# Privacy Policy

Source: https://metadock.app/privacy

# Privacy Policy

Last Updated: June 27, 2026

Gammal Software, Inc. ("Company," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website metadock.app and use the MetaDock desktop application.

## Table of Contents

## 1\. Information We Collect

### Personal Information You Provide

-   **Email Address:** When you subscribe to our mailing list, contact us for support, or create an account
-   **Contact Information:** Name (optional) when provided in contact forms
-   **Payment Information:** Processed by Stripe (we only store Stripe identifiers, not your credit card details)

### Information Automatically Collected

-   **Website Analytics:** Via Microsoft Clarity (session recordings, heatmaps, click data). Clarity is loaded only after you accept analytics cookies.
-   **Application License Data:** Hashed hardware ID, license key, activation status
-   **Application Telemetry:** MetaDock periodically sends pseudonymous usage data to our servers to help us improve the product. Because this data includes your IP address and a persistent hashed hardware identifier used for de-duplication, we treat it as pseudonymous rather than anonymous. The full field list (kept in sync with the bundled EULA via `lib/legal-content.ts`):

    -   Edition (Explorer / MetaDock / MetaDock Pro / Beta) and application version
    -   Operating system version, CPU class, total system memory
    -   Aggregate feature-usage counts (e.g., profiles opened, automation scripts run) — counts only, never the contents of profiles, browsing history, scripts, or user data
    -   Application uptime and crash diagnostics
    -   IP address — used to derive country/region for aggregation only; not permanently stored linked to your license identifier

    Correlation: Hashed hardware ID (de-duplication only), never directly to email, name, or other identifying fields. You can disable telemetry in Settings > Privacy & Security > "Anonymous Usage Telemetry".

    Not collected via telemetry:

    -   Browsing history
    -   Sites visited inside MetaDock
    -   Bookmarks, passwords, or form data
    -   Wallet addresses, private keys, or cryptocurrency information
    -   Workspace configurations or browser profile data
    -   Script contents or automation payloads

What We Do NOT Collect

-   We do not collect or access your browsing history
-   We do not collect websites you visit using MetaDock
-   We do not collect bookmarks, passwords, or form data
-   We do not collect wallet addresses, private keys, or cryptocurrency information
-   Your workspace data and browser profiles remain LOCAL on your device

## 2\. How We Collect Information

-   **Directly from you:** When you create an account, subscribe to our mailing list, contact support, or make a purchase.
-   **Automatically:** Through website analytics (Microsoft Clarity), application telemetry, and standard server logs when you visit our website or use our application.
-   **From third parties:** Payment confirmation from Stripe.
-   **From your browser engine:** Microsoft WebView2 (the browser engine in MetaDock) sends standard diagnostics and telemetry to Microsoft as part of its normal operation. See Section 11 for details.

Legal Basis for Processing (GDPR)

-   **Contract performance:** Account creation, license management, subscription processing, support.
-   **Consent:** Marketing emails, analytics cookies (Microsoft Clarity).
-   **Legitimate interest:** Application telemetry for product improvement, fraud prevention, security.
-   **Legal obligation:** Tax records, compliance with applicable law.

## 3\. How We Use Your Information

To Provide Services

-   • Process subscriptions
-   • Verify licenses
-   • Provide customer support
-   • Send transactional emails

To Improve Services

-   • Analyze website usage
-   • Fix bugs and errors
-   • Develop new features
-   • Understand user behavior

To Communicate

-   • Marketing emails (opt-in only)
-   • Newsletters (if subscribed)
-   • Support responses
-   • Service updates

Legal & Security

-   • Comply with legal obligations
-   • Enforce Terms & Conditions
-   • Protect against fraud
-   • Maintain business records

## 4\. How We Share Your Information

We do not sell your personal information for money, and we do not share it with advertisers or data brokers. We share data only with the service providers listed in Section 5, and only as necessary to operate our business:

-   **Payment processing:** Stripe receives your payment details to process subscriptions.
-   **Email delivery:** Mailjet receives your email address to send transactional and marketing emails.
-   **Analytics:** Microsoft Clarity (with your consent) receives anonymized session recordings and interaction data from the metadock.app website only.
-   **Error monitoring:** Sentry (operated in the United States) receives crash and error diagnostics, including a hashed hardware identifier, to help us detect and fix defects. Retained for 90 days.
-   **Browser engine:** Microsoft receives standard WebView2 diagnostics and telemetry data sent directly by your device. We have no access to this data.
-   **Legal requirements:** We may disclose information if required by law, court order, or government request.

