Legal
Effective June 1, 2026
Ishira holds deeply personal things — your money, your routines, your memories. We take that trust seriously. This policy explains exactly what we collect, why, and what we will never do with it.
Ishira is a voice-first personal continuity app — a calmer way to remember your life. It is built and run by a small independent team.
In this policy, “Ishira”, “we”, “us”, and “our” mean the makers of the Ishira app. The policy applies to the Ishira mobile app (iOS and Android), the web portal at ishira.app, and any related services.
Ishira is operated from India. Your data is stored in the European Union — see Where your data lives below.
Ishira is built so you can start without giving us your identity. Most apps ask who you are first, then earn your trust. Ishira works the other way around.
When you first open Ishira, we create a random identifier for your account. It is not derived from your name, your email, your phone, or your device. No email, name, date of birth, or location is required to use Ishira.
The entries you create — expenses, income, notes, health logs, memories — are stored in your account. This is the core of what Ishira does. You control everything you add, and you can export or delete it at any time.
You can later secure your account with a username and passphrase so you never lose access. The username does not have to be your real name. We do not require an email for this.
Linking an email is optional and offered only in settings, to make account recovery easier. It is never required, and we never send marketing to it.
When you speak to Ishira, your words are turned into text. See How voice works for the full explanation.
We collect anonymous crash reports and basic usage signals — which features are used, how often the app opens. This helps us fix problems. We do not build behavioural profiles, and this data is not linked to your identity.
A note on IP addresses: our infrastructure providers (Supabase, Vercel) see IP addresses at the network level, as every internet service does. We do not use IP addresses for profiling, advertising, or identity tracking.
When you use voice, your speech is converted to text. Where your device supports it, this happens on-device using the built-in speech recogniser (Apple’s SFSpeechRecognizer on iOS, the Web Speech API on the web). Otherwise the audio is sent to our transcription provider, Groq, to be turned into text.
The text is then sent to Groq to understand its meaning — for example, identifying the amount, the merchant, and the category from what you said.
Groq processes your audio and text under a data processing agreement with us. Groq does not use your data to train its models. See Groq’s privacy terms at groq.com/privacy.
Raw audio is not retained after transcription. Only the text becomes part of your entry.
We use your data only to give you the service and to keep it working:
Ishira relies on a small number of carefully chosen providers. Here is what each one receives, and why.
Our database and authentication provider. Your entries and account data are stored on Supabase servers in Frankfurt, Germany (eu-central-1). Supabase processes this under a data processing agreement with us. See supabase.com/privacy.
Our provider for voice transcription and understanding. Groq receives your audio and text to produce structured entries. It does not retain or train on your data. See groq.com/privacy.
Our web host for ishira.app. Vercel processes standard web request logs, such as IP address and browser type. See vercel.com/legal/privacy-policy.
On-device speech recognition uses Apple’s SFSpeechRecognizer (iOS) and the platform speech frameworks (Android). Where these run on-device, the audio is processed on your phone and is not sent to Apple or Google by us.
Our analytics are privacy-first. The website uses Plausible, which sets no cookies and collects no personal data — only aggregate page views. The app uses PostHog for anonymous product analytics. We never use Google Analytics, session replay, or any cross-site tracking.
We do not use advertising networks, data brokers, or any service whose business model depends on your personal data.
Your data is stored on Supabase servers in Frankfurt, Germany (eu-central-1). We chose the European Union because it provides one of the strongest baselines of data protection in the world, under the General Data Protection Regulation (GDPR).
A copy of your recent data is also kept on your device for offline access and speed. That local copy is protected by your device’s built-in encryption.
We keep your data only for as long as it serves you.
If you never create an account, your data is permanently deleted after 90 days of inactivity. We show you this from your first day, so deletion is never a surprise. Creating an account keeps your timeline indefinitely.
Your account and entries remain stored for as long as you remain a user of Ishira.
If a named account is inactive for 3 years, we will notify you — where we have a way to reach you — 60 days before deleting your account and all associated data.
When you delete your account, your data is permanently removed from active systems within 24 hours and from all backups within 30 days.
Inactive accounts are subject to the standard 3-year retention above. Ishira does not currently offer legacy access or memorial accounts.
You have the following rights over your personal data. To exercise any of them, email us at hello@ishira.app.
You can request a copy of the personal data we hold about you. We respond within 30 days.
You can export all your entries at any time from within the app — as JSON, Markdown, or a PDF memoir. No need to contact us.
You can edit any entry directly in the app. For account details, contact us.
You can delete individual entries at any time, or delete your entire account and all data from Settings → Your Data → Delete Account.
Where processing is based on your consent, you can withdraw it at any time in settings. Withdrawal does not affect processing that happened before.
You can object to processing based on our legitimate interests, and you can receive your data in a structured, machine-readable format using Export.
Because your data is stored in the EU, GDPR applies. You have the rights above, including erasure (Article 17) and data portability. Our legal basis for processing is providing the service you asked for, and our legitimate interest in keeping it reliable.
Indian residents have rights under the Digital Personal Data Protection Act, 2023, including access, correction, erasure, and nominating someone to act on your behalf. Contact our Grievance Officer (below).
Ishira does not sell personal information and does not use it for cross-context behavioural advertising, so many CCPA provisions do not apply. You still have the right to know what we collect and to delete it. Email us to exercise these rights.
Ishira is not intended for anyone under 18, and we do not knowingly collect data from minors. If you believe a minor has created an account, email us at hello@ishira.app and we will delete it.
We may update this policy from time to time. When we make significant changes, we will notify you in the app, and by email where you have linked one, at least 30 days before they take effect. The date at the top shows when it last changed.
For any privacy question, data request, or concern, email us at hello@ishira.app. We respond within 7 business days.
Grievance Officer (DPDPA 2023)
Under the Digital Personal Data Protection Act, 2023, our Grievance Officer can be reached at hello@ishira.app. We aim to resolve all grievances within 30 days of receipt.