Privacy Policy

Last updated: February 24, 2026

This Privacy Policy describes how mog.md ("we", "us", or "our") collects, uses, and shares your personal information when you use our website, CLI tool (mogmd), and API (collectively, the "Service").

Disclaimer: This is a boilerplate privacy policy that is pending review by legal counsel. It is provided for informational purposes based on current data practices.

1. Information We Collect

A. Account Information

When you sign in using GitHub or Google OAuth, we collect your email address, name, and an avatar URL provided by the authentication service. We do not receive or store your passwords.

B. Payment and Wallet Data

When you make a purchase or fund your wallet, your payment is processed by Stripe. We store your Stripe Customer ID, purchase history, and wallet balances. We never collect or store your full credit card numbers or raw payment details on our servers.

C. Seller Information

If you publish packages as a vendor, we collect your vendor profile details (display name, slug, bio, website) and your Stripe Connect account ID. Your profile information and package details will be publicly visible.

D. Usage and Technical Data

We automatically collect certain information about your interaction with the Service, including:

  • Package installation events and search queries.
  • API token usage timestamps.
  • Reviews and ratings you submit.
  • IP addresses (used temporarily for rate limiting and abuse prevention).
  • Error traces and performance data to improve reliability.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Process transactions, manage wallets, and send receipts.
  • Facilitate vendor payouts via Stripe Connect.
  • Enforce your configured spend policies.
  • Prevent fraud, abuse, and secure our systems.
  • Send administrative notifications, such as scan results and purchase confirmations.

3. Cookies and Tracking

We use strictly necessary cookies to maintain your session (NextAuth.js) and protect against Cross-Site Request Forgery (CSRF). We do not use third-party tracking or advertising cookies.

4. Subprocessors and Data Sharing

We share data with trusted third-party service providers (subprocessors) necessary to operate mog.md. These include:

  • Stripe: For payment processing and seller payouts.
  • Railway & Vercel: For hosting our API, databases, and web application.
  • Cloudflare R2: For storing package archives.
  • Resend: For transactional email delivery.
  • Sentry: For error monitoring and performance tracing.
  • OpenAI & Hugging Face: For automated security and quality scanning of package contents (we do not send your personal user data to these AI models, only the contents of uploaded packages).
  • GitHub & Google: As identity providers for OAuth login.

5. Data Retention and Deletion

We retain your personal information for as long as your account is active or as needed to provide you the Service. If you delete your account, we will cascade the deletion to remove your API tokens, vendor profile, wallets, and spend policies. Certain records like historical orders may be retained for accounting and legal compliance purposes.

6. Security

We implement reasonable security measures, including SHA-256 hashing for packages, token hashing, automated secrets scanning, and rate limiting. However, no internet transmission is entirely secure, and we cannot guarantee absolute security.

7. International Data Transfers

Our infrastructure (Railway, Vercel, Cloudflare) is primarily located in the United States. By using the Service, your data may be transferred to, stored, and processed in the US.

8. Children's Privacy

The Service is not intended for or directed at children under the age of 13. We do not knowingly collect personal information from children under 13.

9. Your Rights

Depending on your location, you may have rights to access, correct, delete, or port your personal data. You can manage most of your data directly within your account settings. For other requests, please contact us.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@mog.md.