Privacy Policy

Last updated: February 13, 2026

1. Introduction

Manu Labs, LLC ("Manu Labs," "we," "our," or "us"), the company behind Dasher, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service, including our website, messaging bot integrations (Telegram, Slack), and related features. This policy applies to all users regardless of location and is designed to comply with applicable data protection laws including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address and an encrypted password hash (managed securely via Supabase Auth). We do not store plaintext passwords.

2.2 Integration and Authentication Data

When you connect third-party services (Anthropic Claude, OpenAI Codex, Telegram, Slack, Google), we store the OAuth tokens necessary to facilitate these integrations. Tokens are stored using Supabase Vault with encryption at rest. We do not store your third-party account passwords.

2.3 Usage Data

We collect information about your interactions with the Service, including messages sent to the AI assistant, token usage metrics, workspace activity, and feature usage patterns. This data is used to provide, maintain, and improve the Service.

2.4 Conversation and Workspace Data

Your prompts, AI-generated responses, and files created within your workspace are stored in isolated, per-user environments. This data is necessary to maintain conversation context and provide continuity between sessions.

2.5 Technical Data

We automatically collect certain technical information when you access the Service, including IP address, browser type, device information, and referring URLs. This data is used for security, analytics, and service improvement purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the Dasher service
  • To process your requests and deliver AI assistant responses
  • To manage your account, integrations, and workspace
  • To monitor usage and enforce service limits
  • To improve, personalize, and optimize the Service
  • To communicate with you about service updates, security alerts, and account activity
  • To detect, prevent, and address fraud, abuse, and security issues
  • To comply with legal obligations and enforce our Terms of Service

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, our legal bases for processing your personal data include:

  • Contract performance — Processing necessary to provide you with the Service as agreed in our Terms
  • Legitimate interests — Service improvement, security, fraud prevention, and analytics
  • Consent — Where you have given explicit consent for specific processing activities
  • Legal obligation — Where processing is required to comply with applicable laws

5. Data Isolation and Security

We implement robust security measures to protect your data:

  • Workspace isolation — Each user's workspace runs in an ephemeral, sandboxed container via Modal, fully isolated from other users
  • Row-level security — Database access is enforced at the row level, ensuring users can only access their own data
  • Encrypted credential storage — OAuth tokens and sensitive credentials are stored in Supabase Vault with encryption at rest
  • JWT authentication — All API requests are authenticated using JSON Web Tokens validated against Supabase Auth
  • HTTPS everywhere — All data in transit is encrypted using TLS
  • Ephemeral execution — AI task sandboxes are created per request and destroyed after completion; no persistent compute state is shared

6. Cookies and Tracking

We use the following types of cookies and similar technologies:

  • Essential cookies — Required for authentication, session management, and core Service functionality. These cannot be disabled.
  • Analytics cookies — Used to understand how users interact with the Service and to identify areas for improvement. We use privacy-respecting analytics where possible.

We do not use third-party advertising trackers. You can manage cookie preferences through your browser settings, though disabling essential cookies may impair Service functionality.

7. Third-Party Services and Sub-processors

We share data with the following categories of third-party services to operate the Service:

  • AI providers — Anthropic (Claude) and OpenAI (Codex) receive your prompts and conversation context to generate responses
  • Messaging platforms — Telegram and Slack process messages as part of their platform functionality
  • Infrastructure providers — Supabase (database, auth), Modal (compute sandboxes), Vercel (web hosting), Railway (API hosting)
  • Productivity integrations — Google (Calendar, Gmail) when you explicitly connect these services

We only share the minimum data necessary to facilitate each integration. Your use of third-party services is also subject to their respective privacy policies. We maintain appropriate data processing agreements with our sub-processors.

8. International Data Transfers

Your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms, to protect your data in accordance with applicable law.

9. Data Retention

We retain your data according to the following practices:

  • Account data — Retained for as long as your account is active, plus a reasonable period after deletion for backup and legal compliance
  • Conversation data — Stored in your persistent workspace volume; may be periodically cleared based on storage limits
  • Usage logs — Retained for up to 12 months for analytics and billing purposes
  • OAuth tokens — Deleted immediately when you disconnect an integration or delete your account

You can request deletion of your account and associated data at any time (see Section 10).

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate or incomplete personal data
  • Deletion — Request deletion of your personal data ("right to be forgotten")
  • Portability — Request your data in a structured, machine-readable format
  • Restriction — Request that we limit processing of your personal data
  • Objection — Object to processing based on legitimate interests
  • Withdraw consent — Where processing is based on consent, withdraw it at any time

For California Residents (CCPA)

California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell your personal information to third parties. To exercise your CCPA rights, contact us at the address below.

Exercising Your Rights

You can disconnect third-party integrations at any time through the Settings page. For other data rights requests, contact us at support@dashercode.com. We will respond to verified requests within 30 days.

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us immediately.

12. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with applicable law. Notification will be sent to the email address associated with your account and will include the nature of the breach, the data affected, and steps you can take to protect yourself.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, for significant changes, by sending a notification to the email address associated with your account. Continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.

14. Contact

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at support@dashercode.com.