MelMat™ is a B2B SaaS research intelligence platform operated by Via Logixs LLC, a Florida limited liability company doing business as MelMat™. We are based in Tampa, Florida.
In processing Customer Data on your behalf, MelMat acts as a "service provider" or "data processor" as those terms are defined under applicable U.S. state privacy laws. You, as the subscribing entity, are the "controller" or "business" with respect to Customer Data.
The Platform is intended only for users who are at least eighteen (18) years of age. We do not knowingly collect data from anyone under 18. If we learn that an account has been created by a person under 18, we will terminate the account and delete the associated data. By using MelMat, you represent and warrant that you are 18 or older.
- Email address (used for magic link authentication and communication)
- Name and organization (provided during onboarding)
- Subscription tier and billing information (processed by Stripe — MelMat does not store payment card data)
- Research queries submitted to the platform
- Focus area selections, query timestamps, and session tokens
- Number of queries used and remaining cap
- AI Output results returned to your session
- M² Chat and Dig Deeper conversation messages (stored solely to provide your chat history; never used for AI model training — see Section 4)
- IP address and device fingerprint at time of TOS acceptance
- Aggregated, anonymized platform usage metrics (e.g., query volume, feature usage patterns)
- Error logs and system performance data
This Privacy Policy applies equally to the MelMat web platform and the MelMat mobile application for iOS and Android. When you use the mobile app, the following additional handling applies:
- Your authentication session token is stored locally in your device's secure storage (Apple Keychain on iOS, Android Keystore on Android) so that you remain signed in. This token does not leave your device except when transmitted over an encrypted connection to authenticate your requests, and it is cleared from your device when you sign out.
- The mobile app does not access your contacts, photos, location, microphone, or camera.
- We do not use advertising identifiers (such as Apple's IDFA) and we do not track you across other companies' apps or websites.
- To authenticate your identity and manage your session via magic link login
- To process and return AI research synthesis in response to your queries
- To deliver M² Chat and Dig Deeper conversational responses, and to store your chat history for retrieval inside your account
- To track query usage against your subscription cap and enforce tier limits
- To send transactional emails (welcome emails, magic links, cap warnings, brief delivery)
- To maintain legally required records of TOS acceptance as described in our Terms of Service, Section 2.2
- To manage billing and subscription lifecycle in coordination with Stripe
- To maintain platform security and prevent abuse
- To improve platform performance using aggregated, de-identified Derived Data only
- To access, review, and process queries and AI Outputs on a need-to-know basis for service operations, support, troubleshooting, and quality control, subject to the confidentiality obligations described in this Policy and our Terms of Service (this does not permit use of Customer Data for model training, which is governed solely by Section 4)
We do not use Customer Data for marketing profiling, behavioral advertising, or sale to third parties.
MelMat may use de-identified, anonymized synthesis outputs from completed research briefs — stripped of all query content, uploaded documents, identifiers, and personally identifiable information — to train and improve MelMat's proprietary synthesis engine. This permitted use applies only to research brief outputs. It does not apply to your queries, your source documents, or any chat content.
Your M² Chat conversations and Dig Deeper conversations are never used to train any machine learning model, large language model, or AI system, by us or by any third-party provider. Chat content is processed solely to generate your responses and is stored solely to provide your chat history feature. Chat content is deleted upon your deletion of the chat or upon account termination.
To deliver multi-engine synthesis, MelMat routes your queries to multiple third-party AI providers, which may include Anthropic, OpenAI, Google (via Vertex AI), Perplexity, Mistral, Fireworks AI, Together.ai, and xAI. None of these providers use Customer Data to train their AI models on the API tiers used by MelMat. Each provider may briefly retain inputs and outputs (typically up to thirty (30) days) for abuse monitoring under their own service terms.
Aggregated, de-identified Derived Data — such as anonymized query volume statistics, latency metrics, and feature-usage counts — is not subject to the restrictions above and may be used for platform improvement and operational reporting purposes only. Derived Data does not include your query content, brief content, or chat content.
MelMat does not sell your data. We share Customer Data only with the following categories of sub-processors, strictly for the purpose of delivering the platform:
- Anthropic, OpenAI, Google (Vertex AI), Perplexity, Mistral, Fireworks AI, Together.ai, xAI — AI model providers that process your queries to generate research outputs and chat responses. Queries are transmitted over encrypted connections and are subject to each provider's data processing terms. None of these providers use your data to train their models on the API tiers used by MelMat.
- Airtable — Database platform used to store client records, session data, and query metadata.
- Stripe — Payment processor. MelMat does not store or access payment card data. Stripe's privacy policy governs payment data.
- Resend — Transactional email provider used to deliver magic links, welcome emails, and research briefs.
- Amazon Web Services (AWS) — Cloud infrastructure provider hosting the platform on EC2 in the US-East region.
