Privacy Policy
Last Updated: 4 June 2025
Introduction
Welcome to Mangga.app, a business directory platform with AI-powered image generation and subscription services. We respect your privacy and are committed to protecting your personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), EU General Data Protection Regulation (GDPR), and other relevant privacy legislation.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and related services (collectively, the "Services"). It also describes your rights regarding your personal data and how you can exercise them.
Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access or use Mangga.app. By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
Data Controller Information
For the purposes of applicable data protection laws, the data controller of your personal data is:
Mangga Ltd
Address: 195-197 Wood Street, Suite RA01
City: London E17 3NU
Country: United Kingdom
Phone: +44 07897 068640
Email: support@mangga.app
Data Protection Officer: support@mangga.app
Company registration details available upon request
Legal Basis for Processing
Under the UK GDPR and EU GDPR, we must have a lawful basis for processing your personal data. The legal bases we rely on include:
- Consent (Article 6(1)(a)): For optional services like WhatsApp verification, marketing communications, and certain analytics
- Contract Performance (Article 6(1)(b)): To provide our Services, process payments, and fulfill our contractual obligations
- Legitimate Interests (Article 6(1)(f)): For fraud prevention, security monitoring, service improvement, and business analytics
- Legal Obligation (Article 6(1)(c)): To comply with legal requirements such as tax obligations and regulatory compliance
- Vital Interests (Article 6(1)(d)): In rare cases where processing is necessary to protect someone's life
Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms.
Information We Collect
We collect different types of personal data depending on how you interact with our Services. The categories of personal data we collect include:
Account and Profile Information
- Registration Data: Email address, password (encrypted), date of birth, user type (client/business)
- Business Profile Data: Business name, description, website, address, city, country, categories, subcategories
- Contact Information: Phone number (optional), social media links (optional, displayed only for Gold/Diamond tier users)
- Verification Data: Phone verification status, identity verification status, verification timestamps
- Subscription Data: Subscription tier, billing information, payment history, subscription status
AI Image Generation Data
- Image Prompts and Keywords: Text prompts, selected keywords, and generation parameters you provide
- Generated Images: AI-generated images created through our Leonardo.ai integration
- Generation Metadata: Timestamps, AI model used, generation settings, success/failure status
- Usage Tracking: Number of generation attempts used per subscription period, story creation data
- Content Data: Business stories, descriptions, discount information, and promotional content
Technical and Usage Data
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Analytics: Pages visited, features used, time spent, click patterns, search queries
- Performance Data: Load times, error logs, system performance metrics
- Security Data: Login attempts, security events, fraud prevention data
Communication and Support Data
- Support Communications: Support tickets, chat logs, email correspondence
- Booking Data: Booking enquiries, service requests, communication between users and businesses
- Feedback Data: Reviews, ratings, survey responses, user feedback
Payment and Financial Data
- Payment Information: Processed securely by Stripe (we do not store card details)
- Billing Data: Subscription history, payment status, invoices, refund records
- Identity Verification: $6 payment verification for enhanced trust (optional)
Location and Geographic Data
- Business Location: City, country, and general area for business listings
- General Location: Approximate location based on IP address for analytics and service provision
- No Precise Tracking: We do not collect precise geolocation data unless explicitly authorized
How We Use Your Information
We process your personal data for specific purposes based on the legal bases described above. The table below outlines our main processing activities:
Service Provision and Contract Performance
Legal Basis: Contract Performance (Article 6(1)(b))
- Account Management: Create and maintain user accounts, authenticate users, manage subscriptions
- Business Directory Services: Display business profiles, facilitate customer-business connections
- AI Image Generation: Process prompts, generate images via Leonardo.ai, manage generation limits
- Payment Processing: Process subscription payments, manage billing, handle refunds via Stripe
- Customer Support: Respond to inquiries, resolve technical issues, provide assistance
- Service Delivery: Provide core platform functionality, story creation, booking facilitation
Security and Fraud Prevention
Legal Basis: Legitimate Interests (Article 6(1)(f))
- Account Security: Monitor for suspicious activity, prevent unauthorized access
- Fraud Detection: Identify and prevent fraudulent accounts, payments, and activities
- Platform Safety: Detect abuse, spam, and violations of our terms of service
- Data Protection: Implement security measures, backup systems, incident response
Optional Services with Consent
Legal Basis: Consent (Article 6(1)(a))
- Phone Verification: WhatsApp or SMS verification for enhanced account security (optional)
- Identity Verification: $6 payment verification for business trust enhancement (optional)
- Marketing Communications: Send promotional emails, feature updates, service announcements (opt-in)
- Enhanced Analytics: Detailed usage analytics for service improvement (where consent required)
Legal Compliance and Obligations
Legal Basis: Legal Obligation (Article 6(1)(c))
- Regulatory Compliance: Comply with data protection laws, consumer protection regulations
- Financial Compliance: Tax reporting, anti-money laundering, payment regulations
- Legal Requests: Respond to lawful requests from authorities, court orders
- Record Keeping: Maintain records as required by applicable laws
Business Operations and Improvement
Legal Basis: Legitimate Interests (Article 6(1)(f))
- Service Analytics: Analyze usage patterns, feature adoption, performance metrics
