Privacy Policy

Last updated: March 15, 2026

Mikasa Labs, LLC ("Mikasa Labs," "we," "us," or "our") operates the Candles mobile application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your phone number solely for authentication. Your phone number is immediately and irreversibly hashed using HMAC-SHA256 cryptographic hashing and is never stored in plaintext on our servers. We also collect your display name, profile photo (if provided), birthday (month and day only), timezone, and notification preferences.

1.2 Contact Information

With your explicit permission, we access your device contacts to help you find friends who also use Candles. All contact phone numbers are cryptographically hashed on your device using HMAC-SHA256 before being transmitted to our servers. We never receive, transmit, or store plaintext phone numbers from your contacts. We may also collect contact names, birthdays (month and day only), and contact photos that you choose to upload.

1.3 Birthday and Social Information

You may add birthday entries for your contacts, including names, dates, notes, and associated emojis. We also maintain records of friendships, blocked users, and birthday dismissals to provide the core Service functionality.

1.4 User-Generated Content

We collect and store content you create through the Service, including: song lyrics and style preferences you provide for AI song generation; voice recordings you make for birthday messages; video messages; photos and images; and text messages included in birthday deliveries.

1.5 Payment Information

When you make purchases through the Service (gift cards or song credits), payment processing is handled by Stripe or Apple (for in-app purchases). We do not directly collect or store your credit card number, bank account details, or other financial account information. We receive and store transaction identifiers, payment status, purchase amounts, and related metadata necessary to fulfill your orders.

1.6 Device and Technical Information

We automatically collect certain technical information, including your device push notification token (if notifications are enabled), device type, operating system version, and IP address. We use this information to deliver notifications, maintain security, and improve Service performance.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To create and manage your account and provide the core Service functionality
  • To match you with contacts who also use Candles and facilitate social connections
  • To send birthday reminders and notifications you have opted into
  • To generate personalized AI birthday songs based on your input and preferences
  • To transcribe voice recordings into text for song lyrics and word-level display
  • To process gift card purchases and in-app purchases on your behalf
  • To deliver birthday greetings, songs, gift cards, and messages to intended recipients
  • To prevent fraud, abuse, and enforce rate limits on Service usage
  • To comply with legal obligations and respond to lawful requests
  • To improve, maintain, and optimize the Service

3. AI-Powered Features and Third-Party AI Services

Candles uses artificial intelligence to generate personalized birthday songs. When you use these features:

  • Song lyrics may be generated using Google Gemini AI based on the birthday details, style preferences, and optional descriptions you provide.
  • Music is generated by Mureka, a third-party AI music generation service, using the lyrics and style parameters you select.
  • Voice recordings may be transcribed using OpenAI Whisper for creating custom song lyrics and word-level timestamp display.

The information shared with these AI services is limited to the content you provide for song generation (such as recipient descriptions, style preferences, and voice recordings). These services process your data in accordance with their own privacy policies. We do not share your account information, contact list, or other personal data with these AI service providers.

4. Payment Processing

4.1 Stripe

Gift card purchases are processed through Stripe, Inc. When you make a purchase, Stripe collects and processes your payment information directly. We share with Stripe only the information necessary to complete the transaction, including your user identifier, purchase amount, and order metadata. Stripe’s collection and use of your information is governed by Stripe’s privacy policy.

4.2 Apple In-App Purchases

Song credit purchases are processed through Apple’s App Store. We receive transaction verification data from Apple to confirm and fulfill your purchase. Apple’s collection and use of your payment information is governed by Apple’s privacy policy and App Store terms.

4.3 Tillo (Gift Cards)

Gift cards are issued through Tillo, our gift card fulfillment provider. We share with Tillo only the gift card brand, amount, and currency required to issue your gift card. No personal information is shared with Tillo.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share your data only in the following circumstances:

5.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

  • Supabase — cloud hosting, database infrastructure, authentication, and file storage
  • Stripe — payment processing for gift card purchases
  • Tillo — gift card issuance and fulfillment
  • Google (Gemini) — AI lyrics generation
  • Mureka — AI music generation
  • OpenAI (Whisper) — voice transcription
  • Apple Push Notification service (APNs) — push notification delivery
  • Apple App Store — in-app purchase verification

5.2 Legal Requirements

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to: comply with a legal obligation or lawful request; protect and defend the rights or property of Mikasa Labs; prevent or investigate possible wrongdoing in connection with the Service; protect the personal safety of users of the Service or the public; or protect against legal liability.

5.3 Business Transfers

If Mikasa Labs is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you before your personal information becomes subject to a different privacy policy.

6. Data Storage and Security

Your data is stored on Supabase, a secure cloud infrastructure platform hosted in the United States. We implement industry-standard security measures, including:

  • HMAC-SHA256 cryptographic hashing for all phone numbers — plaintext phone numbers are never stored
  • Encrypted data transmission using TLS/SSL for all data in transit
  • Row-level security (RLS) policies enforced at the database level
  • Role-based access controls and service role authentication for server operations
  • Rate limiting on all API endpoints to prevent abuse
  • One-time passwords (OTP) for sensitive delivery verification

While we implement commercially reasonable security measures, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you the Service. Specific retention practices include:

  • Account data is retained until you delete your account
  • Birthday delivery data (messages, songs, gift cards) is retained to allow recipients to access their deliveries
  • Voice recordings are temporarily processed for transcription and are not retained after processing is complete
  • AI-generated songs are retained as long as associated with an active account or active delivery
  • Transaction and payment records are retained as required by applicable financial regulations and tax laws

8. Your Rights and Choices

8.1 Access and Portability

You have the right to access the personal data we hold about you. You can view and export most of your data directly through the app.

8.2 Correction

You can update or correct your profile information at any time through the app settings.

8.3 Deletion

You can delete your account at any time from the app settings menu. Upon account deletion, all your personal data — including your profile, birthdays, contacts, generated songs, delivery history, and device tokens — is permanently and irreversibly removed from our servers. Certain anonymized or aggregated data that cannot be used to identify you may be retained for analytics purposes.

8.4 Notifications

You can opt out of push notifications at any time through your device settings or within the app. You can also configure notification preferences on a per-birthday basis.

8.5 Contact Permissions

You can revoke contact access at any time through your device settings. Previously synced contact hashes will remain on our servers until you delete your account.

9. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected your personal information, the business or commercial purpose for collecting your personal information, and the categories of third parties with whom we share your personal information.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
  • We do not sell or share your personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.

To exercise these rights, please contact us at support@candles.app or use the account deletion feature within the app. We will respond to verifiable consumer requests within 45 days.

10. European Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal Basis: We process your personal data based on your consent (for contact access and notifications), contractual necessity (to provide the Service), and legitimate interests (for security, fraud prevention, and service improvement).
  • Data Transfers: Your data is stored and processed in the United States. By using the Service, you consent to the transfer of your data to the United States.
  • Additional Rights: In addition to the rights described above, you have the right to restrict processing, the right to data portability, and the right to lodge a complaint with your local supervisory authority.
  • Data Protection Officer: For GDPR-related inquiries, contact us at support@candles.app.

11. Children’s Privacy

The Service is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child under the applicable age, we will take steps to promptly delete that information. If you believe a child has provided us with personal information, please contact us at support@candles.app.

12. International Data Transfers

Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to the United States and other countries as described in this Privacy Policy.

13. Third-Party Links and Services

The Service may contain links to third-party websites or services, including gift card redemption pages. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Service.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy within the app, updating the "Last updated" date at the top of this page, and, where required by law, obtaining your consent. Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at support@candles.app.