Privacy Policy

1. Introduction

mooncloak (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, and protect information when you use KodeTools services, including the thrust desktop application and related cloud services (collectively, the “Services”).

We believe in data minimization: we only collect what is necessary to provide and improve the Services.

2. Our Privacy Principles

Minimal Data Collection: We only collect data necessary for the Services
No Selling of Data: We never sell your personal information
Transparency: We are clear about what we collect and why
User Control: You have rights over your data
Privacy-First Analytics: If we use analytics, we use privacy-respecting tools that don’t track individuals

3. Information We Collect

3.1 Information You Provide

Account Information:

Email address (from OAuth provider or direct input)
Username or display name
OAuth provider profile information (GitHub, GitLab, Bitbucket, etc.)

Payment Information:

Billing name and address
Payment method details (processed and stored by third-party payment processors; we never store full credit card numbers)

Communications:

Messages you send to customer support
Feedback and survey responses (voluntary)

3.2 Automatically Collected Information

Essential Service Data:

Session identifiers (for authentication)
IP addresses (for security and fraud prevention)
Timestamps (for session management)

Optional Usage Data:

Features used within the Services
Error logs and crash reports (to fix bugs)
Performance metrics (to optimize the Services)

Device Information:

Operating system and version
Application version
Browser type (for web-based Services)

3.3 What We Do NOT Collect

No tracking cookies for advertising or analytics
No personal browsing history outside our Services
No access to your code or projects beyond what’s necessary to provide the Services
No invasive fingerprinting or cross-site tracking
No data from third-party websites

4. How We Use Your Information

We use your information only for these purposes:

Provide the Services: Account management, authentication, service delivery
Process Payments: Billing and transaction processing
Communications: Service updates, security alerts, billing notices (you cannot opt out of essential communications)
Support: Respond to your inquiries and provide assistance
Security: Detect fraud, prevent abuse, protect against security threats
Improvement: Fix bugs, optimize performance, develop new features
Legal Compliance: Comply with legal obligations

We do NOT use your information for:

Targeted advertising
Selling to third parties
Profiling or automated decision-making (except fraud detection)
Training AI models on your code or content

If you are in the European Economic Area (EEA), UK, or Switzerland, we process your personal data based on:

Contract Performance: Processing necessary to provide the Services you requested (Art. 6(1)(b) GDPR)
Legitimate Interests: Security, fraud prevention, service improvement (Art. 6(1)(f) GDPR)
Consent: For optional features or communications (Art. 6(1)(a) GDPR) - you can withdraw consent anytime
Legal Obligations: Compliance with laws, regulations, court orders (Art. 6(1)(c) GDPR)

We minimize data sharing and only share when necessary:

6.1 Service Providers

We use carefully selected third-party services to operate:

Infrastructure: Cloud hosting (DigitalOcean, AWS)
Payments: Payment processing (Stripe, PayPal) - they have their own privacy policies
Email: Transactional email delivery
Authentication: OAuth providers you choose (GitHub, GitLab, Bitbucket)

All service providers are contractually required to protect your data and use it only as instructed.

6.2 Analytics (Privacy-Focused)

If we use analytics, we use privacy-respecting tools that:

Do not use tracking cookies
Do not collect personal information
Do not share data with third parties
Comply with GDPR without requiring consent (e.g., Plausible Analytics)

We may collect aggregated, anonymous statistics about feature usage to improve the Services.

6.3 Legal Requirements

We may disclose information when legally required:

Court orders, subpoenas, or legal process
Law enforcement requests (we review each request carefully)
Protection of our rights, safety, or property
Prevention of fraud or illegal activity

We will notify you of legal requests unless prohibited by law.

6.4 Business Transfers

If mooncloak is acquired or merged, your information may transfer to the new entity. We will notify you and ensure the new entity honors this Privacy Policy.

6.5 What We Never Do

Never sell your personal information
Never share for advertising purposes
Never provide your code or content to third parties (except as necessary for the Services)

7. Data Retention

We retain data only as long as necessary:

Account Data: While your account is active + 30 days after deletion
Logs: 90 days maximum (unless legally required longer)
Payment Records: 7 years (tax/legal requirements)
Backups: May persist up to 90 days after deletion

After deletion, data is permanently removed and cannot be recovered.

