Privacy Policy

Last updated: November 29, 2025

Doddle Software Limited ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy ("Policy") explains how we collect, use, store, share, and protect your personal data when you use the Manifest productivity application, website, and related services (collectively, the "Service").

Our registered company details: Doddle Software Limited, 127 Foundry Lane, Fareham, SO15 3LD, United Kingdom.

By accessing or using the Service you agree to the collection and use of your information in accordance with this Policy. If you disagree, please do not use the Service.

1. Definitions & Key Terms

  • "Personal Data" means any information relating to an identified or identifiable natural person.

  • "Usage Data" means data collected automatically (for example: IP address, browser type, usage logs).

  • "Account" means your user account with us for accessing the Service.

  • "Workspace" means a user-created organizational container within Manifest for managing goals, tasks, and related content.

  • "AI Features" means the artificial intelligence-powered capabilities within the Service, including the AI assistant and automated task suggestions.

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data.

  • "Processor" means an entity which processes Personal Data on behalf of the Controller.

  • For the UK GDPR and the UK Data Protection Act 2018, we are acting as a Controller of Personal Data collected via the Service (unless otherwise stated).

2. What Personal Data We Collect

2.1 Data you provide

  • Registration & account information: name, email address, password (securely hashed), profile details, and profile picture.

  • Subscription & payment information (via Stripe, our third-party payment processor): billing address and payment method details. Note: we do not store full card numbers; this is handled securely by Stripe.

  • Productivity content you create: workspaces, goals, milestones, tasks, subtasks, focus timer sessions, calendar events, and notes.

  • AI interaction data: conversations with our AI assistant, prompts submitted to AI features, and AI-generated content you choose to save.

  • Customer support communications: your messages, correspondence with us (including via email or in-app support).

  • Feedback and feature requests: suggestions, bug reports, and other feedback you submit through the Service.

2.2 Usage & automatic data

  • IP address, device type, browser type, and operating system.

  • Timestamps of your interactions with the Service, pages visited, features used, and session duration.

  • Workspace activity metrics (number of workspaces, goals completed, tasks completed, AI sessions used).

  • Subscription usage data (plan type, usage against plan limits).

  • Cookies and tracking technologies (see section 7).

  • Logged errors, crash reports, or performance metrics (anonymised where possible).

2.3 Data from third parties

  • Authentication providers: If you choose to log in via Google OAuth, we receive your name, email address, and profile picture from Google in accordance with your permissions.

  • Analytics providers: We use PostHog for product analytics to understand how users interact with the Service.

  • Payment processor: Stripe provides us with transaction status, subscription status, and billing-related information.

3. How and Why We Use Your Personal Data

We process your Personal Data for the following purposes and on the following lawful bases (under UK GDPR / EU GDPR where applicable):

3.1 Providing & operating the Service

  • To register your account, authenticate your identity, and manage your access. Lawful basis: performance of a contract.

  • To enable your use of Manifest features including workspaces, goals, tasks, focus timer, calendar, and AI assistant. Lawful basis: performance of a contract.

  • To process payments, manage subscriptions (Pro and Premium plans), handle renewals, and process cancellations via Stripe. Lawful basis: performance of a contract / legal obligation.

  • To enforce usage limits based on your subscription plan (workspace limits, AI session limits). Lawful basis: performance of a contract.

3.2 AI-powered features

  • To provide AI assistant responses and offer intelligent task suggestions. Lawful basis: performance of a contract / your consent.

  • To improve AI model performance and response quality through aggregated, anonymised analysis. Lawful basis: legitimate interests.

  • Note: Your conversations with the AI assistant may be processed by our AI service providers (OpenAI, Google Gemini) subject to their respective privacy policies.

3.3 Improvements, analytics & research

  • To monitor usage of the Service, track performance, diagnose bugs, and improve the Service. Lawful basis: legitimate interests (our interest in improving our Service) provided your rights are protected.

  • To perform aggregate, anonymised analytics studies for product development.

  • To understand feature adoption and user engagement patterns.

3.4 Communications

  • To send you service-related communications (e.g., subscription confirmations, usage alerts, security notices). Lawful basis: performance of a contract / legitimate interests.

  • To send you product updates and marketing communications if you have opted-in. Lawful basis: consent.

  • You may opt-out of marketing communications at any time (see section 10).

3.5 Legal & compliance obligations

  • To comply with legal obligations, respond to lawful requests from authorities, prevent fraud, and protect rights and property. Lawful basis: legal obligation / legitimate interests.

4. Sharing & Disclosure of Your Personal Data

We will not share your Personal Data except in the following limited circumstances:

  • Service Providers & Processors: We engage third-party partners who process data on our behalf under contract:

    • Supabase: Database hosting and authentication services
    • Stripe: Payment processing and subscription management
    • Vercel: Application hosting and deployment
    • OpenAI / Google: AI model providers for assistant features
    • PostHog: Product analytics
    • ImgBB: Image hosting for user uploads

  • Affiliates or successors: In the event of a reorganisation, merger, or sale of all or part of our business (you will be notified).

