1. What Mandaire Does
Mandaire is a personal AI thinking partner that connects to your digital services (email, messaging, calendar, contacts, photos, notes, docs, files, and AI conversation history) to help you manage your communication, commitments, and knowledge across platforms. To do this, Mandaire requires access to data from these services, which you authorize explicitly.
2. Data You Authorize
When you connect a service to Mandaire, we access data from that service solely to perform actions you have requested or that your Mandaire determines are helpful based on your preferences. The categories of data your Mandaire processes are:
- Email messages, calendar events, and contact records
- Messaging conversations (iMessage, WhatsApp, and others you connect)
- Notes from the note-taking apps you connect (Apple Notes, Google Keep, Obsidian, Notion, and similar)
- Documents from the document services you connect (Google Docs, Microsoft Word, Notion pages, and similar)
- Files from the file-storage services you connect (Google Drive, iCloud Drive, OneDrive, Dropbox, and similar). Binary content of files (images, video, audio, application binaries) is referenced from your existing storage and not retained by Mandaire; text content and metadata are processed.
- Photo library metadata, including timestamps, locations, and any face-tagging you have done. Photo binaries themselves are referenced from your existing storage and not retained.
- AI assistant conversation history and ongoing sessions you authorize, from providers such as ChatGPT, Claude, and Gemini
- Instructions, preferences, corrections, and feedback you provide
You connect sources one at a time, at your own pace. You can disconnect any source at any time.
3. How Your Data Is Stored
Isolation. Each user's data is stored in a completely isolated environment. There is no shared database between users. Your Mandaire knows nothing about any other user.
Encryption. Your data is encrypted at rest with a key derived from a secret you hold. During processing, your reasoning model decrypts the data it needs into memory to answer your queries; on disk, the data is encrypted whenever no query is in flight. In the managed-hosting configuration, Mandaire operations staff have SSH access to your server in order to install software, apply security patches, and respond when something breaks; this access is logged in your audit trail and is the trade-off for not having to administer the box yourself. If you require zero operational access by Mandaire staff, the self-hosted path provides that. Mandaire staff have no path to your data when no operational session is active. While an operational session overlaps a query in flight, an operator with shell access could in principle read decrypted data from the server's memory; the audit trail is the control for that window, and the self-hosted path removes it entirely.
Location and roles. Your data is processed and stored on infrastructure under your control. The two supported configurations are: (a) self-hosted on hardware you own, or (b) a cloud account in your name (DigitalOcean, Hetzner, Vultr, or similar) that you pay directly, with Mandaire operating the software stack on your behalf. In both configurations you are the data controller and legal custodian of your data; Mandaire acts as a processor on your documented instructions for the hosting and operational layer it runs on your behalf. Mandaire never holds the cloud bill and never has billing access. Your encryption keys remain yours.
4. What We Never Do
- We never sell your data. Not to advertisers, data brokers, or anyone else.
- We never train AI models on your data. Your conversations, emails, and personal information are never used to improve models for other users or any third party.
- We never share your data with third parties except when required to operate the service (for example, sending an email you asked us to send) or when required by law.
- We never access your data without your knowledge. Mandaire operates transparently. You can review what your Mandaire has done at any time.
5. Third-Party Services
The connection mechanism Mandaire uses to reach each source is the one that source's vendor supports for personal accounts:
- Google services (Gmail, Google Calendar, Google Contacts, Google Photos): OAuth 2.0 tokens scoped to the minimum read permissions required.
- Microsoft 365 (Outlook, Microsoft Calendar, Microsoft Contacts): OAuth 2.0 tokens, minimum scope.
- Apple sources (iMessage, Apple Photos, Apple Notes, Apple Reminders): a small local agent that you install on a Mac you own. The agent reads from the on-device databases that Apple already syncs to that machine and forwards to your Mandaire. Apple does not offer consumer OAuth for these sources; this is the route the platform supports.
- WhatsApp: your authorized WhatsApp session through a relay you control on your own infrastructure, paired the same way the official WhatsApp Web client pairs. WhatsApp does not offer consumer OAuth; this is the route the platform supports.
- AI conversation providers (ChatGPT, Claude, Gemini): one-time data export from each provider's official takeout/export tool, plus optional ongoing capture from a browser extension you install.
OAuth tokens are stored encrypted and can be revoked by you at any time through the connected service's settings. The local agent and the WhatsApp relay run on hardware you control and can be stopped, paused, or removed at any time.
Mandaire uses two distinct AI roles: a reasoning model (runs inside your Mandaire, sees your data, you choose the provider) and a rendering model (the chat client you use; only ever sees disclosure-filtered output, never raw data). Each role is governed by your direct relationship with the provider you choose for it. Mandaire itself does not log or retain your conversations with the rendering model. The technical architecture of this split is described on the architecture page.
6. Verifiable Privacy
Our privacy claims are designed to be verifiable rather than taken on trust. The encryption layer that handles your data will be released as open source with reproducible builds in Q3 2026, so that anyone can compile the code and verify the resulting binary matches what we distribute. Independent third-party security review of the encryption implementation and data handling is targeted for the same release window. The audit firm will be named on this site at engagement; the scope and report link will be published when the audit is complete.
What you can verify today, ahead of the open-source release:
- The threat model and architectural commitments, on the architecture page: two-AI separation, deterministic disclosure engine, canonical-store pattern, sovereignty model, key-custody model, and prompt-injection defenses.
- The cryptographic primitives in use (key derivation, at-rest encryption, transport encryption, mutual-TLS for key forwarding).
