Privacy Policy

Mahi — Calorie Balance Tracker

Last updated: 10 March 2026

This Privacy Policy explains how tcapdevs (“we”, “us”, or “our”) collects, uses, and protects your personal information when you use the Mahi mobile application (“the App”). We are committed to protecting your privacy and being transparent about what data we collect and why.

Mahi is a calorie-balance tracker that helps you monitor alcohol calories consumed against workout calories burned. Because the App involves alcohol tracking, it is intended for users aged 18 and over only.

1. Information We Collect

We collect only the information necessary to provide the App's core functionality. Here is exactly what we collect and why:

Account Information

• Email address and password: Required to create and secure your account. Authentication is handled through Supabase Auth.
• Display name and username: Used to identify you within the App, particularly in social features such as leaderboards and friend connections.

Body Measurements

• Weight (kg): Required for accurate calorie burn calculations during workouts. The formula adjusts calorie estimates based on your body weight relative to a 70 kg baseline.
• Height (cm), age, and sex: Optional fields that support more personalised calorie calculations.

Activity Data

• Drink logs: The type of drink, calorie content, quantity, and date. This is the core data used to calculate your alcohol calorie intake.
• Workout logs: The activity type, duration, intensity level, calories burned, and date. This data calculates your calorie expenditure and balance.

Social Data

• Friend connections: Records of friend requests you send or receive, and their status (pending, accepted, or declined).
• Leaderboard membership: Which leaderboards you belong to and your associated statistics.
• Night Out sessions: Group drinking session data, including session details and participant information.

Information We Do Not Collect

• Location data
• Contacts or address book
• Photos or camera data
• Device identifiers or advertising IDs
• Analytics or behavioural tracking data
• Data from Apple Health, Google Fit, or any other health platform (see Section 10 regarding future plans)

2. How We Use Your Information

We use your information for the following purposes:

• To provide the App's core functionality: calculating your calorie balance, tracking drinks and workouts, and displaying your progress.
• To operate social features: managing friend connections, leaderboards, and Night Out sessions.
• To authenticate your identity and keep your account secure.
• To personalise calorie calculations based on your body measurements.
• To communicate with you about your account or important changes to the App or these policies.

We do not use your data for advertising, marketing to third parties, profiling, or any purpose beyond delivering the App's features to you.

3. Legal Basis for Processing

Under UK GDPR and EU GDPR, we process your personal data on the following legal bases:

• Contract performance: Processing your account information, activity data, and social data is necessary to provide you with the service you signed up for. Without this data, the App cannot function.
• Legitimate interest: We have a legitimate interest in maintaining the security of the App, preventing misuse, and improving the service. We balance these interests against your rights and freedoms.
• Consent: Where we rely on consent (for example, for optional data fields or future features), you may withdraw that consent at any time by contacting us or adjusting your settings within the App.

4. How We Store and Protect Your Data

Your data is stored in Supabase, a cloud-hosted PostgreSQL database platform. The following security measures are in place:

• Row-Level Security (RLS): Every database table is protected by Row-Level Security policies. This means each user can only access their own data at the database level.
• Encryption at rest: Data stored in the database is encrypted at rest.
• Encrypted connections: All data transmitted between the App and our servers is encrypted using HTTPS/TLS.
• Password security: Passwords are hashed and managed by Supabase Auth. We never store or have access to your plain-text password.

5. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, all of your associated data is permanently removed from our systems. This includes your profile, drink logs, workout logs, friend connections, leaderboard memberships, and Night Out session data.

We do not retain anonymised or aggregated versions of your data after account deletion.

6. Your Rights

Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can update or correct inaccurate information. Most data can be edited directly within the App.
• Right to erasure: You can delete your account and all associated data. This can be done directly within the App or by contacting us.
• Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
• Right to restrict processing: You can request that we limit how we use your data in certain circumstances.
• Right to object: You can object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, you can withdraw that consent at any time.

To exercise any of these rights, please contact us at archie@tcapdevs.com. We will respond to your request within 30 days.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or with your local supervisory authority in the EU.

7. Account Deletion

You can delete your account directly within the App through the Profile section. Account deletion permanently removes all of your data, including your profile information, drink and workout logs, friend connections, leaderboard memberships, and Night Out session data. This action cannot be undone.

You may also request account deletion by emailing archie@tcapdevs.com.

8. Third-Party Services

We use Supabase as our infrastructure provider for authentication, database hosting, and data storage. Supabase processes your data solely on our behalf to provide these infrastructure services. Your data is not shared with, sold to, or made available to any other third parties.

We do not use any third-party analytics services, advertising networks, or data brokers. We do not sell your personal data under any circumstances.

9. International Data Transfers

Supabase may store and process data in data centres located outside the United Kingdom and European Economic Area. Where data is transferred outside the UK or EU, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office, to ensure your data receives an equivalent level of protection.

10. Future Apple Health and HealthKit Integration

We may introduce integration with Apple Health (HealthKit) in a future update. If and when this feature is introduced:

• Any data read from or written to Apple Health will be used solely to enhance the App's calorie tracking functionality.
• HealthKit data will not be shared with third parties.
• HealthKit data will not be used for advertising or marketing purposes.
• HealthKit data will not be sold to any party.
• HealthKit data will not be used for purposes unrelated to the App's core health and fitness tracking functionality.
• You will have full control over whether to enable or disable the integration.

We will update this Privacy Policy before introducing any HealthKit integration.

11. Children's Privacy

Mahi is intended for users aged 18 and over only, due to the App's alcohol tracking functionality. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will take prompt steps to delete that data and terminate the associated account.

If you believe a minor has provided us with personal information, please contact us immediately at archie@tcapdevs.com.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know: You can request details about the categories and specific pieces of personal information we collect about you.
• Right to delete: You can request that we delete your personal information, subject to certain exceptions.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
• Right to opt-out of sale: We do not sell your personal information to third parties, so no opt-out is necessary.

To exercise these rights, contact us at archie@tcapdevs.com.

13. Cookies and Tracking Technologies

Mahi is a native mobile application and does not use cookies. We do not use web-based tracking technologies, pixels, or similar mechanisms within the App.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the App's features, or legal requirements. When we make changes, we will update the “Last updated” date at the top of this policy and notify you through the App or via email.

We encourage you to review this policy periodically. Continued use of the App after changes are posted constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: