Privacy Policy

1. Information we collect

a. Information you provide

• Account identity — your preferred name, your function in your organization (e.g., Executive, Plant Manager, Engineer), and email address. When you create a ManuStride web account, these are stored in our secure cloud database so your profile and progress are available whenever and wherever you sign in. In the forthcoming mobile app (beta), the same details can be kept on your device and synced to your account if you enable cross-device sync.
• Launch list email, when you join the waitlist on manustride.com.
• Subscription metadata, when you upgrade to Pro or Enterprise. On the web, payments are processed by Stripe, and we store your Stripe customer and subscription identifiers, plan tier, status, and current-period end date. In the forthcoming mobile app (beta), in-app purchases are processed by the app store (Apple App Store or Google Play), and we store only a store-issued subscription identifier, tier, and status. In either case we never see or store your full card number or billing address; the payment processor handles the card.
• App content you create — assessment responses, 90-day journey progress, template session answers, quiz attempts, ROI calculations, bookmarks, and feedback. On the web, this content is stored in our secure cloud database under your account so it is available across your sessions and devices; every row is isolated to your account so only you can access it (see Section 5). In the forthcoming mobile app (beta), this content can be kept on your device by default and, if you enable secure cross-device sync, an encrypted copy is also stored under your account.

b. Information collected automatically

• Essential cookies. When you sign in to the web application, we set strictly-necessary cookies that keep you authenticated and protect against cross-site request forgery. These cookies are required for the Service to function, are never used for advertising or cross-site tracking, and — because they are strictly necessary — do not require consent. They are separate from the optional, consent-gated analytics described below.
• Anti-abuse signals. When you submit the waitlist form, we pass a verification challenge token to a third-party bot-protection service, which assesses whether the submission is automated. That service may collect your IP address, browser characteristics, and challenge-interaction signals to perform the check.
• Server logs. Our hosting provider records standard HTTP access logs (IP address, request path, user agent) for security and reliability.
• Website analytics — consent-gated. When (and only when) you click Accept on our consent banner, we load a privacy-focused, cookieless web analytics provider on manustride.com. It receives anonymous page-view, referrer, user-agent, and Core Web Vitals events for aggregate site-quality measurement. Your IP address is processed only transiently to derive a two-letter country code and a daily-rotating hashed visitor-bucket; the raw IP is not stored, no cookies are set, and no cross-site tracking occurs. If you click Reject or simply navigate the site without choosing, no analytics provider is loaded and no analytics events are sent.
• Mobile app analytics: no app-side analytics are sent from the mobile app today. We will update this section if that changes.

c. Categories of personal information (CCPA / CPRA)

Under the California Consumer Privacy Act, the personal information we collect maps to the following statutory categories:

• Identifiers — preferred name, organizational function, email address, the account identifier issued by our authentication provider when you sign in, and, if we later enable additional sign-in methods, the identifier from your chosen method. Today web sign-in is email and password; Google and Microsoft sign-in on the web, and Sign in with Apple in the forthcoming mobile app, are planned but not yet available.
• Commercial information — subscription tier and purchase metadata from Stripe (web) or app-store billing (forthcoming mobile app).
• Professional or employment-related information — your organizational function and any role-relevant information you enter into assessments or templates. We treat organizational role and function as Sensitive Personal Information under the CPRA when it is linked to an identified individual. We only use this information to provide and personalize the Service and do not sell, share, or use it for any other purpose.
• Internet / network activity — server access logs (IP address, request path, user agent); anti-abuse signals from our bot-protection provider on website forms; and, only after you accept the consent banner, anonymous page-view and Core Web Vitals events sent to our cookieless web analytics provider (no cookies, no cross-site tracking, raw IP not stored).
• Inferences — none. We do not create profiles or predictions from your data.

We do not collect geolocation data, biometric information, government identifiers, or financial account information. Web sign-in uses email and password: your password is hashed and stored by our authentication provider; we never see or store it in plain text. Should we later enable Google or Microsoft sign-in on the web, or Sign in with Apple in the forthcoming mobile app, we would never receive a password through them at all.