Note on analytics and "sharing" under CCPA/CPRA

Under the broad definitions in the California Consumer Privacy Act (CCPA/CPRA), certain analytics activities may be classified as "sharing" of personal information for cross-context behavioral advertising purposes, even when no money changes hands for your data. Out of an abundance of caution, California residents can opt out of any such "sharing" at any time by rejecting the analytics consent banner, clearing analytics cookies, or by contacting us at [legal@metadock.app](mailto:legal@metadock.app).

We do not share your information with advertisers or data brokers.

## 5\. Third-Party Service Providers

The list below is the canonical source of truth for our subprocessors. It is rendered from `lib/legal-content.ts` and is identical to the subprocessor table in our [DPA](https://metadock.app/dpa) and to `/docs/privacy-policy.txt` §5.

### Stripe, Inc.

Payments

Subscription payment processing

Location: United States & global • [Privacy Policy](https://stripe.com/privacy)

### Mailjet

Email

Transactional and marketing email (subscription receipts, license keys, optional newsletter)

Location: France / European Union • [Privacy Policy](https://www.mailjet.com/legal/privacy-policy/)

### Microsoft Clarity

Analytics (Consent Required)

Website analytics: session replays, heatmaps, click maps on metadock.app (loaded only after analytics-cookie consent)

Location: United States, with global Microsoft infrastructure • [Privacy Policy](https://privacy.microsoft.com)

### Microsoft (WebView2 runtime)

Browser Engine

Browser engine inside the MetaDock desktop application; sends standard Edge diagnostics directly to Microsoft

Location: Global Microsoft infrastructure • [Privacy Policy](https://privacy.microsoft.com)

### Sentry (Functional Software, Inc.)

Error Monitoring

Application crash and error diagnostics (stack traces, application version, OS, hashed hardware ID); retained ~90 days

Location: United States • [Privacy Policy](https://sentry.io/privacy/)

## 6\. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to improve your browsing experience and analyze website traffic.

### Essential Cookies

Required for the website to function properly. These cannot be disabled.

-   • Session management
-   • Security and authentication
-   • Cookie consent preferences

### Analytics Cookies (Optional - Requires Consent)

Help us understand how visitors use our website. Loaded only after you accept analytics cookies via our consent banner.

-   **Microsoft Clarity:** Session recordings, heatmaps, click patterns, scroll depth, and interaction data. Helps us understand how visitors navigate the site. Does not collect passwords or payment information.

You can accept or reject analytics cookies via the consent banner shown on your first visit. Your choice is stored in the `analytics-consent` cookie for 1 year.

Managing Cookies

You can control cookies through our cookie consent banner or your browser settings:

-   • Accept or reject analytics cookies via our consent banner
-   • Clear cookies through your browser settings
-   • Block cookies entirely (may affect website functionality)

Browser Cookie Controls:

-   • Chrome: Settings → Privacy and security → Cookies
-   • Firefox: Settings → Privacy & Security → Cookies
-   • Safari: Preferences → Privacy → Cookies
-   • Edge: Settings → Cookies and site permissions

## 7\. Data Retention

Active Accounts

We retain your information while your account or subscription is active

Inactive Accounts

Retained for 7 years after closure for tax and legal compliance, then deleted

Mailing List

Until you unsubscribe (removed within 10 business days, per CASL)

Support Communications

Retained for 3 years, then deleted

## 8\. Data Security

We implement reasonable technical and organizational measures to protect your personal information:

-   **Encryption:** All website traffic is encrypted via TLS/HTTPS. Payment processing is handled by Stripe (PCI-DSS Level 1 certified).
-   **Password security:** Account passwords and API keys are securely hashed and never stored in plain text.
-   **Access control:** API access is authenticated via bearer tokens with rate limiting and IP-based lockout after failed attempts.
-   **Local data:** Your workspaces, browser profiles, bookmarks, and browsing data are stored locally on your computer and are not transmitted to our servers.
-   **Infrastructure:** Our web infrastructure runs on hardened Linux servers operated by Gammal Software, Inc. in Canadian data centres.

