Manor
Sign inSign up

Privacy Policy

Last updated: Tuesday, March 17, 2026

1. Introduction

Welcome to Manor™. We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we look after your personal data when you visit our website and use our services, and tell you about your privacy rights and how the law protects you.

Some features, such as our device maintenance tool, are available without creating an account. When you use these features, we collect only the data described in the Technical Data and Usage Data sections below, plus any data you voluntarily provide (such as uploaded images). This policy applies equally to authenticated and unauthenticated use of our services.

2. Information We Collect

We may collect, use, store and transfer different kinds of personal data about you including:

Identity Data

First name, last name, username or similar identifier.

Contact Data

Email address and telephone numbers.

Property Data

Information about properties you manage including addresses, property type, year built, dimensions, and related documents.

Space Data

Information about spaces within your properties, such as rooms, areas, and their specifications.

Device Data

Information about devices and equipment in your properties, including device types, manufacturers, models, and serial numbers.

Task and Reminder Data

Maintenance tasks you create, including schedules, recurrence patterns, completion history, and reminder preferences.

Added Contact Data

Information about contacts and service providers you add, including names, contact information, and service history.

Cloud Storage Connection Data

If you connect a cloud storage provider (Google Drive or Dropbox), we store your provider account email address, encrypted OAuth tokens, sync status, and records of which documents have been synced. This data is deleted when you disconnect the provider.

Technical Data

Internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

Authentication Data

If you choose to use passkeys for authentication, we store WebAuthn credential identifiers and public keys associated with your account. We do not have access to your private keys, which remain securely stored on your device.

Session Data

When you sign in, we collect your IP address and device information (browser type, operating system) to create a session record. This data is used solely to help you manage your active sessions, detect unauthorized access to your account, and maintain security. Session data is automatically deleted 14 days after the session expires or when you revoke the session. You can view and revoke your active sessions at any time in your account settings.

Usage Data

Information about how you use our website, products and services.

3. How We Use Your Information

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data:

  • To register you as a new customer and manage your account
  • To maintain session security by recording your IP address and device information, enabling you to view and manage active sessions
  • To provide and manage the property management services you have requested
  • To provide AI-powered features such as recommendations, search, and analysis (see Section 4 for details on AI features and how to control them)
  • To manage our relationship with you including notifying you about changes to our Terms of Service or Privacy Policy
  • To administer and protect our business and this website
  • To use data analytics to improve our website, products/services, marketing, customer relationships and experiences

4. AI-Powered Features and Data Processing

Manor uses artificial intelligence to provide various features throughout the Service, including but not limited to recommendations, search, analysis, and content generation. This section explains how your data is processed when you use AI-powered features.

Lawful Basis for AI Processing

We process your data for AI-powered features based on our legitimate interest (GDPR Article 6(1)(f)). We have conducted a Legitimate Interest Assessment (LIA) as required by GDPR, documented below.

Purpose Test: Our legitimate interest is to provide you with AI-powered features that help you manage your property more effectively. This includes personalized recommendations, intelligent search, document analysis, and other features that directly benefit users.

Necessity Test: AI processing is necessary to achieve this purpose because:

  • Manual generation of personalized insights at scale is not feasible
  • AI enables analysis of property-specific factors that generic tools cannot address
  • Many of our features rely on AI to provide intelligent, contextual assistance

Balancing Test: We have weighed our legitimate interest against your rights and freedoms:

FactorAssessment
Data sensitivityLow—no PII sent to AI providers; only property/device metadata
User expectationsReasonable—users of a property management app expect intelligent features
Impact on usersMinimal—AI outputs are advisory only; no automated actions taken
User controlStrong—users can disable AI features at any time (see "Controlling AI Features" below) and delete AI history
SafeguardsRobust—data minimization, encryption, contractual protections with providers

Default-Enabled Justification: AI features are enabled by default because: (1) the processing involves only non-sensitive property metadata, not personal information; (2) users reasonably expect a property management service to provide intelligent features; (3) requiring opt-in would significantly diminish the service's utility for users who are unaware of the feature; and (4) users can easily disable the feature at any time with immediate effect.

