Manuel Mobile App – Privacy Policy
Last updated: 20 May 2025
1. Who we are
For account, security, telemetry and support data we act as controller. For customer Content in the App (e.g., manuals/knowledge items) we act as processor on behalf of your organisation. Rights requests about such Content should be directed to your employer; we support them under our DPA.
2. Scope of this policy
This Policy explains how we collect, use, share and secure information about you when you:
- install or use the App (iOS / Android);
- interact with notifications or in-app messages;
- contact us via the App’s support features.
It does not cover data processed on websites outside the App. We do not use IDFA and we do not engage in cross-app or cross-site tracking.
3. What data we collect
| Category | Examples | Collected by | Linked to you? |
|---|---|---|---|
| Account details | name, email address, phone number, company, user role | Manuel backend | Yes |
| Identifiers | device ID, IP address, app-generated user ID | Manuel backend | Yes |
| Usage data | screens visited, buttons tapped, time on page, crash logs | Microsoft Clarity (SaaS), Manuel backend | No (aggregated unless required for support) |
| Knowledge-items (internal) | answers or documents you mark as Keep in the “Kenniscentrum” | Manuel backend | Yes (visible only to your company) |
| Communications | support tickets, survey responses | HubSpot, Survicate | Yes |
| Diagnostics | crash traces, performance metrics | Firebase Crashlytics | No |
| Push-notification token | OneSignal device token | OneSignal | Yes |
No precise geolocation is collected. The App does not request GPS permission. Session replay/analytics (Microsoft Clarity) is in-app only, opt-in where required, and does not capture document content. For Knowledge items/Content we act as processor; your organisation is the controller.
4. Why we process your data and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create & maintain your user account | Contract (Art. 6 (1)(b)) |
| Provide core App functions incl. document search & knowledge-items | Contract |
| Deliver push notifications | Legitimate interest (Art. 6 (1)(f)); you can disable in your OS settings |
| Analytics & product improvement | Legitimate interest; we pseudonymise / aggregate where possible |
| Marketing emails (opt-in) | Consent (Art. 6 (1)(a)) |
| Compliance & security | Legal obligation / Legitimate interest |
You may withdraw consent at any time; this does not affect prior processing.
5. Third-party processors
We share data only with vendors that act on our behalf under a Data Processing Agreement (DPA) and offer GDPR-compliant safeguards: We do not allow our processors (including AI providers) to use your data to train their models for their own purposes.
| Vendor | Purpose | Data shared | Location |
|---|---|---|---|
| Google Cloud Platform (europe-west4 – Amsterdam) | Hosting & storage | All backend data | EU |
| OpenAI (LLM API – Azure West EU) | Generative AI answers | Prompt text & anonymised metadata | EU |
| Anthropic Claude (LLM API – AWS eu-central-1) | Generative AI answers | Prompt text & anonymised metadata | EU |
| Google AI Gemini (LLM API – europe-west9) | Generative AI answers | Prompt text & anonymised metadata | EU |
| HubSpot Inc. | CRM & in-app chat | Account & support data | EU Data Centre (Frankfurt) |
| Microsoft Clarity | Session analytics | Usage data (pseudonymised) | EU |
| Survicate Sp. z o.o. | In-app surveys | Survey responses | EU |
| OneSignal Inc. | Push notifications | Device token, basic identifiers | USA ⇢ SCCs |
We do not sell personal data and we do not allow third parties to use it for their own purposes.
6. Data retention
| Data set | Retention period |
|---|---|
| Account & content | While account is active + 12 months, then anonymised |
| Knowledge-items | Processed as processor; retention per customer instructions. Deleted within 90 days after contract end (see DPA) or on request via your organisation. |
| Analytics & crash logs | 26 months (Google default), then aggregated |
| Marketing consents | Until withdrawn + 24 months (audit) |
| Support tickets | 6 years (statutory limitation) |
After expiry, data is securely erased or irreversibly anonymised.
7. International transfers
Where we transfer data outside the EEA, we rely on:
- Adequacy decisions (EU–US Data Privacy Framework), or
- Standard Contractual Clauses (SCCs) approved by the European Commission, plus supplementary measures.
Some EU-hosted vendors are US-headquartered; remote support access may occur. In such cases we apply SCCs + Transfer Impact Assessment and supplementary measures.
8. Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Network isolation & firewalling in Google Cloud VPC.
- Role-based access (RBAC) with MFA for all operators.
- Regular penetration tests and vulnerability scans.
- Continuous monitoring & automated incident alerts.
Our security programme is aligned with ISO/IEC 27001.
9. Your privacy rights
You can exercise the following rights free of charge:
- Access your data
- Rectification
- Erasure (“right to be forgotten”)
- Restriction of processing
- Data portability (JSON/CSV)
- Objection to processing (incl. direct marketing)
- Lodge a complaint with the Dutch DPA
Send requests to info@manuel.chat – we will respond within 30 days. For Content we process as processor, please submit requests via your organisation; we support them under our DPA.
10. Children
The App is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us so we can delete it immediately.
11. Changes to this Policy
We may update this Policy to reflect technical or legal changes. We will notify you in-app or by email and post the new version here at least 7 days before it takes effect.
12. Contact
Questions?
Email: Info@manuel.chat
Post: (KvK: 96013540), Burgemeester Bosmastraat 3, Winterswijk, The Netherlands
By installing or using the App you acknowledge that you have read and understood this Policy.
.png)
.avif)
%201.avif)