Privacy Policy

Introduction

Welcome to Mangga.app, a business directory platform with AI-powered image generation and subscription services. We respect your privacy and are committed to protecting your personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), EU General Data Protection Regulation (GDPR), and other relevant privacy legislation.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and related services (collectively, the "Services"). It also describes your rights regarding your personal data and how you can exercise them.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access or use Mangga.app. By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

Data Controller Information

For the purposes of applicable data protection laws, the data controller of your personal data is:

Legal Basis for Processing

Under the UK GDPR and EU GDPR, we must have a lawful basis for processing your personal data. The legal bases we rely on include:

• Consent (Article 6(1)(a)): For optional services like WhatsApp verification, marketing communications, and certain analytics
• Contract Performance (Article 6(1)(b)): To provide our Services, process payments, and fulfill our contractual obligations
• Legitimate Interests (Article 6(1)(f)): For fraud prevention, security monitoring, service improvement, and business analytics
• Legal Obligation (Article 6(1)(c)): To comply with legal requirements such as tax obligations and regulatory compliance
• Vital Interests (Article 6(1)(d)): In rare cases where processing is necessary to protect someone's life

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms.

Information We Collect

We collect different types of personal data depending on how you interact with our Services. The categories of personal data we collect include:

Account and Profile Information

• Registration Data: Email address, password (encrypted), date of birth, user type (client/business)
• Business Profile Data: Business name, description, website, address, city, country, categories, subcategories
• Contact Information: Phone number (optional), social media links (optional, displayed only for Gold/Diamond tier users)
• Verification Data: Phone verification status, identity verification status, verification timestamps
• Subscription Data: Subscription tier, billing information, payment history, subscription status

AI Image Generation Data

• Image Prompts and Keywords: Text prompts, selected keywords, and generation parameters you provide
• Generated Images: AI-generated images created through our Leonardo.ai integration
• Generation Metadata: Timestamps, AI model used, generation settings, success/failure status
• Usage Tracking: Number of generation attempts used per subscription period, story creation data
• Content Data: Business stories, descriptions, discount information, and promotional content

Technical and Usage Data

• Device Information: IP address, browser type, operating system, device identifiers
• Usage Analytics: Pages visited, features used, time spent, click patterns, search queries
• Performance Data: Load times, error logs, system performance metrics
• Security Data: Login attempts, security events, fraud prevention data

Communication and Support Data

• Support Communications: Support tickets, chat logs, email correspondence
• Booking Data: Booking enquiries, service requests, communication between users and businesses
• Feedback Data: Reviews, ratings, survey responses, user feedback

Payment and Financial Data

• Payment Information: Processed securely by Stripe (we do not store card details)
• Billing Data: Subscription history, payment status, invoices, refund records
• Identity Verification: $6 payment verification for enhanced trust (optional)

Location and Geographic Data

• Business Location: City, country, and general area for business listings
• General Location: Approximate location based on IP address for analytics and service provision
• No Precise Tracking: We do not collect precise geolocation data unless explicitly authorized

How We Use Your Information

We process your personal data for specific purposes based on the legal bases described above. The table below outlines our main processing activities:

Service Provision and Contract Performance

Legal Basis: Contract Performance (Article 6(1)(b))

• Account Management: Create and maintain user accounts, authenticate users, manage subscriptions
• Business Directory Services: Display business profiles, facilitate customer-business connections
• AI Image Generation: Process prompts, generate images via Leonardo.ai, manage generation limits
• Payment Processing: Process subscription payments, manage billing, handle refunds via Stripe
• Customer Support: Respond to inquiries, resolve technical issues, provide assistance
• Service Delivery: Provide core platform functionality, story creation, booking facilitation

Security and Fraud Prevention

Legal Basis: Legitimate Interests (Article 6(1)(f))

• Account Security: Monitor for suspicious activity, prevent unauthorized access
• Fraud Detection: Identify and prevent fraudulent accounts, payments, and activities
• Platform Safety: Detect abuse, spam, and violations of our terms of service
• Data Protection: Implement security measures, backup systems, incident response

Optional Services with Consent

Legal Basis: Consent (Article 6(1)(a))

• Phone Verification: WhatsApp or SMS verification for enhanced account security (optional)
• Identity Verification: $6 payment verification for business trust enhancement (optional)
• Marketing Communications: Send promotional emails, feature updates, service announcements (opt-in)
• Enhanced Analytics: Detailed usage analytics for service improvement (where consent required)

Legal Compliance and Obligations

Legal Basis: Legal Obligation (Article 6(1)(c))

• Regulatory Compliance: Comply with data protection laws, consumer protection regulations
• Financial Compliance: Tax reporting, anti-money laundering, payment regulations
• Legal Requests: Respond to lawful requests from authorities, court orders
• Record Keeping: Maintain records as required by applicable laws

