Privacy Policy
Last updated April 27, 2026
1. The short version
We collect only what we need to run the Service: your email, the URLs you submit, the generated reports, and basic usage analytics.
We don't sell your data. We don't train models on your reports. We don't share data with advertisers.
2. What we collect
Account data: email address (for magic-link login), session tokens, plan and billing status.
Submitted content: URLs you paste, scraped page content, generated product briefs and launch kits.
Usage data: requests, IP (for rate limiting), browser/device, page events via PostHog if enabled.
Billing data: handled by Dodo Payments. We receive subscription status and customer ID; we do not store card numbers.
3. How we use it
To run the pipeline (scrape → product brief → launch kit) and store the result so you can view, edit, share, and export it.
To send you transactional emails (magic links, billing receipts).
To prevent abuse via rate limits and fraud checks.
To improve the product through aggregate, non-identifying analytics.
4. Sub-processors
Firecrawl: scrapes the URLs you submit.
OpenAI: generates briefs and launch kits. OpenAI does not train on API data per their policy.
Neon (Postgres): stores accounts and reports.
Vercel: hosts the application.
Upstash: rate-limit storage.
Dodo Payments: subscription billing.
PostHog: product analytics (optional).
Resend / email provider: magic-link delivery.
5. Public vs private reports
Free-plan reports are public by default: anyone with the /r/[slug] URL can view them. Treat them as shareable.
Pro-plan reports default to private and are gated to your account. You can toggle visibility at any time.
6. Cookies
We use a session cookie to keep you signed in. We use a theme cookie to remember light/dark preference. PostHog (if enabled) sets analytics cookies.
No third-party advertising cookies. No cross-site tracking.
7. Data retention
We retain reports while your account is active. If you delete a report, it's removed from the database within 30 days (backups age out shortly after).
If you delete your account, we delete or anonymize your data within 30 days, except where retention is legally required (e.g. tax records on payments).
8. Your rights
You can request a copy of your data, correction, or deletion by emailing hello@moonshift.io.
If you're in the EU, UK, or California, you have additional rights under GDPR/UK-GDPR/CCPA. We honor them globally.
9. Security
Data is encrypted in transit (HTTPS) and at rest by our infrastructure providers. Magic-link login means no password to leak. Sessions are signed and short-lived.
No system is bulletproof. If we discover a breach affecting you, we will notify you within 72 hours.
10. Children
The Service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from minors.
11. International transfers
Our infrastructure is primarily in the US. By using the Service from outside the US you consent to your data being processed in the US under appropriate safeguards.
12. Changes & contact
Material changes will be announced on the Service or by email. Questions: hello@moonshift.io.