Data Processing Agreement

Version 2.2 · Effective April 2026 · Mango Technologies Ltd. · DIFC Licensed CL5222

This Data Processing Agreement governs how Mango Technologies Ltd. (DIFC Licensed CL5222) processes personal data on behalf of its users, and how sub-processors process that data under instruction from maivis.

This agreement applies to: maivis users (individuals and families), and any B2B entity or organization integrating with maivis.

Controller: Mango Technologies Ltd., DIFC Innovation Hub, Gate Avenue, Dubai, UAE. License CL5222.

Data Protection Officer: dpo@maiviswealth.com

To request a signed DPA for your organization: privacy@maiviswealth.com

1. Scope and Definitions

This agreement covers all personal data processed by Mango Technologies Ltd. in the operation of the maivis platform at maiviswealth.com. Personal data means any information relating to an identified or identifiable natural person, as defined under the DIFC Data Protection Law 2020.

Data Controller:
Mango Technologies Ltd. determines the purposes and means of processing.
Data Processor:
A third-party service provider that processes personal data under instruction from Mango Technologies Ltd.
Data Subject:
An individual whose personal data is processed, including maivis users, family members, and subscribers.

2. Data Controller

Mango Technologies Ltd.

DIFC Innovation Hub, Gate Avenue, Dubai, UAE

DIFC Licensed CL5222

Privacy contact: privacy@maiviswealth.com

Data Protection Officer: dpo@maiviswealth.com

3. Sub-Processors

The following sub-processors process personal data under instruction from Mango Technologies Ltd. Mango Technologies maintains a current sub-processor list and provides 30 days' notice of material changes.

Google Cloud Platform (Google LLC)

Purpose: Infrastructure: Cloud SQL (database), Cloud Run (compute), Cloud KMS (encryption), Cloud Storage, Firebase Authentication, Firebase Analytics, Cloud Functions, Gemini Enterprise Agent Platform (Gemini models)
Data location: UAE (Google Cloud), India (asia-south1), USA (us-east1), UK (europe-west2). Jurisdiction-matched per user residency.
Data categories: All user data including identity, financial, encrypted documents, authentication credentials
Transfer mechanism: GCP Cloud Data Processing Addendum with EU Standard Contractual Clauses and UK IDTA
Security: AES-256 at rest and in transit, CMEK via Google Cloud KMS, FIPS 140-2 HSMs

Stripe, Inc. (Stripe, Inc.)

Purpose: Payment processing for maivis subscriptions ($100/month or $1,000/year)
Data location: United States (Stripe infrastructure)
Data categories: Billing name, email address, billing address, subscription metadata. Card data processed under Stripe's own PCI DSS controllership. maivis never receives raw card numbers.
Transfer mechanism: Stripe Data Processing Agreement with EU Standard Contractual Clauses and EU-US Data Privacy Framework
Security: PCI DSS Level 1, 3D Secure 2, tokenized storage

Lean Technologies (Lean Technologies (UAE))

Purpose: Read-only UAE bank account aggregation via CBUAE Open Finance Framework
Data location: UAE (Lean infrastructure, G42 UAE)
Data categories: Bank account identifiers, balances, transaction history, authentication certificates
Transfer mechanism: Manual DPA with DIFC Standard Contractual Clauses. Lean holds CBUAE Innovative Payment Authorisation.
Security: ADGM FSRA licensed, certificate-based API authentication

India open banking (India open banking (coming soon))

Purpose: India open banking integration is not yet active. Indian assets can be added manually. Integration to be announced.
Data location: N/A — no integration currently active
Data categories: None — no data shared until integration is launched
Transfer mechanism: N/A
Security: N/A

Plaid, Inc. (Plaid, Inc. (US / UK / Canada))

Purpose: Read-only banking aggregation via Plaid Link OAuth for US, UK, and Canadian accounts
Data location: United States (Plaid infrastructure)
Data categories: Bank account identifiers, balances, transaction history, encrypted authentication tokens
Transfer mechanism: Plaid Data Processing Addendum with EU SCCs, UK SCCs (IDTA), and DIFC SCCs for UAE transfers
Security: Bank-grade encryption, Plaid Link OAuth, Data Transparency Messaging

Anthropic Claude (via Google Cloud Gemini Enterprise Agent Platform Model Garden) (Google LLC (Google Cloud Model Garden))