2. How we use information

• Account and app data: to provide the Service — authenticate you, store and sync your profile, assessments, journey progress, and sessions, enforce the entitlements of your subscription tier, and let you pick up where you left off across devices.
• Waitlist email: to send (i) a one-time launch notification when ManuStride becomes publicly available, (ii) occasional product milestone announcements (major release, significant new capability), and (iii) periodic invitations to provide product feedback.
• Bot-protection signals: to verify the submission isn't automated. Not used for advertising.
• Server logs: for security investigation, debugging, and abuse prevention. Retained only briefly (no more than 30 days), then automatically deleted.
• Web analytics (only after you accept the consent banner): to measure aggregate page-view volume, traffic referrers, device-type breakdown, and Core Web Vitals (loading, interactivity, layout stability). Not used for advertising, not used to identify individual visitors, and not shared with any third party beyond the analytics provider itself. You can revoke consent at any time by clearing site data from your browser; on next visit the banner will re-prompt and, until you accept, no analytics is loaded.

CAN-SPAM compliance (commercial email)

Where the messages described above are commercial in nature, we comply with the United States CAN-SPAM Act of 2003 (15 U.S.C. § 7701 et seq.):

• Every commercial email identifies the sender, uses accurate “From,” “To,” “Reply-To,” and subject lines, and includes our valid postal mailing address.
• Every commercial email contains a clear, conspicuous, working opt-out mechanism that does not require you to pay a fee, provide additional personal information beyond your email address, or take any step beyond clicking a single link or replying to a single email.
• We honor opt-out requests within ten (10) business days of receipt, and in any event no later than is required by applicable law. Once you opt out, you will not receive further commercial email from us.
• Even after opt-out, we may continue to send transactional or relationship messages — such as account-security notifications, password-reset emails, subscription receipts, or direct replies to a support ticket you initiated — as permitted by 15 U.S.C. § 7702(2)(B).
• We do not sell, rent, exchange, or transfer your email address to any third party for that party's own marketing purposes, and we do not use harvested, generated, or purchased lists to source new recipients.

California residents have an additional statutory right under California Business & Professions Code § 17529.5 et seq. to opt out of further commercial email by replying to any such email with “unsubscribe” in the subject line or by emailing hello@manustride.com with “Unsubscribe” in the subject. We will honor any such request within ten business days.

3. Third-party processors

We rely on a small number of third-party service providers (sub-processors), each under its own privacy policy and bound by a data-processing agreement, and we disclose them here by the category of service they provide. When you use the ManuStride web application, your account and app data are held by our cloud database provider and any paid subscription is processed by Stripe, as described below. The forthcoming mobile app (beta) can operate in a local-first mode in which, unless you enable cross-device sync, your app content stays on your device.

• Cloud hosting & infrastructure — serves the website, routes requests, and records the short-lived server logs described above.
• Cloud database & authentication — stores, in a United States region, (a) your account (email and the email/password authentication record, plus any optional two-factor authentication factor, and any additional sign-in method we may enable later); (b) your profile and all web app data (assessments, journey, sessions, quizzes, ROI calculations, bookmarks, feedback); (c) the waitlist email list; and (d) the optional encrypted copy of mobile app data when cross-device sync is enabled. App data is encrypted at rest and isolated per account so that only your authenticated session can read or write your own rows.
• Payment processing — Stripe — for web Pro and Enterprise subscriptions (Checkout and the customer billing portal). Stripe receives and stores your card and billing details directly; we receive only your subscription status and the Stripe customer and subscription identifiers. See stripe.com/privacy.
• Sign-in providers — Google, Microsoft, and Apple — planned optional identity providers. Today, web sign-in uses email and password only. Google and Microsoft sign-in on the web, and Sign in with Apple in the forthcoming mobile app, are not yet available; if and when we enable them, the chosen provider would authenticate you and return your name and email to create or match your account, and we would update this policy before turning them on. Because email and password is currently the only sign-in method, no such provider receives any data today.
• Web analytics — consent-gated; loaded only after you click Accept on the consent banner. A privacy-focused, cookieless provider that receives anonymous page-view, referrer, user-agent, country (from a transient IP lookup; raw IP not stored), and Core Web Vitals events. No cookies, no cross-site tracking.
• Bot protection— a third-party service that verifies the waitlist form isn't being submitted by automated bots. It may receive your IP address and challenge-interaction signals for that check only.
• Rate limiting — transient per-IP accounting for the waitlist endpoint. Your IP address is stored for the duration of a 60-second sliding window only and is then automatically discarded. No request bodies, email addresses, or other personal data are sent — only the IP and a request count.
• App stores (forthcoming mobile app, beta) — the Apple App Store and Google Play handle app distribution and in-app-purchase subscription billing. This applies only to the mobile app; the web application is not distributed through an app store.

