Mandrel

Privacy Policy

Last updated: February 11, 2026

1. Introduction

Welcome to Mandrel ("we," "our," or "us"). Mandrel is a content management platform designed to help organizations build, manage, and automate their data-driven applications. We are committed to protecting the privacy and security of all information processed through our platform.

This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and your rights regarding your personal information. By accessing or using Mandrel, you agree to the practices described in this policy.

2. Information We Collect

2.1 Account Information

When your account is created by an administrator, we store the following:

  • Email address — used as your unique login identifier
  • First and last name — for display and identification within the platform
  • Password — stored in a securely hashed format; we never store plaintext passwords
  • Role and permissions — your assigned roles and collection-level access rights
  • Invitation status — whether your account was created directly or via invitation

2.2 Session and Authentication Data

When you log in and use the platform, we collect:

  • IP address — recorded for each session and login attempt
  • User agent (browser/device info) — to identify your device and browser
  • Session tokens — refresh tokens stored as secure, HTTP-only cookies to maintain your authenticated session
  • Login attempt records — including timestamp, IP address, and success/failure status for security monitoring

2.3 Cookies

Mandrel uses the following cookies:

  • refreshToken — a secure, HTTP-only cookie used to maintain your authentication session. This cookie is essential for the platform to function and cannot be disabled. Its duration depends on whether you select "Remember me" during login (up to 30 days) or use a standard session (24 hours).

We do not use any third-party tracking cookies, advertising cookies, or analytics cookies.

2.4 Collection Data

The platform allows administrators to create dynamic data collections (e.g., customers, orders, invoices, projects). The data stored in these collections is determined entirely by your organization's administrators. This may include business data such as names, email addresses, phone numbers, financial records, or any other fields configured by your administrators.

2.5 AI Assistant & Chatbot Data

If you interact with the Mandrel AI Assistant, we collect:

  • Conversation messages — your queries and the AI-generated responses
  • Session and message identifiers — to maintain conversation context
  • Token usage and estimated cost — for monitoring AI resource consumption
  • Response performance data — response time, status, and retry counts
  • IP address and user agent — for security and auditing

2.6 Audit Logs

For security, compliance, and accountability, Mandrel maintains comprehensive audit logs that capture:

  • Authentication events — logins, logouts, and password resets
  • API access records — endpoints accessed, HTTP methods, status codes, and latency
  • Data operations — creation, modification, and deletion of records including before/after snapshots
  • Administrative actions — role changes, permission updates, and user management activities
  • System events — maintenance, errors, and automated tasks
  • Request metadata — IP address, user agent, and session identifiers

2.7 Automation Execution Data

When automations are triggered (e.g., on record creation, update, or deletion), we log execution details including trigger event, execution status, duration, and any error messages for troubleshooting purposes.

3. How We Use Your Information

We use the collected information for the following purposes:

  • Authentication and access control — to verify your identity and enforce role-based permissions
  • Platform functionality — to operate the CMS, serve your data collections, and provide the AI assistant
  • Security monitoring — to detect and prevent unauthorized access, brute-force attacks, and suspicious activity
  • Audit and compliance — to maintain a verifiable record of all actions taken within the platform
  • Performance optimization — to monitor API response times and system health
  • Troubleshooting — to investigate errors, debug issues, and improve platform reliability

4. Data Storage and Security

4.1 Storage Infrastructure

All data is stored in a PostgreSQL database. The platform uses Prisma ORM for secure, parameterized database access, preventing SQL injection and other common attack vectors.

4.2 Security Measures

  • Password hashing — all passwords are securely hashed before storage
  • HTTP-only cookies — refresh tokens are stored in HTTP-only, secure cookies to protect them from theft via XSS attacks
  • Rate limiting — login endpoints are rate-limited to prevent brute-force attacks
  • Session management — sessions are regularly cleaned up, and users can view and revoke active sessions
  • Circuit breaker patterns — database connections use circuit breakers to prevent cascade failures
  • Role-based access control (RBAC) — fine-grained read, create, edit, and delete permissions per collection per role
  • Audit trail — all sensitive operations are logged with severity levels for review

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information to any third parties. Data is shared only under the following circumstances:

  • AI service providers — conversation content is sent to Google Gemini for AI-powered responses; no personal account data is shared beyond the conversation content
  • Legal obligations — we may disclose data if required by law, regulation, or valid legal process
  • Service infrastructure — your data is hosted on our secured infrastructure (Hetzner VPS managed via Coolify)

6. Data Retention

  • Account data — retained for the lifetime of your account or until deleted by an administrator
  • Session data — active sessions expire after 24 hours (or 30 days with "Remember me"); expired sessions are cleaned up hourly
  • Login attempts — retained for security monitoring and automatically cleaned up
  • Audit logs — retained according to the configured expiration policy; logs may have individual expiration dates
  • AI conversations — retained to maintain conversation history; can be cleared by administrators
  • Collection data — retained until deleted by authorized users; soft-delete is supported for applicable collections

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your personal data, subject to legal and operational requirements
  • Data portability — request your data in a structured, machine-readable format
  • Objection — object to certain types of data processing

To exercise any of these rights, please contact your organization's super administrator or reach out to us at support@mandrel.com.

8. Account Creation

Mandrel does not offer self-registration. All user accounts are created exclusively by super administrators. This ensures that only authorized individuals have access to the platform and its data.

9. Children's Privacy

Mandrel is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child's data has been collected, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Any material changes will be communicated through the platform or via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: