Privacy Notice
MOOCHA APP LTD — Last updated: 23 April 2026
Contact details
MOOCHA APP LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: privacy@moocha-app.com
What information we collect, use, and why
To provide our service:
- Names and contact details (email address)
- Account information (username, password, profile picture, bio)
- Website user information (including user journeys and cookie tracking)
- Photographs or video recordings
For the operation of user accounts:
- Account information, including registration details
- Information used for security purposes (session tokens, IP address)
For dealing with queries, complaints or claims:
- Names and contact details
- Account information
- Photographs (where relevant to a reported post)
For website analytics (Google Analytics):
- IP addresses
- Website and app user journey information
- Records of consent, where appropriate
From people who express interest in joining Moocha (waitlist, creator, and brand sign-up forms):
- Email address (waitlist)
- Name, email address, social handle, platforms, website URL, and optional message (creator form)
- Contact name, email address, brand name, social handle, platforms, website URL, and optional message (brand form)
- Consent timestamp for all of the above
Lawful bases and data protection rights
Under UK data protection law, we must have a lawful basis for collecting and using your personal information. Your rights:
- Right of access — you can ask us for copies of your personal information, including details about where we get it from and who we share it with.
- Right to rectification — you can ask us to correct or delete personal information you think is inaccurate or incomplete.
- Right to erasure — you can ask us to delete your personal information. You can also delete your account directly from the Settings page, which permanently deletes all your personal data immediately.
- Right to restriction of processing — you can ask us to limit how we use your personal information.
- Right to object to processing — you can object to us processing your personal information in certain circumstances.
- Right to data portability — you can ask us to transfer your personal information to another organisation or to you directly.
- Right to withdraw consent — where we rely on consent as our lawful basis, you can withdraw it at any time without affecting the lawfulness of prior processing.
We must respond to any request within one month. To make a request, contact us using the details at the top of this notice with the subject line [PRIVACY REQUEST].
You can also exercise your data subject rights via our Trust Center: https://app.prighter.com/portal/19933741352
Our lawful bases
- For providing our service: Contract — we need this information to enter into or carry out our contract with you.
- For the operation of user accounts: Contract — we need this information to enter into or carry out our contract with you.
- For dealing with queries, complaints or claims: Contract and Legitimate interests — we retain records of content reports to investigate abuse, protect users from harmful content, and maintain a safe platform.
- For website analytics (Google Analytics): Consent — we only load Google Analytics after you have given your permission via our cookie banner. You can withdraw consent at any time by adjusting your cookie preferences.
- For waitlist, creator, and brand sign-up forms: Consent — we collect this information only after you have given your explicit consent by ticking the checkbox on the relevant form. You can withdraw consent and request deletion of your data at any time by contacting us at privacy@moocha-app.com.
Cookies
We use cookies to operate our service and, with your consent, to analyse how it is used.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Supabase session (sb-*) | Keeps you logged in | Strictly necessary | Session |
| _ga | Google Analytics — distinguishes users | Analytics (consent required) | 2 years |
| _ga[ID] | Google Analytics — session tracking | Analytics (consent required) | 2 years |
Strictly necessary cookies cannot be disabled as they are required for the service to function. You can manage your analytics cookie preferences at any time using our cookie banner.
Where we get personal information from
Directly from you.
How long we keep information
- Account data (email, username, password, profile): deleted immediately when you close your account
- Posts, photos, videos, captions: deleted when you close your account
- Report records: retained for 3 years, with your identity removed on account deletion
- Session cookies: deleted when your session ends
- Google Analytics data: 2 months
- Email delivery logs: retained by Resend per their data retention policy
- Server logs (IP address): 30 days (retained by Vercel)
- Encrypted database backups: we maintain up to 5 encrypted backups, with older ones deleted as new ones are created
- Waitlist data: retained until you are invited to the platform or withdraw consent
- Creator and brand form data: retained until you are contacted and invited, or withdraw consent
Who we share information with
Data processors — organisations that process personal data on our behalf:
- Supabase — provides our database, user authentication, and file storage
- Google (Google Analytics 4) — provides website analytics
- Resend — provides transactional email delivery
- Vercel — provides website hosting and infrastructure
We may also share information with relevant regulatory authorities (such as the ICO) where required by law. We do not sell your personal data. We do not share your data with advertisers.
Sharing information outside the UK
Where necessary, we transfer personal information outside the UK. When doing so, we comply with UK GDPR, ensuring appropriate safeguards are in place.
| Organisation | Category | Country | Transfer mechanism |
|---|---|---|---|
| Google LLC | Web analytics provider | United States | Addendum to the EU SCCs |
| Resend Inc | Transactional email provider | United States | Addendum to the EU SCCs |
| Vercel Inc | Website hosting provider | United States | Addendum to the EU SCCs |
| Supabase Inc | Database and infrastructure provider | Ireland (EU) | UK adequacy decision — the EU is recognised as providing equivalent data protection |
EU/EEA Representative
We have appointed Prighter Group with its local partners as our privacy representative and your point of contact for the European Union (EU). To exercise your privacy-related rights, visit: https://app.prighter.com/portal/19933741352
DSA Representative
MOOCHA APP LTD has designated Prighter DSA as its legal representative under Art. 13 of the Digital Services Act (DSA). Prighter DSA serves as the addressee for competent authorities in the Member States and in the European Union on all matters related to the DSA.
Security
We take appropriate technical measures to protect your personal data, including encryption in transit (HTTPS), encrypted database backups, row-level security controls, and server-side-only access for privileged operations. No system is completely secure. If we become aware of a data breach that affects your rights, we will notify you and the relevant supervisory authority as required by law.
Children
Our service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with their data, please contact us and we will delete it.
How to complain
If you have concerns about how we use your personal data, contact us using the details at the top of this notice. If you remain unhappy after raising a complaint with us, you can complain to the ICO:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk/make-a-complaint
If you are based in the EU/EEA, you can also complain to your local data protection authority or contact our EU representative Prighter using the details above.
Moocha App is operated by MOOCHA APP LTD, registered in England and Wales (company number 17162582).