Privacy Policy

Last updated: May 15, 2026

MahWins ("we", "us") is a Mahjong tracking app for iOS and Android. This policy explains what information we collect, how we use it, and the choices you have. We keep things simple and collect only what's needed to run the app.

Information We Collect Through the App

Account information

When you create an account with email and password, you give us your email address, a display name, a preset accent color, and optionally a profile photo. Passwords are hashed with bcrypt — no one at MahWins ever sees or can recover your plaintext password.

If you sign in with Apple, we receive an opaque Apple user ID and the email address Apple shares with us (which may be an Apple Private Relay address). We never see your Apple password.

If you sign in with Google, we receive your Google account ID and the email address associated with that account. We never see your Google password. Google Sign-In is currently available in our iOS app; Android support is on the way.

Before an email-based account is created we send a one-time verification code to your email address. Codes are hashed, expire in 15 minutes, and are rate-limited.

Game, group, and social data

Every game you log — winner, winning hand, self-draw flag, notes, timestamp, and any photo you attach — is stored on our servers so you can access your history from any device. Games you log inside a group are visible to other members of that group. Group data includes the group's name, emoji, color, optional avatar, join code, membership, and roles (owner, admin, member). Friends lists, pending friend requests, blocks, and any abuse reports you submit are stored so we can operate those features and review reports.

Photos

Photos you attach to a game or use as an avatar are uploaded to our servers and stored outside of public web access. Only you and the members of the group the game belongs to can view a game photo. We do not use your photos for advertising, training machine-learning models, or any purpose beyond showing them back to you and your group.

Device tokens (push notifications)

If you enable push notifications, your device registers a push token with us so we can notify you about friend requests, group invites, comments on your games, and similar events. Push is delivered through Apple's Push Notification service (APNs) on iOS and through Firebase Cloud Messaging (FCM, a Google service) on Android. The push token is a per-install identifier issued by APNs or FCM — not a Google or Apple account ID. Tokens are removed when you log out, delete your account, or when APNs/FCM tells us they're no longer valid.

Security and operational logs

We keep operational logs in a separate database to run the service safely:

• API request logs — method, normalized path (e.g. /games/:id, never the actual ID), status code, response time, app version, platform, IP address, and user agent.
• Error logs — error message and stack trace alongside the same request context, so we can fix bugs.
• Authentication events — sign-up, sign-in, sign-out, password reset, account deletion, and similar events along with IP, user agent, and platform — used to detect compromised accounts.
• Email and push delivery records — recipient, template type, delivery status. Push delivery records store only the last 16 characters of the device token, never the full token.
• Rate-limit hits — when a request is throttled, we record the route and identifier so we can tune limits and detect abuse.

Failed login attempts are tracked briefly to throttle brute-force attempts and are cleared on a successful sign-in. Verification and password-reset codes are hashed before storage, expire after fifteen minutes, and are rate-limited.

App permissions

Both the iOS and Android apps request camera access to scan group-invite QR codes and to take photos when logging a game, and photo-library access so you can upload an existing photo. On Android, we use the appropriate per-version permission (READ_MEDIA_IMAGES on Android 13+ and READ_EXTERNAL_STORAGE on older versions). We only read from your camera or library when you tap to take or pick a photo — nothing is accessed in the background.

Information We Don't Collect

MahWins does not use analytics SDKs, crash-reporting SDKs, advertising SDKs, location services, or contact-book access. We do not track you across other apps or websites, sell your data, or use your data to train machine-learning models.

Third-Party Services

We use a small set of outside services to run MahWins:

• Resend — delivers transactional email (verification codes, password resets, and other account notifications).
• Apple Push Notification service (APNs) — delivers push notifications on iOS.
• Firebase Cloud Messaging (FCM) — delivers push notifications on Android. Operated by Google.
• Sign in with Apple — optional authentication. Operated by Apple.
• Sign in with Google — optional authentication. Operated by Google.
• DigitalOcean — hosts our API, database, and uploaded photos.

These providers process only what's needed to do their job (for example, Resend sees the email address and message body; APNs/FCM see the message title and body for any push you receive) and are bound by their own privacy terms.

How We Use Your Information

• To provide core app functionality — logging games, computing stats, photos, groups, friends, notifications
• To authenticate requests and keep your account secure
• To send you account-related messages (verification codes, password resets, and push notifications you've enabled)
• To diagnose and fix bugs
• To prevent abuse (rate limiting, blocks, review of reports)

We do not sell your data, share it with advertisers, or use it to train machine-learning models.

Data Retention and Deletion

• Your account and data are kept as long as your account is active.
• You can delete your account at any time from the app's Settings screen. Deletion suspends the account immediately and signs you out of all devices. Logging back in within 30 days reactivates it; after that, the account and all associated data (games, photos, group memberships, push tokens, friend links) are permanently removed.
• Refresh tokens expire after 30 days; expired tokens are purged daily. JWT access tokens expire after 15 minutes. Verification and password-reset codes expire after 15 minutes.
• Group invitations that have been accepted or declined are removed after 90 days. Pending invitations stay until they're acted on.
• Photo files no longer referenced by any game or avatar are removed by a daily cleanup job (with a one-hour grace period to avoid race conditions during uploads).
• Failed-login records are cleared automatically on a successful sign-in.
• Abuse reports you submit are stored as long as your account exists so we can review patterns of repeat offenders. Operational logs (request, error, authentication, email/push delivery, and rate-limit logs) are kept for as long as needed to operate and secure the service; we don't sell or share them.

Your Rights

You can access, correct, export, or delete your data at any time. Most changes can be made in the app (display name, color, avatar, password, stats visibility, blocks, account deletion). For anything else, email support@mahwins.com.

Security

All data in transit is encrypted over HTTPS. API requests are authenticated with short-lived JWT access tokens (15-minute lifetime) backed by longer-lived refresh tokens stored on your device in the OS's secure keychain/keystore. Refresh tokens are hashed on the server — we can revoke a session but we can't read the token itself. We restrict production access to a small number of engineers and rotate credentials regularly.

Children

MahWins is not directed at children under 13 and we don't knowingly collect information from them. If you believe a child has created an account, please contact us and we'll remove it.

Changes to This Policy

If we update this policy we'll change the "Last updated" date above and, for material changes, notify you in the app or by email.

Contact

Questions? Email support@mahwins.com.