Privacy Policy

Last updated: 2026-05-23

Where's Ma Stuff? ("MaStuff," "we," "us") is a personal-inventory + lending/renting/selling/gifting tool. This policy explains what we collect, how we use it, and the limited circumstances under which we share it. The policy is written in plain English because the product is built for families, not legal departments.

1. What we collect

Account information

• Your name (first, last, optional public alias)
• Your email address(es) — primary plus any additional addresses you add for notifications
• Hashed password (argon2; we never store or see your plain password)
• Sign-in identity references — for Google Sign-In, the Google subject identifier and email address Google passes us at sign-in
• Optional profile photo (or an auto-generated initials disc when you haven't uploaded one)

Content you create

• Items you add to your inventory — title, description, photos, value, condition, brand/model/serial, purchase date, tags, location
• Locations you create (addresses for your home, cabin, sub-locations like rooms)
• Households and groups you create, join, or are invited to
• Transactions you initiate or receive (lend, rent, sell, gift)
• Tags, notes, and other free-text fields you fill in
• Receipts and item photos you upload
• Feedback messages you submit to the developers

Operational data

• Session tokens (so you stay signed in) and the IP address + browser user-agent of each sign-in (for security audit)
• Preferences you've set (notification settings, distance units, etc.)
• A minimal tally of AI feature usage (which endpoint, which model, timestamp) to enforce the per-user monthly cap. Rows are deleted automatically once they fall outside the quota window. The actual prompts you send (photos, descriptions, receipts) and the AI's responses are NOT stored on our servers — see "AI features" below.

2. How we use it

• Run the app for you. Display your inventory, route your transactions, render the right items to the right viewers based on your sharing settings.
• Send transactional emails when you've opted into them (Settings → Notifications). We never send marketing email.
• Anti-abuse and security. Detecting unusual sign-in patterns, enforcing the AI usage cap, supporting your password-reset flow if you lose access.
• Improve the app. Aggregate usage signals (which features are used, where errors happen) inform development decisions. We don't sell or share this data.

3. Who else sees your data

People you've explicitly shared with

This is the whole point of MaStuff. When you add a household member, share an item with a group, or publish a listing to Marketplace, the audience you chose sees the content. Specifically:

• Household members see all the items you've added that you haven't marked private to your own use. They see your real name on those items.
• Group members see items you've scoped to that group. They see your alias (or per-group nickname if you've set one), not your real name, unless they're also in your household.
• Marketplace viewers (any signed-in user) see items you've published to the Marketplace tab, with your alias (or "Anonymous seller" if you haven't set one). Your location precision setting controls how much of your address shows.

Third-party service providers we use

MaStuff is built on top of a small number of specialized services:

• Anthropic (Claude AI) — for the AI features (receipt scanning, item identification from photos, tag suggestion, value estimation). Photos + text you submit to these features are forwarded to Anthropic for processing. See the dedicated "AI features" section below for what MaStuff keeps after the round-trip (short version: nothing about the content).
• Resend — for transactional email delivery. Your email address(es) and the email body go to Resend when we send you a notification.
• Backblaze B2 — for storing the photos and receipts you upload.
• Google (Sign-In) — only if you choose to sign in via Google. We receive your name, email, and profile photo from Google.
• Cloudflare — DNS + edge network for wheresmastuff.com.

We don't share data with advertisers. We don't sell data. We don't use third-party analytics or tracking pixels.

AI features (Claude vision / value estimates / etc.)

When you use ✨ Add from a photo, 🧾 Scan a receipt, ✨ Suggest values, or any other AI feature, this is what happens with the content:

• We don't store the prompt. The photo / text you submit is forwarded straight to Anthropic for processing and is not written to our database or our logs. Once the request completes, our servers no longer hold a copy of what you sent.
• We don't store the response. The AI's answer pre-fills the form you're working on. If you accept what it filled in, the resulting item data (title, brand, etc.) is saved like any other item you'd type in by hand — but there's no separate "this was an AI output" record tied to your account.
• What we do keep: a one-line tally row with the endpoint name ("identify_from_photos"), the model used ("claude-sonnet-4-6"), a timestamp, and your account id — purely so the per-user monthly cap (200 calls / 30 days) can be enforced. These tally rows are deleted automatically about a week after they age out of the cap window, so "which AI features you used when" doesn't accumulate on our side over time. No content of the query is ever in those rows.
• What Anthropic does with the content is governed by their commercial terms. As of 2026, Anthropic doesn't use API submissions to train models unless the API account holder opts in — MaStuff has not opted in. That said, please don't put truly sensitive personal data (medical records, financial credentials, etc.) into the AI features — once content has left our server we can't reach in and pull it back.
• The AI features are always optional. Every form that offers an ✨ AI button works fine without tapping it — type the title, brand, etc. by hand and no part of the item reaches Anthropic.

Legal compliance

If we receive a valid legal request (subpoena, court order), we'll comply with applicable law. We'll notify you unless legally prohibited from doing so.

4. Cookies and local storage

MaStuff uses:

• A session cookie for keeping you signed in after sign-in.
• Browser localStorage for UI preferences (which tab you were on, view modes you've picked, dismissed banners). This stays on your device; we don't read it from the server.

No third-party tracking cookies. No advertising IDs.

5. Data retention and your rights

• Delete your account anytime from Settings. Your account is marked for deletion immediately and the content is hard-deleted from our database after a 30-day grace window (in case you change your mind).
• Export your data. You can request a copy of all your data by emailing the contact below. We'll respond within 30 days.
• Correct your data. Most of it you can edit directly in the app. For data you can't reach (audit logs, etc.), email the contact below.
• Backups. We keep daily database backups for 30 days. Deleted data persists in those backups until they roll out of the 30-day window.

6. Children

MaStuff is not designed for children under 13. We don't knowingly collect data from children. If you believe a child has created an account, contact us and we'll delete it.

7. Security

We take reasonable measures to protect your data:

• HTTPS everywhere (Let's Encrypt; auto-renews)
• Passwords hashed with argon2 (industry standard)
• Session tokens revoked on password reset
• Per-user AI usage caps to limit blast radius of stolen credentials
• Off-site encrypted backups

No system is 100% secure. If we ever experience a breach affecting your data, we'll notify you within 72 hours of discovery.

8. Where we're based

MaStuff is operated from the United States. By using the service you consent to your data being processed in the US, which may have data-protection laws different from your home country.

9. Changes to this policy

If we change this policy in a way that affects how we use your data, we'll notify you in-app and via email (if you have email-mirror enabled) at least 14 days before the change takes effect. Material changes will require you to acknowledge them on next sign-in.

10. Contact

Questions, requests, complaints: feedback@gizmos-inc.com. We try to respond within 7 days.