Privacy Policy

Effective: 25 February 2026 · Last updated: 25 February 2026

The short version: Maushwave is built on a zero-knowledge architecture. We don't collect your name, email, location, or listening history. Your journeys, recordings, and affirmations never leave your device. We store only the minimum data needed to verify your subscription.

1. Who We Are

Maushwave ("we", "us", "our") is a privacy-first neuroacoustic wellness application distributed as a direct Android APK download. Our backend runs at app.maushwave.com.

Contact: support@maushwave.com

2. Our Privacy Philosophy

We believe your mental wellness journey is deeply personal. Our architecture is designed so that we cannot access your personal content — not that we choose not to, but that we are technically unable to.

Zero-knowledge: Your affirmation recordings, journal entries, favourites, session history, and journey configurations exist only on your device.
No accounts: You never create a username, password, or profile. There is no account to hack, breach, or sell.
No tracking: We do not use analytics SDKs, advertising identifiers, fingerprinting, or third-party trackers of any kind.
No cookies: Our website uses no cookies, no local storage tracking, and no third-party scripts.

3. What We Collect

We collect the absolute minimum data required to operate the subscription service:

Data	Purpose	Stored Where
Device ID hash (SHA-256)	Identify your device for subscription verification	Server (PostgreSQL)
Subscription tier	Determine what content is accessible	Server
Subscription expiry timestamp	Enforce subscription period	Server
Stripe Customer ID	Link payment to entitlement (managed by Stripe)	Server
First/last seen timestamps	Basic service health monitoring	Server
App version string	Compatibility checks	Server

The device ID hash is a one-way cryptographic hash. We cannot reverse it to identify your actual device. It serves only as an anonymous token to verify your subscription status.

4. What We Do NOT Collect

We explicitly do not collect, store, process, or transmit:

Data	Status
Your name	❌ Never collected
Email address	❌ Never collected (except if you email support)
Location / GPS	❌ Never collected
IP address (stored)	❌ Not logged (transits HTTPS, discarded)
Listening history	❌ On-device only
Affirmation recordings	❌ On-device only
Journey configurations	❌ On-device only
Favourited affirmations	❌ On-device only
Session duration / frequency	❌ On-device only
Device model / OS version	❌ Never collected
Contacts, photos, files	❌ Never accessed
Advertising identifiers (GAID)	❌ Never collected
Browsing or app usage data	❌ Never collected

5. On-Device Data

The following data is stored locally on your device and never transmitted to our servers:

Your affirmation recordings (voice audio files)
Journey history and session summaries
Favourited affirmations
Progress data (streaks, levels, points)
App preferences and settings
Alarm configurations
Downloaded content bundles

This data is stored in an encrypted local database. You can delete all local data at any time by uninstalling the app or using the in-app data deletion option in Settings.

6. Payment Processing

Payments are processed by Stripe, Inc. Stripe's privacy policy applies to all payment transactions: stripe.com/privacy

When you subscribe:

You are redirected to a Stripe-hosted checkout page
We never see, process, or store your credit card number, billing address, or other payment details
Stripe notifies our server that a payment succeeded, along with the anonymous device ID hash
We update your subscription tier accordingly

7. Social Sharing (Optional)

If you choose to share your journey experience on social media for trial rewards:

We store a hash of the shared post identifier to prevent duplicate claims
We do not access your social media accounts, followers, or profile
Social sharing is entirely optional and not required to use the app

8. Third-Party Services

Service	Purpose	Data Shared
Stripe	Payment processing	Payment info (on Stripe's page, not ours)
BunnyCDN	APK downloads, content delivery	Standard HTTP request headers (IP, user-agent)
Railway	Backend hosting	Server-side only (no user data exposed)

We do not use Google Analytics, Facebook Pixel, Mixpanel, Firebase, or any other analytics or advertising service.

9. Data Retention

Server data: Device ID hash and subscription records are retained for the duration of your subscription plus 90 days after expiry (for recovery purposes).
On-device data: Retained until you uninstall the app or manually delete via Settings.
Stripe data: Retained per Stripe's data retention policy.

10. Your Rights

Regardless of where you live, you have the right to:

Access: Request what data we hold about your device hash
Deletion: Request complete deletion of all server-side records
Portability: Export your local data via Settings → Privacy Center
Opt out: You already are — we collect almost nothing by default

For GDPR (EU), CCPA (California), and similar data protection requests, contact support@maushwave.com. We will respond within 30 days.

11. Children's Privacy

Maushwave is intended for users aged 13 and older. We do not knowingly collect data from children under 13. Since we don't collect personal information from any user, this risk is inherently mitigated.

12. Security

All communication uses HTTPS/TLS encryption
Server-side data is stored in managed PostgreSQL with encrypted connections
On-device data uses Android's encrypted storage APIs
Subscription verification uses HMAC-signed responses to prevent tampering
No user passwords exist (there are no accounts to compromise)

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We will not retroactively reduce your privacy protections without explicit consent.

14. Contact

For any privacy-related questions, data requests, or concerns:

📧 support@maushwave.com