Right to Object: If you are in the EU/EEA/UK, you may object to this processing at any time by disabling AI features in your account Settings (see "Controlling AI Features" below) or by contacting us.

Transfer Impact Assessment for AI Processing

Because our AI providers process data in the United States, we have conducted a Transfer Impact Assessment (TIA) as required for international transfers under GDPR Chapter V.

Legal Environment Assessment:

  • US law permits government access to data under FISA 702 and EO 12333, which may affect data held by US-based processors
  • The EU-US Data Privacy Framework (DPF) provides adequacy for participating companies, including our AI providers
  • Standard Contractual Clauses (SCCs) provide additional contractual safeguards

Risk Assessment:

  • Data transferred consists of property/device metadata only—no names, emails, addresses, or other PII
  • Re-identification risk is low because transferred data cannot be linked to individuals without access to our user database
  • AI providers process data transiently for inference; they do not retain prompts or responses for their own purposes under our data processing agreements

Supplementary Technical Measures:

  • Data minimization: We strip all PII before transmission; only property characteristics and device metadata are sent
  • Encryption: All data is encrypted in transit (TLS 1.3) and providers maintain encryption at rest
  • No model training: Our contracts prohibit providers from using our data to train or improve their models
  • Transient processing: Prompts and responses are processed in real-time and not persisted by providers beyond immediate processing needs
  • Access controls: API authentication ensures only our authorized systems can submit requests
  • Retention limits: We retain AI outputs only as long as your account is active; you can delete history at any time

Conclusion: Based on our assessment, the combination of legal safeguards (DPF, SCCs), contractual protections (data processing agreements, no-training clauses), and technical measures (data minimization, encryption, transient processing) provides adequate protection for the limited, non-personal data transferred to AI providers.

Automated Decision-Making

AI-powered features constitute automated processing of your property data. Under GDPR Article 22, you have rights regarding automated decision-making:

  • How it works: Our AI analyzes your property, device, and task information to provide various features. These are based on property characteristics, device types, usage history, and other relevant factors.
  • Nature of AI outputs: AI outputs are advisory only. They do not automatically create tasks, trigger payments, or take any action on your behalf. You decide whether to act on any AI-generated content.
  • Your rights: You may request human review of any AI output by contacting us. You can also disable AI features entirely in your account Settings.
  • Limitations: AI features may not account for all factors specific to your property or situation. Always consult qualified professionals before undertaking any work.

Data Sent to AI Providers

When you use AI-powered features, the following information may be sent to our AI service providers:

  • Property information: Property type (e.g., single-family home, apartment), year built, dimensions, postal code, and country
  • Device and space information: Device types, manufacturers, models, installation dates; room/space types and specifications
  • Task and usage history: Existing tasks, completion history, and relevant usage data
  • Uploaded images: Photos you provide for device identification (e.g., images of device model tags or nameplates)
  • Feature-specific data: Additional context relevant to the specific AI feature being used

Location data clarification:

  • Included: Postal code and country (used to provide region-appropriate responses, e.g., climate considerations)
  • Excluded: Street address, city, state/province, and geographic coordinates are never sent to AI providers

Personal information excluded: Your name, email address, phone number, and other personal identifiers are never sent to AI providers.

AI Service Providers

We use the following third-party AI providers to power AI features. These providers may process data in the United States and other jurisdictions outside your country of residence.

Anthropic (Claude AI)

  • Used for AI-powered features
  • Data processing location: United States
  • Transfer mechanisms: EU-US Data Privacy Framework; EU Standard Contractual Clauses (SCCs) for transfers from the EU/EEA/UK
  • Privacy information: anthropic.com/privacy

OpenAI

  • Used for AI-powered features and document processing
  • Data processing location: United States
  • Transfer mechanisms: EU-US Data Privacy Framework; EU Standard Contractual Clauses (SCCs) for transfers from the EU/EEA/UK
  • Privacy information: openai.com/privacy

Google (Gemini)

  • Used for AI-powered features
  • Data processing location: United States and global data centers; EU/EEA data processing available
  • Transfer mechanisms: EU-US Data Privacy Framework; EU Standard Contractual Clauses (SCCs) for transfers from the EU/EEA/UK
  • Privacy information: cloud.google.com/privacy

Safeguards and supplementary measures:

  • All data transmitted to AI providers is encrypted in transit using TLS
  • We minimize data sent to providers by excluding personally identifiable information
  • Access to AI services is controlled through secure API authentication
  • We maintain data processing agreements with each provider

For information about regional data processing options or to exercise your data rights regarding AI processing, please contact us.

