1. What MantaRay is
MantaRay is a client application built on top of MantaRay-Core. It allows users to:
- Connect to their own VPN/proxy servers (VLESS, VMess, Trojan, Shadowsocks, Hysteria2, etc.)
- Import server configurations via subscription URLs, deep-links, QR codes, or LAN handoff from another device
- Route traffic through user-configured servers, with global, per-country, per-domain, and (Windows / Android) per-application split tunneling
- Optionally control an OpenWrt router running mantarayd over the local network, applying the same routing rules at the router level
Mantatech Ltd does not operate any VPN servers, subscription servers, or proxy infrastructure. Users are fully responsible for the servers they connect to.
2. No account required
The app does not require registration, login, or any personal information. There are no MantaRay user accounts.
3. Data we collect
3.1 We do not collect user data on our servers
We do not operate backend servers that collect, store, or process VPN traffic, profiles, or session metadata. The app works entirely on the user's device.
The only Mantatech-operated endpoint is api.mantatech.ltd, which serves: (a) update manifests for the desktop / Android self-updater, (b) TV pairing handshakes, and (c) crash report ingestion. None of these endpoints receive any VPN traffic, server configurations, or browsing data.
3.2 Data stored locally on your device
The following data is stored only on your device and is never sent to us:
- Server profiles — VPN server addresses, ports, UUIDs, encryption parameters (stored in encrypted storage / Keychain)
- Subscription URLs — links to third-party servers that provide server lists
- App preferences — DNS settings, routing rules, selected profile, per-app routing maps
- Connection statistics — session duration, bytes transferred (stored locally, never transmitted)
- Device identifier — a randomly generated UUID used for subscription authentication
3.3 iCloud sync (iOS / iPadOS / macOS only, optional)
If the user is signed into iCloud and "iCloud Drive" is enabled for MantaRay, the app uses Apple's NSUbiquitousKeyValueStore to sync the following across the user's own Apple devices:
- The list of subscription URLs (so a fresh install on a new iPhone can rehydrate)
- A pointer to the last-active profile
The data is end-to-end encrypted by Apple and never reaches Mantatech servers. Users can disable this in System Settings → Apple ID → iCloud → Apps Using iCloud.
3.4 Data sent to third-party subscription providers
When you add a subscription URL and the app fetches server configurations, the following technical data is sent to the subscription provider you configured (not to us):
- Device identifier (UUID)
- Device model and OS version
- App version
- FCM token (Android only, if push notifications are enabled)
This data is sent solely to authenticate your device with the subscription provider. We have no access to this data.
3.5 Crash reports (optional)
If a native crash occurs, the app may send a sanitised crash report to api.mantatech.ltd/client/crash-reports. The report contains:
- App version, OS version, device model
- A symbolicated stack trace
- The error message and breadcrumb log (with user-supplied URLs, hostnames, IP addresses, and configuration secrets stripped by LogSanitizer before upload)
Crash reports never include the contents of VPN traffic, server configurations, or browsing history.
3.6 Push notifications (Android only, optional)
If you enable notifications on Android, the app uses Firebase Cloud Messaging (FCM) to receive updates from the subscription provider. The FCM token is:
- Stored locally on your device
- Sent to your subscription provider (if configured)
- Processed by Google Firebase for message delivery
You can disable notifications at any time in your device settings.
4. Data we do not collect
- We do not log, monitor, or analyse your internet traffic — the app is a client tool, not a VPN service
- We do not operate VPN servers — we cannot see your traffic even in theory
- We do not collect browsing history, DNS queries, IP addresses, or visited websites
- We do not use analytics SDKs (no Google Analytics, no Firebase Analytics, no Crashlytics, no Mixpanel, no Amplitude, no Segment)
- We do not display advertisements and embed no advertising or tracking SDKs
- We do not use IDFA, IDFV, AAID or any cross-app tracking identifier
- We do not sell, rent, or share user data with anyone for advertising, analytics, or behavioural profiling
5. Third-party services
5.1 Apple services (iOS / iPadOS / macOS)
- NetworkExtension — for the on-device VPN tunnel (PacketTunnel Provider)
- iCloud Key-Value Store — optional, for syncing subscription URLs across the user's own Apple devices
- TestFlight crash reports (during beta testing only)
See Apple Privacy Policy.
5.2 Firebase Cloud Messaging (Android only)
Used solely for push notification delivery from the subscription provider. See Google's Privacy Policy and Firebase Privacy.
5.3 Subscription providers (configured by user)
The app connects to subscription URLs that the user adds. These are third-party servers not operated or controlled by us. Users should review the privacy practices of their subscription providers.
5.4 VPN servers (configured by user)
All VPN traffic passes through servers chosen and configured by the user. We have no control over, access to, or responsibility for these servers.
6. Data security
- Server profiles and sensitive identifiers are stored in encrypted storage on the device (iOS / macOS Keychain, Android EncryptedFile, Windows DPAPI, OpenWrt SQLite with restricted file permissions)
- The bundled MantaRay-Core engine uses industry-standard cryptographic primitives only (TLS 1.3, AES-256-GCM, ChaCha20-Poly1305, X25519, SHA-256), no proprietary algorithms
- Subscription responses can be protected with RSA-4096 + AES-256-GCM hybrid encryption when the provider supports it
- Subscription fetches over fake-SNI follow a TOFU SPKI pin to prevent MITM via DNS hijacking
- The app includes runtime integrity checks against tampering
7. Permissions
| Permission | Platform | Purpose |
|---|---|---|
| Internet | All | VPN connection and subscription updates |
| VPN Service / Network Extension | All | Creating a VPN tunnel on the device |
| Foreground Service | Android | Keeping the VPN active in the background |
| Local Network | iOS / macOS | mDNS-based LAN handoff and router discovery |
| Camera | Mobile | QR code scanner for importing configurations |
| Notifications | All | Optional service status updates |
| Boot Completed | Android | Optional — restore VPN after device restart |
8. Your rights
- Delete all data — clear app storage in device settings or uninstall the app. On iOS, also remove the "MantaRay" VPN profile from Settings → General → VPN & Device Management.
- Revoke permissions — in your device settings at any time
- Remove subscriptions, profiles, and paired routers — from within the app
Since we do not store any user data on our servers, there is nothing to request deletion of from our side. If you have written to our support address, you may request deletion of that correspondence by emailing privacy@mantatech.ltd; we will erase the thread within 30 days.
See also our dedicated account / data deletion guide.
9. Children's privacy
The app is not directed at children under 13. We do not knowingly collect personal information from children.
10. International transfers
Crash reports and update manifests are processed on Mantatech servers located in the European Union. iCloud-synced data is processed by Apple under their published privacy regime.
11. Changes to this policy
We may update this policy from time to time. Material changes will be indicated by the "Last updated" date and announced in-app on next launch.
12. Contact
- General privacy questions: privacy@mantatech.ltd
- Legal / DPO: legal@mantatech.ltd
- Security disclosures: security@mantatech.ltd
Postal address: Mantatech Ltd, 167-169 Great Portland Street, Fifth Floor, London, England, W1W 5PF.