Privacy Policy

Effective date: April 2026

MegaSuperSoft ("we", "us", "our") operates megasupersoft.com and publishes desktop software including FFFFinance, Ghosted, BruceOS, Astral Travel, and NodeUI. This policy explains what data we collect, what we don't, and why.

The short version

Your data stays on your device. Our software is local-first.
We don't sell data. We don't run ads. We don't track you.
AI features are opt-in. Your data is never used to train AI models.
We collect as little as technically possible to run our services.

What we don't collect

This is the most important section of this policy.

No telemetry. Our desktop applications do not phone home. We don't collect usage analytics, crash reports, or behavioural data unless you explicitly opt in.
No tracking. This website does not use cookies, analytics scripts, tracking pixels, or fingerprinting.
No advertising. We don't sell ads, so we have no reason to profile you.
No data sales. We have never sold user data and never will.
No profiling. We don't build profiles, segments, or behavioural models of our users.

Desktop applications

FFFFinance

FFFFinance is a local-first application. All your financial data — transactions, accounts, categories, budgets — is stored in a local database on your device. We cannot access it.

Bank connections via Akahu. If you choose to connect your bank accounts, FFFFinance uses Akahu, a licensed open banking provider regulated by New Zealand financial authorities. When you connect:

You authenticate directly with Akahu. We never see your bank credentials.
Transaction data flows from Akahu's API directly into your local database.
We do not receive, store, or have access to your bank data at any point.
You can disconnect your accounts and revoke Akahu's access at any time from within FFFFinance or from Akahu's dashboard.

Akahu's own privacy policy governs how they handle your data during the connection process. We encourage you to review it at akahu.nz/privacy.

AI features. FFFFinance includes an AI assistant. AI operates in two modes:

Local AI (default). Runs entirely on your device using Qwen3. No data leaves your machine. No internet connection required.
Cloud AI (opt-in). If you choose to enable cloud AI, your prompts and relevant financial context are sent to the selected provider for processing. Responses are returned to your device and stored locally. We do not retain, log, or have access to your cloud AI requests.

In both modes: your data is never used to train AI models, and AI features only run when you explicitly trigger them.

Cloud sync (if available). If we offer optional cloud sync in the future, it will use end-to-end encryption. Your data will be encrypted on your device before transmission, and only you will hold the decryption keys. We will update this policy before any such feature ships.

Auto-update. FFFFinance checks for updates by making a request to our CDN. This request includes your app version and operating system. We do not log or store this information.

Other desktop applications

Ghosted, Astral Travel, and our other desktop applications follow the same local-first principles. Data stays on your device. We don't collect usage data or phone home. Product-specific details will be added to this section as needed.

Dashboard (dash.megasupersoft.com)

Our web dashboard is a separate application used for internal analytics and project management.

Authentication. The dashboard uses Google OAuth for sign-in. When you authenticate, we receive your name, email address, and profile picture from Google. This information is used solely to identify your session. We do not access your Google contacts, calendar, files, or any other Google data.

Data storage. Dashboard data is stored in Cloudflare D1 (a serverless SQL database). Data is encrypted in transit (TLS) and at rest by Cloudflare's infrastructure.

Metrics. The dashboard collects aggregate metrics about our public-facing services (download counts, page views). These are aggregate counts — we do not track individual users.

This website

megasupersoft.com is a static site. It does not use cookies, local storage, or any client-side tracking.

Hosting and CDN. This site is served via Cloudflare. Cloudflare may process standard connection data (IP address, browser type, request URL) as part of delivering the site and providing security. This processing is governed by Cloudflare's privacy policy.

Fonts. We load fonts from Google Fonts. Google may log standard request data when serving font files. See Google's privacy policy.

Payments

We use Stripe to process payments. When you purchase a subscription or product:

Your payment details (card number, billing address) are handled directly by Stripe. We never see or store your full card number.
We receive a transaction confirmation, your name, email, and the last four digits of your card for record-keeping.
Stripe's handling of your data is governed by Stripe's privacy policy.

