Privacy Policy

Last updated: May 8, 2026

Your data in one minute

  • Your moods, notes, symptoms, and journal entries are yours — only you can see them inside your account.
  • No ads. Not now, not later. Mooduna is funded by optional premium subscriptions, nothing else.
  • No third-party tracking, no data sales, no ad networks, no AI training on your data. We don't share your data with advertisers, brokers, or anyone who isn't strictly needed to run the app.
  • We don't read or monitor what you log. Nothing you write triggers alerts, interventions, or calls to anyone.
  • Journal entries are encrypted, passwords are hashed, traffic is HTTPS.
  • You can delete your whole account anytime from Settings — that's true withdrawal of consent under GDPR.

The rest of this page is the long, legally-complete version.

1. Introduction

This Privacy Policy ("Policy") describes how Mooduna ("we", "us", "our") collects, uses, retains, and discloses personal data of users of the Mooduna application and website at mooduna.app (together, the "Service"). By accessing or using the Service, you ("User") acknowledge that you have read and understood this Policy.

2. Who we are (data controller)

Mooduna is operated by Cph Publishing & Service, based in Denmark, the company behind mooduna.app. Under the EU GDPR and UK-GDPR, we are the data controller for any personal data you enter into the Service. You can reach us at the address in section 19 (Contact) with any privacy question, request, or complaint.

3. Data we collect

The Service processes only the categories of personal data listed below. No additional categories are collected.

  • Account information: name, email address, and a bcrypt hash of the User's password (the password itself is never stored).
  • Profile information: display name, age range, country, and any health-related context the User voluntarily provides to personalise the Service.
  • Mood & tracking data: mood logs, tags, journal entries (encrypted at the application layer with AES-256), period entries, medication entries, migraine / seizure / panic-attack / OCD severity logs, and Moments created by the User.
  • Usage data: streak counts, achievement progress, insight rotation history, and feature interactions within the Service.
  • Device data: push-notification subscription details (anonymous browser/device endpoint and keys) where the User has enabled push, and timezone.
  • Payment data: upon purchase of a paid plan, the Service receives and retains the Stripe checkout session identifier, amount, currency, plan tier, and paid-until date. No card details are processed or stored on Mooduna's servers — see section 7.

Operational data (short-lived):

  • Wrong-password attempts: retained briefly to enable rate-limiting against brute-force attacks, then automatically purged.
  • Push-notification subscriptions: the anonymous web-push token registered by each device where the User has enabled push notifications, used to deliver opted-in reminders. Tokens are purged when push is disabled in Settings → Notifications.
  • Server error logs: short-lived technical logs used solely for diagnosing operational faults. No mood content or journal content is included.

4. What we do not store

  • No phone numbers or postal addresses.
  • No location tracking. The Service does not request device GPS or perform IP-based geolocation. The country field is optional and self-reported at sign-up.
  • No advertising or behavioural profiles. No Google Analytics, Meta/Facebook Pixel, TikTok Pixel, Hotjar, Amplitude, Mixpanel, Segment, or equivalent telemetry is integrated.
  • No third-party tracking cookies. A single first-party token in localStorage is used to maintain authenticated sessions on the User's browser.
  • No sale, rental, or sharing of personal data with third parties. Should this position ever change, affected Users will be notified in advance and given the opportunity to delete their account before any such change takes effect.
  • No AI training. Moods, journal entries, symptoms, photos, and check-ins are not used to train any language model, whether operated by Mooduna or any third party. AI chat messages submitted by the User are processed solely to generate a reply (see §10).

5. How we use personal data

Personal data is processed for the following purposes:

  • Provision and personalisation of the Service.
  • Generation of mood insights, patterns, analytics, and trends, displayed exclusively to the User within their own account.
  • Delivery of mood reminders and weekly summaries, where the User has enabled the relevant setting.
  • Processing of Premium subscriptions via Stripe.
  • Service improvement, defect resolution, and security operations.
  • Operation of the AI reflection chat and Your Story feature using context about the User's general wellbeing — excluding journal entries and medication data (see §10). Both features are opt-in.

