Mahana

Privacy Policy

Effective date: March 25, 2026

Olomana Studios (“Company,” “we,” “us,” or “our”) operates the Mahana platform (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Service.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Your name and email address
  • Password (stored only as a one-way cryptographic hash — we never store your plaintext password)
  • Account role (owner, admin, or staff)

1.2 Business Information

During registration and through your use of the Service, we collect:

  • Business name, website, and description
  • Business type (sole proprietor or registered business)
  • Business Registration Number / EIN (encrypted at rest using AES-256-GCM)
  • Business contact information: name, phone number, street address, city, state, and ZIP code

1.3 SMS and Conversation Data

When your customers communicate with your business through the Service, we collect and store:

  • Inbound and outbound SMS message content (including AI-generated responses and staff replies)
  • Customer phone numbers
  • Customer names (if manually entered by your team)
  • Message metadata: timestamps, direction, sender type, AI confidence scores, and classification
  • Conversation status and folder assignments
  • SMS consent records and opt-in/opt-out status

1.4 Knowledge Base Content

We store the topics and content you add to your knowledge base, which is used to train the AI to respond accurately to your customers.

1.5 Payment Information

We do not directly collect or store your credit card number or banking details. Payment processing is handled entirely by Stripe. We store only your Stripe customer ID, subscription ID, and plan information to manage your subscription.

1.6 Usage Data

We automatically collect:

  • Monthly message counts and usage against plan limits
  • Workflow configurations and settings
  • Account activity related to the Service

2. How We Use Your Information

We use collected information to:

  • Provide the Service: Provision your toll-free number, deliver and receive SMS messages, run AI triage on incoming messages, and power your conversation dashboard.
  • AI-powered responses: Your knowledge base content, business description, and workflow configurations are provided to our AI provider (Anthropic) to generate automated responses to your customers. Inbound customer messages are also sent to the AI for classification and response generation.
  • Carrier compliance: Your business information is submitted to Twilio for toll-free number verification as required by telecommunications carriers.
  • Billing: Process subscription payments and manage your plan through Stripe.
  • Communications: Send you operational emails including urgent message alerts, daily summaries, usage limit notifications, verification status updates, and password reset links.
  • Support and improvement: Respond to your inquiries, troubleshoot issues, and improve the Service.

3. Third-Party Service Providers

We share information with the following third-party service providers, solely to operate the Service:

3.1 Twilio (SMS Infrastructure)

Twilio provisions your toll-free phone number, delivers and receives SMS messages, and handles carrier verification. We share your business name, contact information, address, EIN (if applicable), and SMS message content with Twilio.

3.2 Anthropic (AI Processing)

Anthropic provides the Claude AI language model that powers automated message triage and response generation. We send inbound customer messages, your knowledge base content, business description, and workflow trigger information to Anthropic for processing. This data is sanitized before transmission to remove potentially harmful content. Anthropic processes this data in accordance with their privacy and data handling policies.

3.3 Stripe (Payment Processing)

Stripe processes all subscription payments. Your payment method details are collected and stored directly by Stripe and are not transmitted to or stored on our servers.

3.4 Resend (Email Delivery)

Resend delivers operational emails on our behalf, including urgent alerts, daily summaries, usage notifications, and password reset links. Resend processes the email addresses and email content necessary for delivery.

3.5 Cloudflare (Security)

Cloudflare Turnstile is used on SMS consent pages to protect against automated abuse. Cloudflare may process your IP address and browser information during verification.

4. Data Sharing

We do not sell, rent, or trade your personal information to third parties. We share information only as described in Section 3 above, or when required to:

  • Comply with applicable law, regulation, or legal process
  • Enforce our Terms of Service or protect our rights, property, or safety
  • Prevent fraud, abuse, or security threats to the Service

5. Data Security

We implement industry-standard security measures to protect your information:

  • Passwords are hashed using bcrypt and are never stored in plaintext
  • Sensitive fields (EIN, Twilio authentication tokens) are encrypted at rest using AES-256-GCM
  • All data in transit is encrypted via TLS/HTTPS
  • Twilio webhook requests are verified using signature validation
  • Stripe webhook events are verified using signature validation
  • Multi-tenant data isolation ensures each business can only access its own data
  • AI inputs and outputs are sanitized to mitigate prompt injection attacks

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

  • Account and business data: Retained for the duration of your active subscription and for a reasonable period afterward for legal and operational purposes.
  • Conversation and message data: Retained for the duration of your active subscription as part of the core Service functionality.
  • SMS consent records: Retained as an append-only audit trail for regulatory compliance.
  • Password reset tokens: Automatically expire after one hour.
  • Upon cancellation: Your Twilio subaccount is closed and associated phone number credentials are removed from our systems.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information. You can update most account and business information directly through the dashboard.
  • Deletion: Request deletion of your personal information, subject to legal and operational retention requirements.
  • Data portability: Request your data in a structured, commonly used format.
  • Opt-out of communications: You can configure your notification preferences in account settings.

To exercise any of these rights, contact us at contact@heymahana.com. We will respond within 30 days.

8. Your Customers’ Privacy

As a Mahana user, you are the data controller for your customers’ information (phone numbers, SMS messages, names). Mahana acts as a data processor on your behalf. You are responsible for:

  • Maintaining your own privacy policy that discloses your use of third-party services including Mahana
  • Obtaining proper consent from your customers before they communicate with your business via SMS
  • Honoring opt-out requests (the Service handles STOP/START/HELP keywords automatically per carrier requirements)
  • Complying with all applicable privacy laws regarding your customers’ data

9. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us and we will take steps to delete such information.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights

11. International Users

The Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfer and processing.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

13. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at: contact@heymahana.com