AI sub-processors

When you opt in to cloud AI features, your data may be processed by the following providers. Each processes data solely to generate a response and does not use your data for model training:

Provider	Used by	Privacy policy
Cloudflare Workers AI	FFFFinance (cloud fallback)	cloudflare.com/privacypolicy

We will update this table if we add additional AI providers. Local AI (Qwen3 via node-llama-cpp) runs entirely on your device and involves no third parties.

Third-party services

We use the following services to operate. Each processes data as described in their own privacy policies:

Service	Purpose	Privacy policy
Cloudflare	Hosting, CDN, D1 database, KV, R2 storage	cloudflare.com/privacypolicy
Google	OAuth (dashboard), Fonts	policies.google.com/privacy
Stripe	Payment processing	stripe.com/privacy
Akahu	Open banking (FFFFinance)	akahu.nz/privacy
GitHub	Source code hosting, issue tracking	github.com/privacy

We maintain accounts on X (@megasupersoft), YouTube (@megasupersoftware), and Bluesky (@megasupersoft.bsky.social). Interactions on those platforms are governed by their respective privacy policies. We do not cross-reference social media data with product data.

Data retention

Since our software is local-first, we hold minimal data:

Desktop apps: All data is on your device. We hold none.
Dashboard: Session data is retained while your account is active. Aggregate metrics are retained indefinitely.
Payments: Transaction records are retained as required by NZ tax law (7 years).
Email correspondence: We retain emails you send us for as long as needed to resolve your query, then delete them.

For data processed by third parties, refer to their respective privacy policies.

International data transfers

Our services use Cloudflare's global network, which means your connection data may be processed in multiple countries. Cloudflare maintains EU Standard Contractual Clauses for international transfers. New Zealand has an EU adequacy decision, meaning data transfers between NZ and the EU are permitted without additional safeguards.

Security

We take reasonable measures to protect your data:

All connections to our services use TLS encryption.
Database storage (Cloudflare D1) is encrypted at rest.
We use scoped API tokens with minimum required permissions.
Authentication uses OAuth — we never handle passwords directly.

We do not store sensitive credentials beyond what is required for service operation.

Your rights

New Zealand (Privacy Act 2020)

You have the right to:

Access any personal information we hold about you.
Request correction of any inaccurate personal information.
Lodge a complaint with the Office of the Privacy Commissioner if you believe we've breached the Privacy Act.

We will respond to access and correction requests within 20 working days.

If you are in the EU or UK, you also have the right to:

Erasure — request deletion of your personal data.
Portability — receive your data in a machine-readable format.
Restriction — request we limit how we process your data.
Objection — object to processing based on our legitimate interests.
Withdraw consent at any time where processing is based on consent.

In practice, we hold very little personal information. If you believe we do, contact us and we'll respond within 30 days.

Do Not Track

We respect Do Not Track signals. Since we don't track you in the first place, there is nothing to disable.

Children's privacy

Our software is not directed at children under 16. We do not knowingly collect personal information from children.

Changes to this policy

We may update this policy from time to time. Material changes will be noted on this page with an updated effective date. We will not reduce your rights under this policy without giving notice.

Contact

For privacy questions or to exercise your rights:

Email: privacy@megasupersoft.com
Address: Wellington, New Zealand
GitHub: github.com/megasupersoft

MegaSuperSoft's Privacy Officer can be reached at the email address above.

Privacy Policy ​

The short version ​

What we don't collect ​

Desktop applications ​

FFFFinance ​

Other desktop applications ​

Dashboard (dash.megasupersoft.com) ​

This website ​

Payments ​

AI sub-processors ​

Third-party services ​

Social media ​

Data retention ​

International data transfers ​

Security ​

Your rights ​

New Zealand (Privacy Act 2020) ​

European Union and United Kingdom (GDPR) ​

Do Not Track ​

Children's privacy ​

Changes to this policy ​

Contact ​