Manifest Privacy Policy
Manifest is a self-reflection and practice product. This page explains the Online MVP privacy baseline and must receive final legal review before production launch.
Data The MVP May Store
- Account email and Supabase user ID.
- Profile preferences such as display name, locale, and timezone.
- Seeds, practice logs, evidence logs, weekly reviews, belief reframes, inspired actions, completion reviews, and lightweight analytics events.
- Local import metadata only when a user explicitly previews and confirms a legacy import.
Data The MVP Must Not Store
- Payment card data or real subscription billing data.
- Real AI provider keys, prompts sent to a real model, or real model responses.
- Medical records, diagnosis data, crisis intervention records, or regulated health data.
- Service role keys, database passwords, Supabase access tokens, or platform secrets in frontend code or tracked repository files.
Use Of Data
MVP data is used to authenticate users, save and show practice state across sessions, support product quality checks, and handle export or deletion requests. Analytics should avoid storing private long-form text such as journal content, prompt text, scripts, or evidence body text.
Export And Deletion
Until an in-app workflow exists, users may request export or deletion through the published support process. Manifest must verify account ownership before exporting, deleting, or anonymizing account-owned records.
Local Storage Import
Legacy localStorage import is user-confirmed only. Manifest must not automatically import localStorage into cloud storage or silently overwrite existing cloud data.