Privacy Policy

Manyger LLC ("Manyger," "we," "us," or "our") operates the Manyger platform at getmanyger.com and its associated mobile applications (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Service.

By using Manyger, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

2.1 Account Information

When you create an account, we collect:

• Name and email address
• Authentication credentials (managed by Firebase Authentication)
• Profile photo (if provided via Google or Apple sign-in)
• Language preference

2.2 Business Information

To provide our services, we collect information about your business:

• Business name, type, and vertical category
• Business address, phone number, and website
• Operating hours and schedule
• Team size and staff member information (name, role, schedule)
• Service catalog (names, prices, durations)
• Revenue and expense data you enter or sync from connected tools
• Customer records (names, phone numbers, visit history, appointment data)

2.3 Customer Data You Manage

You may store your customers' information in Manyger, including names, phone numbers, email addresses, appointment history, and notes. You are responsible for obtaining any necessary consent from your customers before entering their data into Manyger, and for complying with applicable privacy laws regarding that data.

2.4 Communications Data

If you use our AI receptionist or messaging features, we process:

• Phone call recordings and transcripts (via Twilio and LiveKit). Call recording is subject to two-party (all-party) consent laws in the following states: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont, and Washington. You are responsible for ensuring callers are informed that calls may be recorded and handled by AI, as required by applicable law.
• SMS messages sent and received (via Twilio)
• Social media direct messages (Instagram, Facebook, WhatsApp — via Meta APIs)
• Email communications (via Brevo)

The AI assistant identifies itself as an automated (AI) assistant at the start of each interaction. A customer-facing AI Assistant Terms & Disclosures notice is available for you to present to your customers.

2.5 Biometric Data

Manyger does not collect, extract, or store biometric identifiers or biometric information as defined by the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), Washington Biometric Identifier law (RCW 19.375), or similar state laws. While our Service processes call audio for transcription and AI responses, we do not create, store, or analyze voiceprints, faceprints, or any other biometric template from this audio. Call recordings are stored as standard audio files only.

2.6 Financial Data

If you connect a point-of-sale system or enter financial data, we process:

• Transaction records from POS systems (Square, Clover)
• Expense records from accounting tools (QuickBooks, FreshBooks, Wave)
• Receipt images and extracted data
• Revenue figures you enter manually

We do not connect directly to your bank accounts. Manyger does not use Plaid, MX, or any bank-data aggregator.

2.7 Usage Data

We automatically collect:

• Device information (browser type, OS, screen size)
• Log data (IP address, access times, pages viewed)
• Feature usage and interaction patterns (via PostHog analytics)
• Error reports (via Sentry)
• Push notification token identifiers (via Firebase Cloud Messaging)

2.8 Health and Medical Data

Manyger is not a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act (HIPAA). The Service is not designed to store, transmit, or process Protected Health Information (PHI). If your business is subject to HIPAA (e.g., medical spas, wellness clinics), you must not use Manyger to store, process, or transmit PHI. You are solely responsible for determining whether your use of the Service complies with HIPAA and other healthcare regulations.

We use the information we collect to:

• Provide, maintain, and improve the Service
• Generate AI-powered insights, briefings, and recommendations for your business
• Operate AI features including chat assistant, phone receptionist, and automated messaging
• Process and fulfill appointments, scheduling, and calendar management
• Send SMS reminders, review requests, and rebooking nudges to your customers on your behalf
• Generate review reply drafts, marketing content, and social media posts
• Process payments and manage your subscription
• Send you service-related notifications (briefings, alerts, system updates)
• Analyze aggregate usage patterns and feature interactions to improve the Service
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

4.1 AI Provider

Manyger uses Google Geminias its AI model, accessed via Google's AI API. All AI inference runs on Google Cloud infrastructure in the United States. Google's API Terms of Service state that API data is not used to train their models.

4.2 What AI Processes

Our AI processes your business data to provide:

• Chat responses and business recommendations
• Morning and closing briefings
• Phone call handling and appointment booking
• SMS and DM intent classification and auto-replies
• Review reply drafts and marketing content
• Financial analysis and scenario modeling
• Customer segmentation and lifecycle management
• Image generation for social media posts (via Ideogram API)

4.3 Human Oversight

Manyger operates on a Draft → Approve → Execute principle. All AI-generated actions that modify data, send messages, or interact with external systems require your explicit approval before execution (except the AI phone receptionist, which operates autonomously during live calls and books directly into your calendar).

