Moonstead

Moonstead Privacy Policy

Effective Date: [EFFECTIVE DATE]. Last updated: [LAST UPDATED].

This Privacy Policy describes how [COMPANY LEGAL NAME] (“Moonstead,” “we,” “us,” or “our”) collects, uses, shares, retains, and protects information when you use the Moonstead website, mobile experiences, and related services (the “Service”). It also describes the choices and rights you have. This Policy is part of, and incorporated into, our Terms and Conditions.

A note on what makes our service different.

Moonstead is a marketplace for spiritual, metaphysical, and intuitive services. To use it, you may share information that is unusually personal — birth dates and times for astrology, names of partners or family members, bereavement details, health concerns, financial worries, or descriptions of relationships. We treat that kind of information with extra care, as described below. Please read sections 3, 4, 6, and 7 closely — they cover how we handle the parts of your data that are most personal to readings and Spiritual Services.

1. Overview

We collect three broad categories of information: (i) information you provide to us (such as your account details, the contents of your reading requests, and messages you send to Sellers); (ii) information generated as you use the Service (such as device and log data); and (iii) information from third parties (such as payment-processor confirmations and identity-verification results).

We use this information to operate the marketplace, route orders to Sellers, detect fraud and abuse, comply with the law, communicate with you, and improve the Service. We do not sell your personal information for money, and we do not currently use the content of your readings or messages to train artificial- intelligence models. If those practices ever change, we will update this Policy and provide notice before the change takes effect.

2. Information We Collect

Account and identity information

When you create an account we collect your name, email address, account credentials (stored as a salted hash, not as a plaintext password), profile picture if you upload one, and your shop or display name if you sell. Sellers also provide additional identity, business, and tax information through our payment processor for KYC and 1099 reporting (see Section 9).

Order, transaction, and payment information

When you make or receive a payment we collect the items purchased, amounts, currency, taxes, fees, refund history, dispute history, the time and IP address of the transaction, and a payment-processor token that lets us settle the transaction. We do not store your full payment-card number, CVV, or bank credentials — those are tokenized and held by our payment processor.

Information you submit to a Seller

The most personal data on Moonstead is what you submit to a Seller as part of an order: questions, names of people in your life, birth data, photos, voice memos, dream descriptions, intentions, and similar. This is treated as Spiritual and Sensitive Information — see Section 3.

Reading deliverables

The text, audio, video, or PDF content that a Seller delivers to you for an order. We store this so you can re-access your purchase, and so we can resolve disputes. See Section 6 for retention specifics.

Communications

Messages you send to Sellers and to Moonstead support, including images and files you attach. See Section 6.

Reviews, favorites, and listing interactions

Your reviews of Sellers, items you favorite, listings you click on, and search terms you enter. We use this to recommend listings and improve search.

Device and usage data

IP address, browser type, operating system, device identifiers, referring URLs, pages visited, and timestamps. This is collected automatically when you use the Service. See Section 10 on cookies.

Diagnostic and crash data

When the website or mobile app crashes or throws an error, we automatically collect technical diagnostics through our error-monitoring provider (Sentry — see Section 9). This includes the error itself (stack trace, file paths, error message), your browser or device type, OS version, IP address, the URL or screen you were on, and a short structural snapshot of your activity in the ~60 seconds before the error (clicks, scrolls, page loads, network requests). All text content you typed, all images on the screen, and all form fields are masked before this snapshot is sent — we never receive your password, payment details, message bodies, addresses, search terms, or any text you have entered. On the mobile app, we also collect native iOS crash reports (which Apple defines as “Diagnostics” data) for the same purpose. This data is used solely to fix bugs and is retained according to Sentry’s data policy (typically 90 days). You can request that we exclude your diagnostics from collection by emailing legal@moonstead.app.

Information from third parties

We may receive limited information from our payment processor (verification results, dispute notices, payout status), our authentication providers if you sign in with a third-party account, and our fraud-prevention vendors. We do not buy data brokers’ lists or merge your account with profiles purchased from advertising data sources.

3. Spiritual and Sensitive Information

Because Moonstead is a metaphysical marketplace, you may share categories of information that are more sensitive than what most online services collect. We call this Spiritual and Sensitive Information. Examples:

  • Birth data. Your date, time, and place of birth (used by astrology and natal-chart Sellers).
  • Spiritual and religious context. The traditions, beliefs, or practices you reference in a reading. We treat this as a special category and do not infer it from your account beyond what you choose to share.
  • Bereavement information. Names, photos, dates, or memories of people who have passed, shared with mediumship or grief-related Sellers.
  • Health-adjacent information. Mentions of physical or mental-health concerns shared with energy work, reiki, or similar Sellers. Moonstead is not a healthcare provider and the information you share is not medical record; it is treated as personal information you have chosen to disclose.
  • Relationship details. Names, photos, and descriptions of romantic interests, ex-partners, family members, or others involved in love-, clarity-, or reconciliation-themed readings.
  • Financial worries. Statements about debts, savings, career concerns, or money goals shared with manifestation or prosperity Sellers.
  • Photos and recordings. Images or audio you upload as part of an order (palm readings, aura readings, voice memos, etc.).

