1. Who we are
masir is operated by masir ("we", "us"). For questions about this policy or your data, contact us at privacy@masir-ai.de.
2. What data we collect
Account data
When you create an account we collect your name, email address, and (if you use email/password sign-up) a hashed password. If you sign in with Google, we receive your Google profile information (name, email, profile picture) as provided by Google. Following data minimization principles, we intentionally collect age ranges (e.g. 25 to 34) rather than exact dates of birth.
Goals and plans
masir stores the goals, constraints, and step plans you create. This content is free text and may include personal details you choose to enter. Please avoid entering special-category data (e.g. health, religion) unless necessary for your goal.
Preferences
We store appearance settings (light/dark/system theme) in your account. The web app may also remember your theme choice in browser storage.
Technical data
When you sign in we store session metadata including IP address and browser user agent for security and fraud prevention. On the web, authentication uses an HttpOnly session cookie scoped to our domain. On the native mobile app, we use a bearer token stored in your device's secure storage.
Website visitors (no account)
If you use our marketing site without signing in:
- Contact form: name, email, subject, and message, stored in our database and emailed to us via Resend.
- Waitlist: email address and optional source, stored in our database.
- Bot protection: Cloudflare Turnstile may process interaction data when you submit these forms or sign in on the web (see
).
Analytics (with your consent only)
If you accept analytics cookies on our marketing site or web app, we collect product usage events (e.g. plan created, step completed), page views, and JavaScript errors via PostHog EU. The same events may also be written to Cloudflare Workers Analytics Engine when our API receives your consent cookie (masir_consent). We use an internal user ID, not your email or name, in analytics. See our
Analytics load on the web app only (PostHog and Cloudflare Web Analytics beacon). The marketing site stores your consent choice but does not load those scripts. The native mobile app does not load PostHog or the web analytics beacon.
Error and performance monitoring
When enabled, Sentry receives error reports, stack traces, and performance traces from our web app, admin dashboard, API, and (optionally) native mobile app. This processing is not covered by analytics cookie consent; it supports reliability and security under our legitimate interest.
On the web and admin apps, session replay is recorded only after a critical error, not during normal browsing. These replays are strictly configured to mask all user text, inputs, and personal data by default, and are used solely to resolve critical application crashes. When you are signed in, we attach your internal user ID to Sentry events, not your email or name.
Installable web app (PWA)
The masir web app at https://app.masir-ai.de can be installed and caches its interface assets in your browser so pages load faster. Plan data is loaded from our servers when you are online and requires an active connection.
Native mobile app
The iOS and Android app stores your session token in secure storage and loads plans from our API when online. It does not share the web app's PWA service worker cache. You can export your data and delete your account from Settings → Privacy in the app (same APIs as the web app).
3. Why we use your data (legal bases)
- Contract (Art. 6(1)(b) GDPR): providing your account, storing plans, sending account emails (verification, welcome, password reset, referral notifications), and delivering the service you signed up for.
- Consent (Art. 6(1)(a) GDPR): analytics and optional tracking cookies on our marketing site and web app. You can withdraw consent at any time via Cookie settings.
- Legitimate interest (Art. 6(1)(f) GDPR): session security (IP address, user agent), abuse prevention (including Turnstile on forms), and error/performance monitoring (Sentry), balanced against your rights.
4. Processors and subprocessors
We use the following service providers to run masir:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, database (D1), API Workers, Workers AI (plan generation), Turnstile, Workers Analytics Engine, optional web analytics beacon | Global / EU edge |
| PostHog EU | Product analytics on web app (consent required) | EU (Frankfurt) |
| Sentry | Error monitoring, performance traces, optional session replay on errors | United States |
| Resend | Transactional email (verification, welcome, password reset, referral notifications, contact form delivery) | United States |
| OAuth sign-in only | Global / United States |
Where data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses where applicable.
5. AI plan generation
When you create or adjust a plan, text you enter as goals or instructions may be processed on Cloudflare Workers AI using hosted models such as Gemma 4 (@cf/google/gemma-4-26b-a4b-it) or, if the primary model is unavailable, a Meta Llama 3 8B fallback. Inference runs entirely on Cloudflare's infrastructure; Google and Meta do not receive or process your prompts.
We process this data to provide the feature you request (contract basis). Generation metadata may be stored in our database for debugging and quality. Your goals and plans are processed securely to provide the service and are not used to train the underlying AI base models.
Cloudflare acts as the processor for this inference. See Cloudflare's privacy policy.
6. Retention
- Account and plan data: until you delete your account or individual plans.
- Sessions: up to 7 days, with session activity refreshed at least every 24 hours while you remain signed in.
- Verification tokens: until used or expired.
- Contact and waitlist submissions: until no longer needed for the purpose you submitted them, or until deleted by us.
- Analytics: per PostHog, Cloudflare Analytics Engine, and Cloudflare Web Analytics retention settings (typically up to 90 days).
- PWA shell cache: until the app is updated or you clear site data in your browser.
7. Your rights
Under GDPR you have the right to:
- Access your data (export from Settings → Privacy in the web app at https://app.masir-ai.de or in the native app)
- Rectify inaccurate data (edit profile in the app)
- Erasure ("right to be forgotten"): delete your account from Settings → Privacy in the web or native app
- Data portability: export your data from Settings → Privacy in the web or native app
- Restrict or object to processing where applicable
- Withdraw consent for analytics at any time (Cookie settings on our marketing site and web app; Settings → Privacy on the web app)
- Lodge a complaint with your local supervisory authority
You may also email privacy@masir-ai.de for export, deletion, or other requests.
8. Children
masir is not directed at children under 16. We do not knowingly collect data from children. Contact us if you believe a child has provided personal data.
9. Changes
We may update this policy. Material changes will be posted on this page with an updated date. Continued use after changes constitutes acceptance where permitted by law.
10. Contact
masirEmail: privacy@masir-ai.de
Website: https://masir-ai.de