- Product Development: Improve existing features, develop new services, optimize user experience
- Business Intelligence: Market research, competitive analysis, strategic planning
- Quality Assurance: Monitor service quality, identify and resolve technical issues
AI Image Generation Processing
Legal Basis: Contract Performance (Article 6(1)(b)) and Legitimate Interests (Article 6(1)(f))
- Image Creation: Process prompts and keywords to generate AI images via Leonardo.ai
- Content Management: Store and manage generated images in user profiles
- Usage Monitoring: Track generation attempts against subscription limits
- Quality Control: Monitor generated content for appropriateness and policy compliance
- Service Optimization: Improve AI generation quality and response times
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention periods are based on:
- The nature and sensitivity of the personal data
- The purposes for which we process the data
- Legal and regulatory requirements
- Legitimate business needs
Specific Retention Periods
Account and Profile Data
- Active Accounts: Retained while account is active and for 2 years after account closure
- Business Profiles: Retained while account is active and for 1 year after deactivation
- Subscription Data: Retained for 7 years for tax and accounting purposes
Verification and Security Data
- Phone Verification Codes: Automatically deleted after 24 hours
- Verification Status: Retained while account is active and for 2 years after closure
- Security Logs: Retained for 2 years for security monitoring and incident response
- Consent Records: Retained for 7 years for compliance and audit purposes
AI Image Generation Data
- Generated Images: Retained while account is active and for 1 year after account closure
- Image Prompts and Keywords: Retained for 2 years for service improvement
- Generation Metadata: Retained for 1 year for analytics and optimization
- Usage Statistics: Aggregated data retained indefinitely (anonymized)
Communication and Support Data
- Support Tickets: Retained for 3 years for quality assurance and training
- Booking Communications: Retained for 1 year after booking completion
- Marketing Communications: Retained until consent is withdrawn
Financial and Payment Data
- Payment Records: Retained for 7 years for tax and regulatory compliance
- Billing Information: Retained while subscription is active and for 7 years after termination
- Refund Records: Retained for 7 years for accounting and dispute resolution
Automated Deletion: We have implemented automated systems to delete data according to these retention schedules. You can also request earlier deletion of your data by contacting us at privacy@mangga.app.
Data Deletion
You have the right to request the deletion of your personal data. You can delete your account at any time through your account settings or by contacting us. When you delete your account, we will remove your personal information from our active databases, though some information may be retained in our backup systems for a limited period.
Third-Party Data Processors
We work with trusted third-party service providers who process personal data on our behalf. All processors are bound by data processing agreements that ensure GDPR compliance and appropriate security measures.
Infrastructure and Hosting Processors
Database and Authentication Providers
- Data Processed: User accounts, business profiles, subscription data, generated images
- Location: EU/UK data centers with GDPR compliance
- Purpose: Database hosting, user authentication, real-time features
- Security: SOC 2 Type II certified, encryption at rest and in transit
Website Hosting and CDN Providers
- Data Processed: Website analytics, performance data, CDN caching
- Location: Global CDN with EU data processing
- Purpose: Website hosting, performance optimization, content delivery
- Security: Enterprise-grade security, DDoS protection
AI and Image Generation Processors
AI Image Generation Providers
- Data Processed: Image prompts, keywords, generation parameters, generated images
- Location: Various global locations with appropriate safeguards
- Purpose: AI image generation, content creation, model optimization
- Security: Industry-standard certifications, private generation through paid subscriptions
- Data Rights: Users retain commercial rights to privately generated images
Payment and Financial Processors
Payment Processing Providers
- Data Processed: Payment information, billing data, subscription management
- Location: Global with EU data processing compliance
- Purpose: Payment processing, subscription billing, identity verification
- Security: PCI DSS Level 1 certified, no card data stored by Mangga Ltd
Communication Processors
SMS and WhatsApp Service Providers
- Data Processed: Phone numbers, verification codes, message delivery status
- Location: Global with EU data processing compliance
- Purpose: Phone verification, SMS delivery, WhatsApp Business API
- Security: Industry-standard certifications, automatic code deletion after 24 hours
Email Service Providers
- Data Processed: Email addresses, notification content, delivery status
- Location: EU regions for EU users
- Purpose: Email notifications, support communications, system alerts
- Security: Cloud security standards, encryption in transit
Data Processing Agreements
All third-party processors have signed comprehensive Data Processing Agreements (DPAs) that include:
- GDPR compliance requirements and obligations
- Data security and encryption standards
- Data retention and deletion procedures
- Incident notification and response protocols
- Regular security audits and compliance monitoring
- Subprocessor management and notification procedures
Cookies and Tracking Technologies
We use cookies and similar tracking technologies to provide and improve our Services. Our cookie usage is minimal and focused on essential functionality:
Essential Cookies
- Authentication Cookies: Required for user login and session management
- Security Cookies: Used for fraud prevention and account protection
- Preference Cookies: Store user settings and preferences
Analytics Cookies (Optional)
- Usage Analytics: Help us understand how users interact with our Services
- Performance Monitoring: Track website performance and identify issues
- Feature Analytics: Measure feature adoption and user engagement
You can control cookie settings through your browser preferences. Disabling essential cookies may affect the functionality of our Services. For detailed information about our cookie usage, see our Cookie Policy.
