Privacy Policy

Last updated: 25 March 2026

1. Who We Are

Manaia is a home cybersecurity platform operated by Manaia Tech Pty Ltd (ABN 52 696 183 703), a company incorporated in New South Wales, Australia.

We are committed to protecting your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, hold, use, and disclose your personal information.

2. What Information We Collect

Information you provide directly

  • Account details — your name and email address when you sign up
  • Payment information — processed securely by Stripe (we never see or store your card number)
  • Phone number — if you enable voice call alerts, your phone number is stored encrypted (optional, Guardian Pro only)
  • Household and profile names — the names you choose for family member profiles
  • Custom filtering rules — any websites you choose to allow or block
  • Breach monitoring email addresses — if you choose to monitor email addresses for data breaches (Guardian plans and above)

Information collected automatically

  • Website addresses (domains) that devices in your household look up — used to block harmful content
  • Device information — such as operating system, app version, and a hardware identifier used for authentication
  • Device fingerprint — a one-way hash of your device hardware characteristics, used to prevent duplicate registrations and detect tampering
  • IP addresses — used to route your internet traffic securely and for rate limiting (not stored long-term)
  • Screen time usage — if you enable screen time limits, we track daily usage per profile to enforce those limits
  • Push notification tokens — if you enable push notifications, your device's notification token is stored to deliver alerts

Information from third parties

  • Threat intelligence feeds — lists of known malicious websites, used to protect your family
  • Sign-in providers — if you use Google Sign-In, we receive your name and email from Google

3. How We Use Your Information

We only use your information to deliver and improve the Manaia service. Specifically:

  • Delivering the service — filtering harmful websites, enforcing your family's content rules, and providing parental oversight features
  • Keeping your account secure — detecting compromised accounts, verifying device integrity, and preventing fraud
  • Improving the service — using aggregate, anonymised statistics to improve our filtering accuracy and detect new threats
  • Legal compliance — responding to lawful requests from authorities
  • Communicating with you — sending security alerts, daily or weekly safety reports, and account notifications

We do not sell your data. We do not use your information for advertising. We do not share your browsing activity with data brokers or marketing companies.

4. How Website Lookup Data Is Handled

When a device in your household visits a website, it first asks Manaia to look up the website address. This is called a "DNS query" — think of it as looking up a phone number in a directory. Here is how we handle this data:

  • We check the website address against known threats — if it matches a malicious, phishing, or scam website, we block it before your device can connect.
  • We check it against your family's content rules — for example, if you have set a child profile to block adult content, we enforce that rule.
  • We log the lookup for your safety reports — so you can review what websites were visited or blocked. You control how long these logs are kept.
  • We do not read the content of websites — we only see the website address (e.g. "example.com"), not what you read, type, or download on that website.
  • Lookup data is linked to your household profile, not to individual people — we do not track which specific person in your household made a request.

Aggregate statistics (such as "how many threats did we block across all households today") are used to improve the service. These statistics cannot be traced back to your household or any individual.

5. Data Retention

We keep your data only as long as necessary to provide the service or meet legal obligations.

Data Type | Retention Period
Account information (name, email) | Until you delete your account + 30-day grace period
Website lookup logs (DNS queries) | 30 days active, then archived for 90 days, deleted after 365 days
Threat detection events | 90 days
Payment records | 7 years (Australian tax law requirement)
Security audit logs | 365 days
Cookie consent records | 2 years

When you delete your account, we initiate a 30-day grace period (in case you change your mind), after which all your personal data is permanently deleted from our systems, including backups.

6. Sharing With Third Parties

We do not sell, rent, or trade your personal information. We only share data with the following service providers ("sub-processors") who help us deliver the Manaia service:

Provider | Purpose | Data Location
Amazon Web Services (AWS) | Infrastructure hosting, authentication, encryption | Sydney, Australia (ap-southeast-2)
Stripe | Payment processing (PCI DSS Level 1) | United States
Amazon SES | Transactional email delivery | Sydney, Australia (ap-southeast-2)
Anthropic (via AWS Bedrock) | AI-powered safety insights and risk scoring | Sydney, Australia (ap-southeast-2) where available; United States
Have I Been Pwned (HIBP) | Breach monitoring for email addresses | Australia (operator); global CDN
Twilio | Voice call alerts (Guardian Pro only) | United States
Apple (APNs) | Push notifications to iOS devices | United States
Google (Firebase Cloud Messaging) | Push notifications to Android devices | United States
Google (reCAPTCHA v3) | Bot prevention during account registration | United States
Sentry | Application error tracking (no PII sent) | Australia (self-hosted, AWS ap-southeast-2)

Some services listed above operate in the United States. These transfers are necessary to provide the Service and are governed by each provider's data processing agreement. Where possible, processing occurs in the AWS Sydney region. For a complete register of all sub-processors, see manaia.io/legal/sub-processors.