We treat Spiritual and Sensitive Information with the same access controls and encryption as account information, and with shorter retention windows for the parts that are tied to a specific order (see Section 11). We do not advertise against this information, share it with data brokers, or use it to build profiles for sale. We do not use it to train AI models (see Section 7).

Important: any information you share with a Seller is shared with that individual Seller. Sellers are independent contractors, not employees of Moonstead, and we cannot guarantee how they will internally remember or process what you share. Our Seller agreement requires Sellers to use your information only for the order and to delete copies after a reasonable period, but you should share only what you are comfortable a Seller knowing.

4. Information About Other People

Spiritual Services often involve people other than you. You may name a partner, an ex, a family member, a friend, or a deceased loved one in a reading request, and you may upload their photo or a description of them. These people have not agreed to Moonstead’s Privacy Policy and may not know you are sharing information about them.

By submitting information about a third party, you confirm that:

  • You have the legal right to share what you are sharing;
  • You are not sharing information you know to be confidential, medically privileged, or otherwise legally protected (for example, information from a court-sealed proceeding, an employer’s confidential file, or a healthcare provider);
  • You will not name, target, or upload information about a minor (a person under 18);
  • You are not using the Service to surveil, stalk, harass, or attempt to control any specific person.

Moonstead treats third-party information you submit as your User Content for purposes of this Policy and our Terms. If a third party contacts us asking about information you submitted, we will respond consistent with applicable law — including, where required, telling them that the information came from you.

5. How We Use Information

We use the information we collect to:

  • Operate the marketplace — create accounts, list and browse services, route orders to Sellers, deliver reading content, process payments, issue refunds, generate tax forms, and resolve disputes;
  • Communicate with you — transactional emails about your orders, account activity, refunds, and policy updates;
  • Personalize your experience — suggest categories, Sellers, or listings based on your activity and stated interests, without inferring sensitive details that you have not explicitly shared;
  • Detect and prevent fraud and abuse — including chargeback prevention, account-takeover prevention, automated and manual review of listings and messages for policy violations, and identity-based rate-limiting;
  • Comply with the law — respond to subpoenas, court orders, regulator requests, tax-reporting obligations, and similar legal requirements;
  • Improve the Service — debug, performance-monitor, and run aggregate analytics that do not identify individuals;
  • Enforce our Terms — investigate and act on Terms or Seller Policy violations, including by suspending accounts and reversing payouts where appropriate.

6. Reading and Message Content

The actual content of a reading — the question you asked, the cards drawn, the text or audio response from the Seller, the back-and-forth in messages — is the most personal data on Moonstead. Here is exactly how we handle it.

Who can see it

  • You and the Seller you ordered from. Always, for the life of the order and your account.
  • Moonstead trust-and-safety personnel, only when needed to resolve a dispute, investigate a policy violation, respond to a chargeback, or comply with the law. Access is logged.
  • Automated systems, for safety scanning (detection of guaranteed-outcome language, threats, harassment, illegal content, and similar policy violations) and for spam/abuse prevention. These run on encrypted content; reviewer access requires a flagged result.
  • No advertisers. We do not share reading or message content with advertisers, ad networks, or data brokers.

How long we keep it

  • Order content (reading deliverables and the message thread tied to the order): kept for as long as your account is active, plus up to two years after your account is closed, after which we delete it from our active systems. Backups are purged on a 90-day rolling schedule.
  • Standalone Seller–Buyer messages not tied to an active order: we may delete these earlier, typically within 12 months of inactivity.
  • Trust-and-safety records of policy violations: kept longer where reasonably necessary to enforce repeat-violator rules, typically up to five (5) years.

What you can do

You can request deletion of your account and reading content at any time (see Section 12). We will honor the request unless we are required to keep specific records by law (for example, financial records for tax purposes) or to defend an ongoing dispute. In those cases we will retain only the narrow records required and delete the rest.

7. AI, Automated Decisions, and Model Training

Because users frequently ask, we want to be specific:

  • We do not currently use the content of your readings, messages, or Spiritual and Sensitive Information to train, fine-tune, or improve any artificial-intelligence model, and we will not begin doing so without first updating this Policy and providing prominent notice.
  • We may use automated systems to scan listings and messages for policy violations (for example, guaranteed-outcome claims, harassment, or illegal content). The output of those systems may be used to remove a listing, freeze an order, or escalate to a human reviewer. You can contest any automated action by contacting support@moonstead.app.
  • We do not use solely-automated decisions to take any action that produces legal or similarly significant effects on you (for example, banning your account or denying a refund) without human review.
  • Sellers may, in their own practice, use AI tools (for example, to draft a reading or generate an image). Whether and how a Seller uses AI is the Seller’s decision and is governed by their listing description, not this Policy. Sellers are not permitted to upload your reading content or personal information into a third-party AI service without your explicit consent.

