Privacy Policy

Hello, and welcome to our personal data policy. Here, we explain how we collect, use, share, store and transfer your information in connection with the operation of the "manta.fund" website (the "Site") and the rights you have over the information concerning you.

Before we begin, let us clarify that the terms "we" or "Manta" refer to MNT, a simplified joint-stock company (société par actions simplifiée) with share capital of €5,000, registered with the Paris Trade and Companies Register under number 100 098 490, with its registered office at 19, rue des Archives, 75004 Paris, responsible for all the uses detailed in this policy (with the exception of the features that involve uploading documents).

The organisation's contact person, with whom you may exercise your rights and to whom you may address any question, is Chloé Toubiana; you can reach her by email at dpo@manta.fund.

Conversely, the term "you" and its derivatives refer to you, the reader of this personal data policy.

We have structured our personal data policy as a series of questions you may be asking yourself, as follows:

• What information do we collect? How do we use it, and why?
• Do we share information with third parties or abroad?
• What is our cookie policy?
• What are your rights over your information?
• Is your information secure?
• How do you exercise your rights over your information?
• When did the personal data policy come into force?

1. What information do we collect? How do we use it, and why?

It is necessary to distinguish between the various roles and uses we have:

1.1. As data controller

• The uses of the data of any visitor to the site;
• The uses of the data of our prospects, our clients and the holders of a Manta account;
• The uses of the data contained in the Documents;
• The uses of your personal information within companies' legal information.

1.2. As data processor

• The uses of the data contained in the documents uploaded to Manta.

1.1. As data controller

1.1.1. The collection of data of any visitor

Every visitor to the Site reveals the following information, transmitted by default by their web browser, which we therefore collect automatically:

• The operating system of your device (Windows, Mac, Android, iOS, etc.);
• The web browser used and its language;
• Your IP address;
• The time at which the visit took place;
• Technical information about your device type (computer, smartphone, etc.);
• Where applicable, the website that referred you to manta.fund.

This information is collected automatically and is retained by our hosting provider AWS Paris, for a period defined in accordance with its terms of use and privacy terms available at the following address: https://aws.amazon.com/fr/privacy/. The legal basis for the collection and use of the aforementioned information is the necessity of this collection and processing in order to perform our Terms of Use (https://manta.fund/cgu).

We also collect all the information you provide to us through the use of the various forms that may be present on the site (contact, demonstration request, appointment request, webinar registration, etc.). The information concerning you is used in order to receive your message and to be able to respond to you. It is retained as part of our history of received messages until you exercise your right to erasure, or for a maximum of three years. In the contact forms, all the information requested is mandatory. Providing the number of lines in your portfolio is necessary because this information enables us to direct you to the sales team best able to respond to you, thereby ensuring more relevant handling of your request.

1.1.2. The uses of the data of our prospects, our clients and the holders of a Manta account

1.1.2.a. The use of your information as a prospect

We may use your contact details (surname, first name, email, telephone number, professional social networks) for commercial prospecting purposes, which you may object to at any time by email at dpo@manta.fund or, in the case of automated prospecting, by clicking the links provided for that purpose.

This data is collected either directly from you, or through specialised providers listed in the Transfers section of this policy, or from public sources such as the SIRENE directory or your website. We also retain our prospecting history (date and nature of the most recent exchanges). Finally, we may also collect and retain data relating to your company from LinkedIn or from your website.

The legal basis for this collection and processing is our legitimate interest in offering you our products and services (Recital 47 of the GDPR).

Use of the "Demonstration request" feature also requires the collection of the requested information and its retention for the purposes of organising the demonstration.

