Privacy Policy
Privacy Policy for Moonnight — moonnightapp.com
Last Updated: May 25, 2026
This Privacy Policy describes how Happy Melon Games Corp ("Moonnight", "we", "us", or "our") collects, uses, and protects your information when you use moonnightapp.com and its associated apps (collectively, the "Service").
By using the Service, you agree to the collection and use of your information as described in this policy.
1. Who We Are
Happy Melon Games Corp operates the Moonnight platform — a suite of SaaS productivity apps available at moonnightapp.com.
Contact: support@moonnightapp.com
2. Information We Collect
2.1 Information You Provide Directly
| Data | How Collected | Purpose |
|---|---|---|
| Name | Google OAuth at sign-in | Account creation, personalization |
| Email address | Google OAuth at sign-in | Account identification, transactional emails |
| Profile picture | Google OAuth (optional) | Account display |
| Payment method | Stripe checkout | Processing subscription payments |
Note: We never see or store your full payment card number. Card details are handled exclusively by Stripe.
2.2 Information Collected Automatically
| Data | Collection Method | Purpose |
|---|---|---|
| Pages visited, features used | Vercel Analytics | Product improvement, performance |
| Session duration and interactions | Vercel Analytics | Product improvement |
| IP address | Server logs | Security, fraud prevention |
| Browser type and operating system | Server logs | Technical support |
| UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) | Cookie (30-day expiry) | Ad attribution — understanding which ads drive signups |
| Subscription status and trial dates | Database | Service delivery, access control |
2.3 Information from Third Parties
- Google: When you sign in with Google, we receive your name, email address, and profile picture as permitted by Google OAuth.
- Stripe: We receive subscription status, payment success/failure events, and billing period information via Stripe webhooks.
2.4 What We Do NOT Collect
- Passwords (Google handles authentication — we never see your password)
- Sensitive personal data (health, biometric, financial account numbers)
- Location data beyond IP address
- Data from children under 13
3. How We Use Your Information
We use your information to:
- Provide and operate the Service — authenticate your account, grant app access, track subscription status
- Process payments — create and manage your Stripe subscription, handle billing lifecycle events
- Send transactional emails — trial reminders, payment receipts, account notices (via Resend)
- Measure ad performance — match signups to Meta (Facebook) ad campaigns using UTM parameters and the Meta Pixel (PageView and Purchase events)
- Improve the Service — analyze aggregated, anonymized usage patterns
- Ensure security — detect fraud, prevent abuse, protect against unauthorized access
- Comply with legal obligations — respond to lawful requests, enforce our Terms of Service
We do not use your information to:
- Train AI or machine learning models
- Sell to data brokers or advertisers
- Build advertising profiles for retargeting by third parties (beyond our own Meta ad campaigns)
4. Cookies and Tracking Technologies
4.1 Cookies We Set
| Cookie | Purpose | Duration |
|---|---|---|
| Session/auth cookie | Maintains your login state (set by NextAuth) | Session / until sign-out |
utm_params | Stores UTM attribution from Meta ads for first-touch attribution | 30 days |
4.2 Third-Party Scripts
| Technology | Provider | Purpose | Opt-Out |
|---|---|---|---|
| Meta Pixel | Meta (Facebook) | Tracks PageView and Purchase events for ad campaign measurement | facebook.com/privacy |
| Vercel Analytics | Vercel | Privacy-friendly page view analytics (no cross-site tracking) | vercel.com/legal/privacy-policy |
You can disable cookies in your browser settings. Note that disabling session cookies will prevent you from staying logged in.
5. Information Sharing and Disclosure
We share your information only with the following parties:
| Party | Purpose | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing | Billing email, subscription data | stripe.com/privacy |
| Authentication | Email, name, profile picture | policies.google.com/privacy | |
| Resend | Transactional email delivery | Email address, email content | resend.com/privacy |
| Supabase | Database hosting (PostgreSQL) | All account and subscription data | supabase.com/privacy |
| Vercel | Application hosting and analytics | All data passing through the application | vercel.com/legal/privacy-policy |
| Meta (Facebook) | Ad measurement via Pixel | Anonymized PageView and Purchase events | facebook.com/privacy |
We do not sell your personal information to any third party.
We may disclose your information if required by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Moonnight, our users, or the public.
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, with notice provided to you.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information (name, email) | For the lifetime of your account |
| Subscription records | 7 years (required for tax and financial compliance) |
| Payment records | 7 years (required by law) |
| UTM attribution cookie | 30 days |
| Server logs (IP, browser) | 90 days |
| Usage/analytics data | 24 months (aggregated) |
When you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
7. Data Security
We implement industry-standard security measures including:
- HTTPS/TLS encryption for all data in transit
- Encrypted database connections
- Authentication via Google OAuth (we never store passwords)
- Payment card data handled exclusively by Stripe (PCI DSS compliant)
- Access controls limiting employee access to user data
- Regular security updates to all dependencies
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using reasonable measures.
In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.
8. Your Rights and Choices
8.1 All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and personal data.
- Opt-out of marketing: We do not send marketing emails. All emails are transactional (trial reminders, receipts). You may unsubscribe at any time via the link in any email.
8.2 Canadian Residents (PIPEDA / BC PIPA)
As a Canadian company based in British Columbia, we comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA BC).
Canadian residents have the right to:
- Access: Request access to your personal information we hold.
- Correction: Request correction of inaccurate or incomplete information.
- Withdrawal of consent: Withdraw consent to collection or use of your personal information (subject to legal or contractual restrictions), with reasonable notice.
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or the BC Information and Privacy Commissioner at oipc.bc.ca.
We collect personal information only with your knowledge and consent, and only for the purposes identified in this policy. We do not sell personal information.
8.3 California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to Know: Request disclosure of what personal information we collect, use, disclose, and sell.
- Right to Delete: Request deletion of your personal information.
- Right to Opt-Out of Sale: We do not sell personal information. No opt-out required.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of personal information collected: Identifiers (name, email, IP address), commercial information (subscription and payment history), internet activity (pages visited, features used), geolocation data (IP-derived only).
8.4 EEA/UK Residents (GDPR/UK GDPR)
If you are located in the European Economic Area or United Kingdom, you have additional rights:
- Legal basis for processing: Contract performance (account and billing), legitimate interests (analytics, security, ad attribution), legal obligation (financial record retention).
- Right to portability: Request your data in a structured, machine-readable format.
- Right to restrict processing: Request that we limit how we use your data.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent.
To exercise any of these rights, email support@moonnightapp.com. We will respond within 30 days (PIPEDA/CCPA) or within 1 month (GDPR).
9. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from children under these ages. If you believe we have inadvertently collected personal information from a child, please contact us immediately at support@moonnightapp.com and we will delete the information promptly.
10. International Data Transfers
Moonnight is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country.
For users in the EEA/UK, transfers are made subject to appropriate safeguards including Standard Contractual Clauses where applicable, as provided by our data processors (Stripe, Vercel, Supabase, Resend).
11. Third-Party Links
The Service may contain links to third-party websites. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party sites you visit.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by posting a prominent notice on the Service at least 14 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the most recent changes were made.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.
13. Contact Us
For privacy-related requests, questions, or complaints:
Happy Melon Games Corp Doing business as: Moonnight Email: support@moonnightapp.com Website: https://moonnightapp.com
We will respond to all privacy requests within 30 days.
This Privacy Policy was last updated on May 25, 2026.