8. Your Rights

8.1 General Rights

You have the right to:

Access: Request a copy of your personal data
Correction: Update inaccurate information
Deletion: Request deletion of your account and data
Portability: Receive your data in a machine-readable format
Objection: Object to certain processing activities
Withdraw Consent: For consent-based processing

If GDPR applies to you, you additionally have:

Right to Restriction: Limit how we process your data
Right to Lodge a Complaint: File complaints with your data protection authority
Right to Not Be Subject to Automated Decisions: No automated decision-making that significantly affects you (we don’t do this)

8.3 CCPA Rights (California Residents)

California residents have the right to:

Know: What personal information we collect, use, and share
Delete: Request deletion of your personal information
Opt-Out: We don’t sell personal information, so no opt-out needed
Non-Discrimination: We won’t discriminate against you for exercising your rights

8.4 How to Exercise Your Rights

Email us at [email protected] or visit /legal/privacy-rights

We will respond within:

30 days for most requests
45 days for complex CCPA requests
1 month for GDPR requests (extendable to 3 months for complex requests)

9. Data Security

We implement industry-standard security measures:

Encryption: TLS/SSL for data in transit, encryption at rest for sensitive data
Access Controls: Role-based access, multi-factor authentication
Security Monitoring: Intrusion detection, regular security audits
Secure Development: Security reviews, vulnerability scanning

However, no system is 100% secure. We cannot guarantee absolute security. You are responsible for protecting your account credentials.

10. Cookies and Tracking

10.1 Essential Cookies Only

We use only essential cookies required for the Services to function:

Authentication (session management)
Security (CSRF protection, fraud detection)
Preferences (user settings)

Essential cookies do not require consent under GDPR or CCPA.

10.2 No Tracking or Advertising Cookies

We do NOT use:

Third-party advertising cookies
Cross-site tracking cookies
Social media tracking pixels
Invasive analytics cookies

Since we only use essential cookies, we do not display cookie consent banners. If we add non-essential cookies in the future, we will:

Update this policy
Request your consent where required
Provide easy opt-out mechanisms

See our Cookie Policy for details.

11. International Data Transfers

Primary Location: United States

If you access the Services from outside the US, your data may be transferred to and processed in the United States.

GDPR Safeguards: For EEA transfers, we rely on:

Standard Contractual Clauses (SCCs) with service providers
Adequacy decisions where applicable
Your explicit consent for the transfer

12. Children’s Privacy

The Services are not intended for children under 13 (or 16 in the EEA). We do not knowingly collect data from children.

If we discover we’ve collected data from a child, we will delete it immediately. Parents/guardians can contact us at [email protected].

13. Changes to This Policy

We may update this Privacy Policy to reflect:

New features or Services
Legal or regulatory changes
Improvements to our practices

Notice of Changes:

Material changes: Email notification + prominent website notice
Minor changes: Posted on this page with updated “Last Updated” date

Continued use after changes constitutes acceptance. If you disagree, please stop using the Services and contact us to delete your account.

14. Do Not Track (DNT)

Some browsers have “Do Not Track” (DNT) signals. Since we don’t track you for advertising purposes, DNT settings do not change our behavior - we already respect your privacy by default.

15. California Shine the Light Law

California residents can request information about disclosure of personal information to third parties for direct marketing. We do not share personal information for direct marketing purposes.

For GDPR-related inquiries, you can contact our data protection contact:

Email: [email protected] or [email protected]

If you’re in the EEA and have concerns we haven’t addressed, you can lodge a complaint with your local data protection authority.

18. Contact Us

Privacy Inquiries: [email protected] Data Requests: [email protected] (or visit /legal/privacy-rights) Security Issues: [email protected] General Legal: [email protected]

19. Summary

What we collect: Minimal data to provide the Services Why we collect it: To make the Services work, keep them secure, and improve them Who we share with: Only essential service providers and when legally required Your rights: Access, delete, correct, port your data Our promise: No selling data, no invasive tracking, no unnecessary data collection

Last Updated: January 11, 2025 Effective Date: January 11, 2025