If you have consented to the placement of a Google Click ID cookie (glcid) in accordance with our cookie policy, we may use the information collected (your unique identifier and your conversion journey) in order to accurately track our marketing campaigns, to understand the conversion funnel of our visitors and to carry out targeted advertising. Indeed, having requested a demonstration on the Site following an advertisement on a third-party site, this information is imported into our commercial management tool (Hubspot). Removing the cookie does not delete the information collected. This information is retained for a period of three years from your last contact with our sales team (last telephone call, last meeting, or last click on your part on an email or an SMS), regardless of whether you delete the third-party cookie. To this end, we use LinkedIn's services to carry out targeted advertising on these social networks after a visit to our site. This advertising also uses cookies; you may refuse the placement of these cookies at any time.

The legal basis for this collection and processing is our legitimate interest in offering you our products and services (Recital 47 of the GDPR).

Finally, as part of prospecting and the monitoring of the commercial relationship, Manta wishes to record video-conference and telephone exchanges between you and its sales teams. This information is processed within the European Union and can only be consulted by the team responsible for training. The purpose of this collection and use is to ensure internal training and the quality of exchanges with you. You may object to it at any time by notifying your contact person.

The legal basis for this processing is Manta's legitimate interest in ensuring the training of its sales teams and in improving exchanges with you by focusing on the conversation rather than on note-taking.

Recordings are retained for a period of 3 months from the time of capture, while transcriptions are retained for a period of 6 months from the time of collection.

1.1.2.b. The use of your information as a client or as part of a client organisation

Where you are invited to create an account by the client Organisation, we collect and process your telephone number in order to ensure, on the one hand, better handling of our commercial relationship and, on the other hand, the management of training sessions. This data is retained until you delete your Account using the dedicated feature on the "Settings" page. In this case, the legal basis for the collection and processing of your telephone number is our interest, and yours, in reaching you by the most reliable means possible in order to ensure a good grasp of all the product's features and, consequently, to ensure the proper performance of our contractual obligations in accordance with our Terms and Conditions (https://manta.fund/cgv). Providing this information is not necessary in order to access the services.

In addition, where the contract with the client Organisation so provides, we communicate to the latter the statistics of your use of the Manta platform, including your personal information such as your surname, first name and email address, as well as your activity on the Site. This processing constitutes a re-use of the data collected as part of the use of the aforementioned features. The legal basis for the collection and processing of this information is our interest, and that of your Organisation, in enabling the proper performance of the contract that binds us to it, where the contract provides for such communication.

When subscribing to a subscription, we collect and transfer certain information concerning you to our electronic signature provider, Yousign, in order to manage the signing of the contract that binds us and to obtain timestamped proof of the contracting. The legal basis for this processing is the necessity of this collection and processing in order to perform our Terms and Conditions (https://manta.fund/cgv).

We also collect and use the payment information relating to the payment method you have chosen. This information is transferred to a secure payment provider (which also depends on the payment method chosen), as detailed in question 2. The legal basis for this collection and use is the necessity of this collection and processing in order to perform our Terms and Conditions (https://manta.fund/cgv). Your payment method is retained only by our provider (your payment data never passes through our servers) and only for the time necessary to process your payment or your recurring subscription.

We may also use several types of information in the event of non-payment of the sums due under the contract that binds us. In order to identify any person in a situation of unpaid debt, we may collect and use the information relating to the payment incident (date the unpaid debt arose, amount of the unpaid debt, purpose of the unpaid debt). In such a situation, in order to recover the sums due, we use the personal information collected at the time of subscription (surname, first name, profession, email address and billing postal address) to send you reminders by any means. The purpose of this use is the recording of confirmed unpaid debts by the unpaid-debt management service, and its legal basis is the necessity of this collection and processing in order to perform our Terms and Conditions (https://manta.fund/cgv). This information is retained until any settlement of the unpaid debt and/or for a maximum of 5 years from the date the unpaid debt arose.

1.1.2.c. The use of your information as an account holder

Access to our features as the holder of a manta.fund account

Access to Manta's features is conditional on the creation of an account, under the conditions detailed in the Terms and Conditions (hereinafter the "Account"). As specified in our Terms and Conditions (https://manta.fund/cgv), the Account may be linked to a subscription or to a free trial.