Purpose: AI language model processing for complex analysis via Claude models for portfolio analysis, succession assessment, and financial insights. Accessed through Google Cloud Model Garden (IAM auth, no direct Anthropic API key).
Data location: Global (contractual Zero Data Retention via Gemini Enterprise Agent Platform; no data stored by Google or Anthropic)
Data categories: Anonymized financial data only: asset values, portfolio holdings, spending amounts, jurisdictions. No PII (names, emails, account numbers, government IDs stripped by Privacy Gateway before transmission)
Transfer mechanism: Fully covered by GCP Cloud Data Processing Addendum. Claude models processed under contractual ZDR: data transits Google infrastructure for processing but is not stored or used for training. No direct Anthropic API. GCP IAM auth only. No separate Anthropic DPA required.
Security: Google Cloud Model Garden IAM auth, contractual Zero Data Retention, PII gateway filtering pre-transmission, no training on customer data

Gemini Enterprise Agent Platform (Gemini Flash) (Google LLC)

Purpose: Primary AI inference: intelligence generation, briefings, document extraction, scoring analysis (~93% of AI requests)
Data location: Global (US/EU datacenters via Gemini Enterprise Agent Platform, contractual Zero Data Retention)
Data categories: Anonymized financial data: asset values, portfolio holdings, spending amounts, jurisdictions. No PII (stripped by Privacy Gateway)
Transfer mechanism: Covered by GCP Cloud Data Processing Addendum. Contractual ZDR: data processed but not stored or used for training.
Security: GCP IAM auth, contractual Zero Data Retention, PII gateway filtering pre-transmission

Google Search Grounding (Google LLC (via Gemini Enterprise Agent Platform))

Purpose: Real-time market intelligence and asset validation for portfolio context
Data location: GCP / EEA (Google infrastructure)
Data categories: Generic market queries only: anonymized asset classes, market conditions, and aggregate allocation percentages (no PII, no family financial details)
Transfer mechanism: Covered by GCP Cloud Data Processing Addendum (Gemini Enterprise Agent Platform ZDR). No separate DPA required.
Security: Query-level PII filtering, no personal data transmission, 100% GCP ZDR, generic market context only

4. Data Subject Categories

maivis processes data belonging to: registered users (adults, age 18+); family members added by the account administrator; paying subscribers. maivis does not knowingly process data relating to children under 18.

5. Data Retention

Financial data: seven years (UAE Commercial Transactions Law). Identity data: account lifetime plus three years. Authentication logs: 90 days rolling. Encrypted vault documents: retained until explicit deletion request. Users may request deletion at any time: privacy@maiviswealth.com. Deletion is actioned within 30 days under Article 19 of DIFC Data Protection Law 2020.

6. International Transfers

Personal data is transferred internationally only where a lawful transfer mechanism exists. Mechanisms in use: EU Standard Contractual Clauses (EU SCCs 2021), UK International Data Transfer Agreement (IDTA), DIFC Standard Contractual Clauses, and adequacy decisions where applicable. Data is stored in the jurisdiction matching the user's residence by default and does not leave that jurisdiction without the user's consent.

7. Security Measures

AES-256-GCM encryption for all data at rest and in transit. Zero-knowledge architecture for the Document Vault: documents are encrypted client-side before upload; maivis stores only ciphertext. FIDO2 biometric authentication for user access. GCP Virtual Private Cloud (VPC) isolation. Cloud KMS key management with customer-managed encryption keys (CMEK). Regular penetration testing (pre-launch). DIFC DP Law 2020 breach notification obligations apply.

8. Self-Hosted Services

The following tools are self-hosted on maivis's own Google Cloud Platform infrastructure. No personal data is transmitted to external third parties for these services. No separate DPA is required as Mango Technologies Ltd. acts as both data controller and processor.

  • Native AI Chat (SSE): in-app chat widget and customer communication via native server-sent events implementation on Cloud Run within maivis VPC. Powered by Gemini Flash (via Gemini Enterprise Agent Platform), Claude Sonnet (via Google Cloud Model Garden), and Google Search Grounding (market queries) via PII gateway. No conversation data leaves maivis GCP infrastructure.
  • Cloud Scheduler + Cloud Functions: serverless workflow automation for email notifications and internal processes. GCP-native, no additional infrastructure.
  • PostHog: product analytics. Self-hosted on GCP within maivis VPC. No data transmitted to PostHog cloud.

9. Contact and DPA Requests

Privacy enquiries:
privacy@maiviswealth.com
Data Protection Officer:
dpo@maiviswealth.com
Enterprise or B2B DPA requests:
privacy@maiviswealth.com with subject line "DPA Request | [Organisation Name]"

Mango Technologies Ltd. will respond to DPA requests within 10 business days.