Anonymised Threat Intelligence Sharing

To help protect the broader community from cyber threats, we may derive threat intelligence data from the operation of our service. This includes indicators of compromise (IOCs) such as malicious domain names, IP addresses, URL patterns, and behavioural signatures associated with phishing, malware, scams, and other online threats.

Before any sharing, this data is:

  • Anonymised — all information that could identify you, your household, or any individual is permanently removed
  • Aggregated — individual data points are combined into statistical patterns that cannot be traced back to any single household or device
  • Stripped of personal context — no usernames, email addresses, IP addresses of our customers, device identifiers, or browsing histories are included

This anonymised threat intelligence may be shared with:

  • Trusted cybersecurity organisations and threat intelligence sharing communities (e.g. ISACs, CERTs, MISP communities)
  • Government cybersecurity agencies (e.g. the Australian Cyber Security Centre)
  • Security researchers working to identify and disrupt online threats
  • Other cybersecurity vendors, for the purpose of improving collective defences

We share this data using industry-standard protocols such as the Traffic Light Protocol (TLP) and STIX/TAXII formats where applicable. Our legitimate interest in processing this data is the improvement of cybersecurity for the wider community, consistent with the Australian Privacy Act 1988 and the recognised public benefit of threat intelligence sharing.

Your browsing activity is never shared. Only indicators of threats (such as newly discovered phishing domains) are shared — never what websites you or your household visited, when you visited them, or any other information linked to your account.

If you wish to opt out of contributing to anonymised threat intelligence sharing, you may do so via Settings > Privacy > Threat Intelligence Sharing in your Manaia dashboard, or by contacting us at support@manaia.io. Opting out does not affect the protection provided to your household.

AI-Powered Features

Manaia uses artificial intelligence (powered by Anthropic Claude via AWS Bedrock) to provide safety insights and analysis features. Here is what this means for your data:

  • What data is processed by AI: Aggregated household statistics (query counts, threat counts, blocked categories), profile metadata (age group label such as "child" or "adult"), and threat event summaries. Raw DNS query logs, email addresses, names, and device identifiers are not sent to AI models.
  • PII redaction: All data is passed through our PII redaction layer before being sent to AI models. This removes names, email addresses, and any other personally identifiable information.
  • What AI generates: Daily safety insights, weekly narrative summaries, conversation starters for parents (discussion prompts about online safety), risk scores (0–100 per profile), and responses to questions in the chat assistant.
  • No training on your data: Anthropic does not use data submitted via its API to train its models. Your data is processed and discarded.
  • Available on: AI features are available on Guardian and Guardian Pro plans. The interactive chat assistant is available on all plans.

You may disable AI-powered insights via Settings > Privacy > AI Features in your Manaia dashboard. Disabling AI features does not affect DNS filtering or threat blocking.

Breach Monitoring

If you choose to enable breach monitoring (available on Guardian, Guardian Pro, and Grandparent Shield plans), you can add email addresses to be checked against the Have I Been Pwned (HIBP) database of known data breaches.

  • What is sent: Individual email addresses are sent to the HIBP API over an encrypted connection. No other personal data is sent.
  • What is returned: HIBP returns breach metadata (breach name, date, and categories of data exposed) — not the breached data itself.
  • Opt-in only: You must explicitly add each email address you wish to monitor. We do not automatically monitor any email addresses.
  • Opt-out: You can remove monitored email addresses at any time via Settings > Breach Monitoring.

