Musha
Get Musha

Privacy

Your farm records never leave your device.

Cows, hives, fields, transactions — all of it lives in local SQLite. Backups go from your phone to wherever you point them (Drive, email, local file). We do not have a copy.

Farm data is local-first

Every entity, event, and transaction is stored in on-device SQLite. The app works fully offline.

Server holds the minimum

Account email, subscription tier, and your daily AI usage count. That is the full server-held data set.

Encrypted backups

AES-256-GCM with PBKDF2-derived key (120,000 SHA-256 iterations). Passphrase is yours; we cannot recover it.

Open binary format

Backup files are versioned JSON inside the encrypted envelope. If we vanish, you can decrypt them with the published format spec.

Where data lives

Two clean lines: device vs server.

Nothing about your cows, hives, or fields ever reaches a server we run. The only time data leaves your device is if you ask the AI a question on Musha — and even then, only after you confirm the preview.

# on your device (local SQLite)
entities cows, hives, fields, flocks
events weighings, vaccinations, harvests
transactions income and expense ledger
templates pre-built + your custom ones
# on our server (Supabase)
account email, hashed password
subscription tier, renewal date
usage_log token counts, no prompts

When AI is used

You see what's sent before it goes.

AI features are Musha paid-tier only and strictly opt-in. The first time you open them, you acknowledge a disclaimer. Every prompt shows a preview of the data being included.

Preview before send

Chip list of every entity and event included. Strike any you don't want sent. Cancel for free.

Provider, your choice

OpenAI, Google Gemini, or Anthropic Claude. Same UI, same limits — different model under the hood.

Token counts only

We log how many tokens you used so we can count it against your daily quota. Never the prompt body, never the response.

Backups

Your records, your copy, your choice of destination.

Backup any time via the system share sheet — Drive, email, local file, anywhere. Encrypted with your passphrase. Restore is a single file pick.

  • AES-256-GCM with PBKDF2-derived key (120,000 SHA-256 iterations).
  • MUSHA_ENC_v1 magic header — the format is published and decryptable without our help.
  • Restore picks a file, asks for the passphrase, and replaces all four user tables in a single transaction.
  • If you lose the passphrase, we cannot recover it. We do not hold it.

What we won't do

A short, non-comprehensive list.

  • ·Store your farm data on our servers. Ever.
  • ·Train our own models on your prompts or responses.
  • ·Sell de-identified records to feed-supply firms or insurers.
  • ·Push notifications about features we want you to buy.
  • ·Add third-party analytics SDKs that follow you around.

Want the privacy pack?

Backup-format spec, data-flow diagram, sub-processor list, and the full AI prompt-routing diagram are available on request.

Request the pack