- Amplitude, Google Analytics — Product and web analytics providers used to measure aggregated, de-identified feature usage and performance. These providers do not receive your query content, brief content, or chat content.
Enterprise customers may request a full sub-processor list by contacting [email protected].
MelMat maintains a written Information Security Program that includes, at minimum:
- Encryption of Customer Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Access controls limiting Customer Data access to authorized personnel on a need-to-know basis
- Magic link authentication — no passwords are stored or transmitted
- Logging and audit trails for platform access and AI Output generation
- Annual security review and, upon request, SOC 2 Type II report or equivalent security documentation
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact [email protected] immediately.
Customer Data is retained for the duration of your active Subscription. Upon account termination or your written request, MelMat will delete or return Customer Data within thirty (30) days, except as required to be retained by law or for pending legal proceedings.
M² Chat and Dig Deeper conversations are stored solely to provide your chat history feature. You may delete an individual chat at any time using the delete control inside the platform. Deleted chats are removed from active storage immediately and purged from backups within thirty (30) days. All remaining chat content is deleted within thirty (30) days of account termination.
TOS acceptance records are retained for a minimum of seven (7) years as required under the E-SIGN Act and applicable law.
Derived Data (aggregated, anonymized operational metrics) may be retained indefinitely in de-identified form.
To request deletion of your data, email [email protected] with the subject line "DATA DELETION REQUEST."
Users shall not submit to the Platform any of the following without explicit written authorization from MelMat:
- Protected Health Information (PHI) as defined under HIPAA (45 C.F.R. § 160.103) without an executed Business Associate Agreement
- Payment card data subject to PCI-DSS
- Social Security Numbers, government-issued identification numbers, or financial account credentials
- Biometric data as defined under CCPA/CPRA or applicable state law
- Children's data subject to COPPA or any data relating to individuals under age 18 (the platform is restricted to users 18 or older — see Section 1.1)
Submission of prohibited data in violation of this section may result in immediate account suspension and termination.
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Right to Access — Request a copy of the personal data we hold about you
- Right to Correction — Request correction of inaccurate personal data
- Right to Deletion — Request deletion of your personal data, subject to legal retention obligations
- Right to Portability — Request your data in a structured, machine-readable format
- Right to Opt-Out — Opt out of any sale or sharing of personal data (MelMat does not sell personal data)
- Right to Non-Discrimination — Exercise your privacy rights without receiving discriminatory treatment
To exercise any of these rights, contact [email protected]. We will respond within the timeframe required by applicable law (generally 30–45 days).
MelMat acts as a service provider or data processor under the following state privacy frameworks and processes Customer Data only as directed by User:
- California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Cal. Civ. Code § 1798.100 et seq.
- Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-575 et seq.
- Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq.
- Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code § 541.001 et seq.
- Florida Information Protection Act (FIPA), § 501.171, Fla. Stat.
Users who are themselves "controllers" or "businesses" under these laws bear primary responsibility for ensuring that their collection and submission of data to the Platform complies with applicable privacy law.
For enterprise customers and any User who submits personal data of third parties to the Platform, MelMat will make available a standard Data Processing Agreement (DPA) upon written request. The DPA addresses: data subject rights, sub-processor disclosure, international data transfers, security obligations, breach notification, and data deletion.
Users subject to GDPR obligations due to serving EU-based clients should request the DPA addendum containing Standard Contractual Clauses (SCCs).
To request a DPA, email [email protected] with the subject line "DPA REQUEST."
In the event of a data security breach affecting Customer Data, MelMat will provide notification consistent with applicable state breach notification laws, including Florida's 30-day notification requirement under FIPA (§ 501.171(3), Fla. Stat.) and other applicable state statutes.
Notifications will be sent to the email address on file for your account. Enterprise customers with a DPA in place will receive notification per the terms of that agreement.
| Privacy Requests | [email protected] |
| Data Deletion Requests | Email [email protected] — subject: "DATA DELETION REQUEST" |
| DPA Requests | Email [email protected] — subject: "DPA REQUEST" |
| Legal / Compliance | [email protected] |
| General Support | [email protected] |
| Mailing Address | Tampa, Florida |
The Platform is not HIPAA-compliant. Company has not executed Business Associate Agreements (BAAs) with the third-party AI providers that process queries (which may include Anthropic, OpenAI, Google, Perplexity, Mistral, Fireworks AI, Together.ai, and xAI). The Platform is not designed for, configured for, or eligible for use as a HIPAA-covered platform. The Platform's data processing routes queries through multiple third-party AI providers operating in non-HIPAA-compliant infrastructure, with retention practices governed by each provider's service terms rather than HIPAA's privacy and security rules. Users in HIPAA-regulated roles (covered entities, business associates, and their workforce members) must not submit Protected Health Information (PHI) to the Platform under any circumstance.