6. Legal basis (GDPR / UK-GDPR)

For Users located in the EU or the United Kingdom, the following legal bases under Article 6 of the GDPR apply:

  • Contract (Art. 6(1)(b)): processing necessary for the performance of the contract to which the User is a party — including account provisioning, mood logging, generation of personal insights, and operation of paid subscriptions. The generation of personal insights, patterns, and analytics within the User's account constitutes part of the core service requested by the User.
  • Legitimate interest (Art. 6(1)(f)): short-lived rate-limiting on wrong-password attempts and the retention of server error logs, balanced against the User's interest in a secure and reliable service.
  • Consent (Art. 6(1)(a)): push notifications and weekly summary emails, both of which are optional and may be enabled or disabled by the User at any time in Settings. The AI reflection chat and Your Story feature are also opt-in; consent is provided each time the User chooses to use them. Consent may be withdrawn by deleting the relevant AI chat conversation or by deleting the User's account (which also removes any generated Stories).

For the purposes of Article 9 of the GDPR, "special-category" data processed by the Service includes mood, symptoms, severity ratings, period data, migraine, seizure and panic-attack records, and related wellbeing information.

Such data is stored solely as entered by the User and is accessible only within the User's own account. It is not disclosed outside the User's account and is not used for any other purpose, including advertising, research, resale, or profiling beyond the personal insights and analytics generated within the Service. Processing of special-category data is therefore based on Article 9(2)(a) — the User's explicit consent, which is provided each time the User chooses to log a mood, habit, symptom, period day, migraine event, or journal entry.

The Service does not carry out any automated decision-making or profiling that produces legal or similarly significant effects on the User within the meaning of GDPR Article 22. Insights, patterns, badges, and predictions generated within the Service are displayed solely to the User, are informational in nature, and are not used to make any decision about the User outside the Service.

7. Payments

Where the User purchases a paid plan (monthly, yearly, or lifetime), payment processing is performed exclusively by Stripe, Inc. (San Francisco, CA, USA) under Stripe's own privacy policy at stripe.com/privacy. Mooduna does not see, process, or store card numbers, expiry dates, CVC codes, or billing addresses. Mooduna's servers receive and retain only the Stripe checkout session identifier, amount, currency, plan tier, and paid-until date for the purpose of administering the User's subscription. Stripe webhooks are verified by signing secret prior to acceptance of any subscription update. Subscriptions may be cancelled at any time via Settings → Billing.

8. Sub-processors

The Service relies on the following third-party processors. Each processes only the minimum personal data required to perform its function:

  • Stripe (payments) — card details, billing country, and subscription lifecycle data. Privacy policy: stripe.com/privacy.
  • MongoDB (database) — all stored account and tracking data identified in §3.
  • Anthropic (AI chat & Your Story) — engaged only where the User opts in to the AI reflection chat or generates Your Story. Messages and relevant mood context are processed by Anthropic's Claude API to produce replies and summaries. Anthropic's API terms prohibit training on submitted data; payloads may be retained by Anthropic for up to 30 days for safety and abuse review, after which they are deleted.
  • A transactional email provider — engaged solely to deliver password-reset emails and the weekly summary email where the User has opted in. Receives only the recipient's email address and the message content.
  • Web-push services — where the User has enabled push notifications, payloads transit the standard Web Push infrastructure provided by the User's browser or operating system vendor. Payloads are encrypted with VAPID keys and cannot be read by such intermediaries.
  • Hosting provider — operates the Mooduna server and serves the web application from EU/US data centres under a standard GDPR Data Processing Addendum.

The Service does not integrate Google Analytics, Meta/Facebook Pixel, advertising networks, session-replay tools, AI/ML training APIs, or any other third-party telemetry.

