Privacy Policy

Last Updated: 4 June 2025

Introduction

Welcome to Mangga.app, a business directory platform with AI-powered image generation and subscription services. We respect your privacy and are committed to protecting your personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), EU General Data Protection Regulation (GDPR), and other relevant privacy legislation.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and related services (collectively, the "Services"). It also describes your rights regarding your personal data and how you can exercise them.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access or use Mangga.app. By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

Data Controller Information

For the purposes of applicable data protection laws, the data controller of your personal data is:

Mangga Ltd

Address: 195-197 Wood Street, Suite RA01

City: London E17 3NU

Country: United Kingdom

Phone: +44 07897 068640

Email: support@mangga.app

Data Protection Officer: support@mangga.app

Company registration details available upon request

Legal Basis for Processing

Under the UK GDPR and EU GDPR, we must have a lawful basis for processing your personal data. The legal bases we rely on include:

  • Consent (Article 6(1)(a)): For optional services like WhatsApp verification, marketing communications, and certain analytics
  • Contract Performance (Article 6(1)(b)): To provide our Services, process payments, and fulfill our contractual obligations
  • Legitimate Interests (Article 6(1)(f)): For fraud prevention, security monitoring, service improvement, and business analytics
  • Legal Obligation (Article 6(1)(c)): To comply with legal requirements such as tax obligations and regulatory compliance
  • Vital Interests (Article 6(1)(d)): In rare cases where processing is necessary to protect someone's life

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms.

Information We Collect

We collect different types of personal data depending on how you interact with our Services. The categories of personal data we collect include:

Account and Profile Information

  • Registration Data: Email address, password (encrypted), date of birth, user type (client/business)
  • Business Profile Data: Business name, description, website, address, city, country, categories, subcategories
  • Contact Information: Phone number (optional), social media links (optional, displayed only for Gold/Diamond tier users)
  • Verification Data: Phone verification status, identity verification status, verification timestamps
  • Subscription Data: Subscription tier, billing information, payment history, subscription status

AI Image Generation Data

  • Image Prompts and Keywords: Text prompts, selected keywords, and generation parameters you provide
  • Generated Images: AI-generated images created through our Leonardo.ai integration
  • Generation Metadata: Timestamps, AI model used, generation settings, success/failure status
  • Usage Tracking: Number of generation attempts used per subscription period, story creation data
  • Content Data: Business stories, descriptions, discount information, and promotional content

Technical and Usage Data

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Analytics: Pages visited, features used, time spent, click patterns, search queries
  • Performance Data: Load times, error logs, system performance metrics
  • Security Data: Login attempts, security events, fraud prevention data

Communication and Support Data

  • Support Communications: Support tickets, chat logs, email correspondence
  • Booking Data: Booking enquiries, service requests, communication between users and businesses
  • Feedback Data: Reviews, ratings, survey responses, user feedback

Payment and Financial Data

  • Payment Information: Processed securely by Stripe (we do not store card details)
  • Billing Data: Subscription history, payment status, invoices, refund records
  • Identity Verification: $6 payment verification for enhanced trust (optional)

Location and Geographic Data

  • Business Location: City, country, and general area for business listings
  • General Location: Approximate location based on IP address for analytics and service provision
  • No Precise Tracking: We do not collect precise geolocation data unless explicitly authorized

How We Use Your Information

We process your personal data for specific purposes based on the legal bases described above. The sections below outline our main processing activities:

Service Provision and Contract Performance

Legal Basis: Contract Performance (Article 6(1)(b))

  • Account Management: Create and maintain user accounts, authenticate users, manage subscriptions
  • Business Directory Services: Display business profiles, facilitate customer-business connections
  • AI Image Generation: Process prompts, generate images via Leonardo.ai, manage generation limits
  • Payment Processing: Process subscription payments, manage billing, handle refunds via Stripe
  • Customer Support: Respond to inquiries, resolve technical issues, provide assistance
  • Service Delivery: Provide core platform functionality, story creation, booking facilitation

Security and Fraud Prevention

Legal Basis: Legitimate Interests (Article 6(1)(f))

  • Account Security: Monitor for suspicious activity, prevent unauthorized access
  • Fraud Detection: Identify and prevent fraudulent accounts, payments, and activities
  • Platform Safety: Detect abuse, spam, and violations of our terms of service
  • Data Protection: Implement security measures, backup systems, incident response

Optional Services with Consent

Legal Basis: Consent (Article 6(1)(a))

  • Phone Verification: WhatsApp or SMS verification for enhanced account security (optional)
  • Identity Verification: $6 payment verification for business trust enhancement (optional)
  • Marketing Communications: Send promotional emails, feature updates, service announcements (opt-in)
  • Enhanced Analytics: Detailed usage analytics for service improvement (where consent required)