Document Processing

When you upload documents to Manor, we may process them using AI services for features such as text extraction, search, and analysis. Only certain document categories are processed for AI features based on the category you assign when uploading. Sensitive document categories (such as financial records and legal documents) are excluded from AI processing.

It is your responsibility to select the appropriate category for your documents.

AI Data Retention

Uploaded images: Images you upload for device identification are processed in real-time and are not stored by Manor. They are sent to our AI providers for transient processing only and are not retained by Manor or our AI providers after processing is complete.

AI-generated content, including prompts and responses, are stored for the following purposes and durations:

  • AI history: Retained for up to 3 years from the date generated, then automatically deleted. This allows you to review past AI outputs while ensuring data is not kept indefinitely.
  • Document embeddings: Retained while the associated document remains in your account. Embeddings for documents not accessed within 2 years are automatically deleted. If you access or update a document, the retention period resets.

Automatic cleanup: Our systems periodically remove AI data that exceeds these retention periods. You do not need to take any action for automatic cleanup to occur.

Manual deletion: You can delete your AI history at any time from your account Settings without waiting for automatic cleanup (see "Controlling AI Features" below). To request earlier deletion of specific AI data or to adjust your retention preferences, contact us.

Account deletion: All AI-related data (outputs, prompts, responses, and document embeddings) is permanently deleted when you delete your account. To request account deletion, visit your account Settings or contact us.

Controlling AI Features

AI-powered features are enabled by default to help you manage your properties. You can control these features as follows:

  • Disabling AI features: You can disable AI-powered features at any time—either for your entire account or for individual properties—in your account Settings. When disabled, no additional property data is sent to AI providers. Additionally, all existing AI-generated content for the affected scope (your account or the specific property) will be automatically deleted within 24-48 hours. This deletion is irreversible; if you later re-enable AI features, previous AI content cannot be recovered.
  • Deleting AI data: You can delete your AI history at any time from your account settings. This removes stored AI outputs and associated prompts.
  • Document processing: You control which documents are processed for AI features by selecting the appropriate category when uploading. Documents categorized as sensitive (deeds, financial records, etc.) are never sent to AI providers.

If you have questions about AI features or need assistance managing your AI data, please contact us.

5. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. These measures include:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication measures
  • Regular backups and disaster recovery procedures

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.

6. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

7. Third-Party Services

We share your data with third-party service providers who perform services on our behalf. Below is detailed information about each provider, including the data shared, processing location, and transfer mechanisms.

Cloud Storage and Infrastructure

Hetzner

  • Purpose: Cloud hosting and infrastructure for application servers and databases
  • Data shared: All application data (account information, property data, tasks, documents)
  • Processing location: European Union (Germany, Finland)
  • Transfer mechanism: EU-based processing; no international transfer required
  • Privacy information: hetzner.com/legal/privacy-policy

Cloudflare

  • Purpose: Content delivery, DDoS protection, DNS, and file storage (R2)
  • Data shared: IP addresses, request metadata, uploaded files
  • Processing location: Global edge network; primary storage in EU
  • Transfer mechanism: EU-US Data Privacy Framework; Standard Contractual Clauses (SCCs)
  • Privacy information: cloudflare.com/privacypolicy

Analytics and Monitoring

Umami

  • Purpose: Privacy-focused website analytics
  • Data shared: Anonymized page views and interactions; no personal identifiers or cookies
  • Processing location: European Union
  • Transfer mechanism: EU-based processing; no international transfer required
  • Privacy information: umami.is/privacy

Sentry

  • Purpose: Error tracking and application monitoring
  • Data shared: Error logs, stack traces, request metadata; may include user ID and IP address for error context (no passwords or sensitive data)
  • Processing location: United States
  • Transfer mechanism: EU-US Data Privacy Framework; Standard Contractual Clauses (SCCs)
  • Privacy information: sentry.io/privacy