- The disclosure-engine schema and the audience-tier policy primitives that mediate every external query.
- The data-export format: a complete export of everything your Mandaire holds, in machine-readable form, on demand and at any time.
- The connection mechanism for every supported source, including the read-only-by-default scopes used for OAuth providers.
- This privacy policy and the operational practices that follow from it, as written commitments you can hold us to.
The repository link for the encryption module will be published here when the module is released. Until then, the architecture and threat model above describe the running system that handles your data.
7. Subprocessors and Third-Party Services in Detail
The subprocessors that have access to any of your data, and the role of each, are listed below. We add to this list only as needed and we notify you in advance of changes.
- Cloud infrastructure provider (the cloud account you own and authorize us to operate, e.g. DigitalOcean, Hetzner, or Vultr): hosts your Mandaire stack. The data on disk is encrypted with a key derived from your secret, so the cloud provider cannot read at-rest data without that key. During an active reasoning session, your data is decrypted into the VM's memory; the cloud provider has hypervisor-level access to that VM and could in principle snapshot RAM. The mitigations are: choose a provider in a jurisdiction matching your threat model, which changes who can compel that access but not whether it is technically possible; or run on hardware you own (the self-hosted path), where there is no third-party hypervisor and the residual exposure is physical access to the machine.
- Reasoning model provider (the AI provider you choose for the inside-your-Mandaire model, e.g. a local model on your hardware, or a cloud provider you select): processes your prompts and your data on your behalf, governed by your direct relationship with them. We do not stand between you and them.
- Rendering model provider (the chat client you choose, e.g. Claude, ChatGPT, Gemini): sees only the disclosure-filtered outputs of your reasoning model. Governed by your direct relationship with them.
- Source providers (governed by your direct relationship with them, with per-source connection mechanism as described in section 5): Google and Microsoft sources via OAuth 2.0 with minimum scopes; Apple sources via a small local agent on a Mac you own (no consumer OAuth available); WhatsApp via your authorized Web-protocol session through a relay you control on your own infrastructure (no consumer OAuth available); AI conversation providers via takeout exports plus optional browser-extension capture.
We never act as a data broker, never resell access, never share your data with advertisers, and never use your data to train models for anyone but you.
8. What We Log About How You Use Mandaire
Operating the service requires us to retain a minimal set of operational logs. These are kept on the same infrastructure you own and are accessible to you.
- Authentication events (sign-in attempts, MFA, session creation and revocation).
- Request metadata (which tool was called, when, with what status code; not the contents of the request or response).
- Errors and exceptions (so we can diagnose failures).
We do not log your queries, your AI conversations, the contents of emails or messages, or the bodies of any tool responses.
9. Data Export Format
You may request a complete export of all data your Mandaire holds at any time. Exports are provided as a structured archive (JSON for structured data plus the underlying source files where applicable). The archive is encrypted with a key you supply at export time. Export is provided in machine-readable form per GDPR Article 20 and the CCPA right to know.
10. EU Representative and Data Protection Officer
For users in the European Union and United Kingdom: you are the controller of the personal data your Mandaire processes (your messages, contacts, calendar, photos, and AI conversation history). Mandaire acts as a processor under Article 28 of the GDPR, on your documented instructions, for the operational layer of the service. Inquiries from EU/UK supervisory authorities, and data-protection inquiries from EU/UK users, should be addressed to [email protected]. You always have the right to lodge a complaint with your local supervisory authority.
11. Data Retention
Your data is retained for as long as your account is active. If you close your account, all data associated with your Mandaire is deleted within 30 days. Backups are purged within 90 days.
12. Your Rights
You may at any time:
- Request a complete export of all data your Mandaire holds, in machine-readable form (GDPR Article 20 right of data portability; CCPA right to know)
- Correct any inaccurate or incomplete data (GDPR Article 16; CCPA right to correct)
- Delete your account and all associated data (GDPR Article 17 right to erasure; CCPA right to delete)
- Restrict or object to specific processing activities (GDPR Articles 18 and 21)
- Revoke access to any connected service
- Ask what data we hold and how it is being used
To exercise any of these rights, contact [email protected]. We respond within 30 days.
Mandaire's role with respect to your personal data is described in section 10. You always have the right to lodge a complaint with your local supervisory authority.
13. Security
Your data is encrypted at rest on the server you own with a key derived from a secret you hold. During processing, the reasoning model decrypts data into memory to answer your queries. Per-user isolation means another Mandaire user's reasoning model has no path to your data. The encryption layer between client and server uses TLS with modern cipher suites. Security reviews happen on a regular cadence; the dates and scope of completed reviews will be published when each review concludes. If we discover a breach that affects your data, we will notify you within 72 hours.
14. Minors
Account holders must be at least 18 years old. Mandaire does not knowingly create accounts for anyone under 18, and the service is not designed for children's use of their own accounts.
An adult account holder may, where local law permits, choose to include records about their own minor children in their personal Mandaire (for example, school schedules, medical appointments, contact information). This is treated as the adult's personal information about their own family, not as a separate profile of a minor. Adult account holders are responsible for any consents required by their local jurisdiction (COPPA in the United States for children under 13; GDPR Article 8 in the European Union; UK Children's Code; and equivalent laws elsewhere).
We do not knowingly collect data from children outside this household-record context.
15. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you through your Mandaire or by email. Continued use of the service after changes constitutes acceptance.
16. Contact
For questions about this privacy policy or your data, contact us at [email protected].