Privacy Policy
Humble Shark is a private asset tracker for Malaysian users. The short version: the only financial data in the app is what you type in yourself, it is stored so that only you (and people you explicitly share a book with) can read it, and we never connect to your bank, sell your data, or send it to advertising or AI services.
What we collect
- Account information — when you sign in with Google or Apple, we receive your name, email address, and profile picture from that provider. We never see your password.
- Profile details you add — a display name, and optionally your age (used only to tailor EPF retirement insights).
- Financial data you enter — asset names, categories, values, currencies, and the transaction history the app builds from your edits. There is no bank linking and no automated import; nothing enters the app unless you type it.
- Device preferences — theme, stealth mode, and your selected book are stored locally on your device only.
We do not use analytics trackers, advertising pixels, or session-recording tools, and the app contains no AI/LLM integrations — insights are computed with fixed rules inside the app.
Where your data lives
Your data is stored in a Supabase-hosted PostgreSQL database. Every table is protected by row-level security: the database itself enforces that only your account — or members of a book you have shared — can read or change your rows. Data is encrypted in transit (TLS).
Sharing — only when you choose it
By default nothing you enter is visible to anyone but you. If you create a shared asset book and invite someone (or join one yourself), members of that book can see its assets according to their role. Invite links are single-use and expire, but anyone holding an unused link can join — treat invite links like passwords.
Third-party services
- Supabase — authentication and database hosting.
- Google / Apple sign-in — identity only; governed by their own privacy policies.
- Exchange-rate providers — currency rates are fetched by our server from exchangerate.host and CoinGecko. No personal data is sent to them.
- Sentry (error monitoring, only if enabled) — if crash reporting is switched on, error reports (error message, stack trace, browser version) are sent to Sentry so we can fix bugs. Reports never include your asset data, and link fragments (such as invite codes) are stripped before sending.
Deleting your data
The book switcher's Empty this book permanently deletes every asset, transaction, and snapshot in your personal book while keeping your account. Settings → Delete account goes further: it removes your sign-in, profile, personal book, and any shared books you own, immediately and irreversibly. Full details and a fallback for users who can't sign in are on the account deletion page.
Your rights (PDPA)
Under Malaysia's Personal Data Protection Act 2010 you may request access to, correction of, or deletion of your personal data, or withdraw consent to its processing. Contact us and we will respond as soon as we reasonably can.
Changes
If this policy changes, we will update this page and its effective date. Material changes will be announced in the app.