Privacy

Your thoughts are yours.

How we handle the most personal data on the internet — your thinking.

Effective 16 May 2026 · Last updated 16 May 2026

What guides us
  • Your thoughts belong to you.

    Always exportable as a portable memory file. Always deletable in a single action. No proprietary lock-in.

  • We never sell or share your data.

    No advertising network, no data broker, no behavioural pixel. Mhisper makes money from people choosing to pay — not from selling attention.

  • We don't train AI on what you write.

    Your content is not used to train any model — ours or anyone else's. If a future feature involves an AI provider, it will be opt-in and named.

  • Free tier stays on your device.

    Your bubbles, zones, and threads live in your browser's local storage by default. You decide if and when to sync.

  • Memory files are sealed with a passkey only you know.

    The passkey never leaves your device. We cannot read a memory file. Neither can anyone else, including in response to legal requests.

  • Minimum data, retained briefly.

    Accounts require an email only. Logs are kept long enough to keep the service alive and protect it — then rotated.

Who we are

Mhisper (“we”, “us”, “our”) is a note-taking application operated from Australia. You can contact us at:

What this policy covers

This policy explains what personal information we collect when you use the Mhisper website and apps (the “Service”), how we use it, who we share it with, where it is stored, how long we keep it, and the rights you have over it.

By using the Service you agree to this policy. If you do not agree, please do not use the Service.

The information we collect

We try to collect as little as possible. Specifically:

Account information

  • Email address — required to create an account, sign in, and contact you about your account.
  • Display name (optional) — what we call you in the app.
  • Authentication tokens — issued by us or by third-party providers when you sign in with Apple, Google, or email. Stored only to keep you signed in.

Content you create

Everything you put into the app:

  • Bubbles, notes, and the text inside them
  • Todos and reminders
  • Zones, threads, and the relationships between bubbles
  • File attachments (if and when supported)
  • Your canvas layout (positions of bubbles)

You own this content. We store it so you can access it across devices.

Voice and dictation

  • Audio is processed on your device by your operating system's built-in speech recognition. We do not record, transmit, or store the audio itself.
  • The transcribed text you choose to keep becomes part of your content and is stored like any other text you type.
  • If a future version of the Service streams audio to a server, we will update this policy and seek consent before doing so.

Payment information

For paid subscriptions purchased on the website, payment is processed by Stripe. We never see or store your full card number, CVV, or bank details. We do receive and store:

  • A Stripe customer ID
  • The last four digits of your card and card brand (for display)
  • Subscription status, plan, and renewal date
  • Billing country (for tax purposes)

Stripe's privacy policy: stripe.com/privacy

Technical information collected automatically

  • IP address — used for security, abuse prevention, and approximate geolocation for legal/tax purposes.
  • Device and browser information — user agent, screen size, OS version, app version.
  • Service logs — timestamps of sign-in, sync operations, errors. Used to debug and protect the Service.
  • Cookies and similar storage — see “Cookies and similar technologies” below.

Information we do not collect

  • We do not run third-party advertising trackers.
  • We do not sell your data.
  • We do not perform behavioural profiling for advertising.
  • We do not collect biometric data.
  • We do not track your precise location. (If a future feature uses location, you will be asked for explicit permission first.)

How we use the information

We use the information above only to:

  1. Provide the Service — store your content, sync across devices, authenticate you.
  2. Operate paid subscriptions — process payments, send receipts, manage renewal and cancellation.
  3. Communicate with you — service announcements, security notices, replies to support requests. We do not send marketing email without your opt-in.
  4. Protect the Service — detect abuse, prevent fraud, debug errors, enforce our Terms.
  5. Comply with law — respond to lawful requests, tax reporting, anti-money-laundering obligations on payments.

We do not use your content to train AI models. If we ever build features that involve sending your content to a third-party AI provider, we will update this policy, make it opt-in, and state the provider.

Who we share information with

We share personal information only with the limited set of providers who help us run the Service:

  • Supabase — database, authentication, storage.
  • Cloudflare — website hosting, CDN, and DDoS protection.
  • Stripe — payment processing.
  • Apple, Google — sign-in via Apple ID or Google (only when you choose to use them).
  • Crash and error reporting — if and when wired, limited to stack traces, app version, and OS version.

Each provider is bound by a data-processing agreement. We do not sell or rent personal information to anyone.

We may disclose information when required by law (a valid subpoena or court order from a jurisdiction we are bound by) or to protect the rights, property, or safety of Mhisper, our users, or the public.

Where your data is stored

Your data is stored with our database provider; some sub-processors (payment, hosting, sign-in, error reporting) may process data in other countries, including the United States and the European Union.

For users in the EU and UK, where we transfer personal data outside the EEA we rely on Standard Contractual Clauses (SCCs) with each sub-processor.

How long we keep it

  • Account and content — for the life of your account.
  • Backups — up to 30 days after deletion.
  • Payment records — 7 years (Australian Taxation Office requirement).
  • Service logs (auth, errors) — 30 days.
  • Anonymised analytics (if any) — up to 24 months.

When you delete your account (Settings → Account → Delete account), your content and account record are deleted from live systems immediately. Backups age out within 30 days. Payment records are retained per the tax retention rule above.

Your rights

You have rights over your personal information. Depending on where you live, these include:

  • Access — get a copy of the data we hold about you.
  • Correction — fix incorrect or out-of-date information.
  • Deletion — delete your account and your content (available in-app at any time).
  • Export — download your bubbles in a portable memory file (available in-app).
  • Restriction or objection — limit how we process your data.
  • Withdraw consent — for anything you opted into.
  • Complain to a regulator:
    • Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
    • EU / UK: your national data-protection authority.
    • California: Office of the Attorney General.

Email connect@mhisper.com to exercise any right that isn't available in-app. We will respond within 30 days.

Security

We protect your information by encrypting data in transit and at rest, storing only hashed and salted passwords where local authentication is used, limiting employee access to production data on a strict need-to-know basis, and reviewing dependencies for known vulnerabilities. For more detail on the principles behind this, see our security page.

No system is perfect. If we discover a breach affecting your personal information, we will notify you and the OAIC where required by the Notifiable Data Breaches scheme.

Cookies and similar technologies

We use a small number of cookies and similar storage mechanisms:

  • Authentication cookies / session storage — keep you signed in. Strictly necessary.
  • Local browser storage — caches your content for offline use and faster startup.
  • Mobile secure storage — on mobile, holds your authentication token.

We do not use third-party advertising or tracking cookies. You can clear local storage and cookies in your browser settings; doing so will sign you out and clear the offline cache.

Children

Mhisper is not intended for children under 13 (or under 16 in the EU and UK). We do not knowingly collect personal information from anyone in that age range. If you believe a child has provided us with personal information, email connect@mhisper.com and we will delete it.

Changes to this policy

We may update this policy as the Service evolves. Material changes will be announced in-app and by email to your account email at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.