Automated Decision-Making

Manaia uses automated systems to protect your household. These systems make real-time decisions without human intervention:

  • DNS threat blocking: When a device in your household attempts to visit a website that matches a known threat (with a confidence score of 70 or above), the connection is automatically blocked. This happens in real time to protect you before harm occurs.
  • Content filtering: Websites are automatically categorised and blocked or allowed based on the content rules you set for each profile.
  • Rate limiting: If a device sends an unusually high number of DNS requests (over 100 per second), requests are temporarily refused to protect the service and detect potential malware.
  • Behavioural signal detection: Our system evaluates daily patterns across your household (such as unusual spikes in threat detections or access to high-risk categories) and may generate alerts. These signals are used to inform your safety reports — they do not automatically block access or take punitive action.
  • Device tamper detection: If a registered device stops communicating for an extended period, it may be flagged as offline or potentially tampered with. You are notified but no action is taken without your input.

Your recourse: You can override any automated blocking decision by adding a domain to your custom allow list. If you believe a domain has been incorrectly blocked, you can report it via the dashboard or contact support@manaia.io.

Push Notifications & Voice Alerts

If you enable push notifications, your device's push notification token (an opaque identifier managed by Apple or Google) is stored and used to deliver security alerts. Notification content includes threat type and severity only — no browsing history or personal data.

If you enable voice call alerts (Guardian Pro only), your verified phone number is sent to Twilio to place the call. Phone numbers are stored encrypted in our systems and masked in internal logs. Voice calls are rate-limited to a maximum of one call per four hours per household.

Bot Prevention at Signup

During account registration, we use Google reCAPTCHA v3 to prevent automated bot signups. This sends your IP address and a behavioural risk token to Google for verification. Google assigns a risk score — we do not receive any of your browsing data from Google. reCAPTCHA is only used during signup, not during normal use of the service.

7. Security Measures

We take the security of your personal information seriously. Our measures include:

  • Encryption at rest — your email address and name are encrypted using AES-256-GCM before storage, managed through AWS Key Management Service
  • Encryption in transit — all data transmitted between your devices and our servers uses TLS 1.3
  • Australian-hosted infrastructure — all core infrastructure runs in the AWS Sydney region with Multi-AZ database redundancy
  • Access controls — we use role-based access controls and audit logging for all administrative access
  • Security monitoring — AWS GuardDuty, CloudTrail, and Web Application Firewall protect against threats
  • Regular reviews — we conduct security audits and code reviews as part of our development process

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access your information — view your personal data via the Settings page in your Manaia dashboard, or request a data export
  • Correct your information — update your name, email, or other personal details at any time
  • Export your data — download a copy of your personal data in JSON format (Settings > Privacy > Download My Data)
  • Delete your account — request permanent deletion of your account and all associated data, with a 30-day grace period (Settings > Privacy > Delete Account)
  • Withdraw consent — you may withdraw consent for optional data processing at any time

To exercise any of these rights, you can use the self-service options in your Manaia dashboard or contact us at support@manaia.io. We will respond to your request within 30 days as required by the Privacy Act.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). Visit oaic.gov.au/privacy/privacy-complaints or call 1300 363 992.

9. Children's Privacy

Manaia is designed to help parents protect their children online. We do not knowingly collect personal information from children under 13 without verifiable parental consent. Here is how we handle data related to children:

  • Children under 13 cannot create their own Manaia accounts — a parent or guardian creates and manages all child profiles
  • Child profiles are used to apply age-appropriate content filtering rules chosen by the parent
  • Children may access a limited "Kid Portal" view showing only their protection status, screen time, and a help button — no management, billing, activity logs, or household data is visible
  • The Oversight feature allows parents to view browsing activity for child profiles — this requires explicit consent from the account holder
  • Website lookup data (DNS queries) for child profiles is processed for content filtering only and is subject to the same encryption and retention policies as all profiles (see Section 4)
  • We do not collect analytics, advertising identifiers, or marketing data from child sessions
  • Data associated with child profiles is flagged for enhanced protection and follows accelerated deletion timelines
  • Parental consent is recorded when a parent creates a child profile

For users in the United States: We comply with the Children's Online Privacy Protection Act (COPPA). We do not collect personal information directly from children under 13. All child accounts are created and managed by a verified parent or guardian. Parents may review their child's information, request deletion, or refuse further collection by contacting us.

For users in the European Economic Area: In accordance with GDPR Article 8, parental consent is obtained before processing data relating to children under 16 (or the applicable age in your member state).

If you are a parent and believe your child's information has been collected without your consent, contact us immediately at support@manaia.io and we will delete the information promptly.

10. Data Breach Notification

In accordance with Part IIIC of the Australian Privacy Act 1988 (the Notifiable Data Breaches scheme), we have procedures in place to detect, assess, and respond to data breaches that may affect your personal information.

