Skip to main content
Manifest

Curralder Manifest — Privacy Policy

Last updated: March 2026

1. About this policy

This policy describes how Curralder ("we", "us", "our") collects, uses, stores, and discloses personal information in connection with Curralder Manifest ("the Service"). ABN: [insert ABN].

We are bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This policy is intended to satisfy our obligations under APP 1 (open and transparent management of personal information).

By creating an account or using the Service, you consent to the collection and use of your information as described in this policy. If you are using the Service on behalf of an organisation, you confirm you have authority to consent on behalf of that organisation's users.

2. What information we collect

We collect information in three categories:

Account information (provided by you)

When you create an account, we collect your name, email address, and organisation name. If you subscribe to a paid plan, payment information is collected by Stripe (our payment processor). We do not store your payment card details.

Project management data (retrieved from your connected tools)

When you connect your Jira account, we retrieve task metadata from your Jira instance. This includes issue types, statuses, resolution dates, resolution types, sprint information, board configuration, and assignee identifiers. We use this data to calculate team-level completion rates and generate delivery forecasts.

We do not retrieve or store the content of your Jira issues, such as descriptions, comments, or attachments, beyond what is necessary to identify task types and completion status.

Usage data (collected automatically)

We collect information about how you use the Service, including pages visited, features used, browser type, device information, and IP address. This data is collected through PostHog, our product analytics provider. We use this data to understand how the Service is used and to improve it.

We also collect error and performance data through Sentry to identify and fix technical issues. This may include browser information, the page you were viewing, and technical details about the error.

3. How we use your information

We use your information for the following purposes:

  • To provide and operate the Service, including generating forecasts and capacity insights from your project management data
  • To manage your account, process payments, and communicate with you about your subscription
  • To send you service-related communications (such as security alerts, billing notifications, and product updates)
  • To understand how the Service is used and to improve it
  • To identify and fix technical issues
  • To comply with legal obligations, including responding to lawful requests from authorities

We do not use your information for purposes unrelated to the Service without your consent.

4. Anti-surveillance commitment

Curralder Manifest is designed for team-level planning and forecasting. We have made a deliberate product decision not to provide features that identify, rank, or compare individual contributors' performance.

While we retrieve assignee information from Jira to calculate team-level completion rates, we do not expose individual contributor performance data to any user of the Service, including organisation administrators. Assignee data is used only in aggregate to determine team composition and capacity.

We will not build features that enable individual performance monitoring, and we will not provide individual-level data to your organisation or any third party.

5. How we share your information

We share your information with the following third-party service providers, solely for the purpose of operating the Service:

ProviderWhat they receiveWhyTheir locationTheir privacy policy
Atlassian (Jira)OAuth tokens, Jira API requestsSource data integrationUS/Globalatlassian.com
Google Cloud PlatformApplication data, server logsInfrastructure hosting (Sydney region)Australia (Sydney)cloud.google.com
NeonDatabase contents (account data, project data, completion data)Database hostingUnited Statesneon.tech
StripeName, email, payment detailsPayment processingUnited Statesstripe.com
PostHogUsage analytics, IP address, browser infoProduct analyticsEuropean Unionposthog.com
SentryError data, browser info, page contextError monitoringUnited Statessentry.io

We do not sell your personal information to anyone. We do not share your information with advertisers.

We may disclose your information if required by law, such as in response to a court order or lawful request from a government authority.

6. Cross-border data disclosure

In accordance with APP 8, we inform you that your personal information may be disclosed to recipients located outside Australia, specifically:

  • United States: Neon (database hosting), Stripe (payment processing), Sentry (error monitoring), Atlassian (Jira integration)
  • European Union: PostHog (product analytics)
  • Australia: Google Cloud Platform (application hosting, Sydney region)

We take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the APPs. This includes selecting providers with strong privacy practices and, where available, data processing agreements that provide appropriate protections.

Your application data is hosted on Google Cloud Platform in the australia-southeast1 (Sydney) region. Your database is hosted by Neon in the United States and is encrypted at rest and in transit.

7. Cookies and tracking

The Service uses cookies and similar technologies for the following purposes:

  • Essential cookies: Required for authentication and session management. These cannot be disabled without losing access to the Service.
  • Analytics: PostHog collects usage data to help us understand how the Service is used. PostHog is configured to respect Do Not Track browser settings.

We do not use advertising cookies or tracking pixels. We do not participate in ad networks or cross-site tracking.

8. Data security

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

  • Encryption of data in transit (TLS) and at rest (database-level encryption)
  • Authentication via Firebase Auth with secure session management
  • Application-level access controls (organisation-based multi-tenancy)
  • Regular security updates to dependencies and infrastructure
  • Access to production systems limited to the founder (sole operator)

No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

9. Data retention

We retain your information for as long as your account is active and as needed to provide the Service.

If you delete your account, we retain your data for 30 days in case you wish to reactivate. After 30 days, your data is permanently deleted from our systems, including all project management data, completion history, and forecasts.

You may request immediate deletion of all your data at any time by contacting privacy@curralder.com. We will process immediate deletion requests within 5 business days.

Usage analytics data (PostHog) and error data (Sentry) are retained according to those providers' own retention policies. This data is not linked to your account after deletion.

10. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access: Request a copy of the personal information we hold about you (APP 12)
  • Correction: Request correction of inaccurate or out-of-date information (APP 13)
  • Deletion: Request deletion of your personal information (subject to any legal obligations to retain it)
  • Complaint: Make a complaint if you believe we have breached the APPs

To exercise any of these rights, contact us at privacy@curralder.com. We will respond to access and correction requests within 30 days.

If you are located in the European Union and the General Data Protection Regulation (GDPR) applies to you, you may also have additional rights including the right to data portability, the right to restrict processing, and the right to object to processing. Contact us to discuss how these apply to your situation.

11. Data breach notification

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.

We will notify affected individuals as soon as practicable after becoming aware of a qualifying breach, and no later than 30 days after the breach is identified.

12. Children's privacy

The Service is intended for business and professional use. We do not knowingly collect personal information from individuals under 18 years of age. If we become aware that we have collected information from someone under 18, we will take steps to delete that information promptly.

13. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email at least 30 days before they take effect, and we will update the "Last updated" date at the top of this page.

14. Contact and complaints

If you have questions about this policy, or wish to make a privacy complaint, contact us at:

Curralder

Email: privacy@curralder.com

ABN: [insert ABN]

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: oaic.gov.au

Phone: 1300 363 992

Post: GPO Box 5218, Sydney NSW 2001

← Back to home