Email and Communications

Resend

  • Purpose: Transactional email delivery for account notifications, reminders, and updates
  • Data shared: Email address, name, email content
  • Processing location: United States
  • Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Privacy information: resend.com/legal/privacy-policy

Payment Processing

Stripe

  • Purpose: Payment processing and subscription management
  • Data shared: Payment card details, billing address, email, transaction history (collected directly by Stripe)
  • Processing location: United States and global
  • Transfer mechanism: EU-US Data Privacy Framework; Standard Contractual Clauses (SCCs)
  • Privacy information: stripe.com/privacy

Note: When you subscribe to a paid plan, Stripe collects and processes your payment information directly. We do not store your full payment card details.

File Processing

All uploaded files are scanned for malware and processed for format compatibility on our own infrastructure. No uploaded file content is shared with third-party services for this purpose. Images uploaded for AI-powered features (such as device identification) are handled separately under Section 4.

Cloud Storage Sync

If you choose to connect a cloud storage provider, your documents are synced from Manor to your chosen provider. This is a one-way sync—Manor is the source of truth, and cloud copies serve as backups in your own account.

Google Drive

  • Purpose: Optional one-way document sync to your Google Drive account
  • Data shared: Uploaded documents and folder structure (property name, document category, document type); your Google account email is stored to identify the connection
  • OAuth scope: drive.file (access limited to files created by Manor only)
  • Processing location: United States and global data centers
  • Transfer mechanism: EU-US Data Privacy Framework; Standard Contractual Clauses (SCCs)
  • Privacy information: policies.google.com/privacy

Dropbox

  • Purpose: Optional one-way document sync to your Dropbox account
  • Data shared: Uploaded documents and folder structure (property name, document category, document type); your Dropbox account email is stored to identify the connection
  • Processing location: United States
  • Transfer mechanism: EU-US Data Privacy Framework; Standard Contractual Clauses (SCCs)
  • Privacy information: dropbox.com/privacy

Cloud storage sync safeguards:

  • Sync is opt-in and can be disconnected at any time from your account settings
  • OAuth access tokens and refresh tokens are encrypted at rest
  • When you disconnect a provider, tokens are revoked and all sync records are deleted
  • No personal data beyond your provider account email is collected from the connected provider

Security

Cloudflare Turnstile

  • Purpose: Bot protection and CAPTCHA services
  • Data shared: IP address, browser fingerprint, interaction patterns (no personal identifiers)
  • Processing location: Global edge network
  • Transfer mechanism: EU-US Data Privacy Framework; Standard Contractual Clauses (SCCs)
  • Privacy information: cloudflare.com/privacypolicy

AI Services

See Section 4 (AI-Powered Features and Data Processing) for detailed information on AI service providers (Anthropic, OpenAI, Google), including data shared, processing locations, and transfer mechanisms.

Our Commitments

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. We maintain data processing agreements with each provider where required by applicable law.

8. Your Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Request transfer of your personal data
  • Right to withdraw consent

If you wish to exercise any of the rights set out above, please contact us.

9. Cookies and Local Storage

Our website uses cookies and browser storage to provide and improve our service.

Cookies

We only use strictly necessary cookies:

  • Authentication cookies: Secure, HTTP-only cookies that maintain your login session. These are essential for the service to function and cannot be disabled.

Local Storage

We use your browser's local storage to remember your preferences, including but not limited to:

  • Theme preference (light/dark mode)
  • UI settings (sidebar state, display preferences)

Analytics

Our analytics provider (Umami) is privacy-focused and does not use cookies or collect personally identifiable information.

10. Children's Privacy

Our Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us.

11. International Transfers

We may transfer your personal data outside your country of residence. Whenever we transfer your personal data out of your jurisdiction, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • Transfer to countries that have been deemed to provide an adequate level of protection
  • Use of specific contracts approved by relevant data protection authorities
  • Implementation of appropriate technical and organizational measures

12. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us.

You have the right to make a complaint at any time to your local supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.