Effective May 14, 2026. Last updated May 14, 2026.
This policy covers how MahaSangha LLC (a New Mexico limited liability company, "we," "our," "us") handles personal data across mahasangha.io and the products shipped under it — Amber, Anther, Bunkobun, amber-voice, Sandokai, and RainLock. We wrote it in plain English because a privacy policy nobody can read is not really a privacy policy.
The short version
We collect the minimum data needed to run the products you actually use. We do not sell it. We do not use it to train models. We disclose every third party that touches your data. You can ask us to delete it at any time and we will. Several of our products collect nothing at all — those tabs say so explicitly.
Who we are
MahaSangha LLC, registered in New Mexico, United States. Our data-processing infrastructure — the amber-mcp service and our email — runs on Hetzner servers in Hillsboro, Oregon, United States; our public website is served from Hetzner in Helsinki, Finland. You can reach us at love@mahasangha.io for any privacy question or request.
Browsing mahasangha.io
Essentially nothing collected. We do not run analytics, pixels, or third-party trackers on the landing page, essays, or this policy. Our webserver keeps standard access logs (IP address, user agent, URL, timestamp) for 30 days for operational reasons — debugging and blocking abuse. After 30 days those logs are rotated out.
Amber MCP (mcp.mahasangha.io/amber)
Amber is our editorial-discipline MCP server. It exposes two tools — draft_amber (paid) and audit_amber (free). To operate, Amber processes:
Your signup details: email address (for API key delivery), Dodo Payments customer ID. Card numbers are never on our servers — they live with Dodo.
Your per-user API key: issued at signup, hashed at rest, used to authenticate each request and decrement credits. You can rotate or revoke it via love@mahasangha.io.
Your draft inputs: the brief, register hint, and target word count you submit per draft_amber call. Sent to the language model provider for generation, returned to you, then discarded — Amber does not store your text. The audit_amber tool runs entirely on our server with no model call and stores nothing.
Credit metadata: credits purchased, credits consumed, timestamp of each draft. Retained so you can see your usage history and so we can reconcile billing.
Amber does not retain the drafts it produces. We do not log the text of your briefs or the generated outputs. We keep only billing-relevant metadata (which user made how many calls, when).
Authentication: Amber uses per-user API keys (Bearer tokens) issued after Dodo Payments signup, rather than OAuth. Each request carries your key; Caddy validates at the edge before reaching the MCP transport. Keys are hashed at rest. You can revoke and rotate at any time.
amber-voice (Claude skill)
amber-voice is a markdown-only Claude skill that loads editorial discipline (registers, positive moves, AI-shape tells, kill list) into your Claude session as reference material. It is not a server, does not run code on our infrastructure, does not make network calls to us, and does not collect any data. Everything happens inside your Claude session. Your prose stays between you and Claude (and is governed by Anthropic's policy for that session).
If you separately install the companion Amber MCP for drafting, that surface is governed by the Amber MCP tab.
Zero data collection. amber-voice is a static skill bundle. Installing it does not create any account, transmit any payload to MahaSangha, or contact any MahaSangha server. There is nothing to delete because nothing is stored.
Anther
Anther is a voice-first accessibility app. To answer your spoken questions it processes:
Audio of your speech, sent to the speech-to-text provider for transcription. The audio is not retained after the response is returned.
The transcribed text of your question, sent to the language model provider. Transcripts are retained for session context only and cleared on app close unless you explicitly save them.
Your language and voice preferences, stored locally on your device.
Anther uses Deepgram for English speech-to-text and text-to-speech, and Fish Audio S2-Pro for Russian text-to-speech. Both providers process audio and return results; we do not ask either to retain recordings.
Bunkobun
To print and ship a book you order, Bunkobun processes:
Shipping address and contact info — passed to the printer fulfilling your order.
Your uploaded manuscript files — stored encrypted at rest, used for the print job you commissioned, and retained so you can reorder without re-uploading. Deletable on request.
Sandokai (Claude skill)
Sandokai is a Claude skill that fetches transcripts from spoken-media URLs (YouTube, plus anything yt-dlp recognizes). It runs in your Claude session, on your own machine for Claude Code or on Anthropic's infrastructure for claude.ai. We do not run a server for Sandokai. We do not collect any data.
Sandokai may use your own Deepgram API key for audio transcription of non-YouTube sources. That key is configured by you locally and is sent directly from your Claude session to Deepgram per their privacy policy. We never see it.
Zero data collection. Sandokai is a Claude skill. We do not operate a server, mint accounts, or receive any payload from your use of it.
RainLock
RainLock is an Android app distributed via Google Play. It runs entirely on your device. It does not connect to any MahaSangha server, does not have user accounts, and does not collect or transmit data of any kind. Standard Google Play install metadata (download counts, country, device type, version) is visible to us in aggregate via the Play Console; we do not have access to per-user identifiers from Google.
Local-only. RainLock has no network calls of its own. Anything Google Play tells us is aggregate install metrics, never tied to you as an individual.