Business Operations and Improvement

Legal Basis: Legitimate Interests (Article 6(1)(f))

• Service Analytics: Analyze usage patterns, feature adoption, performance metrics
• Product Development: Improve existing features, develop new services, optimize user experience
• Business Intelligence: Market research, competitive analysis, strategic planning
• Quality Assurance: Monitor service quality, identify and resolve technical issues

AI Image Generation Processing

Legal Basis: Contract Performance (Article 6(1)(b)) and Legitimate Interests (Article 6(1)(f))

• Image Creation: Process prompts and keywords to generate AI images via Leonardo.ai
• Content Management: Store and manage generated images in user profiles
• Usage Monitoring: Track generation attempts against subscription limits
• Quality Control: Monitor generated content for appropriateness and policy compliance
• Service Optimization: Improve AI generation quality and response times

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention periods are based on:

• The nature and sensitivity of the personal data
• The purposes for which we process the data
• Legal and regulatory requirements
• Legitimate business needs

Specific Retention Periods

Automated Deletion: We have implemented automated systems to delete data according to these retention schedules. You can also request earlier deletion of your data by contacting us at privacy@mangga.app.

Data Deletion

You have the right to request the deletion of your personal data. You can delete your account at any time through your account settings or by contacting us. When you delete your account, we will remove your personal information from our active databases, though some information may be retained in our backup systems for a limited period.

Third-Party Data Processors

We work with trusted third-party service providers who process personal data on our behalf. All processors are bound by data processing agreements that ensure GDPR compliance and appropriate security measures.

Infrastructure and Hosting Processors

AI and Image Generation Processors

Payment and Financial Processors

Communication Processors

Data Processing Agreements

All third-party processors have signed comprehensive Data Processing Agreements (DPAs) that include:

• GDPR compliance requirements and obligations
• Data security and encryption standards
• Data retention and deletion procedures
• Incident notification and response protocols
• Regular security audits and compliance monitoring
• Subprocessor management and notification procedures

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide and improve our Services. Our cookie usage is minimal and focused on essential functionality:

Essential Cookies

• Authentication Cookies: Required for user login and session management
• Security Cookies: Used for fraud prevention and account protection
• Preference Cookies: Store user settings and preferences

Analytics Cookies (Optional)

• Usage Analytics: Help us understand how users interact with our Services
• Performance Monitoring: Track website performance and identify issues
• Feature Analytics: Measure feature adoption and user engagement

You can control cookie settings through your browser preferences. Disabling essential cookies may affect the functionality of our Services. For detailed information about our cookie usage, see our Cookie Policy.

WhatsApp Phone Verification

When you register a business account on Mangga.app, we offer WhatsApp as an option for phone number verification to enhance security and prevent fraud. This service complies with WhatsApp Business Messaging Policy requirements.

Explicit Consent Required

• WhatsApp verification requires your explicit opt-in consent
• You must provide your mobile phone number voluntarily
• You must confirm you wish to receive verification messages from us via WhatsApp
• Alternative verification methods (SMS) are always available

Data Collection for WhatsApp Verification

• Phone number: Used solely for verification purposes
• Verification timestamp and status: To track verification completion
• Opt-in consent record and date: For compliance and audit purposes
• IP address and user agent: For security audit and fraud prevention

Data Usage for WhatsApp Verification

• Phone numbers are used exclusively for identity verification and account security
• Verification codes are temporary and automatically deleted after 24 hours
• We do not store WhatsApp conversation data or message content
• We do not use your phone number for marketing communications via WhatsApp
• Data is not used for any purpose other than supporting the verification process

Data Sharing for WhatsApp Verification

• Your phone number is shared with WhatsApp/Meta solely for verification message delivery
• Verification is processed through Twilio's secure WhatsApp Business API
• We do not share your phone number with third parties for marketing or other purposes
• No conversation data is shared with any third parties

Your Rights and Opt-out for WhatsApp Verification

• You can choose alternative verification methods (SMS) at any time
• You can request deletion of all verification data by contacting support@mangga.app
• You can opt-out of WhatsApp verification before or during the process
• We will honor all requests to discontinue WhatsApp communications immediately
• You have the right to access, correct, or delete your verification data

Data Retention for WhatsApp Verification

• Verification codes: Automatically deleted after 24 hours
• Phone verification status: Retained for security and fraud prevention purposes
• Consent records: Retained for compliance and audit purposes
• All data is secured with industry-standard encryption and access controls
• Data deletion requests are processed within 30 days

For detailed information about our WhatsApp verification process, please see our WhatsApp Verification Policy.