WhatsApp Phone Verification
When you register a business account on Mangga.app, we offer WhatsApp as an option for phone number verification to enhance security and prevent fraud. This service complies with WhatsApp Business Messaging Policy requirements.
Explicit Consent Required
- WhatsApp verification requires your explicit opt-in consent
- You must provide your mobile phone number voluntarily
- You must confirm you wish to receive verification messages from us via WhatsApp
- Alternative verification methods (SMS) are always available
Data Collection for WhatsApp Verification
- Phone number: Used solely for verification purposes
- Verification timestamp and status: To track verification completion
- Opt-in consent record and date: For compliance and audit purposes
- IP address and user agent: For security audit and fraud prevention
Data Usage for WhatsApp Verification
- Phone numbers are used exclusively for identity verification and account security
- Verification codes are temporary and automatically deleted after 24 hours
- We do not store WhatsApp conversation data or message content
- We do not use your phone number for marketing communications via WhatsApp
- Data is not used for any purpose other than supporting the verification process
Data Sharing for WhatsApp Verification
- Your phone number is shared with WhatsApp/Meta solely for verification message delivery
- Verification is processed through Twilio's secure WhatsApp Business API
- We do not share your phone number with third parties for marketing or other purposes
- No conversation data is shared with any third parties
Your Rights and Opt-out for WhatsApp Verification
- You can choose alternative verification methods (SMS) at any time
- You can request deletion of all verification data by contacting support@mangga.app
- You can opt out of WhatsApp verification before or during the process
- We will honor all requests to discontinue WhatsApp communications immediately
- You have the right to access, correct, or delete your verification data
Data Retention for WhatsApp Verification
- Verification codes: Automatically deleted after 24 hours
- Phone verification status: Retained for security and fraud prevention purposes
- Consent records: Retained for compliance and audit purposes
- All data is secured with industry-standard encryption and access controls
- Data deletion requests are processed within 30 days
For detailed information about our WhatsApp verification process, please see our WhatsApp Verification Policy.
Third-Party Services
We may employ third-party companies and individuals to facilitate our services, provide services on our behalf, perform service-related services, or assist us in analyzing how our services are used. These third parties have access to your personal information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
WhatsApp Business API Services
We use WhatsApp Business API through Twilio to provide secure phone verification. This service is governed by:
By choosing WhatsApp verification, you consent to your phone number being processed by these services for verification purposes only.
Data Security
We implement appropriate technical and organizational measures to protect the security of your personal information. However, please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure.
Your Data Protection Rights
Under applicable data protection laws (UK GDPR, EU GDPR, and other relevant legislation), you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner.
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, access to your personal data along with specific information about the processing.
- What you can request: Copy of your personal data, processing purposes, data categories, recipients
- How to request: Email support@mangga.app with "Data Access Request" in the subject line
- Response time: Within 30 days (may be extended by 60 days for complex requests)
- Format: Commonly used electronic format (PDF, CSV, JSON)
Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete personal data completed.
- Self-service: Update most information through your account settings
- Assisted correction: Contact support@mangga.app for complex corrections
- Verification: We may request verification for significant changes
- Notification: We will inform third-party processors of corrections where applicable
Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to have your personal data erased in certain circumstances.
