Legal

Privacy Policy

How Manuva collects, uses, discloses, and protects your personal information — and the rights you have over it under the Australian Privacy Principles.

Effective: 12 May 2026 Version: 1.1 Last updated: 12 May 2026

1. Introduction & scope

The Manuva service is operated by Pac Technologies Pty Ltd (ABN 99 113 680 443; ACN 113 680 443), a company registered in Victoria, Australia, trading as Manuva. Registered office: 10–20 Gwynne St, Cremorne VIC 3121.

Pac Technologies Pty Ltd, trading as Manuva, is committed to managing personal information in accordance with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth).

This Privacy Policy explains how Manuva collects, uses, discloses, stores, and protects personal information. It applies to all personal information Manuva holds about you, whether collected online or offline, and regardless of how it is stored.

What this policy covers

  • The Manuva marketing site (manuva.app)
  • The Manuva web application (app.manuva.app)
  • All associated services and integrations

What this policy does not cover

  • Third-party websites linked from Manuva — each has its own privacy policy
  • Shopify's handling of customer data — Shopify's Privacy Policy applies
  • Stripe's handling of payment information — Stripe's Privacy Policy applies
  • Other integrated service providers — each governed by their own privacy policies

2. Personal information we collect

We collect personal information only when necessary to provide our services.

App users

When you create a Manuva account we collect:

  • First name and last name
  • Email address
  • Your role and permission level within your organisation
  • Records of your activity and actions within the platform (activity logs)
  • IP address and login information (managed by Supabase Auth)

Supplier contacts

If you add suppliers to Manuva, we store the following about supplier contacts:

  • Contact name and job title
  • Email address and phone number
  • Business address
  • Your notes about the relationship

Order data (Shopify integration)

When you connect your Shopify store to Manuva, we import:

  • Order ID and order date
  • Order total and line item details (product names, quantities, prices)
  • Shipping and billing addresses associated with the order
  • Order fulfilment status
Important. We do not currently collect end-customer names, email addresses, or personal details from your Shopify orders — that information stays in Shopify. This is planned for a future release; see the Roadmap below.

Staff data

If you use Manuva's staffing and costing features, we collect:

  • Employee names and job titles
  • Department assignments
  • Availability schedules (days/hours available to work)
  • Cost rates and payroll information

Analytical & operational data

We automatically collect:

  • Usage analytics (feature adoption, page views, session duration)
  • Dashboard metrics (sales trends, inventory levels, order counts)
  • System events and error logs
  • Metadata about your use of the platform

We do not collect intrusive analytics such as keystroke logging or mouse tracking.

3. How & why we use your information

Providing the service

  • Create and manage your account
  • Authenticate your identity and manage access to the platform
  • Process and display your orders, inventory, and operational data
  • Calculate costs, generate invoices, and manage billing
  • Provide customer support and respond to your inquiries
  • Send service-related notifications (billing alerts, security updates, system status)

Improving the platform

We use aggregated and anonymised data to:

  • Analyse how Manuva is used (feature adoption rates, common workflows)
  • Identify bugs, performance issues, and areas for improvement
  • Test new features and improvements
  • Personalise your user experience based on usage patterns

Your activity logs are not used for marketing or profiling.

Communication & support

We use your email address to:

  • Send invitations to join workspaces
  • Provide support responses to your inquiries
  • Send billing notifications and invoices
  • Notify you of important updates to our service or this policy
  • Send transactional emails (order confirmations, account changes)

You can manage email preferences in your account settings.

Compliance & legal obligations

We may use your information to:

  • Comply with Australian tax and accounting laws
  • Respond to legal requests, subpoenas, or court orders
  • Investigate fraud, abuse, or unauthorised access
  • Enforce our Terms of Service and other agreements
  • Protect the security and integrity of our platform and users

What we do not do

We do not use your personal information for:

  • Marketing or advertising outside the Manuva platform
  • Selling your data to third parties
  • Automated decision-making or profiling that affects your access
  • Purposes beyond those described in this policy

4. Who we share your information with

Service providers (data processors)

We share information with trusted third parties who process it on our behalf:

Provider Purpose Data shared
Supabase Authentication, database, backend infrastructure Account data, activity logs, operational data
Shopify Order synchronisation, product data OAuth token (read-only access to orders), product data
Stripe Payment processing and billing Billing information, subscription data, invoice records
Resend Transactional email delivery User email addresses, email content for notifications
Xero Accounting data synchronisation Order totals, financial transaction data

All service providers are contractually required to maintain confidentiality and security of your information.

