Legal

Privacy Policy

Last updated: April 28, 2026

This Privacy Policy describes how Massfeller LLC ("we," "us," "the LLC") handles personal information across its websites and apps. It is written in plain language because pretending otherwise serves nobody.

Contents

The short version
Scope
Data controller
What we collect
Why we collect it
Service providers
What we do not do
Retention
Security
Your rights
Children
Changes
Contact

The short version

Massfeller LLC publishes a small portfolio of personal software products for small, intentionally limited audiences. We do not sell data. We do not share data with advertisers or data brokers. We do not embed third-party tracking SDKs. We use a small number of named service providers (Google Firebase, Cloudflare, Anthropic, Google AI, Spotify, OpenWeather, Resend, Twilio) who process specific data on our behalf to make the apps work. You can read, export, or delete your data at any time by emailing support@massfellerllc.com.

Scope

This policy covers massfellerllc.com and the four apps Massfeller LLC publishes — HEARTware, M.A.S.S. Trap, TPS League, and Homework Forensics — across web and native surfaces, plus any future product the LLC publishes unless that product carries its own published privacy notice. The web dashboard at us.themassfellers.com is the HEARTware surface and is governed by this policy. The web app at tpsleague.com is the TPS League surface and is governed by this policy.

Data controller

Massfeller LLC

Address7990 Baymeadows Rd E, Unit 1601
Jacksonville, FL 32256, US

Emailsupport@massfellerllc.com

Phone+1 (307) 289-2900

What we collect

We collect only what the apps need to function. Specifically:

Account data

The Google account email used to sign in (via Firebase Authentication)
Display name and profile photo, if your Google account exposes them
A user identifier issued by Firebase

Content you provide

Text, photos, and other media you submit to the app (journal entries, bookmarks, dashboard inputs, photos uploaded to Cloudflare R2 storage)
Personal data exports you voluntarily ingest into HEARTware (including but not limited to: iMessage history, Spotify listening history, calendar events, photo metadata, social media exports, health data exports)

Operational data

Server-side request logs containing IP address, user-agent, and request path. Retained briefly for security and debugging.
Conversation logs with the AI assistants (Claude and Gemini) integrated into the app. Used to provide the assistants with context and to debug bugs you report.
App-internal telemetry: which deck cards you opened, how long, when, in service of features that mirror your engagement back to you. Not transmitted to any third party.

Device data (apps only)

For the native iOS and Android apps published via Massfeller LLC: standard device identifiers used by Apple Push Notification service and Firebase Cloud Messaging to deliver notifications. We do not collect IDFA or advertising identifiers.

Why we collect it

To run the app. Authentication, content storage, dashboard rendering.
To make features work. Photos need somewhere to live. AI features need context. Time-series charts need timestamps. The data you give the app is what the app gives you back.
To keep things secure. Logs let us see if the app is being attacked or abused; allowlisting blocks unauthorized accounts at four independent layers.
To improve the app for the household using it. This is private software. Improvements come from real use by the people who use it. We do not aggregate or anonymize for sale.

Service providers (sub-processors)

We rely on the following named service providers, each processing only the data necessary for the function listed:

Google (Firebase Authentication, Firestore, Cloud Storage, Cloud Messaging) — sign-in, real-time data sync, photo storage for some surfaces, push notifications. Subject to Google's privacy practices.
Cloudflare (Pages, Workers, D1, R2, KV) — primary hosting, API layer, primary database, object storage for photos and media, edge cache. Subject to Cloudflare's privacy practices.
Anthropic (Claude API) — AI assistant features (chat, scenario generation, signal-intersection synthesis). Conversation context is sent to Anthropic and processed under its API data use terms.
Google AI (Gemini API) — alternate AI assistant features (text-to-speech, scene generation, reply drafting). Subject to Google AI's API data use terms.
Spotify — playback control and listening history retrieval, when the user has connected their Spotify account. Tokens are stored client-side; we do not transmit them to third parties.
OpenWeather — weather data lookups for selected features. We send only city-level coordinates; we do not transmit user identity.
Resend / Twilio (transactional only) — when implemented, used for transactional email (password resets, security alerts) and verification SMS (LLC business line). Not used for marketing.

We do not embed advertising SDKs, third-party analytics SDKs (Google Analytics, Mixpanel, Amplitude, Segment, Heap, etc.), session-replay tools, or attribution platforms.

We do not sell personal data, in any form, for any reason, to anyone.
We do not share personal data with advertisers, ad networks, or data brokers.
We do not use personal data to train AI models for any party other than the user it belongs to. Anthropic and Google's API terms govern API request handling on their end; we do not opt into any model-training programs they offer.
We do not contact users for marketing purposes. The apps are invitation-only.

Retention

We retain personal data for as long as you use the app, or until you ask us to delete it. Server logs are retained for 30 days. Backups, when present, follow the same lifecycle as the underlying data — deletion is propagated within 30 days.

Security

We use TLS for data in transit. Firebase, Cloudflare D1, and Cloudflare R2 encrypt data at rest by default. Authentication is enforced at four independent layers (server, client, Firestore Security Rules, Storage Security Rules). Allowlisting is enforced at every gate. Two-factor authentication on the LLC's developer accounts uses hardware-backed credentials. We have not had a security incident requiring user notification; if one occurs, we will notify affected users within 72 hours of discovery.

Your rights

You can:

Access your data — request an export by emailing support@massfellerllc.com
Correct your data — most user-editable content can be edited in the app directly; for anything else, email us
Delete your data — request deletion by emailing us; we will confirm within 7 days and complete within 30
Withdraw consent — for any consent-based processing
Object — to processing you believe is unjustified

If you are a resident of California, the EEA, the UK, Brazil, or another jurisdiction that grants additional rights, those rights apply to you and we will honor them. Florida's privacy rights, where applicable, apply.

Children

HEARTware, M.A.S.S. Trap, and TPS League are not directed at children under 13 and we do not knowingly collect personal information from children under 13 through those products. Homework Forensics is an exception by design: it is operated by parents on behalf of their own children and processes the children's school assignment and grading data with parental consent. Each family deploying Homework Forensics is the sole controller of their children's data; the engine never persists student data outside the family's own private vault repository.

Changes

If we materially change this Privacy Policy, we will update the "Last updated" date at the top and, where the change is material, notify users in the app. The most current version always lives at https://massfellerllc.com/privacy/.

Contact

Privacy questions, data export, or deletion requests