Privacy Policy

Last updated: 3 May 2026 · Effective: 3 May 2026

This Privacy Policy explains how Mantiqo ("Mantiqo," "we," "us," "our") handles personal data when you visit winpolish.app or its sub-domains, purchase a license, or use the WinPolish desktop application (collectively, the "Service").

WinPolish is a privacy- and locality-first product. The desktop app does its work entirely on your computer; we do not run analytics scripts on the website; we do not see the contents of any scan you perform; and we do not see your payment-card details. The data flows we do rely on are listed exhaustively below.

Contents

1. Who we are
2. Scope
3. Data we process
4. How we use the data
5. Legal basis (GDPR)
6. Sharing & sub-processors
7. Retention
8. Your rights
9. California (CCPA / CPRA)
10. Cookies & similar
11. Children
12. International transfers
13. Security
14. Changes to this policy
15. Contact

1. Who we are

The data controller is Mantiqo, operating the Service from the State of Washington, USA.

For privacy questions you can reach us at hello@mantiqo.com.

2. Scope

This Policy applies to the following touch-points:

The marketing site at winpolish.app (and www.winpolish.app).
The license, checkout, and activation server at licenses.winpolish.app.
The WinPolish desktop application installed on your Windows computer (NSIS installer, MSI, or portable build).
Transactional emails we send you (purchase receipts, license delivery, refund confirmations).

3. Data we process

3.1 When you visit winpolish.app

The marketing site is statically hosted on Vercel and runs no analytics scripts, no advertising tags, and sets no first-party cookies. Vercel, as our hosting provider, automatically logs standard request metadata (IP address, user-agent, requested URL, timestamp) for the purposes of operating, securing, and debugging the site. We do not enrich or link these logs to identifiable individuals.

3.2 When you purchase a license (licenses.winpolish.app)

Checkout is delegated to Stripe. We never see or store your full card number, CVC, or 3-D-Secure data. From the Stripe webhook we receive and store, for each completed purchase:

Your purchase email address.
Country (used for tax) and the last 4 digits / brand of the card, as Stripe surfaces it.
The Stripe Customer ID and Checkout Session ID.
The license key we generate and the license tier purchased.
A timestamp.

We use Resend to deliver transactional emails (license key, receipt, refund confirmation). Resend processes the recipient email address and the message body on our behalf.

3.3 When you activate or use the desktop app

The desktop app communicates with the outside world only as follows:

License activation - when you enter your license key in Settings → License, the app contacts licenses.winpolish.app with the license key and a stable, hashed device identifier (a non-reversible fingerprint derived from a per-machine value). The server returns whether the license is valid and how many activation slots remain. We store the device hash and a timestamp against the license record so the two-device limit can be enforced.
Microsoft account binding - if you choose to bind a license to a Microsoft account, the email address surfaced by your Microsoft sign-in is associated with the license record so you can recover the license without contacting us. We do not receive your Microsoft password or any other account details. You can use the product without binding to a Microsoft account.
Update checks - at the cadence configured in Settings (off / launch / daily / weekly / monthly) the app requests version metadata from the WinPolish releases endpoint on GitHub. GitHub, as the host of that endpoint, will see the request IP and user-agent. We do not log or aggregate this data on our side.
Local AI (optional) - if you choose to use the AI Insights feature with a locally installed Ollama instance, the app talks only to http://127.0.0.1:11434 on your own machine. No prompts, no scan results, and no other data leaves your device for this feature.

The app does not contain analytics SDKs, crash-reporting SDKs, or telemetry pings. Scans, cleanups, tweak changes, restore points, and the audit log live entirely on your machine.

3.4 When you contact us

If you write to us at hello@mantiqo.com we receive whatever information you include in your message (typically your name, email address, license key, and the description of the issue). We use it to reply to you and, where relevant, attach it to your license record so we can refer back to it during follow-ups.

4. How we use the data

We process the data above for these specific purposes:

To operate and secure the website and license server.
To take payment, deliver your license key, and let you activate it on up to two devices.
To enforce the device limit attached to a license.
To notify you of new versions of the desktop app (via the optional update-check).
To provide customer support and process refunds.
To comply with legal obligations (e.g. retaining invoice records).

We do not use your data for advertising, profiling, retargeting, or sale to third parties.