9. Data storage & security

  • Encryption in transit: all connections are protected by HTTPS / TLS. The HSTS header is set to prevent downgrade to HTTP.
  • Encryption at rest: the database provider encrypts storage volumes by default. Journal entries are subject to an additional application-layer AES-256 encryption. This encryption is not end-to-end: Mooduna's servers retain the technical capability to decrypt journal text in order to render it within the Service and operate related features. Mooduna does not manually access journal entries, mood data, or AI conversations except where strictly necessary for security investigations, legal compliance, or abuse prevention.
  • Passwords are hashed using bcrypt and are never stored or logged in plaintext. Mooduna is unable to recover a User's password; password reset is available from the login screen.
  • Account-scoped access: every API request requires a session token bound to a specific user identifier; all queries are filtered by user identifier such that cross-account data access is not architecturally possible.
  • Rate limiting: per-IP request limits and lockout following repeated wrong-password attempts.
  • Stripe webhook signatures are verified for every inbound billing event; unsigned events are rejected.
  • CORS is restricted to Mooduna's own origins; no third-party site may invoke the API on a User's behalf.
  • Sessions automatically expire after 30 days of inactivity, requiring re-authentication.
  • No source maps are exposed in production. Conservative security headers (CSP, X-Content-Type-Options, Referrer-Policy) are applied.

10. AI chat, Your Story & your data

When you consent and use the Mooduna AI chat or generate Your Story, your messages, selected mood summaries, recent mood patterns, and related non-journal wellbeing context are sent to an AI service to generate responses or summaries. Journal entries and medication data are never sent to the AI.

Mooduna uses the Claude AI model from Anthropic to power both features. This means the relevant data is processed by Anthropic through their secure API so the AI can respond.

Your conversations and Your Story prompts are not used to train AI models. Under Anthropic's API terms, the data sent to their system is only used to generate responses and may be temporarily stored for up to 30 days for safety and abuse monitoring. After that, it is automatically deleted by Anthropic.

Mooduna's own storage of AI content is separate from Anthropic's temporary API retention described above. Mooduna stores AI conversations and generated Stories inside your account so you can re-read them — until you delete them or delete your account. We do not maintain any further long-term records of AI content beyond what is shown in your account history.

For your own privacy, we recommend not sharing sensitive personal information in the chat, such as your full name, address, social security number, passwords, or financial information.

You are always in control of your data. You can delete any AI chat conversation at any time, and when you do, it disappears from your history immediately and is removed from our active systems within 30 days. Your Story cannot be deleted individually — to remove it, delete your account.

Insights, trends, scores, predictions, and AI-generated reflections shown inside Mooduna are informational only. They may be inaccurate, incomplete, or change over time as more data is logged. They are not a substitute for professional advice.

Mooduna AI is here to help you reflect safely and notice patterns, but it is not a clinical tool, does not diagnose, treat, or provide medical guidance, and cannot replace real-life support. Mooduna is not monitored in real time and is not intended for crisis support, emergency response, or suicide-prevention services. If you are in immediate danger or experiencing a mental-health emergency, contact local emergency services or a qualified professional.

11. Data sharing

The Service does not sell personal data. Personal data is shared solely with the sub-processors identified in §8, in each case strictly limited to the minimum necessary for operation of the relevant feature.

The Service does not monitor, review, or act upon User-logged content. Moods, notes, journal entries, symptoms, severity ratings, and check-ins are not read or evaluated by Mooduna. Mooduna will not contact any third party on the User's behalf — including healthcare providers, therapists, schools, social services, family members, or emergency services — based on any content logged within the Service.

12. Retention

  • Account: upon User-initiated account deletion, the account becomes immediately inaccessible and is scheduled for permanent deletion from production systems. Residual copies may persist in encrypted backups for up to 14 days before automatic overwrite, after which the data is fully purged.
  • Mood logs, journal entries, periods, medications, symptoms, and Moments: retained for the duration of the User's account to enable historical review. No automatic deletion is applied. Individual records may be deleted by the User from within the Service.
  • AI chat messages: retained until the User deletes the conversation or deletes the account; removed from active systems within 30 days of deletion.
  • Your Story: retained for the duration of the User's account; removed only upon account deletion. See §10 in respect of Anthropic's separate retention.
  • Wrong-password attempts: rate-limit counters expire shortly after the lockout window.
  • Server error logs: retained briefly for diagnostic purposes, then expired.
  • Push-notification subscriptions: retained while the device remains registered; purged upon disabling push notifications or account deletion.
  • Payment transactions: retained for up to 7 years where required by applicable tax or accounting law; otherwise purged upon account deletion.
  • Backups: daily database snapshots are retained for up to 14 days and then overwritten. A deleted account may persist within a backup for that period; thereafter it is fully purged.

