Privacy Policy
1. Scope
This policy covers mantaos.ai, the onboarding conversation, and the MantaOS service. It is written to meet the EU/UK GDPR because many of our customers are in Europe.
2. What we collect, and why
- Email address — when you request access. Purpose: create and verify your account, send you the sign-in link. Legal basis: taking steps toward a contract (Art 6(1)(b)).
- Onboarding conversation — what you tell our discovery chat about you and your business, and the profile derived from it. Purpose: qualify fit and build your MantaOS setup. Legal basis: Art 6(1)(b).
- Service data — the content, knowledge base, and agent activity inside your MantaOS tenant while you are a customer. Purpose: operating the service you bought. Legal basis: Art 6(1)(b).
- Billing data — handled by Stripe; we never see or store your card number. Legal basis: contract + legal obligations (Art 6(1)(b), (c)).
- Technical logs (IP address, timestamps, delivery events) — abuse prevention and rate limiting. Legal basis: legitimate interest (Art 6(1)(f)).
- Follow-up emails about an onboarding you started (e.g. a link reminder). Legal basis: legitimate interest; every email lets you object/stop.
3. What we don't do
No advertising, no sale of personal data, no tracking cookies, no third-party analytics on mantaos.ai. The only cookie is a functional, HttpOnly session cookie that keeps you signed in.
4. AI processing
Your onboarding conversation and your agents' work are processed by AI-model providers (currently Anthropic and OpenAI) under agreements that prohibit using your data to train their models. Your data is sent to them only to generate the responses and work you asked for.
5. Processors we use
Anthropic, OpenAI (AI models, US); Cloudflare (hosting/CDN/database, US/EU); Hetzner (servers, Germany/EU); Stripe (payments, US/EU); Resend (email delivery, US); Telegram (chat delivery, when you use a Telegram-connected agent). Each processes your data only on our instructions under their data-processing terms.
6. International transfers
We are a US company and some processors are US-based. Where personal data of EU residents is transferred outside the EEA, we rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses as implemented by each processor.
7. Retention
Lead data (email, onboarding chat) — kept while your sign-up is active and archived when clearly stale; deleted on request at any time. Customer tenant data — kept while you subscribe, exportable for 30 days after the subscription ends, then deleted. Billing records — kept as long as tax law requires. Technical logs — short-lived, rotation-based.
8. Your rights (GDPR)
Access, rectification, erasure, restriction, portability, and objection — write to [email protected] and we respond within one month. You can also complain to your local supervisory authority (in Denmark: Datatilsynet). Unsubscribing from any email: reply "stop" or use the link in it.
9. Security
Encrypted transport everywhere; secrets in encrypted vaults; per-customer isolated tenants; access limited to what operating your service requires.
10. Changes
Material changes come with email notice; the current version always lives at mantaos.ai/privacy.
Manta