5. Legal basis (GDPR)

Where the GDPR applies, the legal bases for our processing are:

Contract (Art. 6(1)(b)) - payment, license delivery, license activation, and core support communications. These are necessary to perform the agreement you enter when you purchase or start a trial.
Legitimate interest (Art. 6(1)(f)) - operating and securing our infrastructure, fraud prevention, debugging server logs, and processing your support email when you initiate it. Our legitimate interest is the integrity and continuity of the Service; we balance it against your privacy rights and process the minimum data necessary.
Legal obligation (Art. 6(1)(c)) - keeping invoice and tax records for the period required by applicable accounting law.
Consent (Art. 6(1)(a)) - only where we explicitly ask for it (currently we do not run any consent-gated processing).

We do not sell or rent personal data. We share it only with the sub-processors listed below, all of whom are bound by data-processing agreements that meet GDPR / UK GDPR requirements where applicable:

Provider	Purpose	Data shared	Region
Vercel Inc.	Static hosting, edge caching, server logs (winpolish.app, licenses.winpolish.app)	HTTP request metadata (IP, UA, URL, timestamp)	USA, with EU edge
Stripe, Inc.	Hosted Checkout, payment processing, refunds	Card data (Stripe acts as merchant), email, country, billing details, transaction history	USA, with EU processing
Resend, Inc.	Transactional email delivery (license key, receipt, support replies)	Recipient email, message body	USA
GitHub, Inc.	Hosting of release artifacts and update-metadata endpoint	HTTP request metadata when the app or your browser contacts the release URL	USA
Microsoft Corporation	Code-signing of binaries via Azure Artifact Signing	The binary file (no personal data)	USA / EU

We may disclose data without your specific consent only when required by law (court order, valid subpoena, regulatory request) or where necessary to protect the rights, property, or safety of Mantiqo, our users, or others.

7. Retention

License records (purchase email, license key, device hashes, Stripe IDs): retained for the lifetime of the license, plus the period required by tax / accounting law (typically 7 years).
Server logs (Vercel): retained per Vercel's standard retention window for our hosting plan, typically between 1 and 30 days.
Support email threads: retained for as long as needed to resolve your issue and reasonably anticipate follow-up, typically up to 24 months.
Marketing emails: not applicable. We do not send marketing email and do not maintain a marketing list.

8. Your rights

Depending on where you live, you have some or all of the following rights with respect to your personal data:

Access - receive a copy of the data we hold about you.
Rectification - correct inaccurate data.
Erasure - ask us to delete data we no longer need to retain by law or contract.
Restriction & objection - limit or object to certain processing.
Portability - receive your data in a structured, machine-readable format.
Withdraw consent - where we rely on consent.
Lodge a complaint with a supervisory authority (e.g. your national data-protection authority).

To exercise any of these, write to hello@mantiqo.com. We will respond within 30 days. We may need to verify your identity by matching the request to the email on file for your license.

9. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the CPRA: the right to know what personal information we collect, the right to delete it, the right to correct it, the right to opt out of the "sale" or "sharing" of personal information, and the right not to be discriminated against for exercising these rights. We do not "sell" or "share" personal information as those terms are defined under California law. You can exercise your CCPA / CPRA rights by emailing hello@mantiqo.com with the subject line "California privacy request".

10. Cookies & similar

The marketing site (winpolish.app) sets no cookies of its own and runs no analytics or advertising scripts.

The license server (licenses.winpolish.app) sets a short-lived session cookie when you go through Stripe Checkout; this is functionally necessary to complete the payment.

Stripe and other third parties may set their own cookies on pages they directly host (e.g. the Stripe-hosted checkout page) under their own privacy policies. See Stripe's Privacy Policy.

11. Children

WinPolish is a system-administration tool aimed at adults. We do not knowingly direct the Service to children under 16, and we do not knowingly process personal data of children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. International transfers

Several of our sub-processors are located in the United States. Where we transfer personal data outside the European Economic Area or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses or, for the United States, the EU-US Data Privacy Framework (where the recipient is certified). The sub-processor table above identifies each provider's primary region.

13. Security

We protect personal data through reasonable technical and organisational measures: TLS for all network traffic, hashed device identifiers (we never store reversible machine fingerprints in plaintext), least-privilege access to the license database, infrastructure provided by SOC 2 / ISO 27001-aligned vendors (Vercel, Stripe, Resend), and code-signing of every released binary through Microsoft Azure Artifact Signing so you can verify the installer has not been tampered with.

No method of transmission or storage is perfectly secure. If you believe an incident has occurred, please contact us immediately.

14. Changes to this policy

We will revise this Policy when our practices change or when the law requires it. The "Last updated" date at the top reflects the most recent revision. Material changes that affect how we process your data will be communicated to you in advance through the email associated with your license.

15. Contact

Privacy questions and requests: hello@mantiqo.com.