Privacy Policy

1. Quick summary

We collect the minimum needed to teach you Thai: your email + learning progress + (when you record) audio. We send audio to OpenAI + Anthropic for AI tone scoring. We don't sell your data. You can export or delete everything by emailing us.

2. Who we are

Maa is operated by a solo developer based in Bangkok, Thailand. The legal entity is in development — this Privacy Policy applies as a personal commitment. Contact: hi@maa.app

3. What we collect

• Email address — for login + lifecycle email (welcome, streak warnings, content updates).
• Display name + avatar — optional, from your Google sign-in.
• Learning progress — lessons completed, tone scores, streak, XP, achievements, saved phrases.
• Audio recordings — when you use the AI mic-check, your voice clip is stored for up to 30 days on Supabase Storage (cloud) and processed by OpenAI Whisper + Anthropic Claude.
• Payment metadata — Stripe (US) or Omise (TH) handles payment cards; we only see subscription status + plan, never your full card number.
• Usage analytics — anonymous events via PostHog (page views, feature clicks). We use a custom session ID, not your IP/precise location.
• Error tracking — Sentry captures crash reports; we strip personally identifying details.
• Push subscription — if you opt-in to notifications, your browser endpoint (no identifying info).

4. How we use it

• Run your account (login, settings, billing)
• Deliver the AI tone trainer (audio → Whisper → Claude → score back to you)
• Send transactional + lifecycle emails (you can unsubscribe anytime)
• Improve content based on aggregate completion + score data
• Detect abuse (excessive mic-check usage, spam recordings)

We do NOT: sell your data, share it with advertisers, use your audio to train public AI models, or send marketing emails from third parties.

5. Who we share with (processors)

Your data may be processed by these partners, who are contractually limited to their specific purpose:

• Supabase (Singapore ap-southeast-1) — database, auth, audio storage
• Vercel (US) — app hosting, serverless functions
• OpenAI (US) — Whisper speech-to-text (audio leaves Maa briefly)
• Anthropic (US) — Claude tone scoring (transcript only, not audio)
• Google (global) — TTS for phrase audio + OAuth sign-in (if used)
• Stripe (US) — card payments
• Omise (TH) — Thai PromptPay payments
• Resend (US) — transactional email delivery
• Bunny.net (EU) — video clips delivery
• PostHog (US/EU regional) — anonymous analytics
• Sentry (US) — error monitoring

All providers have their own privacy policies. Most are GDPR + SOC2 compliant.

6. Audio recordings — specific note

When you tap the mic, your voice clip is:

• Uploaded to Supabase Storage (private bucket, signed URLs only, Singapore ap-southeast-1 region — chosen for low Thai-user latency)
• Sent to OpenAI Whisper for transcription (their privacy policy applies during processing — they don't store API audio after responding to API calls)
• Sent (as transcribed text, not audio) to Anthropic Claude for tone analysis
• Retained on Supabase Storage for up to 30 days, then automatically deleted via lifecycle policy
• Never published, shared with other users, or used for advertising

Want your recordings gone now? Settings → Voice recordings → Delete recordings wipes them instantly. You can also flip Audio retention mode to immediate purge so future recordings are deleted right after each tone-check completes.

7. Retention

• Audio recordings: max 30 days, then auto-deleted
• Account data (email, progress): while your account is active + 30 days after deletion
• Analytics events: 24 months in PostHog, then auto-rolled-up
• Payment records: 7 years (Thai tax + Stripe compliance)

8. Your rights

Under PDPA (Thailand), GDPR (EU/UK), CCPA (California), and similar laws, you have the right to:

• Access + Export — one-tap JSON download in Settings → Your data
• Correct — fix inaccurate info (email us)
• Delete — request full account deletion in Settings → Danger zone (founder processes within 30 days)
• Restrict / object — limit how we process your data (email us)
• Withdraw consent — opt out of marketing, push notifications, optional features

Anything not self-serve above: email hi@maa.app. We'll respond within 7 days.

9. Cookies + similar tech

We use:

• Essential cookies — login session, security (cannot be disabled)
• Functional cookies — your preferences (theme, daily goal)
• Analytics cookies — PostHog session ID (anonymized)

We don't use third-party advertising cookies. EU users see a cookie banner; you can decline analytics there.

10. International data transfers

Maa is built in Thailand but uses US-based AI providers + cloud services. By using Maa, you consent to your data being transferred to and processed in the US (with Standard Contractual Clauses where applicable for EU/UK users).

11. Children

Maa is not for children under 13. We don't knowingly collect data from anyone under 13. If you believe we have, email us immediately and we'll delete.

12. Security

We use TLS encryption everywhere, store passwords as hashed magic-link tokens (no plaintext), and audit access via Supabase RLS (row-level security). No system is 100% secure; in the unlikely event of a breach, we'll notify affected users within 72 hours per GDPR norms.

13. Changes

We may update this policy. Material changes (new data processors, new data uses) will be announced via email + in-app notice 30 days before they take effect.

14. Contact

Privacy questions: hi@maa.app · Subject line “Privacy”.

For PDPA-specific requests (Thai users), the founder acts as the data controller and contact.