No method of transmission or storage is completely secure. If we become aware of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities as required by law. Where GDPR Article 33 applies, we notify the competent supervisory authority within 72 hours of becoming aware of a breach; under PIPEDA, we report breaches that pose a real risk of significant harm to the Office of the Privacy Commissioner of Canada and to affected individuals as soon as feasible.

## 9\. Your Privacy Rights

Access

Request a copy of your personal information

Correction

Request correction of inaccurate data

Deletion

Request deletion of your data (subject to legal exceptions)

Opt-Out

Unsubscribe from marketing emails anytime

Object

Object to certain uses of your information

Portability

Get your data in a portable format

Restrict Processing

Request we limit how we use your data (GDPR Article 18)

To exercise any of these rights, contact:

[privacy@metadock.app](mailto:privacy@metadock.app)

We respond within 30 days

## 10\. Age Restriction & Children's Privacy

18+ Requirement

MetaDock is **intended for users 18 years of age or older**. By using MetaDock, you represent that you are at least 18 years old. If you are under 18, you may not use MetaDock.

### Children's Privacy

MetaDock is designed for adults and business use. We do not knowingly collect personal information from children.

-   **• No Collection from Minors:** We do not knowingly collect personal information from anyone under 18 years of age
-   **• No Marketing to Minors:** Our marketing materials and services are directed at adults
-   **• Age Requirement:** Users must be 18+ to use our services

### Parental Notice

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at:

[privacy@metadock.app](mailto:privacy@metadock.app)

We will promptly investigate and delete any personal information belonging to users under the age of 18 from our systems.

## 11\. Microsoft WebView2 Privacy Disclosure

Important Third-Party Disclosure

MetaDock uses Microsoft Edge WebView2 as its browser engine. WebView2 may send diagnostic and performance data to Microsoft, including crash reports, performance metrics, and feature usage statistics.

**Important:** Gammal Software, Inc. does NOT receive, access, or control the diagnostic data that WebView2 sends to Microsoft. This data is sent directly from your device to Microsoft's servers.

Microsoft's data collection is governed by [Microsoft's Privacy Policy](https://privacy.microsoft.com). You may have some control through Windows privacy settings.

## 12\. Contact Us

Person in charge of personal information protection (Quebec Law 25 / Privacy Officer)

Gammal Software, Inc. has designated a Privacy Officer responsible for compliance with applicable privacy laws — including Quebec's _Act respecting the protection of personal information in the private sector_(as amended by Law 25), Canada's PIPEDA, the EU GDPR, and the California CCPA/CPRA. The Privacy Officer is the point of contact for any question, complaint, or request to exercise your rights.

**Daniel Gammal**, Privacy Officer

Email: [privacy@metadock.app](mailto:privacy@metadock.app)

Mail: Daniel Gammal (Privacy Officer), Gammal Software, Inc., 303D-2967 Dundas Street West, Toronto, Ontario M6P 1Z2, Canada

Privacy Inquiries

privacy@metadock.app

General Support

support@metadock.app

Mailing Address & Telephone

Gammal Software, Inc.
303D-2967 Dundas Street West
Toronto, Ontario M6P 1Z2
Canada
Telephone: [+1 (647) 547-6803](tel:+16475476803)

## 13\. Privacy Rights for Specific Jurisdictions

### Canada (PIPEDA)

If you are a Canadian resident, you have specific rights under PIPEDA including:

-   • Right to access your personal information
-   • Right to correction of inaccurate data
-   • Right to withdraw consent
-   • Right to file a complaint with the Office of the Privacy Commissioner of Canada

Contact: [www.priv.gc.ca](https://www.priv.gc.ca) • Phone: 1-800-282-1376

### Quebec (Law 25 / Act respecting the protection of personal information in the private sector)

**Quebec availability.** MetaDock is not currently offered for sale to Quebec residents while we finalize French-language agreements and a Law 25 cross-border transfer assessment. The provisions in this section describe the protections we are putting in place and intend to honour; they reflect our intended compliance posture rather than a representation that every Law 25 obligation is fully operational today.

