Privacy Policy — Moyako Studio & Portfolio
Last updated: 23 April 2026
This policy covers: moyako.com (Moyako studio brand site) and portfolio.moyako.com (Moyako Portfolio — personal investment tool).
Other Hanalytic Limited services have their own policies:
- Moyako Kids Apps (Animal Kingdom, Sliding Puzzle, Memory Match) → /privacy-policy-kids/
- Moyako Games Web & 13+ Apps (games.moyako.com) → /privacy-policy-games/
- Hanalytic SAP consultancy → hanalytic.co.uk/privacy.html
1. Who We Are
Hanalytic Limited is a company registered in England and Wales. We operate Moyako, an AI-powered app development studio, as a trading name of Hanalytic Limited.
This policy covers:
- moyako.com — Moyako studio brand site (marketing only)
- portfolio.moyako.com — Moyako Portfolio, a personal investment-tracking tool
Company number: 10576728
Registered in England and Wales
Registered office address: publicly available at Companies House
→ find-and-update.company-information.service.gov.uk/company/10576728
For correspondence: info@moyako.com
2. Data We Collect — moyako.com
The Moyako studio brand site (moyako.com) does not collect personal information directly. We store only your theme preference and privacy-banner choice in your browser's local storage — this never leaves your device.
The site serves advertisements via Google AdSense, which uses cookies and similar technologies to display ads. See Section 9 (Advertising and Analytics) for details and your opt-out options.
If you email us, we receive your email address and whatever you choose to include. We use this solely to respond to your enquiry; we do not add you to any mailing list.
3. Data We Collect — Moyako Portfolio
Moyako Portfolio (portfolio.moyako.com) is a personal investment-tracking tool currently operated for internal use. If and when it is opened to external users, the following applies.
3.1 Account data
- Email address — for account creation, verification and password recovery
- Encrypted password hash — bcrypt-hashed; we never store or view your plaintext password
- Session / auth tokens — short-lived, scoped to your account
3.2 Financial data (broker integrations)
If you connect a broker account (e.g. eToro), we store only the credentials required to pull your holdings — never trading authority. We do not place trades on your behalf. Specifically:
- Broker API tokens / credentials — encrypted at rest, used only to fetch your holdings and snapshots
- Holdings snapshots — your positions, quantities, cost basis, acquisition dates
- Computed metrics — portfolio valuation, P&L, halal-compliance verdicts, performance indicators
- Market data derived from public feeds — ticker prices, FX rates, fundamentals
We do not share this data with any third party for marketing or advertising. It is used only to render your own dashboard and reports.
3.3 Where your data is stored
- Infrastructure: Hostinger VPS (EU region)
- Backups: encrypted off-site to Backblaze B2
- Database: PostgreSQL with row-level security (RLS) — queries cannot access another user's data even if a bug were present
- Disk encryption: LUKS at-rest encryption on the database volume
- Transport: HTTPS everywhere with HTTP Strict Transport Security (HSTS)
- Secrets management: broker tokens and API keys held in environment variables, never in code repositories
3.4 Third-party services for Portfolio
- eToro — broker data feed. Data flows one-way: eToro → us. We follow eToro's Privacy Policy.
- FX rate & ticker metadata providers — public market data only; no personal data is transmitted.
- Twilio / SendGrid — transactional email for verification codes.
- Hostinger — hosting infrastructure (EU VPS). See Hostinger Privacy Policy.
- Backblaze B2 — encrypted off-site backup storage. See Backblaze Privacy Notice.
4. How Long We Keep Data
- moyako.com logs (IP, access time): up to 30 days on the hosting provider, then purged
- Portfolio account data: retained while your account is active; deleted on request or after 24 months of inactivity
- Portfolio holdings snapshots: retained alongside the account for historical performance views; deleted with the account
- Broker credentials: deleted immediately if you disconnect the broker integration
5. Deletion & Your Data
You can delete your Moyako Portfolio account and all associated data at any time.
- Self-service — sign in, go to Settings → Delete my account. Deletion is immediate and permanent (cascading delete of profile, holdings snapshots, broker credentials, session tokens).
- By email — if you cannot access your account, email info@moyako.com with the subject "Delete my data" from the email tied to the account. We verify and delete within 30 days.
6. Your Rights (UK GDPR / EU GDPR)
Under UK GDPR, EU GDPR and the Data Protection Act 2018, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (see §5)
- Object to processing
- Data portability (export your Portfolio data as JSON)
- Withdraw any consent at any time
- Lodge a complaint with the Information Commissioner's Office (ICO) or your local EU supervisory authority
To exercise any right, email info@moyako.com.
7. International Transfers
Our hosting (Hostinger) and broker integration (eToro) operate within the UK/EEA, so your Portfolio data is not transferred outside the UK/EEA.
The one exception is transactional email: we use Twilio / SendGrid (USA) to deliver account-verification and security emails, which means your email address is processed in the United States. This transfer is covered by the EU-US Data Privacy Framework and the UK International Data Transfer Addendum.
8. Data Security
We apply industry-standard technical and organisational measures:
- Transport: HTTPS everywhere, HSTS, Content Security Policy, Permissions-Policy
- At rest: LUKS-encrypted database volume, bcrypt password hashing, encrypted broker credentials
- Access control: Postgres row-level security (RLS) — database-enforced per-user isolation; principle-of-least-privilege service accounts
- Secrets: managed via environment variables; never committed to code repositories
- Review cadence: quarterly review of data practices and dependency updates
9. Advertising and Analytics
The moyako.com studio brand site uses Google AdSense to serve advertisements. AdSense uses cookies and similar technologies to serve ads based on your visit to this site and other sites on the Internet.
Google's use of advertising cookies enables it and its partners to serve ads to you based on your visit to our sites and/or other sites on the Internet. You may opt out of personalised advertising by visiting Google Ads Settings or, for users in the EEA, UK, and Switzerland, by using our consent banner.
Third-party vendors, including Google, use cookies to serve ads based on your prior visits. Google's use of advertising cookies is governed by the Google Partner Sites policy.
We do not currently use Google Analytics on moyako.com. If we add analytics in the future, this policy will be updated to reflect the change.
10. Cookies & Local Storage
We use only essential storage on our own sites:
- Theme preference (localStorage) — light/dark mode
- Privacy-banner acknowledgement (localStorage)
- Authentication token (localStorage, portfolio.moyako.com only) — expires with your session
Google AdSense on moyako.com may set additional cookies for advertising purposes — see Section 9. See our Cookie Policy for the full list.
11. Changes to This Policy
We may update this policy. Material changes will be announced on this page, and for portfolio.moyako.com users via in-app notice on next sign-in. The "Last updated" date reflects the most recent revision.
12. Contact Us
Company number: 10576728
Registered in England and Wales
Registered office address: publicly available at Companies House
→ find-and-update.company-information.service.gov.uk/company/10576728
For correspondence: info@moyako.com
Data Protection queries: please use the same email and include "Data Protection" in the subject line.