Privacy Policy
What we collect, why, who we share it with, and how to get it deleted. Written to be read, not to hide behind.
Last updated 5 July 2026
Moonmoot ("Moonmoot", "we", "us") provides an AI advisory board for owner-operated businesses. This policy explains what data we handle when you use our website and product, and your choices over it. It covers both people who visit the site and owners whose businesses use the product.
Information we collect
- Account and contact details you give us: your name, email, phone, business name, industry, and country, whether through the contact form, the instant read, or onboarding.
- Business operating data from the tools you connect (for example a booking system or point of sale): appointments, attendance, clients, staff, and similar records, read to produce your board's analysis.
- Financial data if you connect a bank through an open-banking provider: account balances and transactions, read-only, so the board can compare real cash against booked revenue.
- Documents you choose to share, including files you explicitly pick from Google Drive. See the Google user data section below.
- Public profile references you provide, such as social media or website URLs, which the board reviews using public information only.
- Messages you exchange with the board, including over WhatsApp if you enable it.
- Instant-read submissions: the rough answers you give the free instant read. These are stored without contact details unless you go on to request onboarding.
- Technical and context data: IP address (used for coarse location and security), browser and device type, language, timezone, referring page, and cookieless, privacy-friendly analytics of page visits.
How we use it
- To run the product: generate your board's analysis, briefs, coaching, and proactive messages on your real numbers.
- To respond to enquiries and set up your account, and to give whoever replies useful context on your business.
- To operate, secure, and improve the service, and to understand how the site is used.
- We do not sell your data, and we do not use it for advertising.
AI processing
To produce advice, we send relevant business context to our AI provider, Anthropic. Anthropic processes this to generate a response and, under its commercial API terms, does not use it to train its models. We never ask the AI to invent figures, and the board is designed to say when data is missing rather than guess.
Google user data (Limited Use)
If you connect Google Drive, Moonmoot uses the drive.file scope, which grants access only to the specific files and folders you explicitly select through Google's own file picker. We do not request access to your whole Drive. We read the text of the documents you pick so the board can analyse them (for example a lease, a licence, or an insurance policy), and we store that text and derived search data to answer your questions and flag key dates.
Moonmoot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, do not use it for advertising, do not use it to train generalized AI models, and do not transfer it except as needed to provide the feature or as required by law. You can disconnect Google Drive at any time in your settings, which removes our access; we delete the associated stored documents on disconnection or on request.
Who we share data with
We use a small set of service providers (subprocessors) to run Moonmoot. Each handles only what is needed for its function:
- Anthropic: the AI that generates the board's analysis.
- Hetzner (Germany): hosting and our database.
- Cloudflare: DNS and network protection.
- Resend: sending our own notification emails.
- Open-banking providers (such as Salt Edge or Plaid): only if you connect a bank, to read balances and transactions.
- Your connected tools (such as your booking or point-of-sale system, and Google): to read the data you authorise.
- Meta / WhatsApp: only if you enable WhatsApp messaging.
- An IP geolocation service: to derive coarse location from an IP for context and security.
Analytics are self-hosted on our own server and are cookieless, so page-visit data is not shared with a third-party analytics company.
Retention and deletion
We keep your data for as long as your account is active or as needed to provide the service, and as required for legal and accounting reasons. You can disconnect any integration at any time, which stops further access. To delete your account and associated data, contact us and we will action it. Disconnecting Google Drive removes access and deletes the stored documents from that connection.
Where your data is stored
Our servers and database are hosted in the European Union (Germany). Some subprocessors named above may process limited data elsewhere; where they do, appropriate safeguards apply.
Security
We use encrypted connections (HTTPS), restrict access to credentials, isolate each business's data, and follow least-privilege practices on our infrastructure. No system is perfectly secure, but we take protecting your data seriously and design for it.
Your rights
Depending on where you live (including under UK and EU data protection law), you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise any of these, contact us using the details below.
Cookies
We use a single essential cookie to keep you signed in. We do not use advertising or third-party tracking cookies, and our analytics are cookieless.
Changes
We may update this policy as the product evolves. We will change the date at the top when we do, and for material changes we will make reasonable efforts to notify account holders.
Contact
Questions or requests: privacy@moonmoot.com, or through our contact page. See also our Terms of Service.