Curralder Manifest — Privacy Policy
Last updated: 20 June 2026
Curralder (ABN 52 958 287 709) ("Curralder", "we", "us") operates Manifest, a delivery-forecasting analytics product for engineering teams. This policy explains what personal data we collect, why, how we share it, where it goes, and the rights you have — wherever you are. It applies globally; region-specific rights are set out in Your rights by region below.
1. Who we are and how to contact us
- Controller: Curralder (ABN 52 958 287 709), a sole trader in Australia. We do not publish a postal address; please reach us at privacy@curralder.com.
- Privacy contact: privacy@curralder.com.
- EU/UK representative (GDPR Art. 27 / UK GDPR): as a controller established outside the EU/UK, we will appoint a representative before we onboard EU/UK customers. This appointment is deferred pre-launch and tracked internally; until it is in place we are not offering the Service to EU/UK data subjects.
2. The personal data we collect
- Account data you provide: name, email address, organisation name.
- Authentication data: managed by our identity provider (see section 5); we store your user identifier.
- Connected work-tracking data: when you connect Jira, GitHub, or similar, we retrieve task metadata (issue types, statuses, resolution dates, sprint/board configuration, assignee identifiers) to compute team-level completion rates and forecasts. We do not retrieve the content of your issues beyond what is needed to identify task type and completion status.
- Payment data: collected and processed by Stripe; we do not store card details.
- Product analytics: captured via PostHog only after you grant cookie consent.
- Error / diagnostic data: captured via Sentry under legitimate interest for reliability and security.
- Email / waitlist data: your email address and delivery metadata when you join the waitlist or receive service emails.
We do not surface individual contributor performance. Assignee data is used only in aggregate to determine team composition and capacity; we will not build features that identify, rank, or compare individuals, and we do not provide individual-level data to your organisation or any third party.
3. Why we use it (purposes and lawful bases)
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide, operate, and secure the Service; manage your account | Performance of a contract |
| Process payments | Performance of a contract |
| Product analytics | Consent (withdrawable any time) |
| Error monitoring, reliability, fraud / abuse prevention | Legitimate interests |
| Service-related communications (e.g. verification, security, billing notices) | Performance of a contract / legitimate interests |
| Waitlist / marketing emails | Consent (double opt-in) |
| Comply with legal obligations | Legal obligation |
4. How we share it
We share personal data only with the sub-processors needed to operate the Service (section 5). We do not sell or share personal information for cross-context behavioural advertising, and we do not share data with advertisers. We may disclose information if required by law, such as in response to a court order or lawful request from a government authority.
5. Sub-processors, international transfers, and where your data sits
Our primary data plane is EU-resident (hosting, database, error data, product analytics). Three sub-processors are US-based and are disclosed as international-transfer carve-outs, each safeguarded by the EU-US Data Privacy Framework (DPF) and EU Standard Contractual Clauses (SCCs).
| Sub-processor | Purpose | Location / residency | Transfer safeguard | Their privacy policy |
|---|---|---|---|---|
| Google Cloud Platform | Hosting / infrastructure | EU (europe-west1) | EU-resident — no transfer | cloud.google.com |
| Neon | Application database | EU | EU-resident — no transfer | neon.tech |
| Sentry | Error monitoring | EU | EU-resident — no transfer | sentry.io |
| PostHog | Product analytics | EU (eu.i.posthog.com) | EU-resident — no transfer | posthog.com |
| Atlassian / GitHub | Source of connected work-tracking data (at your direction) | Per provider | Per provider DPA | atlassian.com / github.com |
| Firebase Authentication (Google) | Identity / authentication | US | DPF + SCCs | firebase.google.com |
| Stripe | Payments | US | DPF + SCCs | stripe.com |
| Resend (Plus Five Five, Inc.) | Transactional & waitlist email delivery | US (primary processing; sends via EU eu-west-1) | DPF + SCCs | resend.com |
We give at least 30 days' notice of sub-processor changes where required by our customer agreements.
6. Retention
We retain personal data only as long as needed to provide the Service and to meet legal, security, dispute-resolution, and backup-retention needs. Data may persist briefly in encrypted backups before scheduled purge; residual backup copies are purged within the backup-rotation window and are not used to restore deleted accounts. Waitlist and email records are retained per the email provider's terms (e.g. deletion within 90 days of account termination).
You may request immediate deletion of your data at any time by contacting privacy@curralder.com; we will process immediate deletion requests within 5 business days.
7. Security
We use encryption in transit (TLS) and at rest, access controls, and least-privilege practices. Our EU-resident infrastructure and US carve-out providers maintain recognised security certifications (e.g. SOC 2, ISO 27001). No method of transmission or storage is completely secure; while we strive to protect your information, we cannot guarantee absolute security.
8. Cookies and analytics consent
The Service uses cookies and similar technologies for the following purposes:
- Strictly-necessary cookies: required for authentication and session management. These cannot be disabled without losing access to the Service.
- Display preference cookies:
tcr_locale_hintandtcr_tz_hintstore your browser's reported language tag and IANA timezone so dates and times render in your preferred format and zone. They are first-party, derived from your browser settings, are not identifiers, and are not shared with third parties. - Analytics (PostHog): collected only with your consent. Withdrawing analytics consent stops future capture and triggers deletion of previously-captured analytics events where the provider supports it. We do not use advertising cookies, tracking pixels, ad networks, or cross-site tracking.
You can change cookie preferences at any time.
9. Your rights by region
Everyone can request access, correction, export, or deletion of their personal data by emailing privacy@curralder.com. We respond to access and correction requests within 30 days.
EEA / UK (GDPR / UK GDPR)
You have the rights of access, rectification, erasure, restriction, data portability, and objection, and the right to withdraw consent at any time. Where we rely on legitimate interests, you may object. You have the right to lodge a complaint with your supervisory authority (e.g. your national data protection authority, or the UK ICO). Details of our international transfers and safeguards are in section 5.
United States — California (CCPA / CPRA)
You have the right to know, access, delete, and correct your personal information, and to not be discriminated against for exercising these rights. We do not sell or share your personal information. Submit requests to privacy@curralder.com.
Australia (Privacy Act 1988 / APPs)
We handle personal information in accordance with the Australian Privacy Principles, including open and transparent management (APP 1), notification of collection (APP 5), and cross-border disclosure safeguards (APP 8). You may complain to the Office of the Australian Information Commissioner (OAIC).
If you have visited Manifest without signing up and accepted cookies, you have a tcr_anon_id cookie that identifies your browser to us. To request a copy or
deletion of data we hold against this ID, email privacy@curralder.com quoting your tcr_anon_id. You can view or copy your ID at any time in Cookie Preferences; the
panel masks it until you choose to reveal it.
10. Children
The Service is intended for business and professional use and is not directed to children. We do not knowingly collect personal data from children. If we become aware that we have collected such information, we will take steps to delete it promptly.
11. Changes to this policy
We may update this policy from time to time. For material changes (e.g. a new sub-processor or a new purpose) we will record a new policy version and request renewed acceptance before continued use, and we will update the effective date at the top of this page.
12. Contact
If you have questions about this policy, or wish to make a privacy complaint, contact us at:
Curralder
Email: privacy@curralder.com
ABN: 52 958 287 709
If you are in Australia and are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Website: oaic.gov.au
Phone: 1300 363 992