Privacy Policy
How MoonBase collects, uses, and protects personal data.
1. Introduction
MoxieAI Ltd. (“MoonBase”, “we”, “us”, “our”) operates the MoonBase platform at moonbase.host. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our Service.
This policy applies to users of the MoonBase platform and visitors to moonbase.host.
If you are an EU resident, additional rights and information apply under the GDPR (see Section 9).
If you are a California resident, additional rights apply under the CCPA (see Section 10).
2. Information We Collect
Account information
When you register, we collect your email address, name (if provided), and a hashed version of your password. We cannot retrieve your password in plaintext.
Project data
When you upload a project, we store your project files, environment variable names and encrypted values, deployment history and logs, and metadata such as upload timestamps, file sizes, and detected framework type.
Payment information
Payment processing is handled by Paddle. We do not store full payment card numbers. We receive and store your billing email address, transaction history, and subscription status.
Usage data
We collect pages visited on moonbase.host via Plausible Analytics (privacy-preserving, no personal identifiers, no cross-site tracking), API request logs including IP address, timestamp, endpoint, and response status (retained for 30 days), and error reports via Sentry, which may include technical context about your session.
Communications
If you contact us, we retain the contents of your communication to provide support.
3. How We Use Your Information
We use your information to provide, operate, and maintain the Service; process your payments and manage your subscription; send transactional emails such as account confirmations, deployment notifications, and billing receipts; respond to support requests; detect and prevent fraud, abuse, and security incidents; improve the Service using aggregated, anonymized data only; and comply with legal obligations.
We do not:
- Sell your personal data to third parties
- Use your project files or code to train machine learning models
- Use your data for behavioral advertising
4. Legal Basis for Processing (GDPR)
For users in the EU/EEA:
| Processing activity | Legal basis |
|---|---|
| Account management, providing the Service | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Service improvement (aggregated, anonymized) | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
5. Data Sharing
We share personal data only with subprocessors necessary to operate the Service (see our Subprocessors page), when required by law, court order, or governmental authority, in connection with a business transfer such as a merger or acquisition (with advance notice to you), or with your explicit consent.
We do not sell your personal data.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Project files | Duration of account + 30 days after deletion |
| Payment records | 7 years (legal/tax requirement) |
| API request logs | 30 days |
| Error reports | 90 days |
| Support communications | 2 years |
Note: During beta, data may be deleted earlier than the periods above due to infrastructure resets, migrations, or other operational requirements. See our Terms of Service, Section 2 (Beta and Early Access).
7. Data Security
We implement appropriate technical and organizational measures including encryption in transit (TLS 1.2+), encryption at rest for sensitive data, and access controls. However, no system is completely secure. We cannot guarantee the security of your data. In the event of a breach affecting your rights, we will notify you as required by applicable law.
8. Cookies
MoonBase uses only essential cookies required for authentication and session management. We use Plausible Analytics, which does not use cookies and does not collect personal identifiers. We do not use advertising or tracking cookies. See our Cookie Policy for more details.
9. Your Rights (GDPR — EU/EEA Residents)
You have the right to access, correct, delete, restrict, and port your personal data, and to object to processing based on legitimate interest. You may withdraw consent at any time where processing is consent-based. To exercise these rights, contact [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
10. Your Rights (CCPA — California Residents)
You have the right to know what personal information we collect, request deletion, opt out of the sale of personal information (we do not sell personal information), and receive non-discriminatory treatment for exercising your rights. Contact [email protected] to exercise these rights.
11. Children’s Privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from children under 18. If you believe we have collected such information, contact [email protected] and we will delete it promptly.
12. International Data Transfers
Our primary infrastructure is in Germany (EU). Where data is transferred to subprocessors outside the EU, we rely on Standard Contractual Clauses or other approved transfer mechanisms under GDPR.
13. Changes to This Policy
We will notify you of material changes by email or notice in the Service at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.