Privacy & Security
Manaia is a family safety product — we take privacy seriously. This guide explains how your data is handled, what protections are in place, and your rights.
Australian-Hosted Infrastructure
All Manaia infrastructure runs in AWS Sydney (ap-southeast-2) with disaster recovery in AWS Melbourne (ap-southeast-4). Your data never leaves Australian data centres.
DNS queries are resolved by servers in SydneyAccount data is stored in Australian databasesBackups are replicated to MelbourneWe do not use data centres in the US, EU, or any other region for production data.
Encryption
Data in Transit
All DNS queries are encrypted via DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT)All dashboard and API connections use TLS 1.2+ (HTTPS only)The roaming app encrypts DNS traffic between the device and Manaia's serversData at Rest
Database encryption using AES-256 managed by AWS KMSPersonally identifiable information (email, phone, names) is field-level encrypted using envelope encryption with a dedicated KMS keyEmail addresses are stored only as encrypted blobs and SHA-256 hashes (for lookup) — plaintext email is never stored in the databaseDNS query logs stored in S3 are encrypted with KMS-managed keys and tiered to Glacier after 90 daysWhat Data We Collect
Account Data
Email address (encrypted)Name (encrypted)Phone number (encrypted, optional)Household name and member rolesDNS Query Data
Domain names queried by your devicesTimestampsDevice identifiers (hashed MAC addresses)Block/allow decisionsThreat detection resultsWhat We Don't Collect
The content of web pages you visitPasswords or form dataFiles you downloadChat messages or emailsGPS location dataBrowsing history beyond DNS queriesData Retention
| Data Type | Retention Period |
|-----------|-----------------|
| DNS query logs (hot) | 7 days in fast-access storage |
| DNS query logs (archive) | 30 days standard, then Glacier for 90 days, deleted after 365 days |
| Threat detections | 90 days |
| Account data | Until account deletion |
| AI-generated reports | 90 days |
| Activity statistics | 365 days |
Your GDPR Rights
Even though Manaia is an Australian company, we honour GDPR rights for all users:
Right to Access
You can export all your data at any time from Settings > Privacy > Export My Data. The export includes your account data, profiles, device list, query logs, and threat detections in a machine-readable format.
Right to Deletion
You can request complete deletion of your account and all associated data from Settings > Privacy > Delete My Account. After confirmation:
1. A 30-day grace period begins (you can cancel during this time)
2. After 30 days, a cascade deletion removes your data from all 26 data stores
3. This includes: database records, query logs, cached data, and your authentication account
4. Deletion is irreversible after the grace period
Right to Rectification
Update your personal information at any time from Settings > Account.
Right to Portability
The data export feature provides your data in standard JSON format, suitable for transfer to another service.
Account Security
Passwords
Minimum 12 characters requiredPasswords are hashed by AWS Cognito (never stored in plaintext)We check against known breached password lists during signupMulti-Factor Authentication (MFA)
Manaia supports multiple MFA methods:
Passkeys (FIDO2/WebAuthn) — the most secure option, uses biometrics or hardware keysEmail OTP — a 6-digit code sent to your emailRecovery codes — one-time backup codes in case you lose access to your MFA methodWe strongly recommend enabling at least one MFA method, especially for account owners.
Session Security
Authentication tokens are stored in secure, domain-scoped cookies (not localStorage)Tokens expire after 24 hours (access) or 30 days (refresh)Global sign-out revokes all sessions across all devicesMulti-tab session sync ensures logging out in one tab logs out everywhereEmail Breach Alerts
All plans include email breach alerts (the number of monitored addresses varies by plan):
We check email addresses against known data breach databasesIf a breach is detected, you receive an immediate notificationThe notification includes which service was breached and recommended actionsChecks run automatically — no action required from youChildren's Privacy
Manaia is designed to protect children, not surveil them:
No content inspection — we see domain names only, not page contentAI reports focus on patterns, not individual page visits (e.g. "increased social media usage this week" not "visited instagram.com/specific-page")Conversation starters are designed to encourage open family dialogue, not to catch children outAccess requests give children agency — they can ask for access rather than trying to bypass filtersOversight consent — for older children, Manaia supports consent-based oversight where the child acknowledges and agrees to monitoringIncident Response
In the unlikely event of a security incident:
We will notify affected users within 72 hours as required by the Notifiable Data Breaches schemeOur status page at app.manaia.io will show real-time service statusWe maintain a documented incident response procedure reviewed quarterlySecurity Certifications
All infrastructure runs on AWS, which holds SOC 2, ISO 27001, and IRAP certificationsManaia follows the Australian Privacy Principles (APPs) under the Privacy Act 1988We comply with the Online Safety Act 2021 requirements for family safety services
Read our full Privacy Policy and Terms of Service. For questions, contact support@manaia.io.