4.4 AI Content Labeling

All AI-generated content is clearly identified in the interface. If you encounter inaccurate AI-generated content, you may report it to support@getmanyger.com.

We do not sell your personal information. We share data with third parties only as necessary to operate the Service:

5.1 Service Providers

We will notify you at least 30 days before adding any new sub-processor to this list, giving you the opportunity to object. If you object to a new sub-processor and we cannot reasonably accommodate your objection, you may terminate your account.

5.2 Integrations You Connect

When you connect third-party services (Square, Clover, QuickBooks, FreshBooks, Wave, Jobber, Google Calendar, Google Sheets, Meta/Facebook/Instagram), we exchange data with those services using OAuth tokens that you explicitly authorize. We encrypt all stored tokens using AES-256-GCM. You can disconnect any integration at any time from Settings.

5.3 Aggregated Insights

We may generate anonymized, aggregated industry benchmarks across businesses in the same vertical category and metro area. These insights are never generated from fewer than 20 businesses, never include individually identifiable data, and geography is rounded to the metro level. You can opt out of aggregated insights in Settings.

5.4 Legal and Law Enforcement Requests

We may disclose information in response to valid legal process, including:

• Subpoenas: We may produce non-content account information (name, email, IP addresses, account dates) in response to valid civil or criminal subpoenas.
• Court orders: We may produce account information and limited content data as specified by a court order issued under applicable law.
• Search warrants: We will produce account content (messages, call recordings, business data) only in response to a valid search warrant issued by a court of competent jurisdiction based on probable cause.
• Emergency requests: We may disclose information without legal process if we have a good-faith belief that an emergency involving imminent danger of death or serious physical injury requires immediate disclosure.

Unless prohibited by law or court order, we will notify you of any legal request that seeks your data so that you may challenge it. We will narrowly construe all requests and resist overbroad or vague demands.

5.5 Business Transfers

If Manyger is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice in the Service before your information is subject to a different privacy policy.

When you use Manyger to store and manage your customers' personal information, you are the data controller (or "business" under the CCPA) and Manyger is your data processor(or "service provider" under the CCPA). This means:

• You determine the purposes and means of processing your customers' data
• You are responsible for obtaining necessary consents from your customers
• You are responsible for responding to your customers' privacy rights requests
• We process your customers' data only on your instructions and solely to provide the Service
• We do not sell, share, or use your customers' data for our own purposes
• We will assist you in responding to data subject requests upon written request

If you require a formal Data Processing Agreement (DPA), contact us at support@getmanyger.com.

We use the following cookies and similar technologies:

• Essential cookies: Firebase authentication session tokens, locale preferences. These are required for the Service to function and cannot be disabled.
• Analytics: PostHog uses first-party cookies to track product usage events. You can opt out of analytics tracking in your browser settings or by enabling Global Privacy Control (GPC).
• Error monitoring: Sentry may set cookies to correlate error reports across sessions.

We do not use third-party advertising cookies. We do not participate in cross-site tracking or behavioral advertising networks.

We implement industry-standard security measures including:

• All data transmitted over HTTPS/TLS
• Integration tokens encrypted at rest using AES-256-GCM
• Firebase security rules enforcing deny-all default with member-scoped access
• Role-based access control (owner, manager, staff) with principle of least privilege
• Rate limiting on all API endpoints
• HMAC-signed OAuth state parameters with CSRF nonce and 10-minute expiry
• Timing-safe secret comparison for webhook signature verification
• Twilio signature verification on all SMS and voice webhooks

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8.1 Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected users via email and in-app notification within 72 hours of becoming aware of the breach, as required by applicable law. We will also notify relevant regulatory authorities where required.

