Privacy Policy
Effective 1 May 2026
Mango Technologies Ltd
DIFC Innovation Hub, Gate Avenue
Dubai International Financial Centre
Dubai, United Arab Emirates
DIFC Licence: CL5222
1. Controller Identity
Mango Technologies Ltd, registered at the Dubai International Financial Centre (DIFC Licence CL5222), is the data controller for personal data processed through the maivis platform. We are subject to and comply with DIFC Data Protection Law 2020 (“DIFC DPL”) and the associated DIFC Data Protection Regulations 2020.
2. Data We Collect and Why
We collect personal information you provide during account creation (name, email address, phone number, country of tax residence) and financial data you choose to connect or enter (asset values, account balances, transaction history, uploaded documents). Financial values — asset holdings, property values, spending amounts, jurisdiction details — are used to provide portfolio analysis, generate your Family Resilience Score, and power AI-generated Intelligence. Personally identifiable information (names, emails, account numbers, passport numbers) is stripped by our Privacy Gateway before any AI call and is never transmitted to external AI providers. Every AI call is logged to an immutable audit trail for DIFC compliance.
3. Technical Security Measures
All data is stored on Google Cloud Platform in region me-central1, physically located in Doha, Qatar (GCP Middle East). Documents uploaded to the Vault are encrypted with AES-256-GCM. Encryption key management is provided by Google Cloud KMS in me-central1. Authentication uses FIDO2 WebAuthn passkeys. All connections are secured with TLS 1.3. Row-level security isolates each family’s records at the database layer, preventing cross-family data access even in the event of an application vulnerability.
4. Analytics and Cookies
We use PostHog for product analytics. Analytics are opt-in only — no tracking fires until you accept our cookie consent. We use Firebase Analytics for app performance measurement. Marketing measurement is provided by Meta Pixel, which is also opt-in only. You may withdraw consent at any time by visiting your account settings or by clearing cookies and declining consent on next visit. For full details on cookie categories, see our Cookie Policy.
5. Your Rights Under DIFC DPL 2020
You have the right to access, rectify, erase, restrict processing of, and receive a portable copy of your personal data. You may exercise these rights by emailing privacy@maiviswealth.com. We will respond within 30 days. Upon cancellation, your data is retained until you explicitly request deletion, after which it will be permanently erased within 30 days, subject to any legal retention obligations.
6. Document Vault Encryption
Documents stored in the Vault are encrypted with AES-256-GCM. A unique data encryption key (DEK) is generated per document and wrapped by Google Cloud Key Management Service (Cloud KMS) hosted in GCP me-central1 (Middle East). The plaintext DEK exists only in server memory during wrap and unwrap operations — it is never persisted. Only authenticated family members with a valid session can trigger an unwrap. A planned post-launch upgrade will migrate to WebAuthn PRF-based key derivation, at which point the DEK will be wrapped entirely client-side.
7. AI Processing Disclosure
maivis uses AI to generate family intelligence. Your financial values (asset amounts, spending totals) are used for analysis. Personally identifiable information (names, emails, IBANs, passport numbers) is never sent to AI providers — our gateway strips PII before every AI call.
AI providers (all under contractual Zero Data Retention):
- Gemini 2.5 Flash via Gemini Enterprise Agent Platform — 93% of requests
- Claude Sonnet 4.6 via Vertex AI Model Garden — 5% of requests
- Google Search Grounding — 2% of requests (real-time market data)
Under DIFC DPL 2020 Article 38 and GDPR Article 22, you have the right to request human review of any AI-generated output that affects decisions about you. Contact dpo@maiviswealth.com to exercise this right.
8. Data Retention
We retain your data for as long as your account is active, plus 90 days post-deletion to allow for recovery. Banking access tokens are purged within 24 hours of you disconnecting a bank connection. Security logs are retained for 24 months. We comply with applicable financial record-keeping requirements including 5-year retention obligations under applicable AML law.
9. Your Rights by Jurisdiction
In addition to your DIFC DPL 2020 rights (access, rectification, erasure, restriction, portability, objection), you may also have the following rights depending on your residence:
- EU / UK: GDPR/UK GDPR rights, 1-month response time
- India: DPDPA 2023 rights, 7-day response time
- California: CCPA/CPRA rights including opt-out of sale (we do not sell data), 45-day response time
- Canada: PIPEDA rights, 30-day response time
To exercise any right: privacy@maiviswealth.com or dpo@maiviswealth.com
10. Contact and DPO
Data Protection Officer: dpo@maiviswealth.com
General privacy enquiries: privacy@maiviswealth.com
Mango Technologies Ltd
DIFC Innovation Hub, Gate Avenue
Dubai International Financial Centre
Dubai, United Arab Emirates
DIFC Licence: CL5222
© 2026 Mango Technologies Ltd. All rights reserved.