Skip to main content
Privacy policy

What we collect, how we use it, what you control.

Last updated: May 12, 2026. Version: 2026.05.12.

This document explains what data New Matrix Capital collects from you, how we use it, who we share it with, and what rights you have. We made this readable because legal documents nobody reads protect nobody. New Matrix Capital, Inc. operates newmatrix.capital and the related platform.

1. What we collect

Bank account data (Plaid)

When you connect a business bank account, we use Plaid to read transaction history, account balances, and account metadata. Access is read-only. We never see or store your online banking password. You can revoke the connection at any time from your account settings.

Credit data (Experian, Equifax, Dun & Bradstreet)

With your written authorization, we pull business credit reports from Experian, Equifax, and Dun & Bradstreet. These reports include trade lines, public records, and credit scores associated with your business and, where applicable, the guarantor.

Business documents

You upload documents such as tax returns, bank statements, voided checks, driver licenses, and articles of incorporation. We store these so you can route them to capital partners without re-uploading every time.

User profile

Your name, email, password (hashed with bcrypt), phone number, business EIN, legal business name, industry, state of formation, and year established. If you sign in through Google, we store the Google identifier returned by the OAuth handshake.

Communication metadata

Timestamps of messages you send our team, message content, support ticket history, and notification preferences. We also log basic device and browser information for security and fraud monitoring.

2. How we use it

Match merchants to capital partners

We use your bank data, credit data, and business profile to identify which lenders and capital products you actually qualify for. We do not run scattershot applications. We route based on fit.

Train Marvin on anonymized aggregate signals

Marvin is the in-product assistant that helps you read your numbers and pick offers. We improve Marvin using aggregate signals stripped of personally identifiable information. We do not feed your raw bank statements, credit reports, or tax returns into model training.

Prevent fraud

We compare submissions across the platform to flag stacked applications, identity mismatches, and document tampering. This protects honest operators from getting priced as if they were higher risk.

Operate billing and communication

We process subscription payments, send transactional email (signup confirmations, password resets, deal status updates), and respond to your support questions. We send marketing email only if you opt in, and you can opt out from any marketing email with one click.

3. Who we share it with

Capital partners you choose to apply to

When you submit a deal to a lender or capital partner, we share only the data relevant to that specific application. You see what is going to be shared before you click submit. We do not broadcast your file to a marketplace of buyers.

Stripe

Stripe processes our subscription billing. We send Stripe your name, email, and billing details. Stripe stores card numbers on its own infrastructure. We do not store full card numbers on our servers.

Resend

Resend delivers our transactional and marketing email. Resend receives your email address and the message we send you.

Supabase

Supabase hosts our primary database and authentication. Your account data, business profile, documents, and consents are stored in Supabase under encryption at rest.

Groq and Anthropic

Marvin runs on inference from Groq and Anthropic. We strip personally identifiable information from prompts where possible and we do not send raw bank statements, credit reports, or tax returns to inference providers. We do not authorize our inference providers to retain prompts for their own model training.

Legal process

We disclose data when a subpoena, court order, or other valid legal process requires it. We tell you when we receive such a request unless the law prohibits notice.

4. Your rights

Depending on where you live, you have specific legal rights over your data. We honor those rights for every user, regardless of state of residence, when the operational cost is reasonable.

CCPA (California)

California residents have the right to know what we collect, the right to delete non-required data, the right to opt out of any sale of personal information (we do not sell your data), and the right not to face discrimination for exercising these rights.

GDPR (EU and UK residents)

If you reside in the European Union or the United Kingdom, you have the right to access, correct, delete, restrict processing of, and port your data. You also have the right to lodge a complaint with your local data protection authority.

State-specific privacy laws (NV, CO, VA, CT, UT)

Nevada, Colorado, Virginia, Connecticut, and Utah have enacted state privacy laws that grant residents rights similar to CCPA. We honor verified requests under each of these statutes. To exercise any state-specific right, email info@newmatrix.capital with the subject line "Privacy Request" and the state where you reside.

5. Data retention

Financial records: 7 years

We retain financial records, including bank transaction history, credit pulls, and funded deal documentation, for 7 years. This is the regulatory minimum for financial-services recordkeeping under federal and state rules. We cannot delete these records before the retention window expires, even on request.

Marketing data: 24 months

Marketing engagement data (email opens, click history, page visits tied to marketing campaigns) is retained for 24 months from your last interaction. After that we purge it on a rolling basis.

Everything else: deleted on request

For data not subject to a regulatory hold, we delete it on request within 30 days. That includes your business profile, your uploaded documents that are not tied to a funded transaction, your support history, and your marketing preferences.

6. Data subject requests

You can request a full export of your data at any time. Visit your account settings and use the export tool, or call the export endpoint at /api/user/export. The export is delivered as a machine-readable JSON file.

To request deletion, email info@newmatrix.capital with the subject line "Delete my data". We verify your identity, confirm which records fall under regulatory retention, and delete the rest within 30 days. We send you a written confirmation when deletion is complete.

To correct inaccurate data, use the profile editor in your settings, or email us. We respond to correction requests within 10 business days.

7. Children

New Matrix Capital is for business operators 18 and older. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account or submitted information, email info@newmatrix.capital and we will delete the account and associated data.

8. Contact

Privacy questions, data requests, and notices of suspected misuse go to info@newmatrix.capital. We respond within 5 business days.

See also our Terms of Service and our Cookie Policy.

Security note: data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted with AES-256. Bank tokens are encrypted with a service-side key that is never exposed in API responses. We are not SOC 2 certified at this time, and we do not claim to be.

We use essential cookies. No third-party ad pixels. Read policy