MANTIS Privacy Policy
Effective date: 1 April 2026
Last updated: 15 May 2026
1. Who We Are
MANTIS is operated by Navio Maritime OÜ, a company registered in Estonia.
- Registered name: Navio Maritime OÜ
- Country: Estonia
- Contact: privacy@mantis-ihm.com
- Website: mantis-ihm.com
For the purposes of the General Data Protection Regulation (GDPR), Navio Maritime OÜ is the data processor. Your organisation (the vessel owner, manager, or operator subscribing to MANTIS) is the data controller.
Where users create individual accounts directly, Navio Maritime OÜ acts as a joint controller for account-related data.
2. What Data We Collect
2.1 Account Information
- Full name
- Email address
- Password (stored as a bcrypt hash; we never store or have access to plaintext passwords)
- Organisation membership and role
- MFA/TOTP enrolment status
2.2 Vessel Data
- Vessel name
- IMO number
- Flag state
- Gross tonnage (GT)
- Vessel type and classification
2.3 IHM Compliance Data
- Inventory of Hazardous Materials (IHM) Part I, II, and III records
- Material descriptions, locations, quantities, and hazard classifications
- Supplier declarations and supporting documentation
- Compliance status and check history
- Uploaded files (certificates, declarations, survey reports)
2.4 Usage Data
- Last login timestamp
- Pages viewed within the application
- Feature usage patterns (aggregated)
- Browser type and screen resolution (for compatibility purposes only)
We do not collect IP addresses for analytics purposes. Where analytics services are used, they operate in cookieless mode with no personally identifiable information (see Section 6).
3. Why We Collect This Data
| Data category | Purpose | Legal basis (GDPR) |
|---|---|---|
| Account information | To create and manage your user account, authenticate you, and communicate service updates | Contract performance — Art. 6(1)(b) |
| Vessel data | To provide the IHM compliance management service | Contract performance — Art. 6(1)(b) |
| IHM compliance data | Core service functionality: tracking hazardous materials, generating compliance reports, maintaining audit history | Contract performance — Art. 6(1)(b) |
| Usage data | To maintain service reliability, identify bugs, and improve the product | Legitimate interest — Art. 6(1)(f) |
We do not process personal data for marketing purposes without separate, explicit consent.
4. Where Your Data Is Stored
All data is stored within the European Union.
- Database and authentication: Supabase, hosted on AWS eu-central-1 (Frankfurt, Germany)
- File storage: Supabase Storage, hosted on AWS eu-central-1 (Frankfurt, Germany)
- Application hosting: Cloudflare Pages, EU edge network
Your IHM and account data are not transferred outside the EU/EEA. The one exception is an optional marketing-site analytics tool (Microsoft Clarity), which loads only if you consent and is processed by Microsoft in the United States under the EU–US Data Privacy Framework — see Section 6.
5. Data Retention
- Active accounts: Your data is retained for the duration of your subscription
- Cancelled accounts: Data is archived for 90 days following cancellation. During this period, you may request reactivation with all data intact
- After 90 days: Archived data is permanently deleted unless you request earlier deletion or we are legally required to retain it (e.g., for tax or regulatory compliance)
- Deletion requests: You may request immediate deletion of your data at any time by contacting privacy@mantis-ihm.com. We will process deletion requests within 30 days
6. Third-Party Sub-Processors
We use the following third-party services to operate MANTIS. Each processes data only as necessary to provide their service.
| Sub-processor | Service | Data processed | Location |
|---|---|---|---|
| Supabase Inc | Database, authentication, file storage | All application data | EU (Frankfurt) |
| Cloudflare Inc | Application hosting, CDN, DNS | HTTP requests, static assets | EU edge network |
| Sendinblue SAS (Brevo) | Transactional email | Email addresses, notification content | EU (Paris) |
| Stripe Payments Europe Ltd | Subscription billing, payment processing | Payment data (card details processed by Stripe directly — never seen by MANTIS) | EU (Dublin) |
| Sentry GmbH | Application error monitoring | Error events, stack traces (no personal data in payloads) | EU (Germany) |
| PostHog | Product analytics | Anonymous UUID only — no email, no name, no cookies, in-memory session only | EU |
| Plausible Insights OÜ | Aggregate web analytics (marketing site only) | Page views, referrers — no cookies, no personal data | EU (Estonia) |
| Microsoft Clarity | Heatmaps + session replay (marketing site only) | Anonymised interaction data — sets cookies; loaded only with your consent | US (Microsoft; EU–US Data Privacy Framework) |
We do not sell, rent, or share your data with any other third parties. We do not use advertising networks or third-party tracking services. Customers are notified at least 30 days in advance of any sub-processor change, with a right to object per the DPA.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of all personal data we hold about you
- Right to rectification (Art. 16) — Request correction of inaccurate data
- Right to erasure (Art. 17) — Request deletion of your personal data
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format (XLSX export is available within the application)
- Right to restrict processing (Art. 18) — Request that we limit how we use your data
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time
- Right to lodge a complaint — You may file a complaint with your national Data Protection Authority. For Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
To exercise any of these rights, contact privacy@mantis-ihm.com. We will respond within 30 days.
8. Cookies and Local Storage
The MANTIS application stores your authentication session in your browser’s localStorage, not in cookies, and its analytics (PostHog, in-memory) and traffic measurement (Plausible) are cookieless. We do not use advertising cookies or cross-site tracking. Cloudflare may set strictly-necessary performance cookies for DDoS protection.
On our marketing site only, Microsoft Clarity (heatmaps and anonymised session replay) sets cookies. It is not loaded unless you opt in via the cookie banner shown on your first visit. You can accept or reject it, and change your choice at any time using the “Cookie settings” link in the site footer. Rejecting means Clarity never loads and no Clarity cookies are set; the cookieless analytics above continue regardless.
9. International Data Transfers
All application data processing occurs within the EU/EEA. The one exception is Microsoft Clarity (optional, consent-gated, marketing site only), whose anonymised interaction data is processed by Microsoft in the United States under the EU–US Data Privacy Framework and Standard Contractual Clauses. If you do not consent to Clarity, no data leaves the EU/EEA.
If our other processing arrangements change in the future, we will ensure appropriate safeguards are in place (such as Standard Contractual Clauses) and update this policy accordingly.
10. Security Measures
We implement the following technical and organisational measures to protect your data:
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- PostgreSQL Row Level Security ensuring data isolation between organisations
- Multi-factor authentication (MFA/TOTP)
- Bcrypt password hashing with per-user salts
- Rate-limited authentication endpoints
- Session timeout after inactivity
- Audit trail for all data modifications
- Automated daily database backups with point-in-time recovery
11. Children’s Data
MANTIS is a business-to-business service for maritime compliance management. We do not knowingly collect data from anyone under the age of 16. If we become aware that we have collected personal data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes:
- We will notify all registered users by email at least 30 days before the changes take effect
- The updated policy will be published within the application with the new effective date
- Continued use of MANTIS after the effective date constitutes acceptance of the updated policy
13. Contact
For any questions about this privacy policy or our data practices:
Email: privacy@mantis-ihm.com
Company: Navio Maritime OÜ, Estonia
Web: mantis-ihm.com
For security concerns, contact security@mantis-ihm.com.