YourMOA.com

Privacy Policy

Effective date: March 15, 2026 · GDPR Compliant

1. Who We Are

YourMOA.com operates the YourMOA.com website and calculator platform (the "Service"). We are the data controller responsible for your personal data.

For any privacy-related questions or requests, contact us at privacy@yourmoa.com.

2. What Data We Collect

We collect only what is necessary to provide the Service:

  • Account data — email address, username, first name, last name. Provided by you at signup.
  • Authentication data — hashed password, session tokens. Never stored in plaintext.
  • Usage data — deals you save, calculator inputs and results.
  • Billing data — Stripe customer ID, subscription tier. Full payment details are stored by Stripe, not by us.
  • Referral data — referral codes and commission records if you participate in the affiliate program.
  • Team / firm data — team membership and role if you are on a Small or Enterprise plan.

We do not collect sensitive personal data (e.g. health, race, religion, political opinions). We do not use cookies for advertising or tracking. We do not sell your data to third parties.

3. How We Use Your Data

We use your data solely to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your session
  • Process payments and manage your subscription via Stripe
  • Enable team and enterprise plan features
  • Calculate and pay affiliate commissions
  • Send transactional emails (account confirmation, deletion notices, billing alerts)
  • Comply with legal obligations

We do not use your data for profiling, automated decision-making, or marketing without your explicit consent.

4. Legal Basis for Processing (GDPR Article 6)

We process your data under the following lawful bases:

  • Contract — processing necessary to provide the Service you signed up for.
  • Legal obligation — retaining payment records for accounting and tax compliance (typically 7 years).
  • Legitimate interests — fraud prevention, platform security, and service improvement.

5. Data Retention

We retain your personal data for as long as your account is active. If you request deletion, your personal data is permanently deleted after a 14-day grace period (see Section 8 below).

Stripe payment and invoice records are retained for 7 years after your last transaction as required by accounting and tax law. These records are held by Stripe under their own privacy policy and cannot be deleted on request.

Referral commission records are anonymized (personal identifiers removed) rather than deleted, so that financial audit trails remain intact without retaining your identity.

You can download a complete copy of all personal data we hold about you at any time using the Export My Data feature on your Account page. Exports are provided in JSON format as required by GDPR Article 20 (Right to Data Portability).

6. Data Sharing

We share your data only with:

  • Supabase — our database and authentication provider. Data is stored on Supabase infrastructure. See supabase.com/privacy.
  • Stripe — our payment processor. Stripe handles all card data directly. See stripe.com/privacy.

We do not share your data with advertisers, data brokers, or any other third parties. YourMOA.com products are ad-free.

7. Your Rights Under GDPR

If you are in the European Economic Area (EEA), UK, or another jurisdiction with similar data protection laws, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your personal data (see Section 8).
  • Right to restriction — request that we limit processing of your data.
  • Right to data portability — receive your data in a structured, machine-readable format. You can exercise this right directly from your Account page using the Export My Data button, which downloads a complete JSON file of all personal data we hold about you. No request to support is needed.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@yourmoa.com. We will respond within 30 days as required by GDPR.

8. Account Deletion (Right to Erasure)

You can request permanent deletion of your account and personal data at any time from your Account page or directly at Settings → Delete Account.

Upon requesting deletion, a 14-day grace period begins during which you can cancel the request and restore full access. After 14 days, the following is permanently deleted:

  • Your profile (name, username, email)
  • Your saved deals
  • Your team and firm memberships
  • Your login credentials

The following is retained for legal compliance and cannot be deleted:

  • Stripe payment and invoice records (7-year legal requirement)
  • Anonymized referral commission records (financial audit trail)

If you are a Small or Enterprise plan owner, you will be asked to transfer ownership to an Admin or dissolve your plan before your personal account is deleted. Member accounts on your plan are not deleted — only deactivated from the plan structure. Their personal data is theirs to manage independently.

9. Security

We implement industry-standard security measures including encrypted data transmission (HTTPS), hashed passwords, server-side session management, and role-based access controls. We do not store payment card details — all card data is handled directly by Stripe.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Article 33.

10. Cookies

We use only the following cookies, all of which are strictly necessary to operate the Service:

  • sb-* — Supabase authentication session tokens.
  • yourmoa_ref — stores a referral code for 30 days if you arrived via an affiliate link.
  • yourmoa_session_started — records when your session began for our 10-hour session expiry policy.

We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. No consent banner is required for strictly necessary cookies under GDPR Recital 47.

11. International Data Transfers

Your data is processed on infrastructure provided by Supabase and Stripe, which may involve transfers outside the EEA. Both providers maintain Standard Contractual Clauses (SCCs) and other GDPR-compliant transfer mechanisms. See their respective privacy policies for details.

12. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@yourmoa.com and we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time. When we do, we will update the effective date at the top of this page and, where changes are material, notify you by email. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact & Supervisory Authority

For any privacy questions or to exercise your rights, contact us at privacy@yourmoa.com.

If you are in the EEA and believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection supervisory authority.


© 2026 YourMOA.com. All rights reserved.