Creating an Account requires the provision of the following information, in order to verify your identity, enable your access to the Site and secure that access:

• Your surname and first name;
• Your professional email and your profession;
• Where applicable, the number of lines in your portfolio and your Organisation's AUM;
• Your password, which we store in an encrypted and secure manner; and
• Your telephone number.

Providing this information is necessary in order to access the service.

This information is retained for a period of one year after your last visit to the site or your last click on a link in our emails, or until your Account is deleted.

The deletion of your Account and of all the data linked to it occurs automatically one year after the termination of the subscription taken out by your organisation, or upon the express request of your organisation. Only your organisation may request the deletion of your Account. You may, however, request the deletion of the aggregated usage data in our database, and this deletion will take place within the month following your request, in accordance with the time limit set by Article 12.3 of the GDPR.

If you have begun creating an Account without completing it (failure to validate your telephone number), your Account will be deleted automatically one month after its creation. In all cases, we retain a hash (a cryptographic trace that does not allow the original data to be recovered) of your email and your telephone number in order to prevent attempts to create multiple trial accounts.

The legal basis for the collection and use of the aforementioned information is the necessity of this collection and processing in order to perform our Terms and Conditions (https://manta.fund/cgv).

The management of authentication on your manta.fund account

As part of the use of single sign-on authentication and in order to improve the security of your account, we collect the following information:

• your surname and first name,
• the name of the structure through which you operate,
• as well as your telephone number.

The legal basis for this use is the necessity of this collection and processing in order to perform our Terms and Conditions (https://manta.fund/cgv).

The provision of our services

Some of Manta's features inherently require the collection and use of the information concerning you. This is notably the case for the tasks assigned to you, the notifications you receive, the documents you upload, or the history of the changes you make.

This information is retained until your Account is deleted. The legal basis for the collection and processing of this data is the necessity of this collection and use in order to perform our Terms and Conditions (https://manta.fund/cgv).

Product improvement and error correction

In order to manage the feedback you give us, we collect certain information concerning you: your surname and first name, as well as your profession and, finally, the content of your feedback (suggestions for improving the product or errors observed).

During your use of the manta.fund site, we also collect certain information relating to your activity (when you browse the Site, when you scroll through the pages, when you click on a button, etc.). This information - pseudonymised beforehand - is transmitted to our provider Mixpanel for the monitoring and behavioural analysis of users and is accessible only to our team dedicated to the Product.

The purpose of this processing is to understand the lessons drawn from your use of the site in order to build the product accordingly.

Finally, we may also transmit information concerning you to our monitoring providers, Rollbar and Datadog, as well as Sentry, in order to contextualise, diagnose and efficiently resolve the errors reported to us.

The legal basis for the collection and use of this information is Manta's legitimate interest in building and improving its products thanks to your user feedback and the analysis of your behaviour on the site, as well as in correcting errors, in accordance with its freedom to conduct a business.

This information will be retained until you exercise your right to object.

The management of sharing

Your IP address is automatically transmitted by your web browser when you visit the manta.fund site. This information is re-used by our services for the purpose of ensuring that your Account is not shared with third parties.

This data is retained for a period of three years from your last contact with our sales team (last telephone call, last meeting, or last click on your part on an email or an SMS).

The legal basis for the use of the aforementioned information is the necessity of this processing in order to perform our Terms and Conditions (https://manta.fund/cgv), the licence of use granted being personal and non-transferable, and our legitimate interest in preventing third parties from benefiting from our paid Services without a subscription.

1.1.3. The uses of your personal information within companies' legal information

This notice is addressed to you if you are the director, legal representative or beneficial owner of a company, or if you are a third party mentioned in a legal-notice document. Manta has created Operator pages whose purpose is to make accessible to its clients all the legal and economic information of companies in order to follow the life of each legal entity, including information relating to their directors and their legal representatives.