Legal Compliance and Obligations

Legal Basis: Legal Obligation (Article 6(1)(c))

  • Regulatory Compliance: Comply with data protection laws, consumer protection regulations
  • Financial Compliance: Tax reporting, anti-money laundering, payment regulations
  • Legal Requests: Respond to lawful requests from authorities, court orders
  • Record Keeping: Maintain records as required by applicable laws

Business Operations and Improvement

Legal Basis: Legitimate Interests (Article 6(1)(f))

  • Service Analytics: Analyze usage patterns, feature adoption, performance metrics
  • Product Development: Improve existing features, develop new services, optimize user experience
  • Business Intelligence: Market research, competitive analysis, strategic planning
  • Quality Assurance: Monitor service quality, identify and resolve technical issues

AI Image Generation Processing

Legal Basis: Contract Performance (Article 6(1)(b)) and Legitimate Interests (Article 6(1)(f))

  • Image Creation: Process prompts and keywords to generate AI images via Leonardo.ai
  • Content Management: Store and manage generated images in user profiles
  • Usage Monitoring: Track generation attempts against subscription limits
  • Quality Control: Monitor generated content for appropriateness and policy compliance
  • Service Optimization: Improve AI generation quality and response times

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention periods are based on:

  • The nature and sensitivity of the personal data
  • The purposes for which we process the data
  • Legal and regulatory requirements
  • Legitimate business needs

Specific Retention Periods

Account and Profile Data

  • Active Accounts: Retained while account is active and for 2 years after account closure
  • Business Profiles: Retained while account is active and for 1 year after deactivation
  • Subscription Data: Retained for 7 years for tax and accounting purposes

Verification and Security Data

  • Phone Verification Codes: Automatically deleted after 24 hours
  • Verification Status: Retained while account is active and for 2 years after closure
  • Security Logs: Retained for 2 years for security monitoring and incident response
  • Consent Records: Retained for 7 years for compliance and audit purposes

AI Image Generation Data

  • Generated Images: Retained while account is active and for 1 year after account closure
  • Image Prompts and Keywords: Retained for 2 years for service improvement
  • Generation Metadata: Retained for 1 year for analytics and optimization
  • Usage Statistics: Aggregated data retained indefinitely (anonymized)

Communication and Support Data

  • Support Tickets: Retained for 3 years for quality assurance and training
  • Booking Communications: Retained for 1 year after booking completion
  • Marketing Communications: Retained until consent is withdrawn

Financial and Payment Data

  • Payment Records: Retained for 7 years for tax and regulatory compliance
  • Billing Information: Retained while subscription is active and for 7 years after termination
  • Refund Records: Retained for 7 years for accounting and dispute resolution

Automated Deletion: We have implemented automated systems to delete data according to these retention schedules. You can also request earlier deletion of your data by contacting us at privacy@mangga.app.

Data Deletion

You have the right to request the deletion of your personal data. You can delete your account at any time through your account settings or by contacting us. When you delete your account, we will remove your personal information from our active databases, though some information may be retained in our backup systems for a limited period.

Third-Party Data Processors

We work with trusted third-party service providers who process personal data on our behalf. All processors are bound by data processing agreements that ensure GDPR compliance and appropriate security measures.

Infrastructure and Hosting Processors

Database and Authentication Providers

  • Data Processed: User accounts, business profiles, subscription data, generated images
  • Location: EU/UK data centers with GDPR compliance
  • Purpose: Database hosting, user authentication, real-time features
  • Security: SOC 2 Type II certified, encryption at rest and in transit

Website Hosting and CDN Providers

  • Data Processed: Website analytics, performance data, CDN caching
  • Location: Global CDN with EU data processing
  • Purpose: Website hosting, performance optimization, content delivery
  • Security: Enterprise-grade security, DDoS protection

AI and Image Generation Processors

AI Image Generation Providers

  • Data Processed: Image prompts, keywords, generation parameters, generated images
  • Location: Various global locations with appropriate safeguards
  • Purpose: AI image generation, content creation, model optimization
  • Security: Industry-standard certifications, private generation through paid subscriptions
  • Data Rights: Users retain commercial rights to privately generated images

Payment and Financial Processors

Payment Processing Providers

  • Data Processed: Payment information, billing data, subscription management
  • Location: Global with EU data processing compliance
  • Purpose: Payment processing, subscription billing, identity verification
  • Security: PCI DSS Level 1 certified, no card data stored by Mangga Ltd

