same day. No charge, no forms, no portal.
- Access. Ask what we hold; we send you a copy.
- Rectification. Anything wrong gets corrected.
- Erasure. Deleted on request, with one carve-out: audit-order rows are kept seven years because HMRC requires it. Everything else can go.
- Restriction. Pause processing while a question is being resolved.
- Portability. Your data, in a machine-readable export, so you can take it wherever.
- Object. If we hold something under legitimate interests, you can tell us to stop. If our reason to continue isn’t stronger than yours to stop, we stop.
- Withdraw consent. For the waitlist: click the one-click unsubscribe link in the footer of any email we send you (or use your mail client’s native unsubscribe button — we send the RFC 8058 List-Unsubscribe header so Gmail and Outlook show it inline). One click marks the row unsubscribed and we stop sending. You can also reply to any email or write to us directly.
If we’ve handled your data badly and haven’t fixed it on request, the UK Information Commissioner’s Office takes complaints: ico.org.uk/make-a-complaint. We’d rather hear about it first — gives us a chance to put it right — but it’s your route either way.
Retention, in dates.
- Waitlist signup
- Held until you ask for deletion. Once a year (every January) the table gets reviewed; addresses that haven’t opened anything in twelve months get pruned.
- Audit-order data
- Seven years from the order date — HMRC requires the accounting record. The next quarterly purge after the seven-year mark removes the row.
- Server / access logs
- 30 days at Vercel, then rotated out automatically.
- Email correspondence
- Kept while the working relationship is live. Archived and deleted at the annual inbox sweep otherwise.
- Cold-outbound prospect contacts
- Held for the active sequence (~14 days), plus 90 days after the last touch for follow-up context. Unsubscribed addresses go onto a permanent suppression list (we keep them precisely so we never email you again). Replies that turn into a conversation move into the email-correspondence pot above.
What happens if you don’t give it.
Waitlist: skip it. Every essay reads end-to-end without giving us anything. The form is for people who want a heads-up when a new essay drops or a slot opens.
Audit order: brand domain, your question, your email — not optional. They’re what the work depends on. Skip them and we can’t deliver, in which case the payment gets refunded.
We’ll tell you.
Material changes — new processor, new purpose, longer retention — mean a page update, a fresh last updated date at the top, and an email out to the waitlist and any open audit clients before the change kicks in. Cosmetic edits (typos, link fixes, layout) don’t earn an email.