Privacy Policy

Mahl ('we', 'our', 'us') is a software application operated by MAHL. APP, a registered business based in Adelaide, South Australia, Australia (ABN 89 646 767 162). Mahl provides AI-assisted paint colour matching and studio management tools for painters. Our website is mahl.app and you can contact us at hello@mahl.app.

We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as the General Data Protection Regulation (GDPR) where applicable to users in the European Economic Area, and the California Consumer Privacy Act (CCPA) where applicable to users in California.

Information you provide directly

• Account information: your email address and display name when you sign up
• Profile preferences: your preferred painting style, medium, and other optional settings you enter
• Paint inventory data: paint names, brands, colours, and properties you add to your collection
• Reference photos: images you upload to use with our colour matching and Session Planner features
• Project data: notes, progress photos, and session plans you create within the app
• Communications: any messages you send us via hello@mahl.app

Information collected automatically

• Usage data: how you interact with the app, which features you use, and how often
• Device information: browser type, operating system, and screen size for technical compatibility
• Authentication data: login timestamps and session information managed via Supabase

Information from third parties

• Anthropic API: when you use AI features (colour matching, critiques, Session Planner), your reference photos and related data are processed by Anthropic's Claude API to generate results. Anthropic's privacy policy applies to this processing: anthropic.com/privacy
• Supabase: your account and all app data is stored in Supabase's infrastructure. Supabase's privacy policy applies: supabase.com/privacy
• Paddle: if you subscribe to Mahl Pro via the web, payment processing is handled by Paddle as merchant of record. Paddle's privacy policy applies: paddle.com/privacy

• To provide and operate the Mahl app and its features
• To process AI colour matching, critiques, and Session Planner requests using your uploaded reference photos and paint inventory
• To save and sync your paint inventory, projects, and session plans across devices
• To manage your subscription and process payments
• To send transactional emails such as account confirmation and password reset
• To respond to your support requests and feedback
• To improve the app based on aggregated, anonymised usage patterns
• To comply with legal obligations

We do not use your personal information for advertising, and we do not sell your data to any third party.

When you upload a reference photo, that image is transmitted to Anthropic's Claude API for AI processing (colour analysis, zone detection, critique generation). We do not permanently store your reference photos on our own servers beyond what is necessary to provide the service. Photos stored as part of your project in Supabase are retained until you delete the project or your account.

Please do not upload images that contain sensitive personal information beyond what is necessary for painting reference purposes. Do not upload images of documents, identification, financial records, or images depicting minors in contexts that could be considered sensitive.

Mahl uses essential cookies and local storage to maintain your login session and app preferences. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. You can clear cookies at any time through your browser settings, though this will log you out of the app.

Your data is stored in Supabase's infrastructure, which is SOC 2 Type 2 compliant and uses industry-standard encryption in transit and at rest. We implement Row Level Security (RLS) in our database so that users can only access their own data.

While we take reasonable steps to protect your information, no system is perfectly secure. We encourage you to use a strong unique password for your Mahl account.

• Active account data is retained for as long as your account exists
• If you delete your account, your personal data and content will be permanently deleted within 30 days
• Aggregated and anonymised usage statistics may be retained indefinitely as they cannot identify you
• Backup data may persist for up to 90 days after deletion for disaster recovery purposes

All users

• Access: you can view all data in your account at any time within the app
• Correction: you can update your profile information within the app settings
• Deletion: you can delete your account and all associated data via the app or by emailing hello@mahl.app
• Portability: you can export your paint inventory and project data on request

European Economic Area users (GDPR)

If you are in the EEA, you have additional rights including the right to object to processing, the right to restrict processing, and the right to lodge a complaint with your local data protection authority. Our legal basis for processing your data is the performance of our contract with you (providing the Mahl service) and our legitimate interests in operating and improving the service.

California users (CCPA)

California residents have the right to know what personal information we collect, to request deletion of that information, and to opt out of the sale of personal information. Mahl does not sell personal information.

Australian users

Australian users may make a privacy complaint to us at hello@mahl.app. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Mahl is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at hello@mahl.app and we will delete it promptly.

Your data may be stored and processed outside Australia, including in the United States where Supabase and Anthropic infrastructure is located. By using Mahl, you consent to this transfer. We rely on these providers' compliance with applicable data protection frameworks.

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by a notice within the app. Continued use of Mahl after changes are posted constitutes your acceptance of the updated policy.

For any privacy-related questions, requests, or complaints, please contact us at hello@mahl.app. We aim to respond within 5 business days.