4. Data retention

• Waitlist emails: retained until the app launches plus 12 months, or until you request deletion — whichever is sooner.
• Account identity (preferred name, organizational function, email): on the web, retained in our database for as long as your account is active. You can delete your account — and all associated data — at any time from your account settings, or by emailing us. We also remove accounts after 24 months of continuous inactivity, emailing a 30-day deletion notice first. In the forthcoming mobile app (beta), local account details live on your device until you delete the app.
• App data: on the web, retained with your account until you delete the individual item or your whole account (same triggers as Account identity above); deleting your account removes it immediately. In the forthcoming mobile app (beta) it is stored on your device for as long as the app is installed, and any synced copy is removed within 30 days of disabling sync, deleting the app, or emailing hello@manustride.com.
• Subscription metadata: retained for the duration of your subscription plus the period required for tax, accounting, and financial-reporting purposes (currently 7 years under US tax law).
• Server logs: retained only briefly (no more than 30 days) by our hosting provider, then automatically deleted.

5. Security practices

Encryption. All network traffic between ManuStride and our backend uses TLS. Your account and app data are encrypted at rest (AES-256) in our cloud database, which is hosted in a United States region.

Authentication. On the web you sign in with email and password, Google, or Microsoft, and can optionally enable time-based one-time-password (TOTP) two-factor authentication for an additional layer of protection. For email-and-password accounts, your password is salted and hashed by our authentication provider — we never see or store it in plain text. The forthcoming mobile app (beta) additionally offers Sign in with Appleon iOS; if you choose Apple's “Hide My Email” option there, we receive only Apple's private relay address (e.g., a randomized address ending in @privaterelay.appleid.com) and never your real email.

Isolation. Every row is tagged with your user ID and protected by row-level access controls enforced in the database. Other users — and our own employees, except as required for incident response — cannot read your data.

Control. On the web you can review and update your profile, manage or cancel your subscription, and permanently delete your account and all associated data from your account settings — deletion is immediate, irreversible, and also removes your authentication record. In the forthcoming mobile app (beta) you can disable cross-device sync from Settings → Data & Sync. You can also email hello@manustride.com to request access to, an export of, or deletion of your data; we'll confirm within 30 days.

Breach notification. If we discover a security breach affecting your personal information, we will notify you in accordance with applicable law and, where feasible, within 72 hours of confirmation. Notification will be sent by email to the address associated with your account (if sync is enabled) and posted as an in-app banner on next launch.

6. Your rights

Regardless of where you live, you can email hello@manustride.com to request access to, correction of, deletion of, or a portable copy of your personal information. We will respond within 30 days.

No sale or sharing of personal information

We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). We do not use your personal information for targeted advertising, cross-context behavioral advertising, or any analogous purpose.