Third-Party Services

We may employ third-party companies and individuals to facilitate our services, provide services on our behalf, perform service-related services, or assist us in analyzing how our services are used. These third parties have access to your personal information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

WhatsApp Business API Services

We use WhatsApp Business API through Twilio to provide secure phone verification. This service is governed by:

• WhatsApp Business Terms of Service
• WhatsApp Privacy Policy
• Twilio Privacy Policy

By choosing WhatsApp verification, you consent to your phone number being processed by these services for verification purposes only.

Data Security

We implement appropriate technical and organizational measures to protect the security of your personal information. However, please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure.

Your Data Protection Rights

Under applicable data protection laws (UK GDPR, EU GDPR, and other relevant legislation), you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner.

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to your personal data along with specific information about the processing.

• What you can request: Copy of your personal data, processing purposes, data categories, recipients
• How to request: Email support@mangga.app with "Data Access Request" in the subject line
• Response time: Within 30 days (may be extended by 60 days for complex requests)
• Format: Commonly used electronic format (PDF, CSV, JSON)

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed.

• Self-service: Update most information through your account settings
• Assisted correction: Contact support@mangga.app for complex corrections
• Verification: We may request verification for significant changes
• Notification: We will inform third-party processors of corrections where applicable

Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to have your personal data erased in certain circumstances.

• Account deletion: Delete your account through account settings or contact us
• Selective deletion: Request deletion of specific data categories
• Limitations: Some data may be retained for legal compliance (e.g., tax records)
• Process: Deletion completed within 30 days, with confirmation provided

Right to Restrict Processing (Article 18)

You have the right to restrict the processing of your personal data in certain circumstances.

• When available: During accuracy disputes, unlawful processing claims, or objection periods
• Effect: Data stored but not processed except for storage, legal claims, or with consent
• Duration: Until the restriction reason is resolved
• Notification: We will inform you before lifting any restrictions

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

• Scope: Data provided by you and processed based on consent or contract
• Format: JSON, CSV, or other structured formats
• Direct transfer: We can transfer data directly to another service where technically feasible
• Limitations: Does not include derived or inferred data

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing.

• Marketing objection: Absolute right to object to direct marketing
• Legitimate interest objection: Right to object unless we demonstrate compelling legitimate grounds
• Profiling objection: Right to object to automated decision-making and profiling
• Implementation: Objections processed immediately for marketing, within 30 days for other processing

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling.

• Current practice: We do not make solely automated decisions with legal or significant effects
• AI image generation: Considered a service tool, not automated decision-making about individuals
• Future changes: We will notify you if we implement automated decision-making

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

• Easy withdrawal: Use the same method as giving consent (e.g., account settings, unsubscribe links)
• Effect: Withdrawal does not affect the lawfulness of processing before withdrawal
• Alternative processing: We may continue processing based on other lawful bases

How to Exercise Your Rights

Complaints and Supervisory Authorities

If you believe we have not handled your personal data in accordance with data protection laws, you have the right to lodge a complaint with a supervisory authority.

• UK users: Information Commissioner's Office (ICO) - ico.org.uk
• EU users: Your local data protection authority or the Irish Data Protection Commission
• Other jurisdictions: Your local privacy or data protection regulator

Children's Privacy

Our services are not intended for use by children under the age of 16. We do not knowingly collect personally identifiable information from children under 16. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us.

International Data Transfers

As a global platform, we may transfer your personal data to countries outside the UK and EU. We ensure all international transfers comply with applicable data protection laws and provide appropriate safeguards for your personal data.

Transfer Mechanisms and Safeguards

Specific Transfer Details

• AI Image Generation Providers: Transfers to various countries protected by SCCs and comprehensive Data Processing Addendums
• Payment Processing Providers: Global transfers with appropriate safeguards and adequacy decisions where available
• Database and Hosting Providers: Data primarily processed in EU/UK regions with global backup systems
• Communication Service Providers: International transfers for SMS/WhatsApp delivery with contractual safeguards

Your Rights Regarding International Transfers

• Right to information about transfer safeguards and mechanisms
• Right to object to transfers in certain circumstances
• Right to request copies of transfer safeguards (where not commercially sensitive)
• Right to lodge complaints with supervisory authorities about transfer practices

For more information about our international transfer practices or to request copies of relevant safeguards, please contact support@mangga.app.

Related Policies and Information

This Privacy Policy should be read in conjunction with our other policies and business information:

• Terms of Service - Complete terms and conditions for using our platform
• WhatsApp Verification Policy - Specific privacy terms for WhatsApp phone verification
• Business Information - Official company details and contact information
• Frequently Asked Questions - Common questions about privacy, data protection, and platform features

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.

Support and Escalation

If you experience any issues with verification or have questions about this Privacy Policy, we provide multiple support channels: