How we handle your data.
This notice explains what personal information MainMan Ltd ("we", "us", "our") collects when you visit this website, create an account, or use our software, why we collect it, how long we keep it, who we share it with, and what rights you have over it. We've tried to keep it short and honest.
If anything here is unclear, email support@mainmanhub.com and a real person will answer.
1. Who we are
MainMan Ltd is a company registered in England and Wales (company number 17240730), with its registered office at Ferriby Road, Hessle, HU13 0RG. We are the "data controller" for personal information collected through this website and any early-access onboarding that follows.
2. What information we collect
We only collect what we genuinely need. Specifically:
2.1 When you create an account
- Your name and email address
- A password (stored hashed — we never see the plain text)
- Your role within the organisation (admin, manager, technician, viewer)
- The name of your organisation
2.2 When you subscribe to a paid plan
- Card details: processed directly by Stripe — we never see or store your full card number, expiry, or CVC. Stripe gives us back a customer ID and the last 4 digits / card brand for your records.
- Billing email and address: for invoices and VAT compliance, where you provide them at Stripe Checkout.
- Subscription state: which plan you're on, when your current period ends, whether your card is healthy.
- Optional onboarding answers: portfolio size, marketing-consent preference — both asked once after first payment and editable from Settings.
2.3 When you use the MainMan app
- Data you enter: assets, work orders, inspections, hazards, tenancies, contacts, photos, documents. This includes any personal information about your tenants, staff, or contractors that you choose to log. You are the data controller for this — see §11.
- Usage telemetry: which pages you visit, which features you use, how long sessions last. Used to understand what's working and what to improve.
- Error reports: if something crashes, technical context (the URL, browser, JavaScript stack trace, your user and organisation IDs) is sent to our error tracker so we can fix it.
2.4 When you simply browse the website
Our hosting provider (Netlify) records technical access logs — your IP address, the pages requested, your browser type, and the timestamps — for security, performance monitoring, and abuse prevention.
2.5 If you correspond with us
If you email or otherwise contact us, we keep that correspondence (including your email address and any information you choose to share) so we can respond and follow up.
3. Why we collect it, and what we do with it
- To provide the service. So your account works, your data persists, you can log in from multiple devices, and your team can collaborate.
- To bill you. Process subscription payments, send invoices, handle failed payments, and let you self-manage your subscription.
- To support you. Reply to emails, investigate issues you report, and contact you about anything affecting your account.
- To improve the product. Aggregated, anonymised patterns about which features get used (and which don't) inform what we build next.
- To keep the service secure. Access logs, error reports, and abuse detection help us spot and block intrusions.
- To meet our legal obligations. Keep tax/accounting records, respond to legitimate requests from regulators, comply with data-protection law.
4. Legal basis for processing (UK GDPR)
- Legitimate interest — for responding to enquiries, running and securing the service, and improving the product.
- Performance of a contract — once you become a customer, processing necessary to deliver MainMan to you.
- Consent — for any optional marketing communications. You can withdraw consent at any time.
- Legal obligation — where we have to keep records to comply with tax, accounting, or other UK law.
5. Who we share it with (sub-processors)
We use a small number of trusted third-party processors. Each handles only what's necessary, under a data-processing agreement, and never for their own purposes:
- Supabase (Singapore Pte Ltd) — hosts the MainMan application, your tenant data, your account, and your subscription state. EU region (Frankfurt).
- Stripe (Stripe Payments UK Ltd / Stripe Inc.) — processes subscription payments and stores your card details. Stripe is PCI-DSS Level 1 certified; we never see your full card data. UK / EU / US under Stripe's standard data-protection terms.
- Anthropic (Anthropic PBC) — powers the in-app AI features (drafting work orders, summarising hazards, extracting data from documents) when you opt in. Data sent to Anthropic for processing is not used to train their models per our zero-retention API agreement. US-based.
- PostHog (PostHog Inc.) — product analytics: which features get used, how sessions flow. EU region. We do not record passwords, full form contents, or anything you've marked as sensitive.
- Sentry (Functional Software, Inc.) — error tracking. When the app crashes, technical context is sent so we can debug. EU region.
- Netlify (Netlify Inc.) — hosts this marketing website and processes any web-form submissions. EU/US under standard data-protection safeguards.
- Google Workspace (Google Ireland Ltd) — handles email to and from support@mainmanhub.com. EU region.
We do not sell, rent, or trade your personal information. We do not share it with advertisers. If we add a new sub-processor that materially affects you, we'll update this notice and email you in advance.
6. How long we keep it
- Early-access enquiries — kept for up to 24 months from your last contact with us, then deleted, unless you become a customer (in which case see below).
- Customer tenant data — kept for as long as you have an active MainMan account, plus 90 days after closure to allow for re-activation or export, then deleted.
- Email correspondence — kept for up to 36 months for support and continuity, then deleted.
- Web server logs — kept for 90 days.
- Records we are legally required to retain (e.g. for tax) — kept for the statutory period and then deleted.
7. International transfers
Most of your personal information stays in the UK or EU. Where any third party processes data outside the UK/EU (for example, some Netlify infrastructure), we rely on the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or another safeguard approved by the ICO.
8. Your rights
Under UK GDPR you have the right to:
- Ask us what personal information we hold about you (right of access)
- Ask us to correct anything that is wrong (right to rectification)
- Ask us to delete your personal information (right to erasure / "right to be forgotten")
- Ask us to restrict how we use your information
- Ask us to provide your information in a portable format (right to data portability)
- Object to our processing of your information where we rely on legitimate interest
- Withdraw any consent you have given us, at any time
To exercise any of these rights, email support@mainmanhub.com. We aim to respond within 7 working days and must respond within 30. We won't charge you for it.
If you're unhappy with how we've handled your information, you can complain to the UK Information Commissioner's Office at ico.org.uk or by phone on 0303 123 1113. We'd appreciate the chance to fix it first — but it's your call.
9. Security
We take security seriously. We use HTTPS across the site, application-level access controls, tenant isolation in our database, and routine reviews. No system is perfectly secure — if we ever have a personal-data breach that puts your rights at risk, we will notify the ICO within 72 hours of becoming aware of it, and we will tell you without undue delay.
10. Cookies and similar technologies
Marketing website (mainmanhub.com): no analytics cookies, no advertising pixels, no behavioural tracking. Some essential cookies may be set by Netlify for security purposes.
MainMan application: we set the cookies necessary to keep you logged in (Supabase Auth session token). We also use PostHog for product analytics, which sets a small number of first-party cookies to count unique users and measure feature uptake. PostHog is configured to not record passwords, full form contents, or text marked as sensitive. You can opt out of analytics via your browser's Do-Not-Track setting — we'll respect it.
11. AI features and your data
MainMan uses AI (large language models) for selected features: drafting work orders from a description, proposing asset structures from a spreadsheet, summarising hazard reports, extracting data from tenancy agreements. When you use these features, the data necessary to perform that task — and only that data — is sent to our AI provider (currently Anthropic) for processing.
Specifically: we do not send your full database to the AI. We send only the inputs you provide (the text you typed, the document you uploaded, the row context for the action) and receive back the AI's response, which we show you to review before saving.
Our agreement with Anthropic operates on zero-retention terms: data sent for processing is not stored by Anthropic beyond the request, and is not used to train their models. If you prefer to use your own Anthropic or OpenAI API key, you can configure that in Settings — in that case, your AI provider's terms apply to the data instead of ours.
12. Children
MainMan is a tool for organisations. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us and we'll delete it.
13. Changes to this notice
We'll update this notice when our practices change or when we add new processors. The "last updated" date at the top reflects the most recent change. If a change materially affects you, we'll tell you directly — we won't bury it.
Contact
Privacy questions, data requests, complaints, corrections, or "please delete everything":
Email: support@mainmanhub.com
Post: Ferriby Road, Hessle, HU13 0RG
A real human reads these. We don't outsource it.