  • Legal compliance: When required by law, regulation, court order, or to protect our rights, property, or the safety of users.

  • With your consent: If you have explicitly authorised a sharing.

We do not sell your personal data.

5. International Data Transfers

Because we operate globally and use international service providers, your data may be transferred to, processed in, or accessed from countries outside your country of residence (including outside the UK or European Economic Area).

Our primary data infrastructure is hosted via Supabase and Vercel, which may store data in various global regions. AI features are processed by OpenAI (USA) and Google (global).

We ensure that such transfers are subject to appropriate safeguards (for example, Standard Contractual Clauses or adequacy decisions) as required under UK GDPR/EU GDPR.

By using our Service you consent to such transfers.

6. Data Retention & Deletion

We keep your data only for as long as is necessary for the purposes set out in this Policy or as required by law. Specifically:

  • Account and subscription data: Retained for up to seven (7) years after account closure or last payment, to comply with tax and accounting requirements.

  • Productivity content (workspaces, goals, tasks, focus sessions): Retained for up to two (2) years following account inactivity or closure, after which it may be deleted or irreversibly anonymised.

  • AI conversation history: Retained for up to one (1) year after the conversation, or until you delete your account.

  • Monthly usage data: Retained for twelve (12) months for billing and analytics purposes.

  • Anonymised analytics data: May be kept indefinitely for product improvement.

Upon request, you may delete your account and associated data (see section 10). Once deleted, retrieval may not be possible.

7. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to collect Usage Data and to improve and personalise the Service.

You will be asked to provide consent via a cookie banner where required (e.g., UK/EU).

Types of cookies we use:

  • Essential cookies: For authentication, security, session management, and core functionality.

  • Performance & analytics cookies: To understand how you use the Service (via PostHog).

  • Functional cookies: To remember your preferences (theme, workspace selection, sidebar state).

  • Marketing cookies: Where applicable and with your consent.

You can manage or disable cookies via your browser settings; note this may reduce the functionality of the Service.

8. Your Rights Under UK/EU Data Protection Law

If you are a resident of the UK or EU, you have certain legal rights in relation to your Personal Data:

  • Right to access: Request a copy of the data we hold about you.

  • Right to rectification: Correct inaccurate or incomplete data.

  • Right to erasure: Request deletion of your data (the "right to be forgotten"), subject to our retention obligations.

  • Right to restrict processing: Limit how we use your data in certain circumstances.

  • Right to object: Object to processing based on legitimate interests.

  • Right to data portability: Receive your data in a structured, machine-readable format.

  • Right to withdraw consent: Where we rely on consent, you may withdraw it at any time.

  • Right to lodge a complaint: File a complaint with the Information Commissioner's Office (UK) or your local data protection authority.

To exercise any of these rights, please contact us using the details in section 10. We may ask you to verify your identity before responding to requests.

9. Security of Your Personal Data

We adopt appropriate technical and organisational measures to protect your Personal Data:

  • Encryption: All data is encrypted in transit (TLS/HTTPS) and at rest.

  • Authentication: Secure password hashing, OAuth 2.0 integration, and session management via Supabase Auth.

  • Access controls: Row Level Security (RLS) policies ensure users can only access their own data.

  • Infrastructure security: Hosted on enterprise-grade platforms (Supabase, Vercel) with regular security audits.

  • Payment security: Payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider.

However, no transmission over the Internet or storage can be guaranteed 100% secure; we cannot promise absolute security.

10. Contact Information & How to Reach Us

If you have questions about this Policy or wish to exercise your rights, you can contact us:

Doddle Software Limited Email: contact@doddle.software Address: 127 Foundry Lane, Fareham, SO15 3LD, United Kingdom

To delete your account: You can request account deletion by contacting us at the email above or through the account settings within the Service.

If you believe we have not complied with this Policy or applicable data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (UK) or your local data protection authority.

11. Age Restrictions

Our Service is intended for users who are at least 18 years of age (or the applicable age of legal majority in your country). The Service is designed for solopreneurs and professionals managing their productivity.

If you are under 18, you must not use the Service. We do not knowingly collect Personal Data from children under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately, and we will delete that data.

12. Changes to This Privacy Policy

We may update this Policy from time to time. We will post the updated "Last updated" date at the top.

If we make material changes, we will notify you via:

  • Email notification to your registered email address
  • Prominent notice within the Service

Your continued use of the Service after such changes means you accept the updated Policy.

13. Scope & Global Use

While we operate from the United Kingdom and the law of England & Wales applies to our operations, the Service is accessible globally. This Policy applies to users worldwide.

If local data protection laws in your country provide greater protection, you may benefit from those rights in addition to what is stated here.

If you are using the Service outside the UK, you are responsible for complying with your local laws regarding data protection and privacy.

14. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.

We encourage you to review the privacy policy of every site you visit.

15. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature. Because there is no common understanding of how to interpret DNT signals, the Service does not currently respond to DNT browser signals.

Thank you for trusting Manifest with your data. We are committed to keeping it safe and helping you achieve your goals.