8. How We Share Information

We share information in these specific circumstances:

  • With Sellers you transact with — the Seller of an order receives the reading request, your messages on that order, and a buyer label (display name and avatar). Sellers do not receive your billing address, payment method, or full email address by default.
  • With Buyers (if you are a Seller) — Buyers see your shop page, listings, reviews, response time, and messages on their orders. They do not see your legal name, tax ID, payout bank, or home address.
  • With service providers who help us operate the Service (see Section 9), under written agreements that limit them to processing data on our behalf.
  • For legal reasons — in response to subpoenas, search warrants, court orders, regulator requests, or to investigate fraud, abuse, threats to safety, or violations of our Terms.
  • In a business transaction — if Moonstead is involved in a merger, acquisition, asset sale, financing, reorganization, bankruptcy, or similar transaction, your information may be transferred as part of that deal. We will notify you and post a notice if your information becomes subject to a materially different privacy policy as a result.
  • With your consent — for any other purpose, only after you authorize the sharing.

We do not sell your personal information for money, and we do not currently share personal information with third-party advertising networks for cross-context behavioral advertising. If that ever changes, we will update this Policy and provide opt-out tools as required by law.

9. Service Providers and Sub-processors

We use the following third-party service providers (sub-processors) to operate the Service. Each is contractually limited to processing data on our behalf and for the listed purpose:

  • Stripe, Inc. — payment processing, payment-method tokenization, Connect (Seller payouts and KYC), tax calculations, and chargeback handling. Stripe’s privacy practices are governed by Stripe’s Privacy Policy.
  • Cloudflare, Inc. — storage of files, audio, and video you upload (Cloudflare R2), and image hosting and transformation (Cloudflare Images). Also DNS and edge networking.
  • Supabase, Inc. — managed PostgreSQL database hosting for accounts, orders, messages, and reading content.
  • Resend — transactional email delivery (order confirmations, password resets, dispute notifications).
  • Functional Software, Inc. dba Sentry — error monitoring, crash reporting, and performance diagnostics for the website and mobile app. Sentry receives the technical error data, device metadata, IP address, and the masked-text activity snapshot described in Section 2 (“Diagnostic and crash data”). Sentry does not receive any reading content, message bodies, payment data, passwords, addresses, or other text you have typed — all such content is replaced with *** before the snapshot leaves your device. On the mobile app, Sentry also handles native iOS crash diagnostics, which Apple categorizes as “Diagnostics — Crash Data” on the App Store privacy label. Sentry’s privacy practices are governed by Sentry’s Privacy Policy and its Data Processing Addendum.
  • Vercel, Inc. — application hosting and edge runtime.
  • NextAuth identity providers — if you sign in with a third-party account (for example, Google), the provider authenticates you and shares your email address and basic profile with us; we do not receive your third-party account password.

We may add or replace sub-processors as the Service evolves. When we do, we will update this list. If you would like to receive notice of sub-processor changes before they take effect, contact us at legal@moonstead.app.

10. Cookies and Similar Technologies

We use a small set of cookies and similar technologies (local storage, fingerprint-resistant device identifiers) to keep you signed in, remember your preferences, run the cart and checkout, prevent fraud, and measure aggregate traffic. We currently do not use third-party advertising or cross-site tracking cookies.

You can control cookies through your browser settings and through any cookie banner we display. Disabling strictly-necessary cookies will prevent core features (sign-in, checkout) from working.

11. Data Retention

We keep information only as long as we need it for the purposes described in this Policy or as required by law. The summary table:

  • Account profile: while your account is active, plus 30 days after deletion to allow account recovery.
  • Reading content and order messages: see Section 6.
  • Order, payment, and tax records: minimum 7 years (federal tax retention requirement).
  • Dispute and chargeback evidence: minimum 5 years from resolution.
  • Server logs and security telemetry: typically 90 days, longer where investigating an active incident.
  • Marketing-email opt-out records: indefinitely (so we don’t accidentally re-add you).
  • Backups: rolling 90-day window. Deleted data persists in backups for up to 90 days before being purged.