1.1.3.a. What is the purpose of the page? What is its legal basis?

The purpose of the Operator page is to make accessible to its Clients all the legal and economic information of companies in order to follow the life of each legal entity, including in particular information relating to their directors, their legal representatives and their beneficial owners, or to any person mentioned in legal-notice documents, by compiling public information contained in the documents filed with the National Business Register (RNE), in the SIRENE directory or in the legal notices published in the BODACC. This page thus enables Manta clients to follow the life of an Operator and of the natural persons associated with it.

The legal basis for this collection and processing is twofold: the pursuit of the legitimate interest of Manta clients in accessing this information (freedom of expression and right to information), and the pursuit of Manta's legitimate interest in re-using public information.

1.1.3.b. Why was it created without my consent?

First of all, it should be recalled that the page reproduces public information about companies, which are not covered by the GDPR. Indeed, Recital 14 of the GDPR specifies that "This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person".

Article 6 of the GDPR provides that processing is lawful only "if and to the extent that at least one of the following applies", subsequently listing 6 different conditions. Consent is the first of these conditions, but is only one possibility among others for grounding the processing of personal data. The CNIL thus recalls on its website that consent does not have to be systematically obtained.

As specified above, the legal basis of the company page is a twofold legitimate interest. In accordance with Article 6(1)(f) of the GDPR, we have taken all measures to ensure that the implementation of this data processing on the grounds of legitimate interests was carried out with respect for the fundamental interests, rights and freedoms of the data subjects.

In accordance with the CJEU's Manni judgment (CJEU, Court, 9 March 2017, C-398/15), the public's interest in accessing the information persists beyond the removal of your company from the RNE.

1.1.3.c. What information is concerned? What are its sources? How long is it retained?

The page contains three broad categories of information concerning you:

• Your identity as a director, legal representative or beneficial owner of a company (your surname and first name, your date of birth and your age);
• The legal information concerning your position within the company, including your function, the date you took up your function within the company concerned, and the companies you manage or have managed. If you are mentioned as a beneficial owner, the extent of the capital you hold in the company;
• Any other personal information, the nature of which cannot be prejudged, contained in legal-notice documents.

All this information comes from a public source. Indeed, according to the CJEU's clarifications in the judgment cited, "it appears justified that natural persons who choose to participate in trade through [a public limited company or a limited liability company] are required to disclose the data relating to their identity and functions within that company, especially since they are aware of that obligation at the time they decide to engage in such activity" (paragraph 59).

It is extracted:

• from the RNE documents filed with the registry and made available to the public by the National Institute of Industrial Property (INPI), in accordance with Article L.411-1, 1°-2° of the Intellectual Property Code as amended by Article 60 of Law No. 2015-990 for growth, activity and equal economic opportunity, for re-use purposes. The documents correspond to the registration of companies, as well as to the filings and declarations they are required to make pursuant to Articles L. 123-1 et seq. of the Commercial Code. The information they contain is thus subject to subsequent processing by Doctrine.
• from the SIRENE database made available by INSEE, in accordance with Article R. 123-232 of the Commercial Code, as reference data.
• from the legal notices published in the BODACC and made available in accordance with the decree of 23 June 2015 on the free re-use of the economic databases of the Directorate of Legal and Administrative Information.

All the personal information contained in these documents is retained for as long as the Operator page is published on the Site, or until you exercise your right to object.

Legal-notice documents may contain special categories of personal data within the meaning of Article 9 of the GDPR. By "special categories of personal data" is meant any information that may reveal your racial or ethnic origin, your political opinions, your religious or philosophical beliefs and, in particular, your trade-union membership, as well as any information relating to your health, your biometric data or data concerning your sex life / sexual orientation. In this regard, Article 9 of the GDPR provides that processing is lawful only if it meets one of the 10 conditions laid down. As regards the possible use of sensitive data, our position is similar to and consistent with the case-law of the Court of Justice of the European Union in case No. C-136/17. Thus, Manta cannot be held responsible for the fact that certain legal-notice documents - which contain sensitive data - are made available to the public by INPI. We consider this to be an incidental collection. If you are concerned, you may notify us of the presence of sensitive data by sending an email to dpo@manta.fund. Where applicable, we undertake to redact your sensitive personal information.

