Privacy Policy
Last updated: February 18, 2026
1. Overview
MUSD ("the App") is a currency and cryptocurrency conversion tool developed by QIAOZHI LIN ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our App and related services.
2. Information We Collect
2.1 Account Registration Data
When you register for an account, we collect the following information:
- Required: Username, display name, password (stored as a one-way SHA-256 hash; we never store or have access to your plaintext password)
- Optional: Phone number, email address (provided at your discretion during registration)
- Invitation code: The code used to register your account
This data is stored on our secure server infrastructure (Cloudflare D1) and is used solely for account authentication and management.
2.2 Email Verification Data
If you choose to verify your email address during registration:
- A one-time verification code (OTP) is generated and sent to your email address via Resend (a third-party email delivery service)
- OTP codes expire after 10 minutes and are automatically invalidated after use
- Your email address is shared with Resend solely for the purpose of delivering the verification email
2.3 Feedback Data
When you submit feedback through the App:
- Required: Feedback type (suggestion, bug report, or other) and feedback content
- Optional: Contact information (email, phone, or messaging handle — provided at your discretion)
- Automatically included: Device operating system version and submission timestamp
Feedback is transmitted to the developer via a secure messaging API for the purpose of improving the App. Feedback data is not stored on our servers.
2.4 Rate Limiting Data
To prevent abuse, we temporarily log IP addresses associated with API requests (registration, OTP sending, OTP verification). This data is used solely for rate limiting and is automatically purged.
2.5 Information We Do NOT Collect
The App does not collect, store, or transmit:
- Location data or GPS coordinates
- Advertising identifiers (IDFA) or device fingerprints
- Usage analytics or behavioral tracking data
- Cookies or tracking pixels
- Financial or payment information
- Photos, contacts, calendar, or any other device data
3. Local Data Storage
The App stores the following data exclusively on your device using iOS local storage (UserDefaults):
- User preferences: Language setting, theme selection, selected currencies
- Calculation history: Past calculator operations
- Account credentials: Username and hashed password (for local authentication)
- Client records: Service fee calculation records
- Feedback timestamps: Submission time records for rate limiting (stored locally)
If you enable iCloud Sync, this data is synced via Apple's iCloud Key-Value Store, governed by Apple's Privacy Policy. We have no access to your iCloud data.
4. How We Use Your Information
| Data | Purpose | Legal Basis |
|---|---|---|
| Account credentials | Authentication and login | User consent (registration) |
| Phone / Email | Account recovery and verification | User consent (optional fields) |
| Email (OTP) | Identity verification during registration | User consent (optional) |
| Feedback content | App improvement and bug fixing | Legitimate interest |
| IP address | Rate limiting and abuse prevention | Legitimate interest |
5. Network Requests
The App makes the following network requests:
5.1 Exchange Rate Data (Read-Only, No Personal Data Sent)
| Purpose | Endpoint | Data Sent |
|---|---|---|
| Fiat exchange rates | api.frankfurter.dev | None (GET request only) |
| Fiat exchange rates | open.er-api.com | None (GET request only) |
| Fiat exchange rates | api.exchangerate-api.com | None (GET request only) |
| Fiat exchange rates | cdn.jsdelivr.net | None (GET request only) |
| Fiat exchange rates | latest.currency-api.pages.dev | None (GET request only) |
| Crypto prices | api.coingecko.com | None (GET request only) |
| Real-time crypto prices | stream.binance.com (WebSocket) | None (subscription only) |
5.2 Account & Service Requests
| Purpose | Endpoint | Data Sent |
|---|---|---|
| Account registration | api.musd.cc | Username, display name, password hash, phone*, email*, invitation code |
| Account login sync | api.musd.cc | Username, password hash |
| Email OTP | api.musd.cc | Email address |
| Feedback submission | Telegram Bot API | Feedback content, device OS version, contact info* |
* Optional fields — only sent if provided by the user.
6. Third-Party Services
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Cloudflare (Workers & D1) | Account data storage and API hosting | Account registration data | Cloudflare Privacy Policy |
| Resend | Email delivery (OTP verification) | Email address | Resend Privacy Policy |
| Telegram Bot API | Feedback delivery to developer | Feedback content | Telegram Privacy Policy |
The App does not integrate any advertising SDKs, analytics SDKs (no Google Analytics, Firebase, Mixpanel), crash reporting SDKs (no Crashlytics, Sentry), or social media SDKs.
7. Data Retention
- Account data: Retained as long as your account is active. You may request deletion at any time (see Section 9).
- OTP codes: Automatically invalidated after use or expiration (10 minutes). Records retained for up to 30 days for security auditing, then purged.
- Rate limiting logs: Automatically purged after 24 hours.
- Feedback data: Retained by the developer for product improvement. No copies are stored on our servers.
- Local data: Retained on your device until you uninstall the App or manually clear data.
8. Data Security
- All server communications use HTTPS/TLS encryption in transit.
- Passwords are hashed using SHA-256 before transmission and storage. We never store or have access to plaintext passwords.
- Server infrastructure is hosted on Cloudflare's global network with enterprise-grade security.
- Local data on your device is protected by iOS built-in security features (device passcode, Face ID/Touch ID, encryption at rest).
- API endpoints are protected by rate limiting to prevent brute-force attacks.
9. Your Rights
You have the following rights regarding your data:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may update your phone number, email, and display name through the App.
- Deletion: You may request complete deletion of your account and all associated server-side data by contacting us at the email below.
- Local data: You can delete all local App data by uninstalling the App or resetting from iOS Settings.
- Withdraw consent: You may stop using features that require data collection at any time.
To exercise any of these rights, please contact us at admin098+musdappprivacy@gmail.com. We will respond within 30 days.
10. Children's Privacy
The App is rated 4+ and is suitable for all ages. We do not knowingly collect personal information from children under 13. Account registration features are optional and not required to use the App's core currency conversion functions. If you believe a child under 13 has provided personal data through registration, please contact us and we will promptly delete it.
11. International Data Transfers
Account data is processed and stored on Cloudflare's global network. By registering an account, you consent to the transfer and processing of your data in accordance with Cloudflare's data processing practices. Cloudflare complies with applicable data protection frameworks.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. Material changes will be highlighted. Continued use of the App constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:
- Developer: QIAOZHI LIN
- Email: admin098+musdappprivacy@gmail.com