Communication Processors

SMS and WhatsApp Service Providers

  • Data Processed: Phone numbers, verification codes, message delivery status
  • Location: Global with EU data processing compliance
  • Purpose: Phone verification, SMS delivery, WhatsApp Business API
  • Security: Industry-standard certifications, automatic code deletion after 24 hours

Email Service Providers

  • Data Processed: Email addresses, notification content, delivery status
  • Location: EU regions for EU users
  • Purpose: Email notifications, support communications, system alerts
  • Security: Cloud security standards, encryption in transit

Data Processing Agreements

All third-party processors have signed comprehensive Data Processing Agreements (DPAs) that include:

  • GDPR compliance requirements and obligations
  • Data security and encryption standards
  • Data retention and deletion procedures
  • Incident notification and response protocols
  • Regular security audits and compliance monitoring
  • Subprocessor management and notification procedures

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide and improve our Services. Our cookie usage is minimal and focused on essential functionality:

Essential Cookies

  • Authentication Cookies: Required for user login and session management
  • Security Cookies: Used for fraud prevention and account protection
  • Preference Cookies: Store user settings and preferences

Analytics Cookies (Optional)

  • Usage Analytics: Help us understand how users interact with our Services
  • Performance Monitoring: Track website performance and identify issues
  • Feature Analytics: Measure feature adoption and user engagement

You can control cookie settings through your browser preferences. Disabling essential cookies may affect the functionality of our Services. For detailed information about our cookie usage, see our Cookie Policy.

WhatsApp Phone Verification

When you register a business account on Mangga.app, we offer WhatsApp as an option for phone number verification to enhance security and prevent fraud. This service complies with WhatsApp Business Messaging Policy requirements.

Explicit Consent Required

  • WhatsApp verification requires your explicit opt-in consent
  • You must provide your mobile phone number voluntarily
  • You must confirm you wish to receive verification messages from us via WhatsApp
  • Alternative verification methods (SMS) are always available

Data Collection for WhatsApp Verification

  • Phone number: Used solely for verification purposes
  • Verification timestamp and status: To track verification completion
  • Opt-in consent record and date: For compliance and audit purposes
  • IP address and user agent: For security audit and fraud prevention

Data Usage for WhatsApp Verification

  • Phone numbers are used exclusively for identity verification and account security
  • Verification codes are temporary and automatically deleted after 24 hours
  • We do not store WhatsApp conversation data or message content
  • We do not use your phone number for marketing communications via WhatsApp
  • Data is not used for any purpose other than supporting the verification process

Data Sharing for WhatsApp Verification

  • Your phone number is shared with WhatsApp/Meta solely for verification message delivery
  • Verification is processed through Twilio's secure WhatsApp Business API
  • We do not share your phone number with third parties for marketing or other purposes
  • No conversation data is shared with any third parties

Your Rights and Opt-out for WhatsApp Verification

  • You can choose alternative verification methods (SMS) at any time
  • You can request deletion of all verification data by contacting support@mangga.app
  • You can opt out of WhatsApp verification before or during the process
  • We will honor all requests to discontinue WhatsApp communications immediately
  • You have the right to access, correct, or delete your verification data

Data Retention for WhatsApp Verification

  • Verification codes: Automatically deleted after 24 hours
  • Phone verification status: Retained for security and fraud prevention purposes
  • Consent records: Retained for compliance and audit purposes
  • All data is secured with industry-standard encryption and access controls
  • Data deletion requests are processed within 30 days

For detailed information about our WhatsApp verification process, please see our WhatsApp Verification Policy.

Third-Party Services

We may employ third-party companies and individuals to facilitate our services, provide services on our behalf, perform service-related services, or assist us in analyzing how our services are used. These third parties have access to your personal information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

WhatsApp Business API Services

We use WhatsApp Business API through Twilio to provide secure phone verification. This service is governed by:

By choosing WhatsApp verification, you consent to your phone number being processed by these services for verification purposes only.

Data Security

We implement appropriate technical and organizational measures to protect the security of your personal information. However, please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure.

Your Data Protection Rights

Under applicable data protection laws (UK GDPR, EU GDPR, and other relevant legislation), you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner.

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to your personal data along with specific information about the processing.

  • What you can request: Copy of your personal data, processing purposes, data categories, recipients
  • How to request: Email support@mangga.app with "Data Access Request" in the subject line
  • Response time: Within 30 days (may be extended by 60 days for complex requests)
  • Format: Commonly used electronic format (PDF, CSV, JSON)

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed.