• Account data: Retained while your account is active. Upon account deletion, your data is permanently and immediately removed. We recommend exporting your data before requesting deletion.
• Business and customer data: Retained while your subscription is active. You may export your data at any time from Settings. Deletion is permanent and immediate.
• Call recordings and transcripts: Retained for the duration of your subscription.
• Chat conversation history: Retained while your account is active.
• Billing records: Retained as required by applicable tax and financial regulations.
• Undo log: Reversible action snapshots are automatically deleted after 24 hours.
• Analytics data: Usage events are retained in PostHog per their retention policy.

10.1 All Users

You have the right to:

• Access and export your data
• Correct inaccurate information
• Delete your account and associated data
• Disconnect any third-party integration
• Opt out of aggregated platform insights
• Opt out of non-essential communications

10.2 Universal Opt-Out Signals

We recognize and honor the Global Privacy Control (GPC) signal as a valid opt-out preference signal. If your browser or device sends a GPC signal, we will treat it as a request to opt out of the sale or sharing of personal information, as required by applicable state laws including the CCPA/CPRA, Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Montana Consumer Data Privacy Act, Delaware Personal Data Privacy Act, Minnesota Consumer Data Privacy Act, New Jersey Data Privacy Act, and Nebraska Data Privacy Act.

10.3 California Residents (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You can request what personal information we collect, use, disclose, and sell.
• Right to Delete: You can request deletion of your personal information.
• Right to Correct: You can request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of.
• Right to Limit Use of Sensitive Information: We use sensitive personal information (financial data, precise geolocation) only as strictly necessary to provide the Service and for no secondary purpose.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality, or service levels.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

To exercise your rights, contact us at support@getmanyger.com. We will verify your identity before processing requests and respond within 45 days.

You may designate an authorized agent to submit requests on your behalf. Authorized agents must provide written proof of authorization.

10.4 Additional US State Privacy Rights

If you reside in any of the following states, you may have additional privacy rights under your state's consumer data privacy law:

• Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa, Tennessee: Right to access, correct, delete, and obtain a copy of your personal data. Right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
• Texas (TDPSA), Oregon (OCPA), Montana (MCDPA): Same rights as above, plus right to opt out of the processing of personal data for profiling. We honor universal opt-out signals (GPC) as a valid opt-out mechanism.
• Delaware (DPDPA), New Jersey (NJDPA), New Hampshire, Nebraska: Right to access, correct, delete, and data portability. Right to opt out of targeted advertising, sale of personal data, and profiling.
• Minnesota (MCDPA): All rights above, plus the right to question the result of an automated decision, including profiling, and to be informed of the reason for any AI-driven decision that produces legal or similarly significant effects on you.
• Maryland (MODPA): Right to access, correct, delete, and restrict processing. We process sensitive personal information only when strictly necessary to provide the Service as requested by you — not for advertising, profiling, or secondary purposes.

To exercise rights under any state law, contact us at support@getmanyger.com. We will respond within the timeframe required by your state's law (typically 45 days, extendable by an additional 45 days with notice). If we deny your request, you have the right to appeal — we will provide instructions with any denial.

10.5 SMS and Phone Communications

Manyger sends SMS messages to your customers on your behalf (appointment reminders, review requests, rebooking nudges, win-back offers). These messages are sent only with proper consent:

• SMS and WhatsApp require explicit opt-in from the customer
• Email allows communication unless the customer has opted out
• All outbound messages respect quiet hours (timezone-aware)
• Customers can reply STOP to any SMS to opt out immediately

10.6 Meta Platform Data

If you connect your Facebook or Instagram account to Manyger, we process data from those platforms in accordance with Meta's Platform Terms. You may request deletion of your Meta-sourced data at any time by disconnecting the integration in Settings or by contacting us at support@getmanyger.com. Upon disconnection or deletion request, we will delete all Meta-sourced data within 30 days, except where retention is required by law.

Manyger is designed for business owners and operators. The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected information from a child under 16, we will delete it promptly.

Manyger is operated from the United States. All data is processed and stored in the United States using Google Cloud (Firebase), Vercel, and our service providers' US-based infrastructure. By using the Service, you consent to the transfer of your information to the United States.

We may update this Privacy Policy from time to time. For material changes, we will notify you by sending an email to the address associated with your account and posting a notice in the Service at least 30 days before the changes take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or your data, contact us at:

• Email: support@getmanyger.com
• Website: getmanyger.com