Privacy Policy
How Moonshop collects and handles data for UK and European AEC customers.
Last updated: 27 March 2026
1. Data controller and scope
Moonshop acts as a data controller for account and operational service data, and as a processor for customer-uploaded project data used to deliver analysis services. This policy applies to website visitors and account users.
2. Data we collect
- Account data: email address, firm name, account identifiers.
- Usage data: page views, sign-in events, analysis and export events, selected plan actions.
- Project data: uploaded IFC files and derived carbon analysis outputs (material/category breakdowns, opportunities, summaries, export files).
- Technical data: security and request metadata used for reliability, abuse prevention, and troubleshooting.
3. How data is stored and isolated
Moonshop stores operational and analysis data in PostgreSQL and applies firm-scoped multi-tenant access controls. Data is segregated by firm context at application level, and customer data is not shared across tenants.
4. Purpose and legal basis (GDPR-aligned)
- Contract performance: to provide uploads, analysis, reporting, and account services.
- Legitimate interests: platform security, fraud prevention, diagnostics, and service improvement.
- Legal obligation: where required for compliance, accounting, or dispute resolution.
5. Data retention
Retention depends on plan and operational requirements. Analysis history and derived outputs are retained while your account is active, subject to plan-specific retention rules and deletion requests. Backups and logs may persist for a limited period for security and recovery.
6. Cookies and session technologies
Moonshop uses essential cookies and session storage for authentication, CSRF protection, and core app functionality. We do not rely on optional advertising cookies to operate the platform.
7. Third-party services
- Hosting/infrastructure: cloud hosting and managed database providers.
- Payments: Stripe for checkout and subscription processing.
- Email: transactional email providers for account and operational notifications.
These providers process data under their own terms and security commitments.
8. UK/EU data rights
Where GDPR/UK GDPR applies, you may request access, correction, deletion, restriction, or portability of personal data, and object to certain processing. To exercise rights, contact info@moonshop.ai.
9. Security
Moonshop applies layered controls including authentication, role/session controls, scoped data access, and operational monitoring. No internet service can be guaranteed as perfectly secure; users should also follow security best practices for credentials and project handling.