  • Self-service: Update most information through your account settings
  • Assisted correction: Contact support@mangga.app for complex corrections
  • Verification: We may request verification for significant changes
  • Notification: We will inform third-party processors of corrections where applicable

Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to have your personal data erased in certain circumstances.

  • Account deletion: Delete your account through account settings or contact us
  • Selective deletion: Request deletion of specific data categories
  • Limitations: Some data may be retained for legal compliance (e.g., tax records)
  • Process: Deletion completed within 30 days, with confirmation provided

Right to Restrict Processing (Article 18)

You have the right to restrict the processing of your personal data in certain circumstances.

  • When available: During accuracy disputes, unlawful processing claims, or objection periods
  • Effect: Data stored but not processed except for storage, legal claims, or with consent
  • Duration: Until the restriction reason is resolved
  • Notification: We will inform you before lifting any restrictions

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

  • Scope: Data provided by you and processed based on consent or contract
  • Format: JSON, CSV, or other structured formats
  • Direct transfer: We can transfer data directly to another service where technically feasible
  • Limitations: Does not include derived or inferred data

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing.

  • Marketing objection: Absolute right to object to direct marketing
  • Legitimate interest objection: Right to object unless we demonstrate compelling legitimate grounds
  • Profiling objection: Right to object to automated decision-making and profiling
  • Implementation: Objections processed immediately for marketing, within 30 days for other processing

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling.

  • Current practice: We do not make solely automated decisions with legal or significant effects
  • AI image generation: Considered a service tool, not automated decision-making about individuals
  • Future changes: We will notify you if we implement automated decision-making

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

  • Easy withdrawal: Use the same method as giving consent (e.g., account settings, unsubscribe links)
  • Effect: Withdrawal does not affect the lawfulness of processing before withdrawal
  • Alternative processing: We may continue processing based on other lawful bases

How to Exercise Your Rights

Contact Methods

  • Email: support@mangga.app (preferred method)
  • Subject line: Include the specific right you wish to exercise
  • Information required: Account email, specific request details, identity verification
  • Response time: Within 30 days (may be extended to 90 days for complex requests)

Identity Verification

To protect your privacy, we may request additional information to verify your identity before processing requests. This may include account verification questions or documentation.

No Cost

Exercising your data protection rights is free of charge. However, we may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.

Complaints and Supervisory Authorities

If you believe we have not handled your personal data in accordance with data protection laws, you have the right to lodge a complaint with a supervisory authority.

  • UK users: Information Commissioner's Office (ICO) - ico.org.uk
  • EU users: Your local data protection authority or the Irish Data Protection Commission
  • Other jurisdictions: Your local privacy or data protection regulator

Children's Privacy

Our services are not intended for use by children under the age of 16. We do not knowingly collect personally identifiable information from children under 16. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us.

International Data Transfers

As a global platform, we may transfer your personal data to countries outside the UK and EU. We ensure all international transfers comply with applicable data protection laws and provide appropriate safeguards for your personal data.

Transfer Mechanisms and Safeguards

Adequacy Decisions

Where possible, we transfer data to countries with adequacy decisions from the UK or EU, ensuring equivalent data protection standards.

Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the European Commission and UK authorities, providing contractual safeguards for your personal data.

Data Processing Agreements

All third-party processors have signed comprehensive Data Processing Agreements that include international transfer provisions and security requirements.

Specific Transfer Details

  • AI Image Generation Providers: Transfers to various countries protected by SCCs and comprehensive Data Processing Addendums
  • Payment Processing Providers: Global transfers with appropriate safeguards and adequacy decisions where available
  • Database and Hosting Providers: Data primarily processed in EU/UK regions with global backup systems
  • Communication Service Providers: International transfers for SMS/WhatsApp delivery with contractual safeguards

Your Rights Regarding International Transfers

  • Right to information about transfer safeguards and mechanisms
  • Right to object to transfers in certain circumstances
  • Right to request copies of transfer safeguards (where not commercially sensitive)
  • Right to lodge complaints with supervisory authorities about transfer practices

For more information about our international transfer practices or to request copies of relevant safeguards, please contact support@mangga.app.

Related Policies and Information

This Privacy Policy should be read in conjunction with our other policies and business information:

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.

Support and Escalation

If you experience any issues with verification or have questions about this Privacy Policy, we provide multiple support channels:

Mangga Ltd

Address: 195-197 Wood Street, Suite RA01

City: London E17 3NU, United Kingdom

Phone: +44 07897 068640

General Support: support@mangga.app

Billing Inquiries: billing@mangga.app

General Information: info@mangga.app

Business hours: Monday - Friday, 9:00 AM - 6:00 PM GMT
Support response time: Within 8 hours during business hours
Company registration details available upon request