Privacy Policy

Section 01

who we are

MYNAH ("we", "us", "our") is a personal knowledge instrument operated by Offsite Camp LLC, a Delaware limited liability company. Our primary contact address for privacy matters is privacy@hello-mynah.com.

This policy applies to all MYNAH products and services: the iOS app, the Chrome browser extension, our website at hello-mynah.com, and any SMS-based capture features. When we refer to the "Service," we mean all of the above.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, MYNAH acts as the data controller for the personal data described in this policy. For data processed on your behalf (such as article content), MYNAH acts as a data processor on your instruction.

Section 02

information we collect

We collect information in two ways: information you give us directly, and information generated automatically when you use the Service.

Information you provide

Phone number. Required to create and authenticate your account. We use phone OTP (one-time password) via SMS. We do not collect your name, email address, or social login credentials.
Content you save. The full text, title, author, URL, and publication date of articles and essays you capture via the extension or share sheet. Podcast episode titles and metadata you save or that are auto-detected.
Voice notes. Audio recordings you create within the iOS app. These are processed and stored as transcribed text.
Queries. The questions and prompts you type into the recall interface.
Display name. An optional name you may set in settings. Not required.
URLs submitted via SMS. If you text a URL to the MYNAH ingest number, we receive that message content and your phone number's hash as a lookup key.

Information generated automatically

Vector embeddings. Mathematical representations (1024-dimensional vectors) derived from your saved content. These are used for similarity search. They cannot be reversed to reconstruct the original text by any party other than you.
Usage metadata. Timestamps of when items are saved, when queries are made, and when the app is opened. We do not record granular session data or build behavioural profiles.
IP address. Logged by our infrastructure provider (Supabase) for security and abuse prevention. Not retained beyond 90 days.
Device identifiers. An anonymous identifier used to associate the iOS app with your account. Not linked to your identity beyond MYNAH.
App crash reports. If the app crashes, anonymised diagnostic data may be sent to Apple (iOS) or logged locally. We do not use third-party crash analytics SDKs.

What we do not collect

We do not collect your browsing history beyond pages you explicitly save.
We do not collect the contents of pages you visit but do not save.
We do not collect contact lists, location data, camera access, or microphone access outside of voice note recording.
We do not track you across other websites or apps.
We do not use advertising identifiers (IDFA, GAID).

Section 03

how we use your information

We use the information we collect only to provide, maintain, and improve the Service for you. We do not build advertising profiles, train general AI models on your personal data, or use your content for any purpose other than operating your personal knowledge base.

Purpose	Legal basis (GDPR)	Data used
Authenticate you and maintain your session	Contract performance	Phone number, device identifier
Store and index your saved content	Contract performance	Article text, podcast metadata, embeddings
Answer your recall queries using your corpus	Contract performance	Query text, embeddings, saved content chunks
Send welcome and ingest SMS messages	Contract performance	Phone number
Detect podcast episodes currently playing	Contract performance / consent (toggle)	Now Playing metadata (local, on-device only)
Security and fraud prevention	Legitimate interest	IP address, usage metadata
Diagnosing bugs and service errors	Legitimate interest	Anonymised crash/error logs
Complying with legal obligations	Legal obligation	As required by applicable law

We do not use your data for automated decision-making that produces legal or similarly significant effects on you.

Section 04

sub-processors and third parties

We use a small number of carefully selected third-party services ("sub-processors") to operate MYNAH. We do not sell or share your data with any third party for their own commercial purposes. The complete list of sub-processors is below.

Provider	Purpose	Data shared	Location
Supabase	Database, authentication, edge functions, file storage	All stored data (encrypted at rest)	United States (AWS us-east-1)
Anthropic (Claude API)	AI response generation for recall queries	Your query + relevant content chunks	United States
Voyage AI	Generating vector embeddings from article text	Article text chunks (no PII)	United States
Twilio	SMS authentication and URL ingest	Phone number, inbound SMS content	United States
Apple	iOS App Store distribution, push notifications	Standard App Store data; anonymised crash reports	United States
Google	Chrome Web Store distribution	Standard Web Store data	United States

We enter into Data Processing Agreements (DPAs) with each sub-processor where required. Sub-processors are contractually prohibited from using your data for any purpose other than providing the service to MYNAH.

AI processing — important note

When you submit a recall query, your question and relevant excerpts from your saved content are sent to Anthropic's Claude API to generate a response. Anthropic's privacy policy and API usage terms govern that processing. As of the effective date of this policy, Anthropic does not train models on API inputs and outputs submitted by users.

Similarly, article text is sent to Voyage AI to generate embeddings. Voyage AI does not retain or use this content for model training under their API terms.

We do not and will not use your personal content to train any AI model without your explicit, opt-in consent.

Section 05

international data transfers

MYNAH and its sub-processors are based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States, which does not have the same data protection laws as your jurisdiction.

We rely on the following mechanisms to lawfully transfer your data:

EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) with all EEA-to-US sub-processors. Copies are available on request.
UK International Data Transfer Agreements (IDTAs) for transfers from the United Kingdom.
Swiss equivalents as recognised by the Federal Data Protection Act (nFADP) for transfers from Switzerland.

