Short version
Last updated: April 20, 2026.
This policy applies to Manatan websites and account services, including manatan.com, account settings, membership checkout, tracker account linking, Discord member perks, and Google Drive token brokering for app sync.
Who we are
Manatan is a language immersion app and account service. The account service lets you manage sign-in methods, memberships, tracker connections, supporter profile settings, and sync-related account links.
If you use a self-hosted or development deployment, the person operating that deployment may control its database, logs, environment variables, and connected service credentials. This policy describes the official Manatan deployment and the software defaults.
What we collect
Account and sign-in data
- Manatan login email address, but only when you add it to your Manatan account or sign up with email.
- Email verification status, account status, account creation time, and account deletion state.
- Password hashes for email login. Manatan does not store plaintext passwords.
- Session cookies, CSRF tokens, passkey records if you add passkeys, and login security events.
- OAuth provider IDs, provider email addresses, and provider email verification status for Google or Discord when you link those sign-in methods.
Google and Discord may provide an email address during OAuth, but Manatan does not treat that provider email as your Manatan login email unless you separately add and verify an email address in your account.
Connected tracker data
If you connect tracker accounts, Manatan stores enough information to let your signed-in app instances reuse that tracker session. Depending on the tracker, this may include provider user IDs, usernames, OAuth access tokens, refresh tokens, token expiration times, or session tokens.
For trackers that use username/password login rather than OAuth, Manatan sends the credentials to that tracker during the connection attempt and stores the resulting session information. Manatan is not intended to store the tracker password itself.
Google Drive sync data
If you connect Google Drive for Manatan sync, Manatan stores OAuth token data needed to issue short-lived access to your app. The app then talks directly to Google Drive for backup sync.
Membership, billing, and supporter data
- Membership plan, tier, entitlement state, billing provider, billing status, and renewal-related metadata.
- Stripe customer/subscription identifiers and limited transaction metadata, such as amount and currency.
- Supporter profile display name and whether you opted into a public supporter listing.
- Discord IDs, Discord usernames, guild membership, and mapped roles when Discord perks are enabled.
- Legacy supporter records, such as supporter email, Discord username, tier, amount, and active status.
Technical and security data
Manatan may process IP addresses, request metadata, user-agent strings, rate-limit records, audit events, error logs, webhook delivery results, and account-operation records to operate and secure the service. These records help detect abuse, diagnose failures, and protect accounts.
How we use information
- To create and secure Manatan accounts.
- To verify email addresses, reset passwords, manage sessions, and prevent abuse.
- To let you connect optional sign-in methods, tracker accounts, Discord perks, and Google Drive sync.
- To process memberships, grant paid or legacy supporter perks, and handle billing webhooks.
- To show public supporter names only when you opt into the public listing.
- To investigate support requests and keep the service reliable.
- To comply with legal, tax, accounting, security, and fraud-prevention obligations.
Google Drive sync
Manatan's Google Drive sync is designed around least practical access. The server may store OAuth tokens so your signed-in Manatan apps can obtain short-lived access without asking you to sign into Google on every device. The actual .manatanbk backup payload is intended to move directly between the app and Google Drive.
This means Manatan may know that Drive sync is connected and may broker access tokens, but it should not proxy or inspect your backup file contents during normal sync.
Billing and legacy support
Memberships can be processed through Stripe, Ko-fi, Discord role matching, or manual support review. Manatan stores the minimum billing state needed to decide whether an account has member perks, show billing diagnostics, handle webhook retries, and avoid accidentally removing perks when a provider has a temporary outage.
Legacy supporter matching may compare account emails, verified emails, Discord usernames, Discord IDs, and uploaded supporter CSV records. Public supporter profile information is only shown publicly if you opt in.
Retention and deletion
Manatan keeps information while your account is active and as long as needed to provide the service, secure accounts, resolve disputes, and meet legal or accounting obligations.
- Account deletion requests schedule the account for deletion after a 30-day waiting period.
- Session records, verification tokens, reset tokens, rate-limit rows, and temporary OAuth states expire or are cleaned up over time.
- Billing and transaction records may be kept longer where required for tax, accounting, fraud prevention, or dispute handling.
- Backups stored in your Google Drive are controlled through your Google account and Drive settings.
Some information may remain in backups for a limited time after deletion, but it will not be restored into active systems unless needed for disaster recovery, security, or legal reasons.
Your choices and rights
- You can log out from the account page and revoke active sessions.
- You can add, change, verify, or remove your Manatan login email when your account has another recovery method.
- You can disconnect linked sign-in methods, tracker accounts, Discord, and Google Drive where the account page provides controls.
- You can opt in or out of the public supporter listing.
- You can request access, correction, export, deletion, or restriction of personal information where applicable law gives you those rights.
- You can also revoke OAuth access directly from Google, Discord, or tracker provider account settings.
If you are in a region with privacy laws such as the GDPR, UK GDPR, CCPA/CPRA, or similar laws, you may have additional rights. Contact us and we will handle the request according to the law that applies to you and to Manatan.
Security
Manatan uses security measures such as hashed passwords, CSRF protection, session cookies, rate limiting, OAuth state checks, token expiration, restricted access controls, and audit logs. No internet service can promise perfect security, but the goal is to keep sensitive data narrow, encrypted in transit, access-controlled, and removable when it is no longer needed.
Do not paste passwords, OAuth secrets, API tokens, or billing secrets into public issues, screenshots, or chat logs. If you accidentally expose a secret, rotate it with the provider.
Children
Manatan is not intended for children under 13. If you believe a child provided personal information without appropriate consent, contact us so we can delete it.
Changes to this policy
We may update this policy when Manatan changes, when new account or billing features are added, or when legal requirements change. The "Last updated" date will change when the policy changes. For material changes, we will make reasonable efforts to provide a more visible notice.
Contact
For privacy requests, account deletion questions, or data-access requests, contact privacy@manatan.com.
If that mailbox is not yet active on a new deployment, use the Manatan GitHub or Discord links from the homepage and include "Privacy request" in the subject or first line.
This policy is meant to be understandable and accurate for Manatan's current implementation. It is not a substitute for legal advice if you operate your own deployment or process data for other people.