Privacy Policy
Last updated: 12 May 2026 · Effective: 12 May 2026
Empakt Financial Inc. ("we", "us") operates Mashal, a social-intelligence platform available at mashal.app. This Privacy Policy explains what personal data we collect when you use Mashal, why we collect it, who processes it on our behalf, and the rights you have over your data under the EU General Data Protection Regulation (GDPR), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Saudi Arabia's Personal Data Protection Law (PDPL), and other applicable laws.
If you have any questions, write to hello@mashal.app.
1. Data we collect
1.1 Account data
When you create a Mashal account, we store your email address, your first name (if you provide it), and a hashed password (managed by Supabase Auth — we never see the plaintext). For accounts created via OAuth (Google, etc.), we additionally store the OAuth user ID and any profile metadata returned by the provider.
1.2 Workspace and connected-account data
When you connect a social media account to Mashal, we receive and store, via the platform's official API:
- The handle, display name, and follower count of the connected account.
- Public metadata about your posts: caption, post type, timestamp, view count, like / comment / share / save counts, hashtags, mentions.
- An OAuth access token (and refresh token where issued) that lets us re-fetch the same data on each sync. Tokens are encrypted at rest.
We do not access, read, or store: direct messages, private content, contact lists, content from accounts you have not explicitly connected, or your password to any social platform.
1.3 Competitor data
When you add a public handle as a "competitor", we pull publicly visible data from that account using third-party scrapers (Apify) or platform APIs where possible. We store only the same metric set as your own connected accounts.
1.4 Usage data
We log routine usage telemetry: the workspace ID making the request, the route hit, the status code returned, and a timestamp. We do not log request bodies, response bodies, or third-party content. This data is used to enforce plan-level rate limits and to investigate errors.
1.5 Cookies and local storage
Mashal uses two small client-side stores:
- Session storage for your Supabase Auth JWT (so you stay signed in). Cleared when you sign out.
- Local storage for UI preferences — your active workspace, theme (light / dark), and the AI model selector (Claude / Gemini).
We do not use third-party advertising cookies, cross-site tracking, or behavioural analytics scripts.
2. Why we collect it (lawful bases)
- Contract (Art. 6(1)(b) GDPR / PIPEDA "consent for stated purposes") — we collect account, workspace, and connected-account data to deliver the Mashal service you signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR) — usage telemetry, error logs, and abuse detection.
- Consent (Art. 6(1)(a) GDPR / PIPEDA) — optional features like the weekly digest email require an explicit opt-in.
- Legal obligation (Art. 6(1)(c) GDPR) — invoice and tax records.
3. Who processes data on our behalf
Mashal relies on the following sub-processors. Each is bound by a Data Processing Agreement (DPA) and processes data only on Empakt Financial Inc.'s documented instructions.
- Supabase Inc. (USA, with EU + APAC regions) — primary database and authentication. Our project runs on the EU-West (Frankfurt) region by default.
- Vercel Inc. (USA) — application hosting, serverless function execution, file storage for generated PDF reports.
- Zernio (operating from the EU) — social-platform connector for Instagram, TikTok, Facebook, Snapchat. Receives the access tokens for those platforms; does not retain content after each delivery.
- Apify Technologies s.r.o. (Czech Republic, EU) — competitor public-data scraping. Receives only competitor handles; output is sent back to Supabase and discarded by Apify after each run.
- Google LLC (USA) — YouTube Data API (your YouTube content) and Gemini AI model (when selected as your intelligence layer).
- Anthropic PBC (USA) — Claude AI model (when selected as your intelligence layer). Claude operates under zero data retention; prompts and outputs are not used to train models.
- Resend Inc. (USA) — transactional email delivery (account verification, contact form, weekly digest).
An updated sub-processor list is maintained here, and we'll email account holders thirty (30) days before adding a new one.
4. Where data is stored
The primary database is hosted in the EU (Frankfurt). PDF reports and short-lived edge cache live on Vercel's global network. AI inference (Claude or Gemini) runs in the USA or in EU regions depending on which provider you've selected. If you are based in the EU/EEA, UK, or Switzerland, your data is protected during US transit by the EU-US Data Privacy Framework (Anthropic, Google, Vercel, Resend, Supabase) and / or Standard Contractual Clauses.
5. How long we keep your data
- Account and workspace data — for as long as your account is active.
- Post and snapshot data — for the lifetime of the account; you can request deletion of older windows.
- Generated reports (PDFs) — stored until you delete them. The free tier keeps the last 50 reports per workspace.
- Usage logs — 12 months, then aggregated and anonymised.
- Contact-form submissions — kept in the recipient inbox; not stored in our database.
- Billing records — 7 years, where required by tax law.
When you close your account we delete personal data within 30 days (excluding records we are legally required to retain for billing or tax).
6. Your rights
6.1 Under GDPR (EU / UK)
- Access — request a copy of all personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion.
- Restriction — request that we limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — opt out of consent-based processing at any time.
- Lodge a complaint with your local supervisory authority.
6.2 Under PIPEDA (Canada)
- Access to your personal information held by us, including how it is being used and to whom it has been disclosed.
- Correction of inaccuracies.
- Withdrawal of consent (subject to legal and contractual restrictions).
- Complaint to the Office of the Privacy Commissioner of Canada.
6.3 Under PDPL (Saudi Arabia) and other regions
Saudi residents have analogous rights of access, correction, and deletion, and the right to lodge a complaint with the Saudi Data & AI Authority (SDAIA). Residents of any other jurisdiction with applicable data protection law have at least the rights granted by that law; please contact us to exercise them.
6.4 How to exercise your rights
Email hello@mashal.app from the email address on your Mashal account. We respond within 30 days. There is no charge for reasonable requests.
7. Security
We use industry-standard measures: TLS in transit, encryption at rest (Supabase + Vercel), row-level security policies on every table, principle-of-least-privilege service tokens, OAuth-only social platform access, hashed passwords, signed URLs for PDF downloads, and audit logging on every workspace mutation. We run automated dependency vulnerability scanning on every deploy.
If you discover a security vulnerability, please report it to hello@mashal.app. We don't yet run a paid bug bounty programme, but we credit responsible reporters publicly with their consent.
8. Children
Mashal is not directed to children under 16. We do not knowingly collect data from children under 16. If you believe a child has signed up, contact us and we'll delete the account.
9. Marketing
We do not sell your personal data. We do not share it with third parties for their own marketing. We only contact you with: (a) transactional emails about your account, (b) the weekly digest if you opted in, and (c) occasional product-update emails — for which you can unsubscribe in one click from the footer of any such email.
10. Changes to this policy
When we make material changes, we'll notify active customers by email at least 30 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version. Earlier versions are kept on request.
11. Contact
Empakt Financial Inc.
Email: hello@mashal.app
Web: /contact