MANTIS Privacy Policy
Effective date: 1 April 2026
Last updated: 13 April 2026
1. Who We Are
MANTIS is operated by Navio Maritime OÜ, a company registered in Estonia.
- Registered name: Navio Maritime OÜ
- Country: Estonia
- Contact: privacy@mantis-ihm.com
- Website: mantis-ihm.com
For the purposes of the General Data Protection Regulation (GDPR), Navio Maritime OÜ is the data processor. Your organisation (the vessel owner, manager, or operator subscribing to MANTIS) is the data controller.
Where users create individual accounts directly, Navio Maritime OÜ acts as a joint controller for account-related data.
2. What Data We Collect
2.1 Account Information
- Full name
- Email address
- Password (stored as a bcrypt hash; we never store or have access to plaintext passwords)
- Organisation membership and role
- MFA/TOTP enrolment status
2.2 Vessel Data
- Vessel name
- IMO number
- Flag state
- Gross tonnage (GT)
- Vessel type and classification
- Build year and shipyard
2.3 IHM Compliance Data
- Inventory of Hazardous Materials (IHM) Part I, II, and III records
- Material descriptions, locations, quantities, and hazard classifications
- Supplier declarations and supporting documentation
- Compliance status and check history
- Uploaded files (certificates, declarations, survey reports)
2.4 Usage Data
- Last login timestamp
- Pages viewed within the application
- Feature usage patterns (aggregated)
- Browser type and screen resolution (for compatibility purposes only)
We do not collect IP addresses for analytics. We do not use third-party analytics services.
3. Why We Collect This Data
| Data category | Purpose | Legal basis (GDPR) |
|---|---|---|
| Account information | To create and manage your user account, authenticate you, and communicate service updates | Contract performance — Art. 6(1)(b) |
| Vessel data | To provide the IHM compliance management service | Contract performance — Art. 6(1)(b) |
| IHM compliance data | Core service functionality: tracking hazardous materials, generating compliance reports, maintaining audit history | Contract performance — Art. 6(1)(b) |
| Usage data | To maintain service reliability, identify bugs, and improve the product | Legitimate interest — Art. 6(1)(f) |
We do not process personal data for marketing purposes without separate, explicit consent.
4. Where Your Data Is Stored
All data is stored within the European Union.
- Database and authentication: Supabase, hosted on AWS eu-central-1 (Frankfurt, Germany)
- File storage: Supabase Storage, hosted on AWS eu-central-1 (Frankfurt, Germany)
- Application hosting: Cloudflare Pages, EU edge network
No data is transferred outside the EU/EEA during normal operation.
5. Data Retention
- Active accounts: Your data is retained for the duration of your subscription
- Cancelled accounts: Data is archived for 90 days following cancellation. During this period, you may request reactivation with all data intact
- After 90 days: Archived data is permanently deleted unless you request earlier deletion or we are legally required to retain it (e.g., for tax or regulatory compliance)
- Deletion requests: You may request immediate deletion of your data at any time by contacting privacy@mantis-ihm.com. We will process deletion requests within 30 days
6. Third-Party Sub-Processors
We use the following third-party services to operate MANTIS. Each processes data only as necessary to provide its service.
| Sub-processor | Service | Data processed | Location |
|---|---|---|---|
| Supabase Inc | Database, authentication, file storage | All application data | EU (Frankfurt) |
| Cloudflare Inc | Application hosting and CDN | HTTP requests, static assets | EU edge network |
| Sendinblue SAS (Brevo) | Transactional email | Email addresses, notification content | EU |
We do not sell, rent, or share your data with any other third parties. We do not use advertising networks or third-party tracking services.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of all personal data we hold about you
- Right to rectification (Art. 16) — Request correction of inaccurate data
- Right to erasure (Art. 17) — Request deletion of your personal data
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format (XLSX export is available within the application)
- Right to restrict processing (Art. 18) — Request that we limit how we use your data
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time
- Right to lodge a complaint — You may file a complaint with your national Data Protection Authority. For Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
To exercise any of these rights, contact privacy@mantis-ihm.com. We will respond within 30 days.
8. Cookies
MANTIS uses only essential cookies required for the application to function:
- Supabase session cookie: Maintains your authenticated session. Strictly necessary. Expires on logout or session timeout
- CSRF token: Prevents cross-site request forgery. Strictly necessary
We do not use:
- Tracking cookies
- Analytics cookies
- Advertising cookies
- Third-party cookies
No cookie consent banner is required because we only use strictly necessary cookies as defined by the ePrivacy Directive.
9. International Data Transfers
All data processing occurs within the EU/EEA. We do not transfer personal data to countries outside the EU/EEA.
If this changes in the future, we will ensure appropriate safeguards are in place (such as Standard Contractual Clauses) and update this policy accordingly.
10. Security Measures
We implement the following technical and organisational measures to protect your data:
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- PostgreSQL Row Level Security ensuring data isolation between organisations
- Multi-factor authentication (MFA/TOTP)
- Bcrypt password hashing with per-user salts
- Rate-limited authentication endpoints
- Session timeout after inactivity
- Audit trail for all data modifications
- Automated daily database backups with point-in-time recovery
11. Children’s Data
MANTIS is a business-to-business service for maritime compliance management. We do not knowingly collect data from anyone under the age of 16. If we become aware that we have collected personal data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes:
- We will notify all registered users by email at least 30 days before the changes take effect
- The updated policy will be published within the application with the new effective date
- Continued use of MANTIS after the effective date constitutes acceptance of the updated policy
13. Contact
For any questions about this privacy policy or our data practices:
Email: privacy@mantis-ihm.com
Company: Navio Maritime OÜ, Estonia
Web: mantis-ihm.com
For security concerns, contact security@mantis-ihm.com.