MOALegalPrivacy Policy
LEGAL

Privacy Policy

This policy explains what data MOA collects, why we collect it, how we use it, and the rights you have over your information.

Last updated: May 22, 2026

1. Who We Are

MOA Inc. (“MOA”, “we”, “us”, or “our”) operates the website at mentionsonai.com and the MOA platform (collectively, the “Service”). We are the data controller for personal data collected through the Service.

Registered address: MOA Inc., 548 Market St PMB 72547, San Francisco, CA 94105, United States. You can reach our privacy team at privacy@mentionsonai.com.

2. Data We Collect

2.1 Information You Provide

  • Account data — name, email address, password (hashed), company name, and billing details when you sign up.
  • Scan input data — business name, website URL, and industry category you submit for analysis.
  • Support communications — content of emails or messages you send us.
  • Payment information — processed directly by Stripe; we store only the last four digits of your card and billing address.

2.2 Information Collected Automatically

  • Usage data — pages visited, features used, scan frequency, click paths, and session duration.
  • Device and browser data — IP address, browser type, operating system, screen resolution, and time zone.
  • Log data — server logs including request timestamps, response codes, and referring URLs.
  • Cookies and similar technologies — see Section 7 and our Cookie Policy.

2.3 Information From Third Parties

  • If you sign in via Google OAuth, we receive your name, email address, and profile picture from Google.
  • We may receive limited data from marketing partners about ad campaign performance.

3. How We Use Your Data

PurposeLegal Basis (GDPR)
Providing and operating the ServiceContract performance (Art. 6(1)(b))
Processing paymentsContract performance (Art. 6(1)(b))
Sending transactional emails (receipts, scan results)Contract performance (Art. 6(1)(b))
Security, fraud prevention, and debuggingLegitimate interests (Art. 6(1)(f))
Product analytics and improvementLegitimate interests (Art. 6(1)(f)) or Consent
Marketing emails and product updatesConsent (Art. 6(1)(a)) or Legitimate interests
Legal compliance and regulatory obligationsLegal obligation (Art. 6(1)(c))

4. Data Sharing and Disclosure

We do not sell your personal data. We share data with:

  • Service providers — infrastructure, analytics, email delivery, and payment processing (e.g. Vercel, Supabase, Stripe, Postmark, Posthog). Each is bound by a Data Processing Agreement.
  • AI API providers — anonymised query data may be sent to OpenAI to power scan results. We do not transmit personally identifying information to AI providers.
  • Legal authorities — where required by law, court order, or to protect the rights and safety of users.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is subject to a different privacy policy.

5. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. After account deletion:

  • Account and profile data is deleted within 30 days.
  • Scan history and results are deleted within 30 days.
  • Billing records are retained for 7 years for tax and accounting compliance.
  • Server logs are retained for 90 days for security purposes.
  • Anonymised aggregate analytics data may be retained indefinitely.

6. Your Rights

6.1 EEA and UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area or United Kingdom, you have the following rights under GDPR:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — request deletion of your data, subject to legal retention requirements.
  • Restriction — ask us to temporarily stop processing your data.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint — with your local supervisory authority (e.g. ICO in the UK, CNIL in France, DPC in Ireland).

We will respond to GDPR requests within 30 days of receipt (extendable by a further two months for complex requests).

6.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete — request deletion of your personal information, subject to certain exceptions (e.g. legal obligations, completing transactions).
  • Right to Correct — request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale or Sharing — MOA does not sell your personal information and does not share it for cross-context behavioural advertising. No opt-out is required, but you may contact us to confirm this at any time.
  • Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes beyond those permitted by CPRA. No limitation request is required.
  • Right to Non-Discrimination — we will not discriminate against you (e.g. deny services, charge different prices, or provide a different quality of service) because you exercised any of these rights.

To submit a CCPA/CPRA request, email privacy@mentionsonai.com with the subject line “California Privacy Request” and include your account email address. We will acknowledge receipt within 10 business days and respond substantively within 45 days (extendable by a further 45 days where reasonably necessary).

You may also designate an authorised agent to make a request on your behalf; we may require written proof of the agent’s authorisation and verification of your identity.

6.3 All Other Users

Regardless of location, you may at any time: update your account information, delete your account from the dashboard settings, or unsubscribe from marketing emails using the link in any such email. Contact privacy@mentionsonai.com for any other privacy request.

7. Cookies

We use strictly necessary, analytics, and marketing cookies. You can manage your preferences at any time using the cookie banner or our Cookie Policy page.

8. International Transfers

MOA is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the US. For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO.

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

10. Security

We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, role-based access controls, and regular security audits. No system is completely secure; if you believe your account has been compromised, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email and display the new effective date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.

If you have any questions about this document, please contact us at legal@mentionsonai.com or write to: MOA Inc., 548 Market St PMB 72547, San Francisco, CA 94105, United States.