Privacy Policy
Last updated: March 19, 2026
This Privacy Policy describes how mog.md (“we”, “us”, or “our”) collects, uses, and shares your personal information when you use our website, CLI tool (mogmd), and API (collectively, the “Service”).
1. Information We Collect
A. Account Information
When you sign in using GitHub or Google OAuth, we collect your email address, name, and an avatar URL provided by the authentication service. We do not receive or store your passwords.
B. Payment and Wallet Data
When you make a purchase or fund your wallet, your payment is processed by Stripe. We store your Stripe Customer ID, purchase history, and wallet balances. We never collect or store your full credit card numbers or raw payment details on our servers.
C. Seller Information
If you publish packages as a vendor, we collect your vendor profile details (display name, slug, bio, website) and your Stripe Connect account ID. Your profile information and package details will be publicly visible.
D. Usage and Technical Data
We automatically collect certain information about your interaction with the Service, including:
- Package installation events and search queries.
- API token usage timestamps.
- Reviews and ratings you submit.
- IP addresses (used temporarily for rate limiting and abuse prevention).
- Error traces and performance data to improve reliability.
E. Communications
When you contact us for support, legal inquiries, or other requests, we collect the contents of your correspondence, including your name and email address. We use this data to respond to you, improve our support processes, and comply with legal obligations.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Process transactions, manage wallets, and send receipts.
- Facilitate vendor payouts via Stripe Connect.
- Enforce your configured spend policies.
- Prevent fraud and abuse, and secure our systems.
- Send administrative notifications, such as scan results and purchase confirmations.
- Compile aggregate, anonymized statistics on package usage and marketplace trends.
We do not sell your personal information to third parties.
3. Cookies and Tracking
We use strictly necessary cookies to maintain your session and protect against Cross-Site Request Forgery (CSRF). We do not use third-party tracking or advertising cookies.
Do Not Track
We do not track users across third-party websites. Because we do not use third-party tracking or advertising cookies, the Service responds to Do Not Track (DNT) signals by default — there is no cross-site tracking to disable.
4. Subprocessors and Data Sharing
We share data with trusted third-party service providers (subprocessors) necessary to operate mog.md. We do not sell or rent your personal information. These providers include:
- Stripe: Payment processing and seller payouts (United States).
- Railway: API and database hosting (United States).
- Vercel: Web application hosting (United States).
- Cloudflare R2: Package archive storage (United States).
- Resend: Transactional email delivery (United States).
- Sentry: Error monitoring and performance tracing (United States).
- OpenAI & Hugging Face: Automated security and quality scanning of package contents — we do not send your personal user data to these services, only the contents of uploaded packages (United States).
- GitHub & Google: Identity providers for OAuth login (United States).
5. Data Retention and Deletion
We retain your personal information for as long as your account is active or as needed to provide you the Service. If you delete your account, we will cascade the deletion to remove your API tokens, vendor profile, wallets, and spend policies. Certain records like historical orders may be retained for accounting and legal compliance purposes.
6. Security
We implement reasonable security measures, including SHA-256 hashing for packages, token hashing, automated secrets scanning, and rate limiting. However, no method of transmission over the internet or electronic storage is fully secure, and we cannot guarantee absolute security.
7. International Data Transfers
Our infrastructure (Railway, Vercel, Cloudflare) is primarily located in the United States. By using the Service, you consent to the transfer, storage, and processing of your data in the United States. We strive to take appropriate safeguards to ensure your personal information remains protected consistent with applicable data protection laws.
8. Children's Privacy
The Service is not intended for or directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly.
9. Your Rights
Depending on your location, you may have rights under applicable data protection laws, including:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct or update inaccurate information.
- Deletion: Request that we erase your personal data, subject to legal retention obligations.
- Portability: Receive your personal data in a structured, commonly used format.
- Restriction: Ask us to limit how we process your data in certain circumstances.
- Objection: Object to our processing of your data where we rely on legitimate interests.
You can manage most of your data directly within your account settings. For other requests, please contact us at privacy@mog.md. We will respond to verified requests within 30 days, or as required by applicable law.
California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect, request deletion of your data, and opt out of the sale of your personal information. We do not sell personal information as defined under the California Consumer Privacy Act (CCPA).
European Economic Area Residents (GDPR)
If you reside in the EEA, Switzerland, or the United Kingdom, we process your personal data on the following legal bases: (1) your consent; (2) as necessary to perform our agreement to provide the Service; and (3) as necessary for our legitimate interests where those interests do not override your fundamental rights and freedoms. You may contact your local data protection authority if you have concerns about how we handle your data.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the website or by email. Your continued use of the Service after such changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions about this Privacy Policy, please contact us at privacy@mog.md.