Privacy Policy

Version 1.3 · Last updated: 14 April 2026

At Mango Technologies Ltd, we are committed to safeguarding the privacy and security of personal information. This Privacy Policy sets out the principles and practices governing the collection, processing, storage, disclosure, and protection of personal data in compliance with the DIFC Data Protection Law No. 5 of 2020, and, where applicable, the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and other applicable data protection and privacy laws.

This policy applies specifically to the Mango DMA product operated at mangosuite.com and its subdomains (signup.mangosuite.com, dashboard.mangosuite.com, chat.mangosuite.com).

1. Who We Are / Data Controller

For the purposes of applicable data protection law, the data controller for personal data collected through Mango DMA is:

Mango Technologies Ltd
A company incorporated in the Dubai International Financial Centre (DIFC).
Parent company website: mangoserve.com
Product website: mangosuite.com

If you have any questions about this Privacy Policy or our processing of your personal data, you may contact us at hello@mangosuite.com.

2. Information We Collect

We collect and process the following types of personal and business data:

Account Information:

• Business email address (required; free email providers such as Gmail, Yahoo, and Outlook are rejected during signup)
• Company name and business description
• Company website URL
• Contact name and job title

Brand & Content Data:

• Brand bible configuration (voice adjectives, tone, target audience, banned words, competitors, brand colors) — stored as JSON in our database
• AI-generated marketing content (Instagram captions, LinkedIn posts, blog introductions, YouTube Shorts descriptions, reel briefs)
• Media assets (AI-generated images via FLUX.2, Ideogram, AI-generated videos via Veo 3) stored in Google Cloud Storage

OAuth Tokens for Social Platforms:

• Instagram / Meta OAuth tokens (via Facebook Login for Business) — encrypted via Fernet symmetric encryption (PBKDF2-HMAC-SHA256 key derivation) before storage
• Facebook Page tokens (via Meta Graph API) — encrypted via Fernet symmetric encryption before storage
• LinkedIn OAuth tokens (Community Management API, 60-day expiry with automated renewal warnings) — encrypted via Fernet symmetric encryption before storage
• YouTube API tokens — encrypted via Fernet symmetric encryption before storage
• TikTok OAuth tokens — encrypted via Fernet symmetric encryption before storage

Billing Information:

• Payment is processed exclusively through Stripe. Mango Technologies does not store, process, or have access to credit card numbers, CVVs, or full card details. Stripe handles all PCI-DSS compliance. We store only: Stripe customer ID, subscription ID, and price ID.

Usage & Analytics Data:

• Post engagement metrics (impressions, reach, engagement rate) collected from Instagram Insights API and LinkedIn Analytics API
• Platform interaction logs (publishing events, approval actions, content state transitions)
• Dashboard access logs

Intelligence API Usage Data:

• Consumer name and API key identifier
• Endpoint accessed (macro, micro, competitive, brand-health, synthesis)
• Client slug requested
• Response time and HTTP status code
• Timestamp of each request

Consumer Feedback Data:

• Questions submitted via Intelligence API feedback endpoint
• Content gap requests and suggestions
• Processed and deleted within 7 days of collection

Community Data:

• Comment and direct message content from connected social platforms (Instagram, LinkedIn, Facebook, TikTok)
• Read-only access for draft reply generation purposes
• Platform and creator handle information
• Public engagement context

Influencer Data:

• Public social profile information (follower counts, engagement rates)
• Public post content and performance metrics
• Audience demographics (from platform APIs where available)
• Engagement patterns and collaboration history

Website Usage Information:

• IP address, browser type, device type, and data on how you interact with our website
• On the marketing website (mangosuite.com), if you have accepted analytics and marketing cookies via our cookie banner, we collect pseudonymous visit data using Google Analytics 4 and the Meta (Facebook) Pixel. This data is used to measure website traffic and the effectiveness of our advertising on Facebook and Instagram. No analytics or advertising trackers load before you accept them, and the Meta Pixel is not loaded on the authenticated dashboard (dashboard.mangosuite.com). See our Cookie Policy for the full list of cookies and trackers.

The Child Digital Safety (CDS) Provision (UAE Law 26 of 2025):
In accordance with UAE Federal Decree-Law No. 26 of 2025 on Child Digital Safety, our website and services are not directed to children. We do not knowingly collect, process, publish, or share personal data of children under the age of 13 except where permitted by applicable law. If we become aware that such data has been collected in violation of applicable law, we will take steps to delete it.

3. Legal Basis for Processing

We process personal data only where we have a lawful basis to do so, including:

(a) To take steps at your request before entering into a contract or to perform a contract with you (e.g., providing the Mango DMA service after you subscribe);

(b) To comply with legal or regulatory obligations;

(c) For our legitimate interests in operating, securing, and improving our platform and services, except where such interests are overridden by your rights; and

(d) Where required, on the basis of your consent.