13. International transfers

The database and application servers are operated in EU and US data centres. Where personal data is transferred from the EU/UK to a non-adequacy jurisdiction (currently Stripe and Anthropic in the United States), such transfers are governed by Standard Contractual Clauses (SCCs) concluded with the relevant sub-processor. Personal data is not transferred to jurisdictions subject to government surveillance programmes that are incompatible with the requirements of EU/UK data-protection law.

14. Data breach & incident response

Notwithstanding all reasonable security measures, no system can be guaranteed wholly secure. In the event Mooduna becomes aware of a personal-data breach affecting Users, Mooduna will:

  • investigate and take prompt steps to contain and remediate the breach;
  • notify the relevant supervisory data-protection authority within 72 hours, as required by GDPR Article 33;
  • notify affected Users without undue delay, with details of the breach and the personal data involved;
  • display an in-app notice on next login to ensure timely awareness across all devices.

Mooduna implements industry-standard safeguards (password hashing, HTTPS, rate-limiting, input sanitisation, application-layer encryption of journal entries). The User acknowledges that providing personal data online carries inherent risk. Nothing in this Policy excludes or limits any liability that cannot lawfully be excluded or limited under applicable law, including, where relevant, the EU GDPR and UK-GDPR.

15. User rights

Under the GDPR, UK-GDPR, and California Consumer Privacy Act ("CCPA"), Users have the following rights:

  • Access: review tracked personal data within the Service at any time.
  • Rectification: update profile and account settings within the Service.
  • Erasure ("right to be forgotten"): initiate account deletion via Settings → Account → Delete account. Such deletion is immediate within the application, irreversible, and cascades to all associated records (subject to the backup window in §12).
  • Restriction / Objection: disable push notifications and weekly summary emails at any time via Settings → Notifications.
  • Withdrawal of consent: disable push notifications and weekly summary emails via Settings → Notifications. For AI chat, deletion of an individual conversation withdraws consent in respect of that conversation. Your Story may not be deleted individually; withdrawal in respect of Your Story is achieved by account deletion.
  • Right to lodge a complaint: Users may lodge a complaint with their local data-protection supervisory authority.

16. Cookies & local storage

Mooduna uses local storage to keep you signed in (a single first-party session token) and to remember preferences (theme, dismissed banners, dashboard ordering). We do not use third-party tracking cookies, advertising cookies, or session-replay tools.

17. Eligibility & age requirements

The Service is available only to Users aged 15 years or older. Persons under 15 may not access the Service or create an account.

Users between 15 and 18 (or the age of legal majority in the User's jurisdiction) may use the Service only with the involvement and consent of a parent or legal guardian.

By accessing or using the Service, the User represents and warrants that:

  • the User meets the minimum age requirement;
  • where the User is below the age of legal majority, a parent or legal guardian has consented to such use.

Mooduna is not responsible for verifying parental or guardian consent and disclaims liability for any misrepresentation of age. Parents and legal guardians remain responsible for the acts and omissions of minors under their supervision.

Where Mooduna is notified that a person under 15 has created an account, Mooduna will remove the account upon verification (see §19). For data relating to persons under 13, Mooduna is legally required to delete all such data, typically within one business day of notification.

18. Changes to this Policy

Mooduna may update this Policy from time to time, including in response to new features that affect data processing or to reflect changes in applicable law. Material changes will be communicated by an in-app notice displayed for 30 days and a corresponding update to the "Last updated" date at the top of this Policy. Continued use of the Service following such changes constitutes acceptance of the updated Policy.

19. Contact

The Service is operated by Cph Publishing & Service, based in Denmark.

For questions, data-subject requests (including access, deletion, restriction, or portability), or other privacy-related correspondence, please contact mooduna.app@gmail.com. Mooduna aims to respond within 7 calendar days.

This Policy is intended to comply with the EU GDPR, UK-GDPR, the California Consumer Privacy Act, and applicable principles of good-faith privacy practice. Nothing in this Policy is intended to confer rights weaker than those required by applicable law; where a User's local law grants stronger rights, those stronger rights apply.

Made by danes 🇩🇰