12. Your Privacy Rights

Depending on where you live, you may have one or more of the following rights over your personal information. We honor these rights regardless of where you live, to the extent reasonable:

  • Right to know / access — what personal information we hold about you, and a copy in portable format.
  • Right to correct — if information is inaccurate.
  • Right to delete — subject to the retention requirements in Section 11 and any legal holds.
  • Right to opt out of sale or sharing — we do not sell personal information, and we do not currently share for cross-context behavioral advertising. If that changes, we will provide an opt-out.
  • Right to limit use of sensitive information — see Section 13.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right.
  • Right to appeal — if we deny a privacy request, you can appeal by replying to our denial email.

To exercise any of these rights, email legal@moonstead.app from the email address on your account, or use the in-app account-deletion flow. We may need to verify your identity before fulfilling certain requests — the more sensitive the request, the more we may ask. We respond within the timelines required by your applicable law (typically 45 days under U.S. state laws, 30 days under GDPR).

Authorized agents. California, Colorado, and certain other residents may use an authorized agent to submit requests. We will require the agent to provide written permission and may require you to verify your identity directly.

13. Sensitive Personal Information Under State Laws

Several U.S. state privacy laws (California’s CPRA, Colorado, Connecticut, Virginia, and others) treat certain categories of personal information as “sensitive” or “special” and grant you additional rights over their use.

Information you share on Moonstead may, depending on context, fall into one or more of these categories:

  • Religious or philosophical beliefs (your engagement with metaphysical and spiritual practices);
  • Health or mental-health information you choose to share with a Seller;
  • Precise geolocation (we do not collect this, except as derived from IP for fraud prevention);
  • Account login credentials (always stored hashed, never disclosed).

We use Sensitive Personal Information only for the purposes described in Section 5 (operating the marketplace, security, fraud prevention, complying with the law) and not for inferring characteristics about you, profiling you for advertising, or sharing with third-party advertisers. Where state law requires it, you can request that we limit our use of Sensitive Personal Information to those purposes by emailing legal@moonstead.app.

14. International Users and Data Transfers

Moonstead is operated from the United States. If you use the Service from outside the U.S., your information will be transferred to, stored in, and processed in the U.S. and other countries where our service providers operate. These countries may have data-protection laws that differ from those in your country. By using the Service, you consent to this transfer and processing.

Where required by law, we rely on Standard Contractual Clauses or other approved transfer mechanisms (for example, the EU-U.S. Data Privacy Framework, where applicable to a sub-processor) to protect your information when it leaves the EEA, UK, or Switzerland.

The Service is not currently offered to users in Japan, Mexico, or Thailand (see the Terms, Section 21).

15. Children Under 18

Moonstead is intended exclusively for adults. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has created an account or that someone has submitted information about a minor (for example, a reading request about a child), please contact us at legal@moonstead.app and we will investigate, delete the account or information, and take appropriate action.

16. Security

We protect your information with administrative, technical, and physical safeguards including: encryption of data in transit (HTTPS/TLS), encryption at rest for sensitive fields, hashed and salted password storage, access controls based on the principle of least privilege, audit logging of trust-and-safety access to user content, and regular review of our sub-processors’ security practices.

No system is perfectly secure, and we cannot guarantee that information will never be accessed by an unauthorized party. If we discover a security incident that affects your information, we will notify you and, where required, the relevant regulators within the timelines required by law.

You also have a role in security: choose a strong, unique password; do not share your account; enable any multi-factor authentication we offer; be cautious about what you share with Sellers; and report suspicious activity to support@moonstead.app.

17. Marketing Communications

We may send you transactional emails (order confirmations, dispute updates, policy changes) and, if you opt in, marketing emails (new Seller spotlights, category roundups, promotions). You can opt out of marketing emails at any time using the unsubscribe link in the email or by changing your account communication preferences. We will continue to send transactional emails because they are required to operate your account.

We do not send SMS marketing messages without your express opt-in consent.

18. Changes to This Policy

We may update this Policy from time to time. If we make material changes — for example, beginning to share data with advertisers, beginning to use reading content for AI training, or adding a new sub-processor that materially changes the data flow — we will provide prominent notice (an in-app banner, an email to your account address, or both) at least 14 days before the change takes effect, except where a shorter period is required by law or by a security or legal emergency.

Non-material changes (clarifications, formatting fixes, sub-processor changes that do not change the categories of data shared) take effect on the date listed at the top of this Policy.

19. Contact Us

Questions about this Policy or the way Moonstead handles your information? Contact us at legal@moonstead.app. For privacy requests (access, deletion, correction, etc.), please email from the address associated with your account so we can locate your records and respond efficiently.

Questions? Send our legal team a note.

Goes straight to legal@moonstead.app. We’ll reply to the address you provide.

Postal mail: [COMPANY LEGAL NAME], attn: Privacy, [MAILING ADDRESS].

EU/UK users: our representative under Article 27 GDPR (if applicable) is [GDPR REPRESENTATIVE, if appointed]. You also have the right to lodge a complaint with your national data-protection authority.

Moonstead - Energy-Focused Services