Data controllers and processors

You are the data controller for:

  • Data about your own account and activities
  • Supplier contact data you add to Manuva
  • Staff and payroll information you enter

Manuva is the data controller for:

  • App user account data (name, email, login history)
  • Activity logs of your actions in the platform
  • Analytics and aggregated usage data
  • Billing and subscription information

Disclosure without consent

We may disclose your information without consent in limited cases:

  • Law enforcement: when legally compelled by warrant, subpoena, or court order
  • Government requests: compliance with tax authorities, regulators, or legal proceedings
  • Emergency: to protect life, health, or safety in urgent situations
  • Business transfer: if Manuva is acquired or merged, your data may be transferred (you will be notified)

Where legally permitted, we will provide you with notice before any such disclosure.

We do not sell, rent, or trade personal information. Your data is not a commodity for us.

5. Data retention & deletion

Default retention

Active accounts. Personal information is retained while your account is active so we can provide ongoing service and maintain your records.

Closed accounts. After you delete or close your account, personal data is retained for 12 months to support dispute resolution, account recovery, and compliance audits. After 12 months, the data is permanently deleted.

Activity logs

Activity logs are retained for 12 months and used for security audits, troubleshooting, and compliance verification. After 12 months they are permanently deleted.

Legal & compliance exceptions

Despite the 12-month default, we may retain data longer where required by law:

  • Tax records: 5 years (Australian Taxation Office requirements)
  • Accounting records: per accounting standards and legal obligations
  • Fraud investigations: for the duration of the investigation
  • Court orders: as ordered
  • Contractual disputes: until the dispute is resolved

Requesting deletion

You can request deletion of your personal information at any time:

  1. Email [email protected] with "Data Deletion Request" in the subject line.
  2. Include your name, email, account details, and the specific data you want deleted.
  3. We will action your request within 30 days, or explain why we cannot.

Limitations. We cannot delete records required by law, data needed to investigate fraud or abuse, or data already removed.

Data portability

You have the right to receive your personal data in a portable format. Email [email protected] with "Data Portability Request" in the subject line and we will provide your data in CSV or JSON format within 30 days.

6. Your rights

Right to access (APP 12)

You can request access to the personal information Manuva holds about you. Email [email protected] with "Access Request" in the subject line and include proof of identity. We will respond within 30 days. Access is normally free; for very large requests we may charge reasonable cost-recovery fees.

Right to correction (APP 13)

You can request correction of information that is inaccurate, incomplete, or out-of-date. If we decline to correct, you have the right to add a statement of disagreement, which we will note alongside the information.

Right to deletion

See Data retention & deletion above.

Right to opt out of direct marketing

Click "Unsubscribe" on any marketing email, or update your preferences in your account settings. We action opt-out requests immediately.

How to exercise your rights

We acknowledge requests within 10 business days and provide a full response within 30 days.

7. Security & data protection

Technical safeguards

  • Encryption in transit: all traffic uses TLS/HTTPS (minimum TLS 1.2)
  • Encryption at rest: sensitive database data is encrypted
  • Password security: passwords are hashed with bcrypt and random salts
  • Access controls: role-based access for authorised staff only
  • Regular updates: security patches applied within 30 days of release
  • Firewalls & intrusion detection: continuous monitoring for unauthorised access

Organisational safeguards

  • Annual privacy and confidentiality training for all employees
  • Confidentiality agreements signed by all staff
  • Need-to-know access only
  • Quarterly review of privacy and security practices