Sub-processors
These third parties process data on our behalf. We only send them what they need to do their job, and we have reviewed each for reasonable data-handling practices. When you use a product that depends on one of these services, your data is governed by their privacy policy as well as ours.
Anthropic (Claude API) — language model for Amber drafting and Anther responses. Your prompts and inputs are sent for generation.
Anthropic does not train models on API inputs by default.
OpenAI (GPT-4 API) — legacy fallback model selectable in some surfaces (Anther chat). Not the default path for any current product.
Per OpenAI's standard API policy, inputs and outputs may be retained for up to 30 days for abuse monitoring. Not used to train OpenAI models.
Deepgram — speech-to-text and English text-to-speech for Anther. Also available to Sandokai users who configure their own Deepgram key locally.
Audio is processed and returned; we do not ask Deepgram to retain recordings.
Fish Audio — Russian text-to-speech for Anther (S2-Pro voice).
Text is sent for voice synthesis; audio is returned and not retained by us.
Dodo Payments — subscription and one-time billing for Amber and Bunkobun.
Card numbers and bank details are never stored on our servers. We keep only the Dodo customer ID.
Google (YouTube Transcript API) — fetches publicly available captions when you paste a YouTube URL into Amber or Sandokai.
We do not send your account information, only the video ID you provided.
Hetzner — cloud hosting. The amber-mcp service and email run on Hetzner servers in Hillsboro, Oregon (United States); the public website is hosted in Helsinki, Finland.
EU-based provider, GDPR-aligned data processing agreement in place (Art. 28 GDPR).
Wasabi — encrypted cold-storage backups of operational data.
Backups are encrypted at rest and accessible only by us.
Play Store and Namecheap — distribution (Anther, RainLock) and domain registration (mahasangha.io). Standard vendor relationships.
Not in this list: we do not use Google Analytics, Meta Pixel, Mixpanel, Segment, Amplitude, PostHog, Hotjar, Sentry cloud, or any advertising, session-recording, or behavioral-analytics service. The list above is complete.
How we use your data
To run the product you asked us to run. To bill you correctly. To fix bugs when something breaks. To respond when you email us. That is the full list.
We do not sell your data, rent it, share it with advertisers, or use it to train our own models. Your drafts are yours.
How long we keep it
Access logs: 30 days.
Amber draft inputs and outputs: not retained. We keep only billing-relevant metadata (which user made how many calls, when).
Amber account records and billing metadata: for as long as you have an account; deleted within 30 days of account closure, excluding billing records we are legally required to retain (US tax law: typically 7 years for transaction receipts).
Anther transcripts: cleared at session end unless you save them.
Bunkobun order data: retained through fulfillment plus a reasonable reorder window (2 years), after which manuscripts and addresses are purged unless you ask us to keep them longer.
amber-voice, Sandokai, RainLock: nothing retained — these products collect no data on our servers.
Encrypted backups: organized by monthly bucket, each expiring automatically 7 years after creation per bucket lifecycle policy.
Your rights
Regardless of where you live, you can:
Ask what personal data we have about you.
Get a copy of it.
Correct it if it is wrong.
Delete it (with the legal-retention caveat above).
Take it elsewhere (we will export in a standard format).
Object to a particular use.
Close your account.
If you are in the European Economic Area, the United Kingdom, Switzerland, or California, you have these rights under GDPR, UK GDPR, the Swiss FADP, or the CCPA/CPRA respectively — and we honor them the same way for everyone else too. Email love@mahasangha.io with the request and we will respond within 30 days.
International transfers
Our primary processing infrastructure for the amber-mcp service is in the United States (Hillsboro, Oregon), and several sub-processors (Anthropic, OpenAI, Deepgram, Dodo, Wasabi) also operate in the United States. If you are in the EEA, the UK, or another region outside the United States, your data is transferred to and processed in the United States; we rely on Standard Contractual Clauses and equivalent safeguards to protect it.
Security
Passwords are hashed, never stored in plain text. Data in transit is TLS-encrypted. Backups are encrypted at rest. Access to production systems is restricted to the operator (one person at present) via SSH key authentication. We do not have a bug bounty program yet; if you find a vulnerability, email love@mahasangha.io and we will acknowledge within 72 hours.
Nothing is perfectly secure. If we ever have a breach that affects you, we will tell you directly and promptly — not via a press release three months later.
Cookies
mahasangha.io sets one browser localStorage key for your theme preference (light, dark, or green). That is not a cookie and it is not sent to our server. None of our current products require cookies.
Children
Our products are not directed at children under 13. If we learn we have collected data from a child under 13, we will delete it.
Changes to this policy
We will post material changes here and update the "last updated" date at the top. For significant changes affecting how we use existing data, we will email active account holders at least 14 days before the change takes effect.
Contact
Privacy questions, data requests, or anything else: love@mahasangha.io. One operator reads this inbox and will respond.