Mandraki Mandraki
Започни
This document is available in English only.

Privacy Policy

Last updated: 5 February 2026

1. Data controller

The data controller for the Mandraki website (mandraki.cloud) and the Mandraki web application (app.mandraki.cloud) is Mandraki, operated by Mandraki AB on evroc cloud infrastructure within the European Union.

2. Data we collect

Website visitors

We collect minimal data from website visitors. We do not use advertising cookies, tracking pixels, or third-party analytics. Essential cookies are used only for session management and language preferences.

Application users

When you create an account, we collect:

  • Account information: Email address and a hashed password (we never store your password in plain text)
  • Organisation data: Organisation name and membership information if you join or create a team

During use of the application, we process:

  • Messages: Text messages, file attachments, and images you send (encrypted at rest, optionally end-to-end encrypted)
  • Call data: Call metadata (participants, duration, timestamps) and, if recording is enabled with consent, call recordings
  • Files: Documents and media you choose to share within your organisation

3. Data storage and residency

All data is stored and processed within the European Union on evroc cloud infrastructure. We do not transfer personal data outside the EU. Our servers are located in evroc data centres within EU member states.

4. Encryption

Data is encrypted at rest using AES-256-GCM with a three-tier key hierarchy (master key, organisation key, data encryption key). Our architecture supports end-to-end encryption using the MLS protocol for messaging and SFrame for media, ensuring that when enabled, content is encrypted on your device and cannot be decrypted by our servers.

5. Third-party services

Mandraki uses the following third-party services:

  • WebRTC: Industry-standard real-time communication protocol for video calls. Media is routed through our EU-based Selective Forwarding Unit (SFU).
  • TURN/STUN servers: Used for NAT traversal to establish peer connections. Operated on our own EU infrastructure.

We do not share your personal data with advertisers, data brokers, or any third parties for marketing purposes.

6. Analytics and conversion tracking

Server-side analytics

We collect aggregated business metrics server-side to operate and improve our service:

  • Account events (signups, subscription changes) - counts only, no personal details
  • Feature usage patterns - which features are used, not who uses them
  • Error rates - to improve reliability

What we do NOT collect

  • No advertising cookies or tracking pixels
  • No third-party analytics scripts (no Google Analytics)
  • No browser fingerprinting or device identifiers
  • No personal profiling or cross-site tracking

Advertising conversions

When you sign up or make a purchase, we may send a one-time conversion signal to advertising platforms (Google Ads) to measure campaign effectiveness. This data:

  • Is transmitted server-to-server (no browser involvement)
  • Contains only: timestamp, action type, value, and a one-way hash of your email
  • Is used solely for conversion measurement, not retargeting
  • Cannot be reversed to identify you

Legal basis

  • Service improvement: Legitimate interest (Article 6(1)(f) GDPR)
  • Conversion tracking: Legitimate interest in measuring advertising ROI

Data retention

Business event data is retained for 90 days maximum, then automatically deleted.

7. Your rights

Under the GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data
  • Restrict processing: Limit how we use your data
  • Data portability: Receive your data in a machine-readable format
  • Object: Object to processing of your personal data
  • Withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, contact privacy@mandraki.cloud. You may also export your data directly from the application settings.

8. Data retention

Account data is retained for the duration of your account. Messages and files are retained according to your organisation's retention policy. When you delete your account, personal data is removed within 30 days. Call recordings are deleted according to the retention period set by your organisation administrator. Anonymised usage statistics may be retained for service improvement.

9. Children's privacy

Mandraki is designed for professional and organisational use. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact privacy@mandraki.cloud and we will delete the information.

10. Changes to this policy

We may update this privacy policy from time to time. We will notify you of significant changes via email or through the application. The "Last updated" date at the top of this policy indicates when it was last revised.

11. Contact

For privacy-related enquiries, contact our Data Protection Officer at privacy@mandraki.cloud.

For general support, visit our contact page.