We conduct transfer impact assessments for each sub-processor to evaluate whether the protections afforded by the SCCs are effective in the recipient country, taking into account the nature of the data transferred and the sub-processor's security practices.

Section 06

data retention

We keep your data for as long as your account is active, or as long as is necessary to provide the Service. When you delete your account, we delete or anonymise your personal data within 30 days, except where we are required by law to retain it longer.

Data type	Retention period
Account credentials (phone number)	Until account deletion + 30 days
Saved content (articles, podcasts, voice notes)	Until deleted by you, or account deletion + 30 days
Vector embeddings	Deleted with associated content
Recall query history	90 days rolling, or until account deletion
IP address logs	90 days
Backup copies	Purged within 30 days of primary deletion
Data required by law (e.g. tax, fraud)	As required by applicable law (typically 7 years)

You can delete individual saved items at any time within the app. Deletion is immediate from your library; embeddings associated with the deleted item are queued for removal and purged within 24 hours.

Section 07

your rights

You have rights over your personal data. We honour all of them. To exercise any right, email privacy@hello-mynah.com. We will respond within 30 days (GDPR requires 1 month; CCPA requires 45 days — we aim for 30 for everyone).

Rights for all users

Access

Request a copy of all personal data we hold about you, in a portable, machine-readable format (JSON).

Delete

Delete your account and all data at any time from Settings → Delete Account in the iOS app. We will purge everything within 30 days, including backups.

Correct

Request correction of inaccurate personal data we hold about you (e.g. phone number correction if there was an error).

Opt out

Opt out of any non-essential processing at any time. Since we have no advertising or profiling, this primarily covers optional product-improvement features if introduced in future.

Additional rights for EEA, UK, and Swiss residents (GDPR / UK GDPR / nFADP)

Portability

Receive your data in a structured, commonly used, machine-readable format, and have it transmitted directly to another controller where technically feasible.

Restrict

Request that we restrict processing of your data while a complaint is under review or while accuracy is disputed.

Object

Object to processing based on legitimate interest. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Withdraw

Withdraw consent at any time for any processing based on consent (e.g. podcast detection). Withdrawal does not affect the lawfulness of prior processing.

Complain

Lodge a complaint with your local supervisory authority. In the EU, this is your national data protection authority. In the UK, the Information Commissioner's Office (ICO) at ico.org.uk.

Additional rights for California residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and its amendments:

Know

Know the categories and specific pieces of personal information collected about you, the purposes for collection, and any third parties with whom it is shared.

Delete

Delete personal information we collected from you, subject to certain exceptions (e.g. completing a transaction, legal obligation).

Correct

Correct inaccurate personal information we maintain about you.

No Sale

We do not sell or share your personal information for cross-context behavioural advertising. There is nothing to opt out of.

Limit SPI

Limit the use of sensitive personal information (SPI). We collect phone numbers as SPI under CPRA. We use it only to authenticate you — never for any other purpose without consent.

No Retaliation

We will not discriminate against you for exercising any of these rights. You will receive the same quality and price of service regardless.

Authorised agent requests: California residents may designate an authorised agent to make requests on their behalf. We will require proof of the agent's authorisation and may verify your identity directly.

Section 08

children's privacy

MYNAH is not directed at or intended for children under the age of 13 in the United States (or under 16 in the EEA and UK, consistent with GDPR Article 8 and applicable national laws). We do not knowingly collect personal information from children under these ages.

If we become aware that we have inadvertently collected personal information from a child below the applicable age threshold without verified parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child, contact us at privacy@hello-mynah.com.

Section 09

security

We implement industry-standard technical and organisational measures to protect your personal data:

Encryption in transit. All data is transmitted over TLS 1.2 or higher.
Encryption at rest. All data stored in Supabase is encrypted at rest using AES-256.
Row-level security. Your data is isolated at the database level by your user ID. No query can return another user's data.
Phone OTP authentication. We use one-time passwords rather than persistent passwords, reducing the risk of credential-based attacks.
No persistent session tokens on device. Sessions are managed securely via Supabase Auth.
Access controls. Only essential personnel have access to production infrastructure. Access is logged and reviewed.

No system is perfectly secure. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law (within 72 hours under GDPR, without undue delay under CCPA).

Section 10

changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes by sending an SMS notification and/or displaying a notice in the app before the change takes effect. The effective date at the top of this page will be updated.

For non-material changes (e.g. clarifications, corrections, minor additions), we will update the policy without separate notification, and the new effective date will reflect the change.

If you continue to use MYNAH after a material change takes effect and we have given you notice, we will treat your continued use as acceptance of the updated policy. If you do not accept the updated terms, you may delete your account.

Previous versions of this policy are available on request at privacy@hello-mynah.com.

Section 11

contact and complaints

For all privacy-related questions, requests, and complaints, contact us at:

Privacy contact

Offsite Camp LLC — MYNAH Privacy

For data subject requests, security reports, and general privacy inquiries.

privacy@hello-mynah.com

We aim to respond to all privacy requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority:

EEA residents: your national data protection authority (find yours at edpb.europa.eu)
UK residents: the Information Commissioner's Office — ico.org.uk/make-a-complaint
Swiss residents: the Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
California residents: the California Privacy Protection Agency — cppa.ca.gov