This Privacy Policy explains how ARIA CAPITAL AND HUMAN PARTNERS SRL ("Mochi", "we", "us") collects and uses personal data when you use the Mochi website and app (the "Service"). We are the data controller for the personal data described here.
We're based in Romania, and we handle personal data in line with the EU General Data Protection Regulation (GDPR) and applicable local law.
1. Who we are
Controller: ARIA CAPITAL AND HUMAN PARTNERS SRL
Registered address: [registered address — TODO]
Company registration: [company registration no. — TODO]
Privacy contact: privacy@mochi.app
2. The data we collect
Account data
When you create an account we collect your email address, a securely hashed password, and a display name. Authentication and account storage are handled by our processor, Supabase.
Study and pet data
We store the content you create — your study cards, your review history and schedule, and the state of your pet (mood, bond, streak, stage). This is the core of the Service and is tied to your account.
Usage analytics
We collect anonymised, aggregated usage data (such as which features are used and general device and browser information) to understand how the Service is used and to improve it. We do not use this to build advertising profiles.
Communications
If you email us, we keep that correspondence. If you opt in, we may send you product and marketing emails; we also send transactional emails (for example, account confirmation and security notices) that are necessary to run the Service.
3. Why we use your data, and our legal basis
- To provide the Service — creating your account, storing your cards, running your review schedule and pet. Legal basis: performance of a contract.
- To improve and secure the Service — analytics, debugging, preventing abuse. Legal basis: our legitimate interests in running a reliable, safe product.
- To send transactional emails — confirmations, security and service notices. Legal basis: performance of a contract and our legitimate interests.
- To send marketing emails — news and tips about Mochi. Legal basis: your consent, which you can withdraw at any time.
- To meet legal obligations — for example, responding to lawful requests. Legal basis: compliance with a legal obligation.
4. Service providers (processors)
We share data with a small number of providers who process it on our behalf, under contracts that require them to protect it:
- Supabase — authentication, database, and hosting of your account and study data.
- Our analytics provider — privacy-conscious, aggregated usage analytics.
- Our email provider — sending transactional and (where you've opted in) marketing email.
We do not sell your personal data, and we do not share it with advertisers.
5. International transfers
Some of our providers may process data outside your country, including outside the European Economic Area. Where that happens, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses to protect your data.
6. How long we keep it
We keep your account and study data for as long as your account is active. If you delete your account, or ask us to, we delete or anonymise your personal data within a reasonable period, except where we must keep some of it to meet a legal obligation. Aggregated, anonymised analytics that can't identify you may be kept longer.
7. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased ("right to be forgotten");
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time, where we rely on it (for example, marketing email);
- lodge a complaint with a supervisory authority — in our case, the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
To exercise any of these, email privacy@mochi.app. We'll respond within the time the law allows.
8. Cookies and local storage
We use cookies and similar local storage only as needed to run the Service — chiefly to keep you signed in — and for the anonymised analytics described above. We don't use advertising or cross-site tracking cookies.
9. Children
The Service isn't directed at children under 16. If you believe a child has given us personal data, contact us and we'll delete it.
10. Security
Passwords are stored hashed, data is encrypted in transit, and access is limited to what's needed to run the Service. No system is perfectly secure, but we take reasonable measures to protect your data and will notify you and the relevant authority of a breach where the law requires.
11. Changes to this policy
We may update this policy as the Service evolves. When we make material changes we'll update the date above and, where appropriate, let you know in the app or by email.
12. Contact
Questions about your privacy? Email privacy@mochi.app.