Butterfly Effect Pte. Ltd.

Singapore

Retention We generally retain personal information to fulfill the purposes for which we collected it, and for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes. To determine the appropriate retention period for personal information, we may consider factors such as the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. For team-related data (e.g., session logs, credit usage records), retention periods are also determined by the team Owner or Administrator in accordance with organizational needs and applicable laws. Browser Sandbox. If you use the Manus Browser’s sandbox (virtual machine) mode (the “Sandbox”), it operates as an ephemeral, isolated environment that may be reset. Sandbox data is stored separately from your regular sessions and is retained for up to 7 days from your last activity for free plans and up to 14 days for paid plans, after which it is automatically deleted (or sooner if the Sandbox is reset). Retention of End Users’ Personal Information. We store and retain End Users’ personal information collected by a Space Owner or a Manus API Customer solely in accordance with their instructions. In such cases, the applicable retention period is determined by the relevant Space Owner or Manus API Customer. We act only as a data processor and retain such personal information on their behalf. For Members in a Team Plan seeking to delete personal information related to team activities, please contact your team Owner or Administrator. Team Member Rights. If you are a Team Member and wish to exercise data subject rights (access, correction, deletion) regarding data processed within your Team Plan workspace, you should first contact your Team Owner or Administrator. If you do not receive a response within 30 days, or if your request relates to data that Manus controls independently (such as billing information or service usage data), you may contact us directly at privacy@manus.im and we will assist you to the extent permitted.

BUTTERFLY EFFECT PTE. LTD. maintains specific retention policies for data across various systems and applications. For the company's SaaS Products running on AWS, Customer Data is retained for up to 60 days after contract termination. The BUTTERFLY EFFECT PTE. LTD. AutoSupport system stores customer instance and metadata along with debugging data indefinitely. Similarly, Customer Support Tickets and Cases managed through helpscout are also retained indefinitely. Regarding security-related data, the BUTTERFLY EFFECT PTE. LTD. Security Event Data stored in S3, which includes security and system event and log data as well as network data flow logs, follows different retention periods depending on deployment location: On-Premise data is retained indefinitely, while AWS Instance data is kept for 1 year. Vulnerability Scan Data from Inspector, encompassing vulnerability scan results and detection data, is retained for 6 months. Security Policies are maintained for 1 year after archive. Temporary Files stored in AWS /tmp ephemeral storage are automatically deleted when the process finishes.

# Data Storage Policy ## Purpose The purpose of this policy is to establish the requirements for storing company and customer data in a secure and compliant manner, ensuring its confidentiality, integrity, and availability. ## Scope This policy applies to all company and customer data, regardless of its format or storage location. It covers all employees, contractors, and third-party vendors who have access to company data. ## General requirements All data must be stored in a manner that is consistent with its classification as defined in the Data Management Policy. Data owners are responsible for ensuring that data is stored in approved locations and protected with appropriate security controls. ## Data Storage Locations Data must be stored in one of the following approved locations: ### Cloud Storage - **Approved Cloud Providers:** All data stored in the cloud must be on company-approved cloud platforms (e.g., AWS, Google Cloud). - **Data Sovereignty:** Data must be stored in geographic regions that comply with legal and contractual requirements. - **Security Configurations:** Cloud storage services must be configured in accordance with company security standards, including the use of strong access controls and encryption. ### On-Premise Storage - **Data Centers:** On-premise data storage is restricted to secure data centers with controlled access. - **Physical Security:** Data centers must have adequate physical security measures in place, as defined in the Physical Security Policy. - **Network Security:** On-premise storage systems must be protected by firewalls and other network security controls. ### End-User Devices - **Laptops and Desktops:** Company data may be stored on company-issued laptops and desktops that are encrypted and protected with strong passwords. - **Mobile Devices:** Storing confidential or restricted data on personal mobile devices is prohibited. Company-issued mobile devices must be encrypted and password-protected. - **Removable Media:** The use of removable media (e.g., USB drives, external hard drives) for storing confidential or restricted data is prohibited unless explicitly approved by the IT Manager. ## Data Storage Security ### Encryption - **Data at Rest:** All confidential and restricted data must be encrypted at rest using strong, industry-standard encryption algorithms. - **Data in Transit:** All data must be encrypted in transit when transmitted over public networks. ### Access Control - **Least Privilege:** Access to data storage systems must be based on the principle of least privilege, granting users only the access they need to perform their job functions. - **Authentication:** All access to data storage systems must be authenticated using strong passwords or multi-factor authentication. - **Access Reviews:** Access to data storage systems must be reviewed on a regular basis to ensure that access rights are still appropriate. ## Data Backup and Recovery - **Backup Schedule:** All critical data must be backed up on a regular basis, in accordance with the business continuity and disaster recovery plan. - **Backup Storage:** Backups must be stored in a secure, off-site location. - **Recovery Testing:** Backup and recovery procedures must be tested on a regular basis to ensure that data can be restored in a timely manner. ## Data Retention and Disposal Data retention and disposal procedures are defined in the Data Management Policy. All data must be retained and disposed of in accordance with the requirements of that policy.

United States

All data resides on AWS Cloud.

AWS

yes

yes

ChatGPT, Claude, Gemini

We have signed a Zero Data Retention (ZDR) agreement with our model providers.

Every tenant's data is logically partitioned and access-controlled, ensuring that queries, operations, and transactions are confined exclusively to the authorized tenant's data scope.

All of our customer data is exclusively processed and stored within the AWS infrastructure located in the United States (US-EAST-1).

Upon receiving a formal data deletion request from a customer, all associated data will be permanently deleted within 30 days.

no

2025-09-29

yes

yes

yes

security@manus.ai

no

yes

yes

yes