Skip to content
Privacy

Privacy Policy

How MoatKit collects, uses, stores, and protects personal data on the website and inside the iOS and Android app.

Legal identity is not complete yet: add the real postal address in landing/src/config.ts before launch. A privacy notice must identify the controller with reliable contact details.

1. Controller

The controller for the MoatKit website, app, waitlist, Charter reservation flow, and support channels is:

Max Krautwald
[postal address required before launch], 53721 Siegburg, Deutschland
Email: [email protected]

No data protection officer is listed here. If one is appointed or becomes legally required, this policy will be updated with the relevant contact details.

2. Scope

This policy covers the public website at https://moatkit.com, the MoatKit iOS and Android app, pre-launch waitlist and Charter forms, app accounts, purchases, support requests, and app diagnostics.

MoatKit is a founder education and operating tool. It may contain journal entries, tasks, habits, notes, decision logs, community content, profile details, purchase status, and learning progress created or triggered by you.

3. Data we process

Website delivery and security IP address, user agent, request metadata, timestamps, security logs, and basic technical diagnostics. Legitimate interests, GDPR Art. 6(1)(f): secure and reliable operation.
Waitlist and Charter interest Email address, optional name, founder stage, source page, created and updated timestamps. Consent and pre-contract steps, GDPR Art. 6(1)(a) and 6(1)(b).
App account Email address, authentication identifiers, optional name/profile fields, sign-in provider, device session data. Contract performance, GDPR Art. 6(1)(b).
In-app content and progress Lessons viewed, tasks, habits, streaks, notes, journal entries, decision logs, community posts, saved items, and local app preferences. Contract performance and your requested app functionality, GDPR Art. 6(1)(b).
Purchases and entitlement Subscription status, purchase history, Charter order data, refund state, user ID, app entitlement status, invoice and tax records handled by the relevant payment provider. Contract performance and legal obligations, GDPR Art. 6(1)(b) and 6(1)(c).
Notifications Notification permission status, Firebase Cloud Messaging token, notification preferences, delivery/open events, and reminder settings. Consent for push notifications and legitimate interest for delivery reliability, GDPR Art. 6(1)(a) and 6(1)(f).
Analytics and diagnostics Product interactions, feature flag exposure, crash reports, performance data, device identifiers, app version, OS version, and diagnostic logs. Legitimate interests, GDPR Art. 6(1)(f): improve stability, usability, and product quality.
Optional permissions Coarse location if you enable location-based business insights; photos or videos only if you select them for profile or feedback use. Consent and requested functionality, GDPR Art. 6(1)(a) and 6(1)(b).
Support and legal requests Your email, message content, attachments you provide, and metadata needed to resolve the request. Contract performance, legal obligations, and legitimate interests, GDPR Art. 6(1)(b), 6(1)(c), and 6(1)(f).

4. Website forms and analytics

During pre-launch, website email forms submit to a Cloudflare Pages Function and store lead records in Cloudflare D1 unless Loops is configured later. The stored fields are limited to the form data needed to contact you about launch access or Charter interest.

No non-essential website analytics script is currently loaded.

The website does not currently set advertising cookies. The app uses local storage technologies such as Hive, shared preferences, secure storage, and OS-level storage to keep preferences, cached content, and account sessions working.

5. Processors and service providers

  • Cloudflare hosts the website, runs Pages Functions, protects traffic, and stores pre-launch leads in D1.
  • Supabase provides app authentication, database, profile data, community data, and selected synced user content.
  • RevenueCat manages app subscription status and premium entitlements.
  • Apple App Store and Google Play process mobile app subscriptions, trials, renewals, cancellations, refunds, and store receipts.
  • Lemon Squeezy acts as Merchant of Record for the Founders' Charter purchase and handles payment, tax, invoice, and refund processing.
  • Firebase Cloud Messaging delivers push notifications if you grant notification permission.
  • Firebase Crashlytics and Firebase Performance collect crash and performance diagnostics to keep the app reliable.
  • PostHog may process product analytics and feature flag events used to improve the app experience.

Where providers process data outside the European Economic Area, MoatKit relies on appropriate transfer mechanisms such as adequacy decisions, Data Processing Agreements, and Standard Contractual Clauses where applicable.

6. Retention

  • Waitlist and launch email data is kept until launch communications are completed, you unsubscribe, or deletion is requested.
  • Account and app content is kept while your account is active or as needed to provide the app. You may request deletion.
  • Purchase, invoice, refund, and tax records may be retained for statutory accounting and tax periods.
  • Crash, security, and diagnostic logs are kept only as long as reasonably needed for security, debugging, and reliability.
  • Support messages are kept as long as needed to resolve the request and defend or exercise legal claims.

7. Your rights

Under GDPR, you may request access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. Where processing is based on consent, you may withdraw consent at any time with future effect.

You can use in-app export or deletion tools where available, or email [email protected]. We aim to respond within one month unless GDPR permits an extension.

You also have the right to lodge a complaint with a data protection supervisory authority. For the currently configured German location, the likely authority is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia: ldi.nrw.de.

8. Children and sensitive data

MoatKit is intended for founders, entrepreneurs, and business users. It is not directed at children under 16. MoatKit does not intentionally collect special-category data such as health, political, religious, biometric, or genetic data. Please do not enter such data into notes, journals, community posts, or support messages.

9. Automated decision-making

MoatKit does not use automated individual decision-making or profiling that produces legal effects or similarly significant effects on you. Content recommendations and learning suggestions are based on general progress data and do not constitute profiling within the meaning of GDPR Art. 22.

10. Contact

For privacy requests, deletion, export, or questions about this policy, contact: [email protected].

We may update this policy when the app, providers, legal requirements, or data flows change. Material changes will be reflected by updating the date above.