Privacy Policy

Last updated: March 2026

1. Information We Collect

We collect information you provide directly and data generated through your use of the Service:

  • Account information: name, email address, company name, billing information.
  • Cloud credentials: IAM access keys, role ARNs, or service account keys you provide for scanning (stored encrypted).
  • Scan data: cloud resource configurations, security findings, and metadata from your scanned environments.
  • Usage data: API call logs, scan frequency, feature usage, dashboard interactions.
  • Technical data: IP addresses, browser type, device identifiers, referrer URLs.

2. How We Use Your Information

  • Provide, operate, and improve the MANTIS platform.
  • Process cloud scans and generate security reports.
  • Send transactional emails (scan completions, billing receipts, alerts).
  • Respond to support requests and inquiries.
  • Detect and prevent abuse, fraud, or security incidents.
  • Comply with legal obligations.
  • Send product updates and security advisories (opt-out available).

We do not sell your personal information or scan data to third parties.

3. Scan Data Handling

Your cloud scan data (resource configurations, finding details, misconfigurations) is treated as confidential. We access this data solely to provide the Service.

MANTIS operates with read-only access to your cloud environments. Our scanners do not modify, create, or delete any resources. The credentials you provide are used only for scanning and are never shared with third parties.

Scan results are retained for the duration of your subscription plus 30 days. You may delete scan data at any time through the dashboard. Deleted data is permanently purged within 30 days.

4. Data Storage & Security

All data is stored in encrypted form using AES-256 encryption at rest. All data in transit is protected by TLS 1.3. Cloud credentials receive a further layer of encryption at the application level: Fernet (AES-128-CBC with HMAC-SHA256 authentication) under PBKDF2-derived keys, and the encryption key is never stored alongside the encrypted data.
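The construction named above (Fernet under a PBKDF2-derived key, with the key held apart from the stored record), shown as an added illustration. This is not MANTIS's own code: the environment variable name, the record layout, the helper names and the use of the AWS documentation's example access key as sample input are all assumptions made here.

```python
"""Added example: sealing a cloud credential with Fernet under a PBKDF2-derived key.

Not MANTIS's code.  The master secret lives in the process environment (name
assumed), the stored record carries only salt, KDF parameters and the Fernet
token, so a database dump alone cannot decrypt anything.
"""
import base64
import os
import secrets

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

KDF_ITERATIONS = 600_000          # OWASP's published minimum for PBKDF2-HMAC-SHA256
SALT_LEN = 16
MASTER_SECRET_ENV = "MANTIS_CREDENTIAL_MASTER_SECRET"   # assumed name


def load_master_secret() -> bytes:
    """Fetch the master secret from the environment, never from the database."""
    value = os.environ.get(MASTER_SECRET_ENV)
    if not value:
        raise RuntimeError(f"{MASTER_SECRET_ENV} is not set")
    return value.encode()


def derive_fernet_key(master_secret: bytes, salt: bytes,
                      iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch master_secret with PBKDF2-HMAC-SHA256 into a Fernet key.

    Fernet is AES-128-CBC plus HMAC-SHA256 and wants a urlsafe-base64 32-byte key.
    A fresh per-record salt gives every record its own key from one master secret.
    """
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
                     salt=salt, iterations=iterations)
    return base64.urlsafe_b64encode(kdf.derive(master_secret))


def seal_credential(master_secret: bytes, credential: bytes,
                    iterations: int = KDF_ITERATIONS) -> dict:
    """Encrypt a credential; the returned dict is what gets persisted.

    Deliberately absent from the record: the master secret and the derived key.
    """
    salt = secrets.token_bytes(SALT_LEN)
    token = Fernet(derive_fernet_key(master_secret, salt, iterations)).encrypt(credential)
    return {
        "kdf": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode(),
        "token": token.decode(),
    }


def open_credential(master_secret: bytes, record: dict) -> bytes:
    """Decrypt a stored record.  Raises InvalidToken on a wrong master secret or
    a modified ciphertext: Fernet verifies the HMAC before touching AES."""
    salt = base64.b64decode(record["salt"])
    key = derive_fernet_key(master_secret, salt, record["iterations"])
    return Fernet(key).decrypt(record["token"].encode())


def decrypts_with(master_secret: bytes, record: dict) -> bool:
    """True if master_secret opens the record, False if Fernet rejects it."""
    try:
        open_credential(master_secret, record)
        return True
    except InvalidToken:
        return False


def tamper_detected(master_secret: bytes, record: dict) -> bool:
    """Flip one character in the middle of the token (ciphertext region) and
    confirm the authenticated decryption refuses it."""
    token = record["token"]
    i = len(token) // 2
    flipped = token[:i] + ("A" if token[i] != "A" else "B") + token[i + 1:]
    return not decrypts_with(master_secret, {**record, "token": flipped})


if __name__ == "__main__":
    # Constructed sample: the AWS documentation's placeholder access key id.
    secret = os.environ.get(MASTER_SECRET_ENV, "demo-only-master-secret").encode()
    rec = seal_credential(secret, b"AKIAIOSFODNN7EXAMPLE")
    print("stored record:", rec)
    print("round trip:", open_credential(secret, rec))
    print("wrong secret rejected:", not decrypts_with(b"not-the-secret", rec))
    print("tamper detected:", tamper_detected(secret, rec))
```

PBKDF2's iteration count buys something only when the master secret is low-entropy (a passphrase); with a random 32-byte secret from a secrets manager, the stretching adds latency but no security margin, and a plain HKDF would do the per-record key separation just as well.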

Our infrastructure is hosted on AWS in the us-east-1 region. Access to production systems is restricted to authorized personnel via MFA-protected accounts with least-privilege IAM policies. We maintain access logs and audit trails for all production access events.

5. Third-Party Services

We use the following third-party services to operate MANTIS:

  • Stripe — payment processing (we never store raw card numbers).
  • AWS — infrastructure hosting, database, object storage.
  • Resend — transactional email delivery.
  • PostHog — product analytics (anonymized usage data only).

Each third party is bound by data processing agreements and handles your data only as necessary to provide their service to us.

6. Cookie Policy

We use cookies and similar technologies to:

  • Essential cookies: maintain your authenticated session (required for the Service to function; no in-app opt-out).
  • Preference cookies: remember your dashboard settings and preferences.
  • Analytics cookies: understand how the Service is used (anonymized, opt-out available).

We do not use advertising or tracking cookies. You can control cookies through your browser settings, though disabling essential cookies will prevent you from logging in.

7. Data Retention

We retain your data for as long as your account is active. After account deletion:

  • Scan results and findings: deleted within 30 days.
  • Cloud credentials: deleted immediately upon account deletion.
  • Billing records: retained for 7 years as required by law.
  • Account logs: retained for 1 year for fraud prevention.

8. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights:

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate personal data.
  • Erasure: request deletion of your personal data.
  • Portability: export your data in a machine-readable format.
  • Objection: opt out of certain processing activities.
  • Do Not Sell: California residents may opt out of any sale of personal information (we do not sell data).

To exercise these rights, contact hello@mantis.dev. We will respond within 30 days.

9. Children's Privacy

MANTIS is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice in the dashboard at least 14 days before changes take effect. The “Last updated” date at the top reflects the most recent revision.

11. Contact

For privacy-related questions or to exercise your rights, contact: hello@mantis.dev. For security vulnerability disclosures, use security@mantis.dev.