California (CCPA / CPRA)

California residents have the right to:

• Know what personal information we collect and how we use it.
• Delete personal information we have collected.
• Correct inaccurate personal information.
• Data portability — receive a portable copy of your personal information.
• Opt out of the sale or sharing of personal information — we do not sell or share, so this is automatic.
• Limit the use of Sensitive Personal Information to what is necessary to deliver the Service.
• Non-discrimination — you will not be treated differently for exercising any of these rights.

To exercise any right, email the address above.

European Union & EEA / United Kingdom (GDPR / UK GDPR)

Although ManuStride primarily serves customers in the United States, we respect the privacy rights of all our users to the extent that the General Data Protection Regulation applies to any personal data we process. We will comply with its requirements.

If you access the Service from the European Union, European Economic Area, Switzerland, or United Kingdom, the General Data Protection Regulation (or UK GDPR) applies. Our lawful basis for processing your personal information is performance of a contract (Article 6(1)(b)) — the contract being the Terms of Service you accept by using the Service. For account-recovery and security-related processing, our lawful basis is legitimate interest (Article 6(1)(f)).

You have the rights enumerated under Articles 15–22 of the GDPR, including:

• Access to your personal data.
• Rectification of inaccurate data.
• Erasure (“right to be forgotten”).
• Restriction of processing.
• Data portability.
• Objection to processing.
• The right not to be subject to automated individual decision-making — we do not engage in any.

You also have the right to lodge a complaint with your national supervisory authority.

International transfers of your personal data outside the EU/EEA/UK occur because our hosting providers operate in the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss mechanisms as the transfer mechanism.

7. Age requirement & minors

ManuStride is intended for adults aged 18 or older using the Service in a professional manufacturing capacity. The Service is not directed to, marketed to, or intended for anyone under 18.

In particular, the Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13 within the meaning of the U.S. Children's Online Privacy Protection Act (COPPA). If we learn that we have collected personal information from a child under 13, we will delete it promptly.

We do not knowingly collect personal information from individuals under 18 (including anyone under 13). If you are under 18, please do not use the Service or submit any information through it. If we become aware that we have collected personal information from someone under 18, we will delete that information promptly. If you believe a person under 18 has provided us with personal information, please contact hello@manustride.com and we will investigate and remove it.

8. International transfers

ManuStride is operated from the United States, and your personal information is primarily stored and processed in the United States. Where we transfer the personal data of residents of the European Union, European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses and the equivalent UK and Swiss mechanisms described in Section 6 as the lawful transfer mechanism.

9. Changes to this policy

We may update this policy as the product evolves. Non-material changes (clarifications, typo fixes, formatting) will be reflected on this page with an updated “Last updated” date.

For material changes — such as adding a new category of personal information we collect, a new processor with access to your data, or a new use of your data — we will provide reasonable advance notice by (a) email to the address associated with your account if sync is enabled, (b) an in-app banner on next launch, and (c) an updated date on this page. Continued use of the Service after the effective date of a material change indicates acceptance.

10. Accessibility

We are committed to making manustride.com and the ManuStride mobile app usable by the broadest possible audience, including people who use assistive technology. We target conformance with the Web Content Accessibility Guidelines (WCAG) 2.2 Level AA published by the W3C, and we apply each mobile platform's accessibility features (screen readers, dynamic text sizing, reduced motion, and high-contrast modes) in the mobile app.

Our ongoing accessibility work covers keyboard-only operation, compatibility with screen readers (VoiceOver, NVDA, JAWS), minimum color-contrast ratios for body and interface text, visible focus indicators, descriptive alternative text for non-decorative imagery, respect for the prefers-reduced-motion media query, and the absence of content that could trigger seizures or vestibular discomfort.

Accessibility is iterative. If you encounter a barrier on the website or in the app, or if you need an alternative way to access any information or functionality, please email hello@manustride.com with “Accessibility” in the subject line. We will respond within five (5) business days, work with you in good faith to provide a comparable alternative, and use the feedback to prioritize further accessibility improvements.

This statement was last reviewed on the “Last updated” date shown at the top of this page.

11. Contact

Questions about this policy or your data? Email hello@manustride.com.