If you reside in Quebec, you have additional rights under Quebec's _Act respecting the protection of personal information in the private sector_, as amended by Law 25 (formerly Bill 64), in addition to your federal PIPEDA rights:

-   • Right to be informed, in clear and simple terms, of what personal information is collected and why
-   • Right to access, correct, and request deletion of your personal information
-   • Right to data portability — receive your personal information in a structured, commonly-used technological format
-   • Right to withdraw consent at any time
-   • Right to be informed of, and to object to, decisions based exclusively on automated processing
-   • Right to be informed of any cross-border transfer of your personal information and the associated risks (see below)
-   • Right to file a complaint with the _Commission d'accès à l'information du Québec_ (CAI)

Cross-border transfers

Some of our service providers store or process personal information outside Quebec — primarily in the United States and the European Union. Before transferring personal information outside Quebec, we assess whether the receiving jurisdiction provides protection equivalent to that offered under Quebec law, and we rely on contractual safeguards (Standard Contractual Clauses or equivalent) where necessary. The third-party processors involved are listed in Section 5 above.

**Risks associated with US-routed transfers.** Personal information processed in the United States (Stripe, Microsoft Clarity, Microsoft for WebView2 diagnostics) may be subject to access by US government authorities under US law, including the _Clarifying Lawful Overseas Use of Data Act_ (CLOUD Act) and _Section 702 of the Foreign Intelligence Surveillance Act_ (FISA 702). These laws can compel a US-based service provider to disclose data without notice to the data subject, regardless of where the data is physically stored. Mailjet (France/EU) is not subject to those US laws but may receive requests under EU member-state laws or mutual legal assistance treaties. We disclose this so you can make an informed decision; if these risks are unacceptable for your use case, please do not provide personal information to us.

Automated decision-making

We do not currently use automated decision-making (including profiling that produces legal or significant effects) on personal information of Quebec residents. If that changes, we will update this Privacy Policy and notify affected users.

Person in charge of personal information protection

Our Privacy Officer is responsible for ensuring compliance with Quebec Law 25 and is your point of contact for any privacy-related question, complaint, or request. See Section 12 for contact details.

Commission d'accès à l'information: [www.cai.gouv.qc.ca](https://www.cai.gouv.qc.ca)

### European Union (GDPR)

If you are in the EEA, UK, or Switzerland, you have specific GDPR rights including:

-   • Right of access and rectification
-   • Right to erasure (“right to be forgotten”)
-   • Right to data portability
-   • Right to object to processing
-   • Right to lodge a complaint with a supervisory authority

Transfers outside the EEA

Personal information processed by our US-based providers (Stripe, Microsoft Clarity, Microsoft for WebView2 diagnostics) is transferred to the United States. The US is not the subject of a current EU adequacy decision; we rely on Standard Contractual Clauses with those providers as the transfer mechanism (GDPR Art. 46(2)(c)). Per the _Schrems II_ judgment (CJEU C-311/18), US surveillance laws including the _CLOUD Act_ and _FISA Section 702_ may compel disclosure of data without notice to the data subject, regardless of where the data is physically stored. Mailjet (France) processes email in the EU and is not subject to those US laws. We surface this risk so you can decide whether to provide personal information to us; you may also exercise the rights above to limit or terminate that processing.

For material changes to this policy, we will request your explicit consent.

### California (CCPA/CPRA)

If you are a California resident, you have specific CCPA/CPRA rights including:

-   • Right to know what personal information we collect
-   • Right to delete your personal information
-   • Right to correct inaccurate information
-   • Right to opt-out of sale and "sharing" (see note below)
-   • Right to limit use of sensitive personal information
-   • Right to non-discrimination for exercising your rights

We do NOT sell your personal information to third parties for money.

"Sale" and "sharing" are defined broadly under the CCPA/CPRA. Some analytics activities we perform may fall within those definitions (see Section 4). You can opt out at any time by rejecting our analytics consent banner, clearing cookies, or emailing [legal@metadock.app](mailto:legal@metadock.app). We do not transfer your identity to advertisers or data brokers.

ACKNOWLEDGMENT

BY USING OUR WEBSITE OR APPLICATION, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY. WHERE THE LAW REQUIRES CONSENT — FOR EXAMPLE, ANALYTICS COOKIES OR MARKETING EMAILS — WE OBTAIN IT SEPARATELY THROUGH A CLEAR OPT-IN, NOT THROUGH YOUR USE OF THE SITE ALONE.

Copyright © 2026 Gammal Software, Inc. All rights reserved.

[Download full text version](https://metadock.app/docs/privacy-policy.txt)
