Privacy Policy

Last updated: May 14, 2026

Introduction

This Privacy Policy explains how Mashric Inc. (“Mashric”, “we”, “us”) collects, uses, shares, and protects personal information about you when you use the Mashric mobile application and related services (the “Service”). We follow Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario law. By using the Service, you agree to the practices described here.

Who We Are

Mashric Inc., 7880 Keele St #206, Vaughan, ON L4K 4G7, Canada. The Service is operated by Mashric Inc. Questions about this policy or your personal information can be directed to our privacy officer at support@mashric.com or +1 (647) 836-4594.

Information We Collect

We collect the following categories of personal information:

  • Account information — your name, email address, and phone number when you create an account or place an order.
  • Google Sign-In data — when you choose to sign in with Google, your device sends you to Google's sign-in page. On completion, Google returns the following standard OpenID Connect data to us via Supabase Authentication: your email address, basic profile information (name and profile picture URL), and an OpenID identifier. The scopes requested are the OAuth defaults: openid, profile, and email. We do not request and do not access any other Google services — no Gmail, no Drive, no Calendar, no Contacts, no Photos, no YouTube, and no personal Google Maps data. The data we receive is used solely to create and authenticate your Mashric account. Mashric's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • Order information — items ordered, customizations, pickup or delivery preference, special instructions, and order history.
  • Delivery addresses — addresses you enter or save for delivery, including any apartment or buzzer details you choose to provide.
  • Location data — when you grant location permission, we use your device’s approximate or precise location to show you nearby stores and to estimate delivery distance. We do not collect location data in the background.
  • Payment information — when you pay, your card details are entered directly into Stripe’s secure payment interface. We do not see or store your full card number; we only receive a tokenized reference, the last four digits, the card brand, and the amount.
  • Device and notification data — a stable device identifier and a Firebase Cloud Messaging token, used to send you order-status push notifications. If you opt in to marketing notifications, the same channel is used for promotional pushes.
  • Support correspondence — any messages, photos, or details you send us through in-app support, email, or phone.

How We Use Your Information

We use your personal information to:

  • Create and manage your account and authenticate you.
  • Process, prepare, and deliver your orders.
  • Send transactional messages (order confirmations, status updates, receipts) by email, SMS, and push notification.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with our legal and tax obligations (including retaining order records for the Canada Revenue Agency).
  • Improve the Service — including diagnosing crashes and analyzing aggregated usage trends.
  • With your separate opt-in, send promotional emails and push notifications about new items, offers, and store events.

Sharing and Service Providers

We do not sell your personal information. We share it only with service providers who help us run the Service, under contractual confidentiality and security obligations:

  • Stripe (payments) — processes your card payments. See stripe.com/privacy.
  • Supabase (cloud backend and authentication) — hosts your account, order, and address data on PostgreSQL servers, and processes sign-in tokens including those issued by identity providers such as Google. When you sign in with Google, the OAuth token flows from your device to Google to Supabase to the Mashric app; Supabase is the only party that holds the underlying OAuth token.
  • Google Sign-In (account authentication) — handles the optional "Continue with Google" sign-in path. Google returns only your email address and basic profile information (name, profile picture) to us via Supabase, as described above. See Google's Privacy Policy.
  • Google Firebase Cloud Messaging (push notifications only) — delivers order-status and (if you opt in) promotional push notifications to your device. We do not use Firebase Authentication, Firebase Analytics, Firebase Crashlytics, Firestore, or any other Firebase service — only the messaging (FCM) component. All authentication runs through Supabase Auth, not Firebase.
  • Google Maps Platform — converts addresses to map coordinates and renders maps. We do not access your Google account's saved places, location history, or any other personal Google Maps data.
  • Resend (transactional email) — sends order confirmations, cancellation notices, and receipts.
  • Twilio (SMS, via Supabase Auth) — sends phone-based one-time codes during sign-in.

We may also disclose your information if required by law, by a court order, or to protect the rights, property, or safety of Mashric, our customers, or the public.

Cross-Border Data Transfers

Some of our service providers store or process data outside Canada — primarily in the United States. When personal information is transferred outside Canada, it remains subject to the laws of the jurisdiction where it is stored, which may include lawful access by foreign authorities. We rely on contractual safeguards (data-processing addenda) with each provider to keep your information protected to a comparable standard. You can request the list of countries where your data may be stored by contacting support@mashric.com.

Cookies and Similar Technologies

The mobile app does not use web cookies. We use local device storage (AsyncStorage and Keychain/Keystore on iOS and Android respectively) to keep you signed in, remember your cart, and store your saved addresses on the device. We do not embed third-party advertising trackers and do not currently run analytics SDKs that follow you across other apps or websites.

Your Rights

You have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Withdraw consent for any optional uses (such as marketing messages) at any time, from the Preferences section of your profile.
  • Delete your account and have your personal information removed from active systems. You can do this in-app from Profile → Delete Account. We anonymize order, receipt, and tax records (replacing your name, email, and phone with placeholders) but retain the underlying transactional record for the period required by tax law.
  • File a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe we have mishandled your information.

To exercise any of these rights, contact us at support@mashric.com. We will respond within 30 days.

Data Retention

We retain personal information only as long as needed for the purposes described above:

  • Account data — while your account is active, and deleted or anonymized within 30 days of you closing your account.
  • Order, receipt, and tax records — retained in anonymized form for six years after the transaction, as required by Canada Revenue Agency record-keeping rules.
  • Support correspondence — up to two years after the issue is resolved.
  • Device tokens — removed when you sign out, when the token becomes invalid, or when you delete your account.

Security

We use industry-standard security measures: encryption in transit (TLS) on every network request, encryption at rest on our cloud database, secure storage of session tokens on your device, and row-level security policies that prevent customers from accessing each other’s data. Payment card details are never seen by our servers — Stripe handles tokenization end-to-end. No system is perfectly secure, but we work to keep your data protected and will notify you and the appropriate authorities if a breach affects you.

Children

The Service is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact support@mashric.com and we will delete it.

Quebec Residents

If you reside in Quebec, additional rights under Quebec’s Law 25 may apply, including the right to data portability and the right to be informed before automated decisions affect you. The Service is currently operated from Ontario; we will update this policy if and when we begin actively serving Quebec residents. In the meantime, you may contact support@mashric.com for any Law-25-specific questions.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top and, for material changes, notify you in-app or by email before the changes take effect. Your continued use of the Service after the effective date means you accept the updated policy.

Contact Us

Privacy questions, access requests, and complaints can be sent to our privacy officer:

Mashric Inc.
7880 Keele St #206, Vaughan, ON L4K 4G7, Canada
Email: support@mashric.com
Phone: +1 (647) 836-4594