Masoon — Privacy Policy

This policy explains what Masoon collects, why we collect it, how we store it, and the rights you have over your data. It is written to be read, not to be survived. If anything is unclear, email us at privacy@daaim.sa and we will rewrite the unclear section.

1. What Masoon is

Masoon is a mobile application that helps you keep track of product warranties and home-service contracts you own. You sign in with your phone number, add your receipts and warranty details, and the app reminds you before anything expires.

2. Who runs Masoon

Masoon is built and operated by Daaim, a company based in Saudi Arabia. We host the backend for Masoon on servers we control — we do not use a third-party "Backend as a Service" provider.

3. What data we collect

We collect three categories of data. All of it is data you give us directly. We do not use any advertising SDKs, analytics SDKs, or third-party tracking libraries.

3.1 Account data

• Phone number — required for sign-in. We send a one-time password (OTP) to this number to verify you own it.
• First name, last name, email address — provided on the registration screen. Your first name + last name becomes your display name in the app. Email is optional but recommended so we can contact you about account-related issues.

3.2 Data you add to the app

• Product entries — invoice number, store, dealer, brand, purchase date, warranty duration, notes, and (optionally) a photo of the invoice.
• Home warranty entries — address, purchase date, warranty duration, sub-category, and notes.
• Support tickets — title and description of any help requests you open from within the app.

3.3 Technical data

• Authentication tokens — when you sign in, the backend issues a short-lived access token (15 minutes) and a refresh token (7 days). These live in the secure storage on your device (iOS Keychain / Android Keystore).
• Server logs — standard web-server logs that record the IP address, timestamp, and URL of each API request. Used to debug errors and detect abuse. Rotated and deleted after 14 days.
• Rate-limit buckets — short-lived counters keyed by phone number and IP to prevent OTP brute-forcing. Discarded automatically.

4. What we do NOT collect

We want to be explicit about what Masoon never sees:

• Your contacts, calendar, call history, or SMS messages
• Your location (GPS, network, or otherwise)
• Your browsing history, apps installed, or device identifiers for advertising
• Your microphone or voice recordings
• Data from other apps on your device
• Any payment or financial information (Masoon does not process payments)
• Biometric data (Face ID / Touch ID authentication happens entirely on your device; Masoon only learns whether the attempt succeeded, not what your face or fingerprint looks like)

5. How we use your data

• Phone number: to send the OTP at sign-in and to identify your account.
• Name and email: to show your display name inside the app and to contact you about account issues (never marketing).
• Product and warranty entries: to display them to you and to schedule local reminder notifications on your device before they expire.
• Invoice images: stored on our backend so they are available from any device you sign in to.
• Support tickets: so our support team can reply to you.
• Server logs: to debug errors, detect abuse, and respond to security incidents.

We do not sell your data. We do not share your data with advertisers, data brokers, analytics companies, or any other third party for their own purposes.

6. Where your data is stored

• Application database: PostgreSQL, hosted on a server we operate in Germany (Hetzner). The database is encrypted at rest.
• Invoice images: on the same server, in a dedicated volume.
• Authentication tokens: in the secure storage of your own device. Never in our logs.
• SMS delivery: the one-time password for sign-in is sent via oursms.com, a Saudi Arabian SMS provider. oursms.com receives your phone number and the 6-digit code (and nothing else) for the duration of the send. We do not share any other data with them.

7. How long we keep your data

• While your account is active: we keep everything you've added, plus what's needed to sign you in.
• Support tickets: retained for the lifetime of your account, so you can see the full history of your own conversations.
• Server logs: automatically rotated and deleted after 14 days.
• One-time passwords: hashed, and automatically purged 5 minutes after issue.
• If you delete your account (see section 9): all of the above is removed on the same request. There is no cooling-off period.

8. How we secure your data

• All network traffic between the app and our backend uses TLS 1.2 or higher.
• Access tokens are short-lived (15 minutes); refresh tokens rotate on every use so a stolen refresh token can be detected and revoked.
• OTP codes are stored as HMAC-SHA256 hashes, never in plaintext.
• The database volume is encrypted at rest at the disk layer.
• Administrative access to the production server is restricted to named engineers and requires SSH key authentication.
• We rotate credentials when an engineer leaves the project.

Security is a process, not a destination. If you believe you have found a security issue in Masoon, please email security@daaim.sa with the details. We respond within 72 hours.

9. Deleting your account

You can delete your Masoon account at any time, from inside the app, without contacting us.

How to delete

1. Open Masoon
2. Go to Account → Settings → Delete Account
3. Read the warning and tap Delete My Account to confirm

What happens when you tap confirm

• Your account row (phone number, name, email) is removed from our database.
• Every product you added is removed.
• Every home warranty you added is removed.
• Every support ticket you opened is removed.
• Every refresh token on your account is revoked so any other devices you signed in on are immediately logged out.
• Your invoice images are removed from server storage.
• Your account is immediately signed out on the device you performed the action from.

The deletion is irreversible and happens immediately. There is no "soft delete" or recovery window. If you change your mind later, you will need to sign up again from scratch.

Server logs that happen to contain your IP address from the last 14 days are not touched by the delete action — they rotate out automatically within their retention window.

10. Your rights

Depending on where you live, you may have legal rights over your data. We honour all of these regardless of your location:

• Right of access — ask us for a copy of what we hold about you
• Right to rectification — correct anything that's wrong
• Right to erasure — delete everything (the in-app Delete Account flow already does this in one tap)
• Right to restrict processing — pause any processing of your data
• Right to object — object to any processing we're doing
• Right to data portability — ask us to export your data in a machine-readable format

To exercise any of these rights, email privacy@daaim.sa from the address associated with your account (or include your registered phone number so we can verify it's really you). We reply within 30 days.

11. Children's privacy

Masoon is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, email privacy@daaim.sa and we will remove the account.

12. Changes to this policy

If we change this policy we will:

1. Update the "Last updated" date at the top
2. Post the new policy at this URL
3. If the change is material (e.g. a new data category, a new third party, a change in retention), show a one-time in-app notice the next time you open Masoon

Continuing to use Masoon after a material change means you accept the new policy. If you don't accept it, delete your account from Settings → Delete Account.

13. Contact

Topic	Email
Privacy questions / data subject requests	privacy@daaim.sa
Security reports	security@daaim.sa
General support	support@daaim.sa

Postal address:
Daaim
Saudi Arabia