Privacy Policy for Mantaray Timesheets

Last updated: January 30, 2026


Introduction

This Privacy Policy ("Policy") describes how Mantaray Software Sàrl, a company incorporated in Luxembourg with registered address at 2C Rue Nicolas Bové, L-1253 Luxembourg ("Mantaray", "Company", "we", "us", "our"), collects, uses, stores, discloses, and otherwise processes Personal Data (as defined below) in connection with the Mantaray Timesheets mobile application (the "App") and related services (collectively, the "Service").

This Policy also explains the rights available to individuals whose Personal Data is processed in connection with the Service, including rights under Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").


Scope; Enterprise Use

The Service is a mobile companion application to Mantaray CRM. The App is intended exclusively for enterprise/professional users whose organization is a licensed customer of Mantaray CRM and whose user account is preconfigured by the organization or its administrator. The App does not provide public registration, and external users without valid Mantaray CRM credentials cannot access the Service.


Definitions

"Account" means an authorized user account created and managed within the customer's Mantaray CRM environment to access the Service.

"Controller", "Processor", "Personal Data", "Processing", and "Supervisory Authority" shall have the meanings given to them under the GDPR.

"Customer Organization" means the entity (typically your employer or contracting entity) that licenses Mantaray CRM and provides you with access credentials.

"CRM Content" means data stored in or processed through the Mantaray CRM environment, including timesheets and related references to customers, jobs, tasks, and CSR items.


Roles and Responsibilities (Controller/Processor)

CRM Content

In most deployments, the Customer Organization determines the purposes and means of processing CRM Content (including timesheets and related records). In such cases, the Customer Organization acts as the Controller of CRM Content and Mantaray acts as a Processor with respect to such CRM Content, to the extent Mantaray processes it on the Customer Organization's behalf (for example, through support, maintenance, or hosting services, depending on the customer setup).

Mantaray Business Data

Mantaray acts as Controller for Personal Data processed for its own independent business purposes, such as handling contractual communications, invoicing/administration, or responding to inquiries sent directly to Mantaray.

If you wish to exercise rights related to CRM Content, you should generally contact your Customer Organization's administrator/controller first, as they control the CRM data and user permissions.


Categories of Personal Data Processed

Depending on configuration and permitted access, the Service may process the following categories of Personal Data:

Account and Profile Data (as configured in the CRM)

  • Identifiers such as initials, name (if stored in CRM), and email address (if stored in CRM);
  • Organization-related account identifiers required to authenticate and authorize access.

Authentication Data

  • Login credentials (account identifier and password) used for user authentication.
    Passwords are used for authentication and are not intended to be disclosed to Mantaray personnel except as strictly necessary for support under controlled procedures (if applicable).

Timesheet and Related Operational Data (CRM Content)

  • Timesheet entries (e.g., recorded time/hours, dates, optional descriptions/notes if used);
  • Associations/links to CRM entities such as customers, jobs, tasks, and CSR items;
  • Validation status indicators (e.g., validated/rejected) where enabled in the Customer Organization's CRM configuration.

Technical and Security Data (Minimal)

To operate the Service securely and reliably, limited technical data may be processed by server infrastructure or client-hosted systems, such as:

  • Request timestamps;
  • Security and diagnostic logs used to prevent unauthorized access and troubleshoot incidents (which may include IP address at time of access, depending on server configuration).

The Service is not designed as a web browsing service and does not collect browser history or website “pages visited” data as part of its normal operation.

User-Initiated Crash Report Data (Optional)

If the App experiences a crash, the App may present an option allowing the user to send a crash report to Mantaray by email to support@mantaray.lu. Such report includes only:

  • the error message; and
  • the error code.

The report does not include telemetry, analytics, or user-entered timesheet content.


Sources of Personal Data

Personal Data processed via the Service is obtained from:

  • the authorized user and/or the Customer Organization's Mantaray CRM environment (CRM Content and account/profile data);
  • technical systems involved in providing connectivity and security (minimal technical/security logs);
  • user-initiated communications to Mantaray (e.g., support emails, optional crash report emails).

Purposes of Processing

Mantaray processes Personal Data for the following purposes, as applicable:

  • (a) Provision of the Service: to authenticate users, provide access to the App features, and enable creation, modification, and viewing of timesheets synchronized with Mantaray CRM;
  • (b) Security and integrity: to protect the Service and connected systems, prevent unauthorized access, detect and address misuse, and maintain service integrity;
  • (c) Support and troubleshooting: to respond to technical issues, investigate errors, and provide customer support;
  • (d) Service improvement: to maintain and improve reliability, performance, and user experience (using non-advertising, non-tracking operational information as applicable);
  • (e) Legal and compliance: to comply with applicable legal obligations and enforce agreements.

