Skip to main content
mawiloa

Privacy Policy

Effective date: June 7, 2026

Mawiloa (“we,” “us,” or “our”) operates a multi-tenant SaaS platform for portfolio management and AI-assisted business operations. This Privacy Policy explains what personal and business data we collect, how we use it, who we share it with, and what rights you have over it. By using Mawiloa, you agree to the practices described here.

1. Data We Collect

Account Data

When you register, we collect your name, email address, company name, and billing information. Tenant administrators also provide company details used to configure your workspace.

Financial Data

If you use our financial management features, we store invoices, ledger entries, expense records, client names, and payment amounts on your behalf. This data belongs to you and is processed solely to deliver the service.

Workforce and Task Data

We store workforce member profiles, project assignments, task records, and AI agent configurations including risk scores and execution logs associated with your tenant.

AI Agent Task Data

When you use AI-powered tools (document summarization, data extraction, classification, or report generation), the content you submit and the outputs generated are stored as task records tied to your tenant. Task content may be transmitted to Anthropic’s API for processing — see Data Sharing below.

Usage Data

We collect logs of actions taken within the platform (page visits, API calls, feature usage) for security monitoring, debugging, and service improvement.

Technical Data

We collect IP addresses, browser type and version, device identifiers, and timestamps associated with authenticated sessions. This data is used for security and fraud prevention.

2. How We Use Your Data

  • Delivering, operating, and improving the Mawiloa platform and its features
  • Processing billing and managing subscriptions through Stripe
  • Sending transactional communications (receipts, security alerts, platform updates)
  • Detecting, investigating, and preventing fraudulent or abusive activity
  • Generating anonymized, aggregated usage analytics to improve product quality
  • Complying with applicable laws, regulations, and lawful government requests

We do not sell your personal data. We do not use your data for advertising.

3. Data Sharing and Sub-processors

We share data only with trusted sub-processors required to operate the platform:

  • Supabase — PostgreSQL database and authentication. Your data is stored in Supabase-managed infrastructure.
  • Stripe — Payment processing for subscription billing. Stripe receives billing details only.
  • Anthropic — AI processing. When you invoke AI agent tools, the content of your request is transmitted to Anthropic’s Claude API to generate a response. Anthropic processes this data subject to their own privacy policy and API usage terms. Do not submit highly sensitive or regulated information to AI tools.
  • Vercel — Application hosting and edge delivery.

We may also disclose data as required by law, court order, or to protect the rights, safety, or property of Mawiloa, our customers, or the public.

4. Data Retention

  • Account data — Retained while your account is active, then deleted 90 days after account closure unless you request earlier deletion.
  • Financial records — Invoices, ledger entries, and expense records are retained for 7 years to comply with standard accounting and tax regulations.
  • Audit logs — System audit logs are retained for 2 years for security and compliance purposes.
  • AI task records — Agent task inputs and outputs are retained for the duration of the subscription, then deleted with account data.

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request correction of inaccurate or incomplete data.
  • Deletion — Request deletion of your personal data, subject to legal retention obligations.
  • Portability — Request your data in a machine-readable format.
  • Opt-out — Opt out of non-essential communications at any time.

To exercise your rights, contact us at privacy@mawiloa.com. We will respond within 30 days.

6. Security

  • Encryption in transit — All data transmitted between your browser and our servers is encrypted using TLS 1.3.
  • Encryption at rest — Data stored in Supabase is encrypted at rest using AES-256.
  • Access controls — Row-level security enforces tenant isolation at the database layer. Users can only access data belonging to their tenant.
  • Audit logging — All significant actions are logged with actor identity, timestamp, and affected resource.
  • Incident response — We maintain an incident response plan. In the event of a data breach affecting your personal data, we will notify you as required by applicable law.

7. Cookies

We use session cookies required for authentication (managed by Supabase) and CSRF protection cookies required for security. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. See our Cookie Policy for full details.

8. Policy Updates

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the effective date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

9. Contact

For questions, requests, or concerns about this Privacy Policy or our data practices, contact our privacy team at privacy@mawiloa.com.

Mawiloa · Memphis, TN · United States

Mawiloa — Enterprise Ecosystem