Moibay Privacy Policy
Effective: 2026-05-25
1. Who we are
Moibay is operated by Moisei Smolianski as a sole proprietor in Ontario, Canada. Contact: [email protected].
2. What we collect
Shop account data
- Shop name, owner name, email address
- Hashed password (we never see your plaintext password)
- PIN code (hashed) for in-shop user switching
- Subscription status and billing identifiers from Stripe
Customer data the Shop enters
- Customer name, email, phone, address
- Vehicle details (make, model, year, VIN)
- Work-order line items, parts, labor, totals
- Photos and files the Shop uploads (stored on AWS S3)
- Payment records (amounts, methods; full card numbers are never seen by Moibay)
Operational data
- Server logs (IP address, user agent, request paths, timestamps) for security and debugging
- Usage analytics via PostHog (anonymized event names, no PII content)
- Captcha tokens via Cloudflare Turnstile during signup/login
Cookies
- shopAuth — primary session cookie (HTTP-only, signed JWT)
- NextAuth session cookies — secondary user-identity cookie set by PIN sign-in
- adminAuth — internal admin session (not used by shop accounts)
- Clerk session cookies — primary identity provider cookies
- PostHog analytics cookie
3. How we use it
- Operate the Service (display your data back to you, process payments, send invoices)
- Send transactional email via Resend (receipts, password reset, ToS updates)
- Send transactional SMS via Telnyx (work-order status, customer portal links) — Shop opt-in
- Detect abuse, debug, and improve the Service
- Comply with legal obligations
We do not sell personal data. We do not use Shop or Customer data to train AI models. We do not run third-party ad networks on Moibay.
4. Sub-processors
We share data with the following service providers, each only to the extent necessary to operate the Service:
| Sub-processor | Purpose | Region |
|---|---|---|
| Clerk | User authentication and session management | USA |
| Stripe | Subscription billing and payment processing | Global |
| Railway | Application hosting and Postgres database | USA |
| Cloudflare | Captcha (Turnstile), DNS, CDN | Global |
| Resend | Transactional email delivery | USA |
| Telnyx | Transactional SMS delivery | USA |
| AWS S3 | File and photo storage | USA |
| PostHog | Product analytics | EU/USA |
5. Where data is stored
Primary database is hosted on Railway (US region). Backups are encrypted at rest. Customer-uploaded files are stored on AWS S3 (US region). If you require data residency in Canada or the EU, contact us — this is not a default offering yet.
6. Retention
We retain Shop and Customer data for the lifetime of the Shop's active subscription plus 30 days after cancellation. Backup snapshots may retain data for up to 90 days. Billing records are retained for 7 years to meet Canadian tax obligations.
You may request earlier deletion by emailing [email protected]; we will comply unless a legal obligation requires us to retain specific records.
7. Your rights
Depending on where you live (PIPEDA, CCPA, GDPR), you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion
- Export your data in a machine-readable format
- Withdraw consent for non-essential processing
- File a complaint with your local data-protection authority (in Canada: the Office of the Privacy Commissioner)
To exercise any of these rights, email [email protected]. We will respond within 30 days.
8. Security
We hash passwords with bcrypt (cost 12) and PINs with bcrypt. Session cookies are HTTP-only and Secure in production. Database connections use TLS. We do not log plaintext passwords or PINs. Despite these measures, no system is perfectly secure — notify us immediately if you suspect a breach affecting your account.
9. Children
The Service is intended for businesses. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us data, contact us and we will delete it.
10. Changes
We may update this policy. Material changes will require you to re-accept the updated policy on next sign-in. The "Effective" date at the top reflects the current version.
11. Contact
Email: [email protected]