Lawful Bases for Processing (GDPR)

Where the GDPR applies, Mantaray relies on one or more lawful bases under Article 6 GDPR, as appropriate to the specific processing activity.
These bases include:

Performance of a Contract (Art. 6(1)(b) GDPR)

Processing is necessary for the performance of a contract to which the Customer Organization is a party, and/or to provide the Service to authorized users pursuant to the Customer Organization's agreement with Mantaray.

Compliance with a Legal Obligation (Art. 6(1)(c) GDPR)

Processing is necessary for compliance with legal obligations to which Mantaray is subject (e.g., obligations relating to recordkeeping, responding to lawful requests).

Legitimate Interests (Art. 6(1)(f) GDPR)

Processing is necessary for Mantaray's legitimate interests in operating and securing the Service, preventing fraud and misuse, ensuring business continuity, and troubleshooting technical issues, provided such interests are not overridden by the interests or fundamental rights and freedoms of data subjects.

Consent (Art. 6(1)(a) GDPR) — Only Where Applicable

If Mantaray introduces optional features that require consent (e.g., non-essential processing), consent will be requested prior to enabling such processing and may be withdrawn at any time.


Disclosure of Personal Data

Mantaray does not sell Personal Data. We disclose Personal Data only as necessary for the purposes described in this Policy, including:

To the Customer Organization

CRM Content (including timesheets) is accessible to the Customer Organization and its authorized users/administrators according to its internal permissions and policies.

Service Providers / Sub-Processors

Mantaray may engage service providers that process Personal Data on Mantaray's behalf to support delivery and security of the Service (e.g., infrastructure, hosting, backups, support tooling), subject to contractual confidentiality and data protection obligations.

Legal Requirements and Protection of Rights

Mantaray may disclose Personal Data where required by law or legal process, or where necessary to protect the rights, property, or safety of Mantaray, Customer Organizations, users, or others.

Corporate Transactions

In connection with a merger, acquisition, reorganization, or sale of assets, Personal Data may be transferred as part of that transaction, subject to appropriate safeguards.


International Data Transfers

The Service is generally deployed with customer environments hosted on-premises or within the EU/EEA (commonly Luxembourg/EU). Mantaray does not operate the Service for customers outside the EU/EEA at this time. If an international transfer outside the EU/EEA becomes necessary in the future, Mantaray will implement appropriate safeguards as required under applicable data protection law (e.g., standard contractual clauses, where applicable).


Data Retention

CRM Content Retention

Retention of CRM Content (timesheets and related CRM records) is primarily determined by the Customer Organization, which controls the CRM environment and its retention rules. Users should consult their Customer Organization for retention and deletion practices for CRM Content.

Mantaray-Controlled Data

Mantaray retains Personal Data under its control (e.g., support communications and user-initiated crash report emails) only for as long as necessary to fulfill the purposes described in this Policy, including providing support, resolving issues, meeting legal obligations, and enforcing agreements.

Security/Diagnostic Logs

Security and diagnostic logs are retained for a limited period appropriate for security monitoring and troubleshooting, and are then deleted or anonymized in accordance with Mantaray's internal procedures and applicable requirements.


Security

Mantaray implements reasonable technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission or storage is completely secure; therefore, Mantaray cannot guarantee absolute security.


Data Subject Rights (GDPR)

Subject to applicable law and any lawful limitations, individuals may have the right to:

  • Access Personal Data;
  • Rectify inaccurate Personal Data;
  • Request erasure of Personal Data;
  • Restrict processing;
  • Object to processing (in particular where processing is based on legitimate interests);
  • Receive Personal Data in a portable format (data portability);
  • Withdraw consent (where processing is based on consent);
  • Lodge a complaint with a Supervisory Authority.

Because the Service is provided through a Customer Organization and CRM Content is typically controlled by that organization, requests regarding CRM Content should generally be directed to the Customer Organization's administrator/controller. You may also contact Mantaray at info@mantaray.lu for assistance and we will respond as required under applicable law.

Supervisory Authority — Luxembourg

If you are located in Luxembourg (or the relevant supervisory authority is Luxembourg), you may lodge a complaint with the Luxembourg Supervisory Authority:
Commission nationale pour la protection des données (CNPD),
15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg.


Children's Privacy

The Service is intended for professional use and is not directed to individuals under the age of 16. Mantaray does not knowingly collect Personal Data from children under 16.


Changes to the Policy

Mantaray may update this Policy from time to time. The “Last updated” date at the top indicates when this Policy was last revised. Material changes may be communicated through appropriate channels (e.g., within the App or by notice to Customer Organizations).


Contact

For privacy-related questions or requests:
Email: info@mantaray.lu

For technical support (including optional crash report emails):
Email: support@mantaray.lu