Vendor security

  • Data Processing Agreements with critical providers (Supabase, Stripe, Resend, Xero)
  • Annual security audits of critical vendors
  • Breach notification from vendors within 24 hours

Data breach response

If a data breach occurs we will:

  1. Immediately investigate the scope and impact
  2. Contain the breach and prevent further access
  3. Notify affected individuals within 30 days where legally required
  4. Notify the Office of the Australian Information Commissioner (OAIC) for eligible data breaches
  5. Provide advice on steps you can take to protect yourself
What we cannot guarantee. No security measure is completely secure. We take reasonable precautions but cannot guarantee absolute security. You are responsible for protecting your password and login credentials — do not share them.

8. Roadmap & planned changes

End-customer data import (planned, Q3 2026)

We plan to expand Manuva to collect customer data directly from Shopify:

  • What: customer names, email addresses, and phone numbers from Shopify orders
  • Why: to power better customer management and communication features
  • When: planned for Q3 2026 (subject to change)
  • Notification: email and in-app notice at least 30 days before launch
  • Consent: requires explicit opt-in; not auto-enabled for existing customers
  • Policy update: a new version of this policy will be published and become effective before launch

International expansion (planned, 2027)

  • EU (GDPR): a separate privacy policy aligned with the General Data Protection Regulation
  • California (CCPA): an addendum for California customers
  • Other regions: regional policies will be added as we expand

How we communicate changes

For material changes to this Privacy Policy:

  1. Email notification to all active users
  2. In-app banner shown on login for 30 days
  3. Effective date no earlier than 30 days after notification
  4. Account deletion remains available if you object to the changes

Your continued use of Manuva after the effective date means you accept the updated policy.

9. Contact & complaints

Privacy officer

For questions about this policy or how your personal information is handled:

We acknowledge inquiries within 10 business days and provide a full response within 30 days.

Lodging a complaint

If you believe Manuva has breached the Australian Privacy Principles, you have the right to lodge a complaint.

  1. Contact Manuva: email [email protected] with your name, contact details, a description of the concern, relevant dates, and any supporting documentation.
  2. We investigate: we acknowledge within 10 business days, investigate, may contact you for clarification, and provide a written response within 30 days.
  3. Resolution: our response sets out whether we believe a breach occurred, what we are doing about it, and your options for next steps.
  4. OAIC escalation: if you are not satisfied, you can lodge a complaint with the Office of the Australian Information Commissioner.

Office of the Australian Information Commissioner

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Address: GPO Box 5218, Sydney NSW 2001

You can lodge directly with the OAIC even if you have not contacted Manuva first, though the OAIC prefers organisations have an opportunity to resolve complaints internally before escalation.

Have a privacy question?

Email [email protected] and we will respond within 10 business days.

10. Definitions

  • Personal information — information about an identified individual or reasonably identifiable individual (e.g., name, email, phone, address, identification numbers).
  • Sensitive information — a subset of personal information requiring extra protection, including health information, religious beliefs, criminal record, political opinion, and membership of professional associations. We minimise collection of sensitive information.
  • Data subject — an individual whose personal information is collected (e.g., app user, supplier contact, staff member).
  • Data controller — an organisation that decides the purposes and means of processing personal information.
  • Data processor — an organisation that processes data on behalf of a controller.
  • Activity log — a record of actions taken by a user in Manuva (login, created order, updated inventory, etc.) including timestamp and user identity.
  • Breach — unauthorised access to, disclosure of, loss of, or damage to personal information.
  • Cookie — a small file stored on your device. Manuva uses cookies for authentication and site functionality, not tracking.
  • Metadata — information about information (e.g., when a file was created, its size) rather than the content itself.

Version history

Version Date Changes
1.0 12 May 2026 Initial privacy policy (MVP launch)
1.1 12 May 2026 Filled entity details (ABN, ACN, mailing address); added cross-reference to Terms of Service.

This Privacy Policy is effective immediately upon publication. Manuva reserves the right to update this policy at any time. Material changes will be communicated via email and in-app notification with at least 30 days' notice.