Loi 25 + GDPR + DPA: how Manera handles your data

Manera Technologies Inc. is a Québec-incorporated company. Our default privacy regime is Quebec's Loi 25 (the Act to modernize legislative provisions as regards the protection of personal information), which is the strictest provincial-level privacy regime in North America and which post-dates the GDPR. Customers from any jurisdiction get Loi 25-grade handling by default. EU customers get GDPR layered on top via our standard DPA.

This article covers what we collect, where it lives, who can access it, and how to exercise your data rights.

TL;DR for procurement diligence

• Primary regime: Quebec Loi 25 (effective September 22, 2023; broader 2024-2025 amendments in force)
• Secondary regime: EU GDPR via standard Data Processing Addendum (DPA) signed at sign-up
• Data residency: Customer data stored in Canadian commercial cloud (Cloudflare R2 + Wise infrastructure for FX-execution data); EU residency available on request
• Sub-processors: Stripe (billing) · Wise (FX execution) · Anthropic (Claude API for synthesis only — no customer financial data sent to model) · Cloudflare (CDN + WAF + R2 storage) · Mailtrap (transactional email)
• DPA: signed at Stripe Checkout via shrink-wrap; long-form DPA for sovereign customers available on request
• Right to erasure: 90-day data-export window post-cancellation; permanent deletion thereafter
• SOC 2 Type II: in progress, target Q4 2026; pre-audit evidence packs available for procurement diligence today
• Data Protection Officer: [email protected] (founder; under Loi 25, the Person in Charge of the Protection of Personal Information)

What we collect (and don't)

What we collect

What we do not collect

• Browser fingerprints, IP-tracking pixels, third-party ad cookies. Zero. We use Cloudflare's first-party analytics with IP-anonymization. No Google Analytics, no Mixpanel, no Segment, no Hotjar.
• Device hardware specifications. We don't read user agents, we don't fingerprint, we don't do "machine ID".
• Your customer's PII. When you upload a hedge book or candidate pipeline, the file is encrypted-at-rest in your tenant. We never aggregate it across tenants. We never train models on it. We never share with sub-processors except as listed.
• Your financial transaction details. Wise executes the FX move under your direct OAuth grant; Manera sees the metadata (amount, currencies, timestamp) but never the intermediary banking data.
• Anything sent to Anthropic Claude API. When the synthesis layer calls Claude, the prompt contains the relevant fact cards (which you authored) plus the synthesis instructions (which we own). Customer financial data, identity records, candidate names, and other regulated data categories are explicitly stripped before the API call. See Anthropic sub-processor scope for the exact prompt-redaction rules.

Where data lives

Default residency: Canada

• Primary storage: Cloudflare R2 in ca-central-1 region (Toronto)
• Backup storage: Cloudflare R2 cross-region replicated to eastern-canada (Montréal)
• CDN edge: Cloudflare global edge network (TLS termination only; no application-layer data crosses the edge)
• Compute: PM2-managed Node/Python processes on a Canadian commercial cloud host

Optional residency: EU

EU customers can request EU-only residency. Storage flips to Cloudflare R2 eu-west-1 (Frankfurt), backups to eu-north-1 (Stockholm). FX-execution data continues through Wise's EU regulated entity (Wise Europe S.A., Belgium). The shift adds ~50ms of synthesis latency on the first call (subsequent calls cached at edge).

Optional residency: Sovereign

Sovereign Tier customers can request a dedicated tenant with custom residency (e.g. UK only, US only, AWS GovCloud, OVHcloud Sovereign). This is engineered per-customer; minimum quarterly commitment.

Sub-processors

The full sub-processor list is at /trust. New sub-processors are notified 30 days in advance via email and a posted update at /trust/sub-processors.

Loi 25 specifics

Quebec's Loi 25 is the strictest privacy regime in Canada and arguably stricter than GDPR on a few axes. Manera is built for Loi 25 compliance from the ground up:

• Article 4 — Person in Charge of Protection of Personal Information. Designated: Kao Manirath, Founder. Contact: [email protected].
• Article 8.1 — Privacy Impact Assessment (PIA). Maintained for the platform; updated quarterly. PIA available to customers on request.
• Article 9 — explicit consent. No data collection beyond what you configured at sign-up. No "implicit consent" patterns.
• Article 11 — automated decision-making. When a synthesis influences a decision (e.g. NEIP flagging a country as high-risk), we disclose the inputs and let you override. The synthesis is not the decision; you are.
• Article 17 — confidentiality incident notification. Within 72 hours of confirmed material breach, affected customers + the Commission d'accès à l'information are notified. The same threshold the EU GDPR uses.
• Article 23 — right to erasure. 90-day data-export window post-cancellation; permanent deletion thereafter, including from backups.
• Article 28 — data portability. All data exportable as JSON + CSV at any time, no fee, no friction. Self-serve from your billing portal.

GDPR specifics

For EU customers, our standard DPA is a Schedule 2 to the Stripe-checkout terms. It covers:

• Article 28 — controller-processor relationship. Customer is data controller; Manera is data processor. We act only on documented instructions (your configuration of the petals).
• Article 30 — records of processing activities. Maintained for the platform; available to customers on request.
• Article 32 — security of processing. Encryption-in-transit (TLS 1.3 minimum), encryption-at-rest (AES-256), access controls (single-tenant isolation), pseudonymization where feasible.
• Article 33 — breach notification. Within 72 hours of confirmed material breach.
• Article 35 — DPIA. Performed for the platform; updated quarterly.
• Article 44-49 — international transfers. EU customers' data stays in EU (with EU residency option). Non-EU data transfers to sub-processors covered by Standard Contractual Clauses (SCCs) executed at sign-up.
• Article 17 — right to erasure. Same 90-day window as Loi 25.
• Article 20 — data portability. Same self-serve export as Loi 25.

Common procurement questions

Q: Where do I find your DPA? Auto-attached to your Stripe Checkout receipt. Long-form DPA for sovereign customers: email [email protected].

Q: Do you allow data residency in my jurisdiction? Canada (default) and EU available today on the Mesh Tier. UK, US, and custom sovereign residency on Sovereign Tier.

Q: How do you handle a customer subject access request? Self-serve from billing portal: export-all-data button. Returns JSON + CSV in minutes. No founder intervention required.

Q: What is your incident-response time? Within 72 hours of confirmed material breach for notification (Loi 25 Art. 17 + GDPR Art. 33). Internal incident-response runbook tested quarterly.

Q: SOC 2 Type II? In progress. Target Q4 2026. Pre-audit evidence packs available now: email [email protected] with subject "SOC 2 evidence pack".

Q: ISO 27001? On the roadmap for 2027 (after SOC 2 Type II). Not pursuing 27001 ahead of SOC 2 because the buyer overlap is high.

Q: HIPAA / PHI? Manera does not currently process PHI. We are not a HIPAA Business Associate and we do not sign BAAs. If your use case requires PHI handling, the Sovereign Tier with dedicated tenant is the path; engagement scoping required.

Exercising your rights

To exercise any of the rights below, email [email protected]. Most rights are also self-serve from your billing portal.

Related articles

• Our SOC 2 Type II roadmap (in progress)
• Trust Doctrine
• Privacy Policy
• Acceptable Use Policy
• Data Protection Addendum

← Back to knowledge base · Trust · Privacy · Contact DPO