Privacy Policy
Last Updated: April 30, 2025
Masari is operated by Salah's Lab, a Tokyo-based software project, and provides tools for tracking expenses and managing personal financial information. We respect your privacy and are committed to protecting your data.
This policy applies to users of the Masari iOS application and any associated web services. By using Masari, you agree to the practices described below.
1. Information We Collect
- Account Information: Your email address, collected solely for authentication via one-time passcode (OTP). We do not collect passwords.
- Financial Data: Expenses, receipts, notes, categories, budgets, and other financial information you voluntarily enter into Masari.
- AI Interaction Data: Prompts, messages, receipts, and financial context you share within Masari's AI-powered features. This data is sent to Google Gemini via API to generate insights and automation. Google does not use this data to train its AI models.
- Usage and Technical Data: Device information, pseudonymous identifiers, crash reports, and usage events collected through Firebase Analytics and Firebase Crashlytics (Google) for app reliability and performance. This data is not linked to your identity for advertising purposes.
- Workflow and Session Data: Requests and session information processed through our automation infrastructure (n8n). Logs are retained temporarily to ensure reliability and support debugging.
2. How We Use Information
- Provide Masari features and synchronize your data across sessions
- Generate AI-powered financial insights and automation via Google Gemini
- Send authentication emails (OTP) via Mailgun
- Monitor app stability, detect errors, and improve performance via Firebase
- Maintain security and detect abuse
- Send transactional notifications such as reports and alerts
3. AI Processing
Masari uses the Google Gemini API to process your prompts, receipts, expense history, and messages to deliver AI-powered insights. Your data is sent to Google solely to fulfill your in-app requests. Google does not use your Masari data to train or improve its AI models under our API agreement. AI outputs depend on the context you provide and may not always be accurate; they are not financial advice.
4. Authentication
Masari uses email-based one-time passcodes (OTP) for authentication. Authentication emails are delivered via Mailgun. We do not support Sign in with Apple, Google, or other third-party identity providers. We do not store passwords.
5. Analytics and Crash Reporting
Masari uses Firebase Analytics and Firebase Crashlytics (provided by Google) to understand how the app is used and to detect and fix crashes. These tools collect pseudonymous identifiers, device information, and usage events. This data is not used for advertising or cross-app tracking. Firebase Analytics operates under Google's privacy policy, available at policies.google.com/privacy.
6. Data Sharing and Processors
We do not sell personal data. We do not use your data for advertising or cross-app tracking. Data may be processed by the following trusted service providers as necessary to operate Masari:
- Google (Firebase, Gemini API): Analytics, crash reporting, and AI processing
- Mailgun: Transactional email delivery (OTP and notifications)
- Cloud infrastructure providers: Hosting and database services
- n8n: Workflow automation and backend processing
Each provider is contractually required to handle data only as necessary to deliver their respective services.
7. Data Retention
Your data is retained while your account remains active. Workflow and session logs in our automation infrastructure are retained temporarily and purged periodically. Upon account deletion, personal data will be removed or anonymized within 90 days of your request, though limited backup copies may persist briefly for operational and security continuity.
8. Security
We use encrypted connections (TLS), provider-level storage protections, and access controls to safeguard your data. Authentication relies on short-lived one-time passcodes rather than stored passwords. However, no system can guarantee absolute security.
9. Your Rights
You may request to access, update, export, or delete your personal data at any time. To exercise any of these rights, contact us at masari@salahslab.com. We will respond within 30 days of receiving your request, and complete any required action within 90 days.
If you are located in the European Economic Area (EEA), you may have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local supervisory authority.
10. Children's Privacy
Masari is not intended for children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. International Data Transfers
Salah's Lab operates from Japan and our service providers may process and store data in various countries, including the United States and other jurisdictions where Google, Mailgun, and our infrastructure providers operate. By using Masari, you consent to these transfers. We rely on our providers' data transfer mechanisms and contractual safeguards to protect your data internationally.
12. Governing Law
This policy is governed by and construed in accordance with the laws of Japan, including the Act on the Protection of Personal Information (APPI). Users located in the EEA are additionally afforded rights under applicable EU data protection law.
13. Changes to This Policy
We may update this policy from time to time. For material changes, we will notify you via email or an in-app notice before the change takes effect. Continued use of Masari after the effective date of any update constitutes your acceptance of the revised policy. The "Last Updated" date at the top of this page will always reflect the most recent revision.
14. Contact
For privacy requests, questions, or concerns:
masari@salahslab.com
Salah's Lab — Tokyo, Japan