- Account deletion: Delete your account through account settings or contact us
- Selective deletion: Request deletion of specific data categories
- Limitations: Some data may be retained for legal compliance (e.g., tax records)
- Process: Deletion completed within 30 days, with confirmation provided
Right to Restrict Processing (Article 18)
You have the right to restrict the processing of your personal data in certain circumstances.
- When available: During accuracy disputes, unlawful processing claims, or objection periods
- Effect: Data stored but not processed except for storage, legal claims, or with consent
- Duration: Until the restriction reason is resolved
- Notification: We will inform you before lifting any restrictions
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Scope: Data provided by you and processed based on consent or contract
- Format: JSON, CSV, or other structured formats
- Direct transfer: We can transfer data directly to another service where technically feasible
- Limitations: Does not include derived or inferred data
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing.
- Marketing objection: Absolute right to object to direct marketing
- Legitimate interest objection: Right to object unless we demonstrate compelling legitimate grounds
- Profiling objection: Right to object to automated decision-making and profiling
- Implementation: Objections processed immediately for marketing, within 30 days for other processing
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling.
- Current practice: We do not make solely automated decisions with legal or significant effects
- AI image generation: Considered a service tool, not automated decision-making about individuals
- Future changes: We will notify you if we implement automated decision-making
Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time.
- Easy withdrawal: Use the same method as giving consent (e.g., account settings, unsubscribe links)
- Effect: Withdrawal does not affect the lawfulness of processing before withdrawal
- Alternative processing: We may continue processing based on other lawful bases
How to Exercise Your Rights
Contact Methods
- Email: support@mangga.app (preferred method)
- Subject line: Include the specific right you wish to exercise
- Information required: Account email, specific request details, identity verification
- Response time: Within 30 days (may be extended to 90 days for complex requests)
Identity Verification
To protect your privacy, we may request additional information to verify your identity before processing requests. This may include account verification questions or documentation.
No Cost
Exercising your data protection rights is free of charge. However, we may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.
Complaints and Supervisory Authorities
If you believe we have not handled your personal data in accordance with data protection laws, you have the right to lodge a complaint with a supervisory authority.
- UK users: Information Commissioner's Office (ICO) - ico.org.uk
- EU users: Your local data protection authority or the Irish Data Protection Commission
- Other jurisdictions: Your local privacy or data protection regulator
Children's Privacy
Our services are not intended for use by children under the age of 16. We do not knowingly collect personally identifiable information from children under 16. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us.
International Data Transfers
As a global platform, we may transfer your personal data to countries outside the UK and EU. We ensure all international transfers comply with applicable data protection laws and provide appropriate safeguards for your personal data.
Transfer Mechanisms and Safeguards
Adequacy Decisions
Where possible, we transfer data to countries with adequacy decisions from the UK or EU, ensuring equivalent data protection standards.
Standard Contractual Clauses (SCCs)
For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the European Commission and UK authorities, providing contractual safeguards for your personal data.
Data Processing Agreements
All third-party processors have signed comprehensive Data Processing Agreements that include international transfer provisions and security requirements.
Specific Transfer Details
- AI Image Generation Providers: Transfers to various countries protected by SCCs and comprehensive Data Processing Addendums
- Payment Processing Providers: Global transfers with appropriate safeguards and adequacy decisions where available
- Database and Hosting Providers: Data primarily processed in EU/UK regions with global backup systems
- Communication Service Providers: International transfers for SMS/WhatsApp delivery with contractual safeguards
Your Rights Regarding International Transfers
- Right to information about transfer safeguards and mechanisms
- Right to object to transfers in certain circumstances
- Right to request copies of transfer safeguards (where not commercially sensitive)
- Right to lodge complaints with supervisory authorities about transfer practices
For more information about our international transfer practices or to request copies of relevant safeguards, please contact support@mangga.app.
Related Policies and Information
This Privacy Policy should be read in conjunction with our other policies and business information:
- Terms of Service - Complete terms and conditions for using our platform
- WhatsApp Verification Policy - Specific privacy terms for WhatsApp phone verification
- Business Information - Official company details and contact information
- Frequently Asked Questions - Common questions about privacy, data protection, and platform features
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.
Support and Escalation
If you experience any issues with verification or have questions about this Privacy Policy, we provide multiple support channels:
Mangga Ltd
Address: 195-197 Wood Street, Suite RA01
City: London E17 3NU, United Kingdom
Phone: +44 07897 068640
General Support: support@mangga.app
Billing Inquiries: billing@mangga.app
General Information: info@mangga.app
Business hours: Monday - Friday, 9:00 AM - 6:00 PM GMT
Support response time: Within 8 hours during business hours
Company registration details available upon request