If we become aware of a data breach that is likely to result in serious harm to you, we will:

  • Notify the OAIC — we will notify the Office of the Australian Information Commissioner as soon as practicable, and in any event within 72 hours of becoming aware of the breach
  • Notify you directly — we will notify you by email to the address associated with your account, as soon as practicable after becoming aware of the breach
  • Describe what happened — our notification will include the nature of the breach, the types of personal information involved, and what we are doing to address it
  • Provide guidance — we will include steps you can take to protect yourself from potential harm resulting from the breach
  • Publish a statement — if we are unable to contact all affected individuals, we will publish a notice on our website

Our breach detection measures include real-time security monitoring via AWS GuardDuty, CloudTrail audit logging, automated alerting for suspicious access patterns, and regular security reviews.

11. Law Enforcement & Government Access

We believe transparency about government access to user data is essential for a security product. Here is how we handle requests from law enforcement and government agencies:

  • Legal process required — we require a valid legal instrument (court order, warrant, or subpoena issued under Australian law) before disclosing any user data to law enforcement. We do not voluntarily provide user data to any government agency without legal process.
  • No bulk or dragnet requests — we reject any request for bulk access to user data, mass surveillance, or "backdoor" access to our systems. We respond only to requests that identify specific accounts or data.
  • User notification — unless prohibited by law or court order, we will notify you if your data is requested by a government agency, so you have the opportunity to seek legal advice.
  • Minimum disclosure — when compelled to disclose data, we provide only the minimum information required to satisfy the legal obligation. We challenge requests we believe are overly broad.
  • No backdoors — we do not build backdoors into our systems, weaken our encryption, or provide any government with the ability to access user data outside of lawful legal process.

Transparency statement: As at 25 March 2026, Manaia Tech Pty Ltd has not received any national security orders, secret court orders, or warrants that we are prohibited from disclosing. We have not been required to build any capability to facilitate surveillance. We have not provided any government agency with bulk access to user data.

12. What We Do NOT Collect

To be clear about the boundaries of our data collection, here is what Manaia does not collect:

  • The content of web pages you visit (we see domain names only, not URLs, page content, or HTTPS traffic)
  • Your location or GPS coordinates (the iOS/Android roaming agent does not access location services)
  • Your passwords (stored as cryptographic hashes — we cannot recover your password)
  • Your browsing history in third-party browsers (we only see DNS queries routed through our resolver)
  • App usage or installed applications on your devices
  • IMEI, IMSI, or other mobile network identifiers
  • Biometric data (fingerprints, facial recognition, voice prints)
  • Financial information beyond subscription status (Stripe handles all payment data)
  • Health or medical information
  • Microphone, camera, or sensor data from your devices

13. Right to Human Review of Automated Decisions

As described in Section 6, Manaia uses automated systems to block threats and filter content. If you believe an automated decision has adversely affected you — for example, if a website you need to access has been incorrectly blocked — you have the right to:

  • Self-service override — add the domain to your custom allow list to immediately unblock it
  • Request human review — contact us at support@manaia.io to request that a member of our team reviews the automated decision
  • Receive an explanation — understand why the domain was blocked (threat category, confidence score, source intelligence feed)
  • Challenge the decision — if you believe the block was incorrect, we will investigate and, if appropriate, add the domain to our global safelist to prevent future false positives

We aim to respond to human review requests within 48 hours.

14. Account Inactivity & Do Not Track

Account inactivity

If your account remains inactive (no login, no DNS queries from registered devices) for 12 consecutive months, we will send you a reminder email. If there is no response or activity within 30 days of the reminder, we may suspend your account and begin the data deletion process. You will be notified before any data is deleted, and you can reactivate your account by logging in during the notice period.

Do Not Track signals

Manaia does not track users across third-party websites. We do not engage in interest-based advertising or behavioural profiling for marketing purposes. As such, our service does not need to respond to browser Do Not Track (DNT) signals — the tracking that DNT is designed to prevent is not something we do.

15. How to Contact Us and Lodge Complaints

For any privacy-related questions, concerns, or requests, contact our Privacy Officer:

  • Email: support@manaia.io
  • Entity: Manaia Tech Pty Ltd
  • ABN: 52 696 183 703
  • Jurisdiction: New South Wales, Australia

We aim to resolve all privacy complaints within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):