1.1.3.d. On the masking of a company director's home address

Since the entry into force of Decree No. 2025-840 of 22 August 2025, company directors have the option of requesting the masking of their home address appearing in the Trade and Companies Register (RCS). The request is made solely through the business formalities one-stop shop. Once the masking has been carried out by the registry, it will be updated on the official databases, namely the RNE maintained by INPI and the SIRENE database maintained by INSEE.

Manta, which re-uses exclusively public data from these official databases, will automatically update its Operator pages to reflect the masking. Therefore, if you wish your home address to no longer appear on your Operator page, it is for you to initiate this masking procedure with the registry of your company.

1.2. As data processor

1.2.1. The uses of the data contained in the documents uploaded to Manta

This information notice is addressed to you if you believe your information may be contained in the documents uploaded to Manta.

If the documents you upload to Manta contain personal data, you or the organisation for which you operate acknowledge that you act as data controller; while Manta, for its part, acts as data processor in accordance with Article 10.2 of the Terms and Conditions (https://manta.fund/cgv).

This feature requires the collection and processing of documents that may contain personal data, without Manta being able to prejudge their nature.

The files transmitted and the analyses are collected and processed in order to provide and ensure the continuity of the service. Thus, the legal basis for the collection and processing is the necessity of this collection and use in order to perform our Terms and Conditions (https://manta.fund/cgv), including the data-processing contract between the client and Manta.

The documents are stored within your document database until an administrator of your organisation deletes them, or one year after the termination of your subscription. This storage is carried out on a dedicated AWS server located in Paris, in the European Union.

1.2.2. The uses of the features involving the processing and storage of private documents

The features involving the uploading and storage of documents make it possible to carry out search, extraction and analysis tasks within your working documents.

For all these features, you or the organisation within which you operate act as data controller.

These features require the collection and processing of documents that may contain personal data, without Manta being able to prejudge their nature.

The usage data, the files transmitted, the folders created, as well as the extractions and analyses are collected and processed in order to provide and ensure the continuity of the service. The legal basis for the collection and processing is the necessity of this collection and use in order to perform our Terms and Conditions (https://manta.fund/cgv), including the data-processing contract between the client and Manta.

This information is retained until the user deletes the document(s) transmitted or the operation. In any event, the documents and the associated usage data are automatically deleted one year after the termination of the subscription. Any other usage data is deleted upon the manual deletion of the account, or upon its automatic deletion after one year of inactivity.

Only authorised persons may access it, and for a period limited to what is strictly necessary, as provided for in the Terms and Conditions (https://manta.fund/cgv).

2. How do we share your information with third parties and abroad?

We collect and use the data mentioned in the first question only for our own needs and in no case resell it to third parties. It is transferred only to the providers listed below, whose services are used to provide ours. We have concluded personal-data processing contracts with each of these providers. Some of them are located outside the EEA, and we have therefore ensured that they offer sufficient guarantees for transfers (in particular the signing of the European Commission's standard contractual clauses, the revised version of which we will sign with all our providers). Following Decision No. C-311/18 of 16 July 2020 of the Court of Justice of the European Union, we are in contact with our providers carrying out transfers to the United States in order to determine whether additional measures are necessary, taking into account the nature of each processing operation. It should also be noted that certain companies certified under the Privacy Shield continue to honour their obligations as arising from that programme, although it no longer constitutes, on its own, a sufficient guarantee for transfers to the United States. Where standard contractual clauses have been signed, you have the right to ask us for a copy. You will find below the list of Manta's providers, their location, and the appropriate guarantees adopted, where applicable.

