MelMat™ is a B2B SaaS research intelligence platform operated by Vanja Todorovic LLC, a Florida limited liability company (EIN 41-2580551), doing business as MelMat, trademark serial no. 99725992. Our registered address is 1201 Ballard Green Place, Brandon FL 33511.
In processing Customer Data on your behalf, MelMat acts as a "service provider" or "data processor" as those terms are defined under applicable U.S. state privacy laws. You, as the subscribing entity, are the "controller" or "business" with respect to Customer Data.
- Email address (used for magic link authentication and communication)
- Name and organization (provided during onboarding)
- Subscription tier and billing information (processed by Stripe — MelMat does not store payment card data)
- Research queries submitted to the platform
- Focus area selections, query timestamps, and session tokens
- Number of queries used and remaining cap
- AI Output results returned to your session
- IP address and device fingerprint at time of TOS acceptance
- Aggregated, anonymized platform usage metrics (e.g., query volume, feature usage patterns)
- Error logs and system performance data
- To authenticate your identity and manage your session via magic link login
- To process and return AI research synthesis in response to your queries
- To track query usage against your subscription cap and enforce tier limits
- To send transactional emails (welcome emails, magic links, cap warnings, brief delivery)
- To maintain legally required records of TOS acceptance as described in our Terms of Service, Section 2.2
- To manage billing and subscription lifecycle in coordination with Stripe
- To maintain platform security and prevent abuse
- To improve platform performance using aggregated, de-identified Derived Data only
We do not use Customer Data for marketing profiling, behavioral advertising, or sale to third parties.
MelMat does not sell your data. We share Customer Data only with the following categories of sub-processors, strictly for the purpose of delivering the platform:
- Anthropic, OpenAI, Google — AI model providers that process your queries to generate research outputs. Queries are transmitted over encrypted connections and are subject to each provider's data processing terms.
- Airtable — Database platform used to store client records, session data, and query metadata.
- Stripe — Payment processor. MelMat does not store or access payment card data. Stripe's privacy policy governs payment data.
- Resend — Transactional email provider used to deliver magic links, welcome emails, and research briefs.
- Brave Search — Web search provider used to enrich research queries with live web context.
- Amazon Web Services (AWS) — Cloud infrastructure provider hosting the platform on EC2 in the US-East region.
Enterprise customers may request a full sub-processor list by contacting [email protected].
MelMat maintains a written Information Security Program that includes, at minimum:
- Encryption of Customer Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Access controls limiting Customer Data access to authorized personnel on a need-to-know basis
- Magic link authentication — no passwords are stored or transmitted
- Logging and audit trails for platform access and AI Output generation
- Annual security review and, upon request, SOC 2 Type II report or equivalent security documentation
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact [email protected] immediately.
Customer Data is retained for the duration of your active Subscription. Upon account termination or your written request, MelMat will delete or return Customer Data within thirty (30) days, except as required to be retained by law or for pending legal proceedings.
TOS acceptance records are retained for a minimum of seven (7) years as required under the E-SIGN Act and applicable law.
Derived Data (aggregated, anonymized operational metrics) may be retained indefinitely in de-identified form.
To request deletion of your data, email [email protected] with the subject line "DATA DELETION REQUEST."
Users shall not submit to the Platform any of the following without explicit written authorization from MelMat:
- Protected Health Information (PHI) as defined under HIPAA (45 C.F.R. § 160.103) without an executed Business Associate Agreement
- Payment card data subject to PCI-DSS
- Social Security Numbers, government-issued identification numbers, or financial account credentials
- Biometric data as defined under CCPA/CPRA or applicable state law
- Children's data subject to COPPA or any data relating to individuals under age 18
Submission of prohibited data in violation of this section may result in immediate account suspension and termination.
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Right to Access — Request a copy of the personal data we hold about you
- Right to Correction — Request correction of inaccurate personal data
- Right to Deletion — Request deletion of your personal data, subject to legal retention obligations
- Right to Portability — Request your data in a structured, machine-readable format
- Right to Opt-Out — Opt out of any sale or sharing of personal data (MelMat does not sell personal data)
- Right to Non-Discrimination — Exercise your privacy rights without receiving discriminatory treatment
To exercise any of these rights, contact [email protected]. We will respond within the timeframe required by applicable law (generally 30–45 days).
MelMat acts as a service provider or data processor under the following state privacy frameworks and processes Customer Data only as directed by User:
- California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Cal. Civ. Code § 1798.100 et seq.
- Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-575 et seq.
- Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq.
- Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code § 541.001 et seq.
- Florida Information Protection Act (FIPA), § 501.171, Fla. Stat.
Users who are themselves "controllers" or "businesses" under these laws bear primary responsibility for ensuring that their collection and submission of data to the Platform complies with applicable privacy law.
For enterprise customers and any User who submits personal data of third parties to the Platform, MelMat will make available a standard Data Processing Agreement (DPA) upon written request. The DPA addresses: data subject rights, sub-processor disclosure, international data transfers, security obligations, breach notification, and data deletion.
Users subject to GDPR obligations due to serving EU-based clients should request the DPA addendum containing Standard Contractual Clauses (SCCs).
To request a DPA, email [email protected] with the subject line "DPA REQUEST."
In the event of a data security breach affecting Customer Data, MelMat will provide notification consistent with applicable state breach notification laws, including Florida's 30-day notification requirement under FIPA (§ 501.171(3), Fla. Stat.) and other applicable state statutes.
Notifications will be sent to the email address on file for your account. Enterprise customers with a DPA in place will receive notification per the terms of that agreement.
| Purpose | Contact |
| --- | --- |
| Privacy Requests | [email protected] |
| Data Deletion Requests | Email [email protected] — subject: "DATA DELETION REQUEST" |
| DPA Requests | Email [email protected] — subject: "DPA REQUEST" |
| Legal / Compliance | [email protected] |
| General Support | [email protected] |
| Mailing Address | 1201 Ballard Green Place, Brandon FL 33511 |
This Privacy Policy is effective as of March 26, 2026 and applies to all users of the MelMat™ platform.
Brandon, Florida
March 26, 2026