Privacy Policy
This Privacy Policy explains how Moonshop ("we", "us", or "our") collects, uses, stores, and protects information when you use our sustainability intelligence platform. We are committed to handling your data — and your clients' project data — responsibly.
1. Who We Are
Moonshop is a software-as-a-service (SaaS) platform for AEC professionals, providing automated carbon analysis and sustainability reporting from IFC building model files. Our contact email is hello@moonshop.app.
For the purposes of UK GDPR, Moonshop is the data controller for account and usage data. For IFC files and project data you upload, you (or your firm) are the data controller and Moonshop is your data processor.
2. What Data We Collect
Account Information
- Your email address (used for login and communications)
- Your firm or company name
- Password (stored as a salted hash — we never store your raw password)
- Subscription and billing information (processed by Stripe — we store a customer reference, not your full card details)
Project Data
- IFC files you upload for analysis
- Analysis results: material quantities, embodied carbon calculations, ratings
- PDF reports you generate and export
- Project names and metadata you provide
Usage Data
- Actions taken in the platform (analysis runs, exports, settings changes)
- Browser type, operating system, and IP address (for security and performance monitoring)
- Session data (to keep you logged in)
- Anonymous visit counts via our analytics beacon
Communications
- Emails you send us (support, queries)
- Transactional emails we send you (account confirmation, password reset, billing receipts)
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Provide and operate the Moonshop platform | Contract (performance of our service) |
| Run carbon analysis on your IFC files | Contract (performance of our service) |
| Process payments via Stripe | Contract (billing for paid plans) |
| Send transactional emails (receipts, password resets) | Contract / Legitimate interest |
| Monitor platform security and prevent abuse | Legitimate interest |
| Improve and develop the platform (aggregated, anonymised) | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Send product updates and news (opt-in) | Consent |
We do not sell your data. We do not sell, rent, or trade your personal data or project data to third parties for marketing or commercial purposes.
4. How Your Data Is Stored
Your data is stored in a PostgreSQL database hosted on Neon (a managed cloud database service). All connections use TLS encryption in transit. Data at rest is encrypted by the hosting provider.
Firm-scoped isolation: Moonshop uses a multi-tenant architecture where each firm's data is logically isolated. Your firm's IFC files, projects, and analysis results are only accessible to users within your firm's account.
Our platform runs on Render, a cloud hosting provider. Both Neon and Render operate infrastructure primarily in the United States, with data transfer governed by appropriate safeguards. See Section 8 for international transfers.
5. Data Retention
- Free tier: Analysis data and IFC files are retained for 30 days from the run date, then automatically deleted.
- Paid plans: Analysis data and IFC files are retained indefinitely until you delete them or close your account.
- Account data: Retained for the duration of your account, plus up to 90 days after closure to allow for account recovery or billing disputes.
- Billing records: Retained for 7 years to comply with UK financial record-keeping requirements.
- Security logs: Retained for 90 days for fraud and abuse prevention.
When you delete an analysis or close your account, we delete your data from our active databases within 30 days. Encrypted backups may retain data for up to an additional 90 days before purging.
6. Cookies and Tracking
Moonshop uses the following cookies and client-side storage:
| Cookie / Storage | Purpose | Type |
|---|---|---|
| Session cookie | Keeps you logged in during your browser session | Strictly necessary |
| polsia_vid (localStorage) | Anonymous visitor ID for aggregate usage analytics | Analytics (no personal data) |
We do not use advertising cookies or third-party tracking pixels. The analytics we collect are aggregated and used only to understand how the product is being used in order to improve it.
Google Fonts is loaded from Google's CDN, which may set browser-level cache data. We do not pass any personal data to Google in this process.
You can disable cookies in your browser settings; however, the platform requires the session cookie to function.
7. Third-Party Services
We use a small number of third-party services to operate the platform:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, billing address, payment method (handled directly by Stripe) |
| Neon | Database hosting | All application data (stored encrypted) |
| Render | Application hosting | Application code, server logs (IP addresses, request metadata) |
| Google Fonts | Typography (CDN) | Browser user-agent, IP (standard CDN request — no account data) |
Each of these providers has agreed to process data only on our behalf, in accordance with their own security and compliance frameworks. Stripe is PCI-DSS compliant. Neon and Render are SOC 2 compliant.
8. International Data Transfers
Our infrastructure providers (Neon, Render) are US-based. Transfers of personal data from the UK to the US are made under appropriate safeguards, including the UK International Data Transfer Agreement (IDTA) and/or Standard Contractual Clauses (SCCs) where applicable.
If you have concerns about international transfers, please contact us at hello@moonshop.app.
9. Your Rights (UK GDPR)
If you are based in the UK or EU, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — ask us to delete your data ("right to be forgotten")
- Right to restriction — ask us to limit how we process your data
- Right to data portability — request your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, you can withdraw at any time
To exercise any of these rights, email us at hello@moonshop.app with the subject line "Data Rights Request". We will respond within 30 days.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Children's Privacy
Moonshop is a professional tool intended for use by adults (18+) in the AEC industry. We do not knowingly collect data from children under 16. If we become aware that we have collected data from a child, we will delete it promptly.
11. Security
We take reasonable technical and organisational measures to protect your data, including:
- TLS encryption for all data in transit
- Passwords stored using bcrypt hashing (never stored in plain text)
- Session tokens with expiry and secure cookie flags
- Database access restricted to application servers only
- Regular security monitoring of access logs
No system is 100% secure. If we become aware of a data breach that affects your data, we will notify you in accordance with our obligations under UK GDPR.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or a prominent notice in the application at least 14 days before the changes take effect.
The "last updated" date at the top of this page will always reflect when the policy was last revised.
13. Contact Us
For any privacy-related questions, data rights requests, or concerns:
Moonshop
Email: hello@moonshop.app
We aim to respond to all privacy queries within 5 business days.