Hosting

• AWS Paris: Hosting of the site - Provider located in Paris.

Site security and analytics

• Sentry: Error tracking - Provider located in the United States and certified under the Data Privacy Framework. The European Commission's standard contractual clauses have been signed.
• Google Analytics and Search Console: Measurement of site audience - Provider located in the United States and certified under the Privacy Shield. The European Commission's standard contractual clauses have been signed.
• Datadog: Site security - Provider located in the United States and certified under the Data Privacy Framework.

Product utility

• Google Cloud (Gemini): Generative AI model - Deployed in Europe.

Commercial prospecting

• Brevo: Sending of emails - Provider located in France.
• Hubspot: Email marketing campaigns and CRM - Provider located in the United States. The standard contractual clauses have been signed, and certified under the Data Privacy Framework.
• Outreach: Multichannel marketing campaigns - Provider located in the United States. The standard contractual clauses have been signed, and certified under the Data Privacy Framework.
• Lemlist: Multichannel marketing campaigns - Provider located in France.
• Lusha: CRM enrichment - Provider located in the United States. The standard contractual clauses have been signed.
• Mailjet: Sending of emails - Provider located in France.
• MySendingBox: Sending of postal mail - Provider located in France.

Payment

• Stripe: Payment by bank card and SEPA direct debit - Provider located in the United States. The standard contractual clauses are incorporated by reference into the contract, and certified under the Data Privacy Framework.

Monitoring of the client relationship and commercial profile

• Typeform: Forms - Provider located in Spain.
• Fireflies: Recording and transcription of video-conference exchanges - Provider located in the United States and certified under the Data Privacy Framework.
• Yousign: Electronic signature - Provider located in France.

Targeted advertising and retargeting

• LinkedIn: Targeted advertising and retargeting on LinkedIn - Provider located in the United States. The standard contractual clauses are incorporated by reference into the contract, and certified under the Data Privacy Framework.

3. What is our cookie policy?

We use a few cookies and trackers in order to provide you with our services and to measure the use of our site. All the information on our use of cookies and on the possibilities of objecting to them is detailed on our page relating to cookies.

4. What are your rights over your data?

The personal data regulations grant you the following rights:

• 4.1. The right to access your data;
• 4.2. The right to the portability of your data;
• 4.3. The right to rectify any errors;
• 4.4. The right to erasure, under certain conditions;
• 4.5. The right to object to processing, under certain conditions;
• 4.6. The right to the restriction of processing;
• 4.7. The right to decide what we will do with your data in the event of death;
• 4.8. The right to withdraw consent;
• 4.9. The right to a remedy before the CNIL or the courts.

4.1. Right of access (Article 15 of the GDPR)

You may have access to all the information concerning you that we use by sending us a request, to which we will respond by providing you with a copy of all your personal data as well as all the legally required information, including:

• The types of information collected and used;
• The purposes of this use;
• The categories of recipients to whom the information concerning you has been or may be communicated;
• The retention period of the information concerning you; and
• Information concerning your rights with respect to your personal data.

4.2. Right to portability (Article 20 of the GDPR)

Where we use your information on the basis of your consent or because it is necessary for the performance of a contract, you have the right to the portability of your information. This right differs from the right of access to information in that (i) it concerns only the data you have provided to us (excluding, in particular, the aggregated statistics produced on the basis of this data and the data we have collected ourselves) and (ii) it makes it possible to obtain this data in a structured, machine-readable format.

Unlike the right of access, the right to the portability of information does not require the file transmitted and containing your information to be human-readable. This file will contain, strictly speaking, only your personal data without any other information whatsoever.

The right to the portability of your personal data also opens up the possibility that it may be transmitted to another data controller, in accordance with your choices, provided that this is technically possible.

