privacy policy
Effective date: March 29, 2026 · Contact: privacy@mulya.io
Mulya ("we", "us", "our") is a revenue intelligence dashboard that helps indie makers and creators understand their real take-home income across multiple platforms. This Privacy Policy explains what data we collect, how we store and use it, and what rights you have over it.
1. what we collect
account information
When you sign up, we collect your email address and a hashed password (handled by Supabase Auth). If you use Google OAuth, we receive your name and email from Google — no passwords are stored in that case.
platform credentials
To sync your revenue data, we store the API keys, OAuth access tokens, and OAuth refresh tokens you provide for each connected platform (Stripe, Gumroad, PayPal, Lemon Squeezy). These credentials are encrypted at rest using AES-256-GCM before being written to our database. See "How we store data" below.
transaction data
We sync transaction records from your connected platforms: transaction IDs, amounts, currency, platform fees, refund status, timestamps, and platform names. This data is stored in our database and used exclusively to populate your dashboard.
usage and settings data
We store your preferences (tax rate, country, display settings), onboarding completion status, and subscription tier. We also log aggregate analytics events via Vercel Analytics (page views, no personally identifiable information) to understand how people use the product.
2. what we do not collect
Full credit card numbers, CVVs, or bank account details — ever.
Passwords in plaintext — all passwords are hashed by Supabase Auth before storage.
Customer PII from your platforms (buyer names, addresses, emails).
The actual contents of your products or files sold on connected platforms.
Browsing history, cookies for tracking, or cross-site identifiers.
3. how we store your data
database (Supabase)
All data is stored in a PostgreSQL database hosted on Supabase (AWS us-east-1). Row-level security (RLS) policies ensure each user can only read and write their own rows — not data belonging to any other user.
encrypted credentials
Platform API keys and OAuth tokens are encrypted with AES-256-GCM using a server-side encryption key before being written to the connected_platforms table. The raw credential is never stored in plaintext. If the database were compromised without the encryption key, the credentials would be useless to an attacker.
hosting (Vercel)
Our application is hosted on Vercel's edge network. Server-side environment variables (encryption keys, Supabase service role keys) are stored as Vercel encrypted environment variables and are never exposed to the client.
4. how we use your data
Dashboard display
Transaction data is fetched from our database and displayed in your personal dashboard to show gross revenue, platform fees, net revenue, and estimated take-home.
Revenue sync
Stored credentials are decrypted server-side (never sent to the client) and used to call platform APIs on your behalf to keep your transaction history up to date.
AI weekly insights (Pro/Teams only, opt-in)
If you have a Pro or Teams subscription and have not opted out, we send your aggregated revenue figures (no raw transaction IDs) to the Anthropic Claude API to generate a personalised weekly summary email via Resend.
Billing
Your email is shared with Stripe to manage your Mulya subscription. We do not share your revenue data with Stripe.
Product improvement
Aggregate, anonymised usage analytics (page views, feature usage counts) help us prioritise product improvements. No individual-level data is shared.
5. third parties
Database & Auth
Stores all user and transaction data. Privacy policy at supabase.com/privacy.
Hosting & Edge Functions
Serves the application and runs server-side API routes. Privacy policy at vercel.com/legal/privacy-policy.
Billing
Processes your Mulya subscription payments. We share your email address with Stripe. Privacy policy at stripe.com/privacy.
Transactional email
Sends account emails (confirmation, password reset) and optional weekly AI insight emails. Privacy policy at resend.com/privacy.
AI insights (Pro/Teams)
Aggregated revenue figures are sent to the Claude API to generate weekly insight summaries. No raw transaction IDs or personal data are included. Privacy policy at anthropic.com/privacy.
Usage analytics
Anonymised, aggregate page-view analytics. No cookies, no personal identifiers. Privacy policy at vercel.com/legal/privacy-policy.
We do not sell, rent, or trade your data to any third party for advertising or marketing purposes, ever.
6. your rights
You have full control over your data at all times. You can exercise these rights directly from your settings page without contacting us:
Export your data
Teams plan users can export all transaction data as CSV. All users can request a full data export by emailing privacy@mulya.io.
Disconnect a platform
Removing a connected platform immediately deletes the stored credentials for that platform from our database. Historical transaction records are retained until you delete your account.
Delete your account
Deleting your account permanently removes all your data from our database within 30 days, including transaction history, connected platform credentials, and settings.
Opt out of AI emails
You can disable weekly AI insight emails at any time from your settings page without affecting your subscription.
7. GDPR & international users
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data protection laws, you have additional rights under regulations like the GDPR:
Right of access — request a copy of all personal data we hold about you.
Right to rectification — request correction of inaccurate data.
Right to erasure ("right to be forgotten") — request deletion of all your data.
Right to portability — request your data in a machine-readable format.
Right to object — object to processing of your data for certain purposes.
To exercise any of these rights, email privacy@mulya.io. We will respond within 30 days.
8. data retention
We retain your data for as long as your account is active. Free-tier users' transaction history is displayed for the most recent 30 days but the full history is retained in case you upgrade. Pro users retain 12 months. If you delete your account, all associated data is permanently deleted within 30 days. Aggregated, anonymised analytics data (no personal identifiers) may be retained indefinitely.
9. changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (sent to the address on your account) at least 14 days before the changes take effect. Continued use of Mulya after that date constitutes acceptance of the updated policy. The effective date at the top of this page always reflects the most recent version.
10. contact
For any privacy-related questions, requests, or complaints, contact us at:
privacy@mulya.io