Skip to main content

Curralder Manifest — Privacy Policy

Last updated: 20 June 2026

Curralder (ABN 52 958 287 709) ("Curralder", "we", "us") operates Manifest, a delivery-forecasting analytics product for engineering teams. This policy explains what personal data we collect, why, how we share it, where it goes, and the rights you have — wherever you are. It applies globally; region-specific rights are set out in Your rights by region below.

1. Who we are and how to contact us

  • Controller: Curralder (ABN 52 958 287 709), a sole trader in Australia. We do not publish a postal address; please reach us at privacy@curralder.com.
  • Privacy contact: privacy@curralder.com.
  • EU/UK representative (GDPR Art. 27 / UK GDPR): as a controller established outside the EU/UK, we will appoint a representative before we onboard EU/UK customers. This appointment is deferred pre-launch and tracked internally; until it is in place we are not offering the Service to EU/UK data subjects.

2. The personal data we collect

  • Account data you provide: name, email address, organisation name.
  • Authentication data: managed by our identity provider (see section 5); we store your user identifier.
  • Connected work-tracking data: when you connect Jira, GitHub, or similar, we retrieve task metadata (issue types, statuses, resolution dates, sprint/board configuration, assignee identifiers) to compute team-level completion rates and forecasts. We do not retrieve the content of your issues beyond what is needed to identify task type and completion status.
  • Payment data: collected and processed by Stripe; we do not store card details.
  • Product analytics: captured via PostHog only after you grant cookie consent.
  • Error / diagnostic data: captured via Sentry under legitimate interest for reliability and security.
  • Email / waitlist data: your email address and delivery metadata when you join the waitlist or receive service emails.

We do not surface individual contributor performance. Assignee data is used only in aggregate to determine team composition and capacity; we will not build features that identify, rank, or compare individuals, and we do not provide individual-level data to your organisation or any third party.

3. Why we use it (purposes and lawful bases)

PurposeLawful basis (GDPR Art. 6)
Provide, operate, and secure the Service; manage your accountPerformance of a contract
Process paymentsPerformance of a contract
Product analyticsConsent (withdrawable any time)
Error monitoring, reliability, fraud / abuse preventionLegitimate interests
Service-related communications (e.g. verification, security, billing notices)Performance of a contract / legitimate interests
Waitlist / marketing emailsConsent (double opt-in)
Comply with legal obligationsLegal obligation

4. How we share it

We share personal data only with the sub-processors needed to operate the Service (section 5). We do not sell or share personal information for cross-context behavioural advertising, and we do not share data with advertisers. We may disclose information if required by law, such as in response to a court order or lawful request from a government authority.

5. Sub-processors, international transfers, and where your data sits

Our primary data plane is EU-resident (hosting, database, error data, product analytics). Three sub-processors are US-based and are disclosed as international-transfer carve-outs, each safeguarded by the EU-US Data Privacy Framework (DPF) and EU Standard Contractual Clauses (SCCs).

Sub-processorPurposeLocation / residencyTransfer safeguardTheir privacy policy
Google Cloud PlatformHosting / infrastructureEU (europe-west1)EU-resident — no transfercloud.google.com
NeonApplication databaseEUEU-resident — no transferneon.tech
SentryError monitoringEUEU-resident — no transfersentry.io
PostHogProduct analyticsEU (eu.i.posthog.com)EU-resident — no transferposthog.com
Atlassian / GitHubSource of connected work-tracking data (at your direction)Per providerPer provider DPAatlassian.com / github.com
Firebase Authentication (Google)Identity / authenticationUSDPF + SCCsfirebase.google.com
StripePaymentsUSDPF + SCCsstripe.com
Resend (Plus Five Five, Inc.)Transactional & waitlist email deliveryUS (primary processing; sends via EU eu-west-1)DPF + SCCsresend.com

We give at least 30 days' notice of sub-processor changes where required by our customer agreements.

6. Retention

We retain personal data only as long as needed to provide the Service and to meet legal, security, dispute-resolution, and backup-retention needs. Data may persist briefly in encrypted backups before scheduled purge; residual backup copies are purged within the backup-rotation window and are not used to restore deleted accounts. Waitlist and email records are retained per the email provider's terms (e.g. deletion within 90 days of account termination).

You may request immediate deletion of your data at any time by contacting privacy@curralder.com; we will process immediate deletion requests within 5 business days.

7. Security

We use encryption in transit (TLS) and at rest, access controls, and least-privilege practices. Our EU-resident infrastructure and US carve-out providers maintain recognised security certifications (e.g. SOC 2, ISO 27001). No method of transmission or storage is completely secure; while we strive to protect your information, we cannot guarantee absolute security.

8. Cookies and analytics consent

The Service uses cookies and similar technologies for the following purposes:

  • Strictly-necessary cookies: required for authentication and session management. These cannot be disabled without losing access to the Service.
  • Display preference cookies: tcr_locale_hint and tcr_tz_hint store your browser's reported language tag and IANA timezone so dates and times render in your preferred format and zone. They are first-party, derived from your browser settings, are not identifiers, and are not shared with third parties.
  • Analytics (PostHog): collected only with your consent. Withdrawing analytics consent stops future capture and triggers deletion of previously-captured analytics events where the provider supports it. We do not use advertising cookies, tracking pixels, ad networks, or cross-site tracking.

You can change cookie preferences at any time.

9. Your rights by region

Everyone can request access, correction, export, or deletion of their personal data by emailing privacy@curralder.com. We respond to access and correction requests within 30 days.

EEA / UK (GDPR / UK GDPR)

You have the rights of access, rectification, erasure, restriction, data portability, and objection, and the right to withdraw consent at any time. Where we rely on legitimate interests, you may object. You have the right to lodge a complaint with your supervisory authority (e.g. your national data protection authority, or the UK ICO). Details of our international transfers and safeguards are in section 5.

United States — California (CCPA / CPRA)

You have the right to know, access, delete, and correct your personal information, and to not be discriminated against for exercising these rights. We do not sell or share your personal information. Submit requests to privacy@curralder.com.

Australia (Privacy Act 1988 / APPs)

We handle personal information in accordance with the Australian Privacy Principles, including open and transparent management (APP 1), notification of collection (APP 5), and cross-border disclosure safeguards (APP 8). You may complain to the Office of the Australian Information Commissioner (OAIC).

If you have visited Manifest without signing up and accepted cookies, you have a tcr_anon_id cookie that identifies your browser to us. To request a copy or deletion of data we hold against this ID, email privacy@curralder.com quoting your tcr_anon_id. You can view or copy your ID at any time in Cookie Preferences; the panel masks it until you choose to reveal it.

10. Children

The Service is intended for business and professional use and is not directed to children. We do not knowingly collect personal data from children. If we become aware that we have collected such information, we will take steps to delete it promptly.

11. Changes to this policy

We may update this policy from time to time. For material changes (e.g. a new sub-processor or a new purpose) we will record a new policy version and request renewed acceptance before continued use, and we will update the effective date at the top of this page.

12. Contact

If you have questions about this policy, or wish to make a privacy complaint, contact us at:

Curralder

Email: privacy@curralder.com

ABN: 52 958 287 709

If you are in Australia and are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: oaic.gov.au

Phone: 1300 363 992