Privacy Policy
⚠️ DRAFT — NOT YET IN EFFECT
This document is a draft framework and has not been reviewed by legal counsel. It must be reviewed and approved by a qualified attorney before publication or enforcement. Do not publish or reference this document as binding privacy terms until legal review is complete.
Last updated: [DATE TBD on legal review]
1. Introduction
This Privacy Policy explains what personal data MoonFactory Creative Lab ("MoonFactory", "we", "us", "our") collects when you use our client portal and related services, why we collect it, how long we keep it, and what rights you have over it.
This policy applies to clients of MoonFactory ("you", "your") and to authorized users you invite to access the Portal on your behalf. It also covers visitors to your websites where we provide analytics on your behalf.
We are the data controller for personal data we collect about you in the course of providing our services. Where we provide analytics for visitors to your website, you are typically the controller of that visitor data and we act as a processor on your behalf.
2. Data we collect
We collect only the data we need to provide the service. Specifically:
- Account information. Your name, email address, organization name, and role. These come from you when we set up your account or when you update your profile.
- Support ticket content. Subjects, descriptions, and any attachments you send when you open a support ticket. Plus our replies and any internal notes attached to your ticket.
- Uploaded files. Any files you upload through the Portal (logos, photos, documents, design source files, etc.), along with the filename, size, type, and a description if you provided one.
- Website analytics. When we provide analytics for your website, we collect aggregated, anonymized visitor data — but only for visitors who explicitly agree via the cookie banner on your site. No analytics data is collected from visitors who decline.
- Billing information. Your billing name, address, and invoice history. Payment card details are handled directly by our online billing partner — we do not see or store your card number.
- Communication records. Emails between you and MoonFactory, plus a log of significant actions you take in the Portal (sign-ins, file uploads, ticket activity) for security and audit purposes.
3. How we use your data
We use the data above to:
- Provide the service — keep you signed in, deliver files, surface invoices, generate analytics reports, manage tickets, and run the integrations connecting your sites and accounts.
- Communicate with you — reply to tickets, send sign-in links, deliver invoices, share product updates, and respond to questions.
- Provide analytics — only for visitors who have consented on your site. Analytics is never collected from declining visitors.
- Bill you — issue invoices and process payments through our online billing partner.
- Keep the service safe — detect abuse, investigate security events, comply with legal obligations.
We do not sell your personal data. We do not use your data to train AI models. We do not show you third-party advertising in the Portal.
4. Cookies
The Portal uses a small number of cookies. They fall into three categories:
Necessary cookies (always set)
These are required for the Portal to work. We cannot turn them off because the Portal would not function.
| Cookie | Purpose |
|---|---|
portal_session | Keeps you signed in to the Portal. |
csrf_token | Protects forms against cross-site request forgery (a security measure). |
mf_consent | Remembers your cookie preferences so we don't show the banner on every page. |
If you also use other MoonFactory services (such as our admin areas or marketing site), additional necessary cookies may be set on those services for the same purposes.
Analytics cookies (opt-in)
Set only if you opt in via the cookie banner. Used to measure how the site is used so we can improve it. You can decline or change your mind at any time.
Marketing cookies (opt-in)
Set only if you opt in via the cookie banner. We use a single cookie (mf_ref) to attribute affiliate referrals on the public marketing site. This cookie is not set inside the Portal itself for normal client use.
5. Consent
When you first visit a MoonFactory site, we show a cookie banner asking you to choose:
- Necessary — always on (required for the site to work).
- Analytics — opt in or out.
- Marketing — opt in or out.
Your choice is recorded in the mf_consent cookie. We default to the most restrictive setting if you don't choose — analytics and marketing are off until you actively opt in.
To change your preferences, click the cookie preferences link in the site footer, or clear the mf_consent cookie in your browser to see the banner again.
6. Third-party processors
To run the service we share certain data with carefully selected third-party processors. Each one is contractually required to handle your data securely and to use it only for the purpose we've engaged them for.
| Processor | Purpose | Data shared |
|---|---|---|
| Online billing partner | Issuing invoices, processing payments | Billing name, address, invoice line items |
| Transactional email service | Sending sign-in links, ticket notifications, invoice emails | Your email address, message contents |
| Website hosting infrastructure | Running the Portal and your hosted sites | All Portal data (encrypted at rest) |
| Analytics service | Consent-gated visitor analytics | Aggregated visitor data only — no personal data from declining visitors |
| AI service | Content generation and AI assistant ("Atlas") | The text of prompts you submit; no account credentials |
| Domain management services | DNS hosting and domain registration | Domain names and DNS records |
| Error monitoring service | Detecting and diagnosing technical errors | Technical error data; no file contents |
We may add or change processors over time. Material changes will be reflected in this policy.
7. Data retention
We keep different categories of data for different lengths of time:
- Account data — for as long as your account is active, plus 30 days after termination.
- Uploaded files — for as long as your account is active. Deleted on erasure request or after the 30-day post-termination window.
- Support tickets — for as long as your account is active, then handled per your erasure preferences.
- Invoices and billing records — up to 7 years after issue, to meet legal and tax obligations.
- Analytics data — per the retention configured for your analytics service. We do not store more than is needed.
- Backups — rotated on a normal schedule. Data may persist in encrypted backups for a short period after deletion before being overwritten.
8. Your rights (GDPR / CCPA)
Depending on where you live, you have rights over your personal data including:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct anything that's wrong or incomplete.
- Erasure — ask us to delete your personal data. We process erasure requests over a 30-day cooling-off period (so you can change your mind), after which the data is anonymized or removed. Some records, like invoices, may be retained where we have a legal obligation to keep them.
- Portability — receive your data in a portable format you can take elsewhere.
- Object / withdraw consent — withdraw your consent for analytics or marketing cookies at any time, or object to specific uses of your data.
- Complain — lodge a complaint with your local data protection authority. We'd appreciate the chance to address any concern first — please email us before going that route.
To exercise any of these rights, email hello@moonfactory.dev or open a support ticket. We will respond within one month and may ask you to verify your identity before acting on a request.
9. Security
We take security seriously and apply industry-standard protections:
- All data is transmitted using HTTPS (encryption in transit).
- Sensitive data we store is protected with industry-standard encryption at rest.
- Access to your data inside MoonFactory is restricted to staff who need it to deliver the service, with role-based controls and audit logging.
- We carry out regular security reviews and updates to our systems.
- We use multi-factor authentication and other access controls for staff accounts.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at hello@moonfactory.dev.
10. Children's privacy
The MoonFactory portal is a business tool. It is not directed at, intended for, or designed for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will:
- Post the updated policy in the Portal with a new "Last updated" date.
- Notify clients by email where the change is significant.
We encourage you to review this policy periodically.
12. Contact
For any privacy-related question, request, or concern, contact us:
- Email: hello@moonfactory.dev
- Or open a support ticket from your dashboard with the subject "Privacy request".
⚠️ DRAFT — NOT YET IN EFFECT
This document is a draft framework and has not been reviewed by legal counsel. It must be reviewed and approved by a qualified attorney before publication or enforcement. Do not publish or reference this document as binding privacy terms until legal review is complete.