4.3. Right of rectification (Article 16 of the GDPR)

You may request that the information concerning you be corrected, completed or updated if it proves to be inaccurate, incomplete or out of date. This request must be justified.

4.4. Right to erasure (Article 17 of the GDPR)

You may request that the information concerning you be deleted if one of the following cases applies:

• if your personal information is no longer necessary in relation to the purposes for which it was collected or processed;
• if you have withdrawn your consent to the use of the information concerning you, provided that prior consent was the legal basis for its collection and use and that there is no other legal basis justifying it;
• if you have objected to the collection or use of the information concerning you and we have not overridden this request, as specified in the "Right to object" section;
• if the use of the information concerning you is unlawful,
• if we must delete your information in order to comply with a legal obligation imposed on us, or
• if you were a minor at the time your information was collected. For this last case, and provided that you are a minor at the time of the request, the holders of parental authority may also submit a request for the deletion of your personal data.

4.5. Right to object (Article 21 of the GDPR)

You may object to the use of your information if the following two conditions are met: (i) you can demonstrate grounds relating to your particular situation and (ii) the legal basis of our use is the pursuit of a legitimate interest.

We may override your objection by demonstrating that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

You may also always object, without any obligation to give reasons, to the use of your personal information for the purposes of prospecting directed at you.

4.6. Right to the restriction of processing (Article 18 of the GDPR)

You may request the restriction of the use of the information concerning you:

• in the event that you contest the accuracy of the information concerning you, for the period necessary to enable us to verify it,
• if the use of the information concerning you is unlawful and you wish to restrict it rather than request its deletion,
• if you wish us to retain your information where it is necessary for the establishment, exercise or defence of legal claims,
• if you have objected to the use of the information concerning you, during the period in which we verify whether we do not have other overriding legitimate grounds to continue its use.

4.7. Right to define directives concerning the fate of your data after your death (Article 85 of the French Data Protection Act)

You may give us directives concerning the methods of retention, erasure and communication of the information concerning you to take effect after your death.

4.8. Right to withdraw consent (Article 7 of the GDPR)

For all the uses, among those above, that have your consent as their legal basis, you have the right to withdraw that consent at any time, without having to justify it to us.

4.9. Right to a remedy

If necessary, and should any dispute not result in an amicable resolution, you always have the option of contacting the competent personal-data protection authority to lodge a complaint (in France, the CNIL).

You may also always, and without first referring the matter to the CNIL, bring an action before the competent court.

5. Is your data secure?

Yes. At Manta, we attach great importance to the security and confidentiality of data. We use the HTTPS protocol with TLS 1.2: all your searches are encrypted before being transmitted to our servers so as to prevent anyone from intercepting them. We use the AES 256 encryption algorithm, the best standard on the market. Your login credentials are highly secure (our authentication provider uses the bcrypt encryption algorithm). In addition, our servers are secure and hosted in the European Union, in Paris. Our provider AWS meets the highest physical and software security guarantees and is certified ISO/IEC 27001:2013, 27017:2015, 27018:2019 and 9001:2015. Finally, we have put in place internal technical and organisational measures in order to ensure the security and confidentiality of your data. In particular, we segment access to data according to roles and favour the use of pseudonyms: only persons with a legitimate reason may access the personally identifying data we hold. We also minimise the data we send to our various providers so as to send them only the data genuinely necessary for their activity.

These same security measures apply to the documents you upload to Manta.

6. How do you exercise your rights over your data?

Should you have any question relating to this personal data policy, or wish to exercise any of the aforementioned rights, you are invited to send an email to the following address: dpo@manta.fund.

In accordance with Article 12 of the GDPR, we may ask you for additional information necessary to confirm your identity in the event of doubt about it. We make our best efforts to respond to you as quickly as possible and, in any event, within the legal time limit of one month.

7. When did the personal data policy come into force?

This version of the personal data policy came into force on 5 December 2025.