4. How We Use Your Data

Your data is used for the following purposes:

• Service delivery: To generate and publish marketing content on behalf of your business across Instagram, LinkedIn, Facebook, TikTok, YouTube, and Blog/CMS channels using AI (Gemini Flash for research and copy, FLUX.2 and Ideogram for images, Veo 3 for video)
• Content approval: To send email approval requests (APPROVE/REJECT) before any content is published on your behalf
• Analytics & reporting: To collect engagement metrics and generate morning briefs, performance reports, and weekly CEO reports
• Brand compliance: To validate all generated content against your brand bible configuration
• Account management: To manage your subscription, process billing via Stripe, and provide customer support
• Intelligence API: We process market signals and expose aggregated intelligence to authenticated B2B consumers via our Intelligence API. Individual client data is never shared between consumers. All access is scoped by client_slug and API key permissions.
• Community Engine: When you connect social accounts, we read public comments and direct messages to generate draft replies. This content is processed by Gemini 2.5 Flash (Google Vertex AI) and is not stored permanently beyond the drafting workflow.
• Platform improvement: To improve our AI models’ prompt templates, optimize content generation quality, and enhance platform features through aggregated, anonymized usage data
• Marketing measurement (marketing website only, consent-based): If you accept marketing cookies on the mangosuite.com marketing website, we use Google Analytics 4 and the Meta (Facebook) Pixel to measure visits and the effectiveness of our paid advertising on Facebook and Instagram. We do not run any advertising or retargeting trackers on the authenticated dashboard (dashboard.mangosuite.com), and we do not use your content, brand bible, or customer data for advertising.
• Security: To protect against unauthorized access, fraud, and abuse

We do not sell your data to third parties, and we do not share individual client content with other clients. Each client’s data is isolated via PostgreSQL Row-Level Security (RLS) policies. The only advertising-related processing we carry out is consent-based visit measurement on the marketing website, as described above.

5. Data Storage and Infrastructure

All data is stored on Google Cloud Platform (GCP) infrastructure:

No data is stored on local servers or personal devices. No plaintext tokens exist in source code, environment files, or logs.

6. Data Sharing and Disclosure

We will not share your personal information with third parties, except in the following cases:

• Platform APIs: When you authorize us to post content on your behalf, we interact with Meta Graph API (Instagram/Facebook), LinkedIn API, YouTube Data API, and TikTok API using your encrypted OAuth tokens. Content is posted to your own social media accounts.
• Payment processing: Stripe processes all payment transactions. Stripe’s privacy policy governs their handling of payment data.
• AI service providers: We use the following third-party AI services to generate and evaluate marketing content on your behalf. No personally identifiable client data is included in AI prompts — only brand voice configuration, content themes, and industry keywords.

  Provider	Service	Purpose	Data Sent
  Google Cloud (Vertex AI)	Gemini 2.5 Flash	Copywriting, strategy, research, trend detection	Brand voice adjectives, tone parameters, content themes
  Google Cloud (Vertex AI)	Gemini 2.5 Pro	Long-form blog generation, complex editorial judgment	Brand voice, topic briefs, competitor themes
  fal.ai	FLUX.2 + LoRA	AI image generation with brand-trained style models	Text prompts describing desired imagery, brand style parameters
  Ideogram	Ideogram V3	Text-heavy social card and graphic generation	Text prompts, brand color palette, layout instructions
  Google Cloud (Vertex AI)	Veo 3	AI video generation (short-form social video)	Video scene descriptions, brand guidelines
  Google Cloud (Vertex AI)	Chirp 3	Text-to-speech for video narration	Script text (no PII)
  Perplexity AI	Sonar Pro	Audience intelligence research, trend detection	Industry keywords, topic queries — no client PII

  All AI processing is performed under data processing agreements with each provider. Prompts and outputs may be transiently processed outside the UAE (see Section 8, International Data Transfers).
• Analytics & marketing measurement (marketing website only, consent-based): If you accept analytics and/or marketing cookies on mangosuite.com, limited pseudonymous visit data is shared with Google (Google Analytics 4) and Meta Platforms, Inc. (Meta Pixel) for the purpose of measuring site traffic and the effectiveness of our paid advertising on Facebook and Instagram. No such data is sent before you accept cookies, and none of it is sent from the authenticated dashboard. You can withdraw consent at any time via “Cookie Settings” in the footer.
• Legal requirements: When required by law or regulatory authorities within the UAE or internationally.
• Corporate transactions: In the event of a merger, acquisition, or any other corporate transaction, subject to confidentiality agreements whereby the successor entity continues to honor this Privacy Policy.

