privacy policy

last updated: 13 june 2026

this explains what mahfah collects, why, the legal basis for it, who it goes to, how long we keep it, and your rights. plain language, no tricks.

who runs mahfah

mahfah is operated by an individual (a sole operator), who is the data controller for the personal data described here. contact for any privacy question or request: nikita.akella13@gmail.com. we have not appointed a data protection officer (we are not required to).

what we collect

why we use it, and our legal basis

each purpose has a legal basis under the EU/UK GDPR:

where we rely on legitimate interest, you can object (see your rights).

your photo, and automated moderation

is your face treated as biometric data? no. mahfah does not use facial recognition. we do not build faceprints or face templates, and we never use your photo to identify, match, or recognise you. under EU law a face photo is only special-category "biometric" data when it is run through technology built to uniquely identify a person, and we do none of that. your photo is ordinary personal data: we use it to show your profile and to keep the app safe.

photos and lore are checked automatically before they go live. these checks run without a human and can reject content on their own. the logic, plainly: if an automated safety score crosses our threshold, the content is rejected and we fail closed (if a check can't run, the upload is blocked). a rejected photo or line of lore is simply not published and you're asked to submit a different one. it does not affect your account standing or scores.

your right to a human. if you think a rejection was wrong, email nikita.akella13@gmail.com and a person will review it, hear your view, and can overturn it.

where your data goes (international transfers)

your account and content are stored on supabase in the EU (stockholm), and a secondary photo-safety signal is handled by sightengine in the EU (france). some processors that briefly handle (but do not store) your data are in the united states: openai and anthropic (moderation and AI suggestions), expo (push delivery and builds), and sentry (crash diagnostics). when data leaves the EU we rely on the EU-US data privacy framework where the processor is certified, and on the european commission's standard contractual clauses as a fallback. email us for detail on any specific processor.

third parties

each is contractually bound to protect your data as described here.

how long we keep it

on deletion, cached copies on content-delivery networks can take up to 72 hours to expire. we keep no backups of deleted accounts.

guests (anonymous mode)

you can use mahfah as a guest without an account. we create an anonymous session and keep your progress on your own device. we don't collect your email or identity as a guest. anything you upload still goes through the same safety moderation. if you create an account later, your guest progress transfers to it. deleting the app clears your local guest data.

your rights

under the EU/UK GDPR you can, at any time:

for any right that isn't a button in the app, email nikita.akella13@gmail.com. we respond within one month.

age

mahfah is for users aged 18 and over. we verify age at signup via date of birth. mahfah is not directed to children. if we find a user is under 18, their account is deleted.

deleting your account

you can delete your account and all associated data at any time. how to delete your account. our community rules are in the terms.

changes to this policy

if we change this policy in a way that materially affects you, we'll update the date above and surface a notice in the app before the change takes effect.

contact

questions? email nikita.akella13@gmail.com.