Privacy Policy

PrivyMask is operated by MISA LUNA LIMITED, a company registered in England and Wales (company number 16335349), whose registered office is at Flat 32 Hanover Avenue, London, England, E16 1DX.

We are the data controller for the personal data described in this policy. You can contact us at hello@privymask.com.

Account data. When you sign in, we collect your email address via Firebase Authentication. This is necessary to provide your account and track your usage across sessions.

Usage data. We store a document count and your subscription plan in Firestore. This is used to enforce the free tier and manage your subscription.

Payment data. Payments are processed by Stripe. We receive a Stripe customer ID and subscription status. We never see or store your card details — these are handled entirely by Stripe.

Feedback. If you submit feedback via the in-app widget, we store the text you provide.

What we do NOT collect. We do not store the content of documents you upload. Files are parsed in server memory and immediately discarded. We do not store the pseudonymised text or mapping keys you generate.

We process your data on the following bases under UK GDPR:

• Contract — processing your email and usage data is necessary to provide the service you have signed up for.
• Legitimate interests — we have a legitimate interest in detecting abuse and maintaining service security.
• Legal obligation — we retain payment records as required by UK tax law.

All data in transit is encrypted via TLS. Firebase and Firestore are hosted on Google Cloud infrastructure with industry-standard security controls. Stripe is PCI-DSS Level 1 certified.

The mapping key that pseudonymises your documents is generated in your browser using the Web Crypto API and never transmitted to our servers. This means we cannot read or reconstruct your documents even if compelled to do so.

We use the following sub-processors:

• Google Firebase / Firestore — authentication and usage data storage (EU/UK data centres available)
• Stripe — payment processing (PCI-DSS Level 1)
• Vercel — frontend hosting (EU region)
• Render — backend hosting

We do not sell your data to third parties or use it for advertising.

Account and usage data is retained for as long as your account is active. If you request deletion, we will remove your data within 30 days except where we are required to retain it by law (e.g. payment records for 7 years under UK tax regulations).

Under UK GDPR you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request erasure of your data
• Object to or restrict processing
• Data portability
• Lodge a complaint with the ICO (ico.org.uk)

To exercise any of these rights, email us at hello@privymask.com.

The application itself (the upload and pseudonymisation flow) does not use cookies or third-party tracking scripts. The landing page uses Plausible Analytics, a privacy-respecting analytics tool that does not use cookies and does not collect personal data.

We may update this policy from time to time. We will notify you of material changes by email or by a notice in the app. Continued use of PrivyMask after changes constitutes acceptance of the updated policy.

MISA LUNA LIMITED (trading as PrivyMask)
Flat 32 Hanover Avenue, London, England, E16 1DX
Company number: 16335349
Email: hello@privymask.com