7. Data Security

We take appropriate technical and organizational measures to protect your personal data:

• Encryption at rest: All data encrypted via Google Cloud managed encryption keys
• Encryption in transit: All connections use TLS 1.2+
• Token encryption: All OAuth tokens encrypted via Fernet symmetric encryption (PBKDF2-HMAC-SHA256 key derivation, 100k iterations) before storage in PostgreSQL
• Access control: PostgreSQL Row-Level Security (RLS) enforces per-tenant data isolation
• Secret management: All API keys stored in GCP Secret Manager — zero plaintext exposure
• Authentication: JWT-based sessions with TOTP 2FA, passkey (WebAuthn), and magic link support
• CI security scanning: Automated security agent scans every code push for hardcoded secrets, SQL injection patterns, and CORS misconfigurations
• Audit trail: Immutable publishing_events table logs every content state transition with timestamp and actor

However, no data transmission over the internet is entirely secure, and we cannot guarantee absolute security.

8. International Data Transfers

As a company based in the UAE, your personal data is primarily processed within the UAE (GCP me-central1 region). Where personal data is transferred outside the UAE (e.g., API calls to Google Cloud for AI content generation, fal.ai for image generation, Ideogram for text-heavy images, or Stripe for payment processing), we ensure that such transfers comply with applicable legal requirements, specifically Article 22 of the UAE PDPL, and are protected by appropriate safeguards, which may include transfers to jurisdictions recognised as adequate or the use of contractual safeguards required or recognised by applicable law.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our websites. The full list, purposes, and retention periods are documented in our Cookie Policy.

Summary:

• Strictly necessary cookies (session, CSRF, SSO state) are always active and cannot be disabled — they are required for the platform to function.
• Functional cookies remember dashboard preferences and are treated as strictly necessary for the authenticated dashboard.
• Analytics cookies (Google Analytics 4: _ga, _ga_*) and marketing cookies (Meta Pixel: _fbp, _fbc) are loaded only on the marketing website (mangosuite.com) and only after you accept them via our cookie banner. They are not loaded on the authenticated dashboard (dashboard.mangosuite.com) under any circumstances.
• HiMango chat widget stores a short-lived session identifier in localStorage (not a third-party cookie). On the marketing website the widget is optional and loads only after consent; on the authenticated dashboard it is part of the product and loads as strictly necessary.
• No advertising or retargeting trackers are used on the authenticated dashboard.
• No data is sold to cookie or advertising intermediaries, and we do not use cookies to build advertising profiles beyond those disclosed in the Cookie Policy.

You can change your cookie preferences at any time via “Cookie Settings” in the footer of mangosuite.com, or through your browser settings. Withdrawing consent to analytics or marketing cookies will stop all further data collection by those trackers.

10. Retention of Data

We retain your personal data as follows:

Upon account cancellation, your data will be exported and made available to you within 7 days. After export confirmation, data is permanently deleted within 30 days, except for audit trail records retained for legal compliance.

11. Your Rights

Subject to applicable law, you have the right to:

• Access: Request a copy of your personal data held by us
• Correction: Request correction of inaccurate or incomplete data
• Erasure: Request deletion of your personal data (subject to legal retention requirements)
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing based on legitimate interests
• Portability: Request transfer of your personal data in a structured, machine-readable format (JSON export of brand bible, content, and analytics)
• Withdraw consent: Where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, please contact us at hello@mangosuite.com. We will respond within 30 days.

12. Automated Decision-Making and Profiling

We use automated decision-making in the following areas of our service:

Content Quality Scoring: All AI-generated marketing content is automatically scored by Gemini Flash against your brand bible configuration and learned audience preferences. Content scoring determines the publishing workflow:

• Score ≥ 0.85: Content is automatically approved and scheduled for publication
• Score 0.50–0.84: Content is held for manual human review via email approval
• Score < 0.50: Content is automatically rejected and queued for regeneration

Performance Optimization (RORA Loop): Our Return on Robot Activity system automatically identifies underperforming published content, extracts winning patterns from high-performing posts, and regenerates improved content using those patterns. This process uses aggregated engagement metrics (impressions, reach, engagement rate) — not individual user data.

Prospect Intelligence: During the onboarding process, we generate a free intelligence report using automated analysis of publicly available market data, competitor information, and industry trends. This analysis does not involve profiling of individuals.

These automated processes do not produce legal effects or similarly significant effects on individuals. They operate on business content and brand data, not on personal data of individual persons. You may request human review of any automated content decision by contacting us at hello@mangosuite.com or by using the REJECT link in any approval email.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Any updates will be posted on our website at mangosuite.com/privacy with the effective date of the new policy. Material changes will be communicated via email to registered account holders.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at:

Mango Technologies Ltd
Email: hello@mangosuite.com
Parent company: mangoserve.com
Product: mangosuite.com

Privacy Policy v1.3 · April 2026 · Mango Technologies Ltd · mangosuite.com