Privacy Policy

Last updated: May 23, 2026 · Effective date: May 23, 2026

Summary: Mudifly collects only the data needed to run the app. We do not sell your personal information. We do not process payments or store billing data. All data is encrypted in transit and at rest.

1. Who We Are

Mudifly ("we", "us", "our") is a property management application for short-term rental managers. This policy explains what data we collect, why we collect it, and how you can control it. Questions? Contact us at contact@mudifly.com.

2. Data We Collect

We collect the following categories of information:

  • Account information: your name, email address, and profile photo when you sign up or update your profile.
  • Authentication tokens: session tokens stored securely on your device via iOS Secure Enclave / Android Keystore (expo-secure-store). On-device cache is encrypted with AES-256 using a key stored in Secure Enclave / Keystore.
  • Workspace data: workspace name, currency preference, and timezone you configure.
  • Property data: property names, descriptions, addresses, property type, and images you upload.
  • Booking data: guest names, email addresses, phone numbers, check-in/check-out dates, booking source, revenue figures, booking status, staff assignments, and optional photo attachments per booking.
  • Guest profiles: recurring guest contact information (name, email, phone) saved per workspace to speed up future bookings.
  • Expense data: financial figures, categories, and descriptions you log for your properties or workspace.
  • Blocked dates: date ranges you mark as unavailable on a property calendar, including an optional reason.
  • Activity logs: an audit trail of who did what and when within your workspace. Visible only to workspace members.
  • Notification preferences: your per-category notification settings stored on your profile.
  • Device push tokens: Expo push notification tokens used to deliver booking and team notifications to your device. Stored in our database and deleted on sign-out.
  • Usage and crash data: anonymous crash reports to diagnose app stability issues.

We do not collect or store payment card details. Mudifly has no in-app purchases or subscription billing — there is nothing to charge.

3. How We Use Your Data

  • To operate and sync the app across your devices and workspace members.
  • To send push notifications for bookings, expenses, and team activity (only if you enable them).
  • To send transactional emails (workspace invitations, password reset links) via our email infrastructure. We do not send marketing emails.
  • To enforce workspace property limits at the database level.
  • To display activity logs and analytics within your workspace.
  • We do not use your data for advertising or sell it to third parties.

4. Data Sharing & Third-Party Services

We share data only with the infrastructure providers required to run the app:

  • Supabase — database, authentication, file storage, and serverless edge functions. Data hosted on AWS (EU region by default).
  • Expo / EAS — push notification delivery via Expo Push Notification Service.
  • Hostinger SMTP — transactional email delivery sent from noreply@mudifly.com.
  • Google Sign-In — optional OAuth provider. Governed by Google's Privacy Policy.
  • Apple Sign-In — optional OAuth provider on iOS. Governed by Apple's Privacy Policy.

5. Workspace & Team Data

Mudifly is a collaborative tool. Data you enter is visible to all members of the same workspace according to their assigned role:

  • Owner / Admin: full access to all workspace data.
  • Member: full booking, expense, and property access.
  • Cleaner: sees only relevant checkout tasks — no financial data, no expenses, no activity logs.

Workspace invitations are sent by email. A pending invite token is valid for 7 days and is stored as a one-way hash — the plaintext token is never persisted after generation.

6. Data Retention

Your data is retained for as long as your account exists. When you delete your account, all personal data is removed within 30 days, except where required by law. Workspace data is deleted when the workspace owner closes the workspace. On-device encrypted cache is wiped automatically on sign-out.

7. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction or deletion of your data.
  • Export your data in a portable format.
  • Object to or restrict certain processing.

To exercise these rights, contact us at contact@mudifly.com.

8. Children

Mudifly is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us data, contact us immediately at contact@mudifly.com.

9. Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase). On-device query cache is encrypted with AES-256 using a key stored in the device Secure Enclave (iOS) or Keystore (Android). Session tokens are stored exclusively in platform secure storage — never in plain AsyncStorage. Row-level security on all database tables ensures users can only access data within their workspaces.

10. Changes to This Policy

We will notify you of material changes via in-app notice or email at least 7 days before they take effect. Continued use of the app after changes constitutes acceptance.

11. Contact

Questions about this policy? Contact us at contact@mudifly.com.