For purposes of this Privacy Policy and Section 11 of the AUP, Protected Health Information (PHI) means individually identifiable health information as defined under 45 C.F.R. § 160.103, including any information that: (a) relates to the past, present, or future physical or mental health or condition of an individual; (b) relates to the provision of healthcare to an individual; or (c) relates to the past, present, or future payment for healthcare. PHI includes the eighteen identifier categories enumerated in 45 C.F.R. § 164.514(b)(2)(i): names; geographic subdivisions smaller than a state; dates (other than year) directly related to an individual, including birth date, admission date, discharge date, and date of death; ages over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers; device identifiers; web URLs; IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic, or code.
Submission of any of the foregoing — alone or in combination — constitutes a prohibited submission under Section 8 of this Privacy Policy and Section 11 of the AUP.
Selection of the Clinical Research Focus does not change the data-handling practices that apply to your query. Clinical queries are routed to the same third-party AI providers, retained under the same retention practices, processed with the same security controls, and stored with the same architecture as queries in any other focus mode. Selecting "Clinical Research" does not invoke any enhanced privacy protection, additional encryption, restricted routing, HIPAA-compliant processing pathway, or special data-handling regime. If you require HIPAA-compliant processing for a query, the Platform is not the appropriate tool and you must use a HIPAA-compliant service instead.
Clinical queries are processed by the same third-party AI providers identified in Section 5 of this Privacy Policy and disclosed in the First-Login Acceptance Screen. Each such provider operates under its own service terms, retention practices, and abuse-monitoring practices. None of these providers use Platform queries to train their AI models, but providers may briefly retain inputs and outputs (typically up to 30 days) for abuse monitoring under their own terms. None of these providers has executed a Business Associate Agreement with Company. None of these providers is HIPAA-compliant for purposes of receiving PHI. By submitting a clinical query, you acknowledge and accept that your query will be transmitted to, processed by, and briefly retained by these third-party providers.
You bear sole responsibility for ensuring that every clinical query submitted to the Platform is de-identified to the safe-harbor standard under 45 C.F.R. § 164.514(b)(2), or, where applicable, has been subject to expert determination under 45 C.F.R. § 164.514(b)(1). Company does not screen, de-identify, anonymize, or otherwise modify your submissions. Your submission of identifiable content — whether intentional, accidental, or arising from inadequate de-identification — is your responsibility and may constitute a privacy breach under the laws governing your practice, including HIPAA's Breach Notification Rule (45 C.F.R. §§ 164.400–414) where applicable.
For users subject to the EU General Data Protection Regulation, UK GDPR, or any other data-protection regime that designates "special categories of personal data" (including health data, mental-health data, or data concerning the health of an identifiable person), the Platform is not configured for processing of such special-category data. You must not submit special-category data to the Platform. Where applicable law requires explicit consent, a documented lawful basis, or specific safeguards for special-category data processing, the Platform's data-processing practices do not satisfy those requirements.
If you have submitted, or become aware that you may have submitted, PHI or other prohibited clinical content to the Platform in violation of Section 8 of this Privacy Policy and Section 11 of the AUP, you must notify Company immediately at [email protected] with the subject line "CLINICAL CONTENT INCIDENT." Upon receipt of such notice, Company will: (a) attempt, on a reasonable-efforts basis, to identify and purge the submission from Company's systems; (b) coordinate with relevant third-party AI providers regarding their retention of the submission, recognizing that Company cannot guarantee deletion from third-party systems; (c) provide you with available logs and records to assist with any breach-notification obligation you may have under HIPAA's Breach Notification Rule, state privacy law, or your licensing body's rules; and (d) cooperate with your independent counsel as reasonably required. Such cooperation does not constitute admission by Company that any breach has occurred and does not modify the allocation of responsibility set forth in the Terms of Service or the AUP.
If your clinical practice triggers a mandatory reporting obligation (including reports of suspected child abuse, elder abuse, dependent-adult abuse, or threats to identifiable third parties), the Platform is not the appropriate venue for compiling, storing, or generating the content of such a report. Submission of mandatory-reporting content to the Platform may result in the content being transmitted to and briefly retained by third-party AI providers in non-confidential, non-privileged form, with attendant exposure to subpoena, discovery, and other legal process. Use a confidential and appropriate-purpose system for mandatory-reporting workflows.
Company may, at its sole discretion and without obligation, develop in the future a HIPAA-compliant tier of the Platform that would involve executed Business Associate Agreements with appropriate third-party providers, audited data-handling practices, and additional safeguards. References to such future capabilities, whether in marketing materials, sales conversations, or otherwise, do not modify the current scope of this Privacy Policy, do not create any present right to submit PHI to the Platform, and do not constitute a representation or warranty that such future capabilities will be developed, released, or made available on any specific timeline.
This Privacy Policy is effective as of June 5, 2026 and applies to all users of the MelMat™ platform.
Tampa, Florida
June 5, 2026