Privacy Policy
Last updated: 27 May 2026
1. Who we are
Mosher ("we", "us", "our") is a social network for live music fans. Our registered address and data controller contact: [YOUR COMPANY NAME, ADDRESS]. Data protection enquiries: [YOUR DPO EMAIL].
2. Data we collect
- Account data: email address, username, display name, profile photo, bio, location.
- Content: posts, comments, reviews, photos you upload.
- Usage data: gig attendance, likes, friend connections, group memberships.
- Payment data: Mosher+ subscription status. Card details are processed by Stripe and never stored by us.
- Technical data: IP address (for rate limiting, held for 60 days), session cookies necessary for authentication.
3. Legal bases (GDPR Art. 6)
- Contract — providing the service you signed up for.
- Consent — marketing emails (you can withdraw at any time in Settings).
- Legitimate interests — security, fraud prevention, service improvement.
- Legal obligation — complying with applicable law.
4. How we use your data
- Providing and personalising the Mosher service.
- Processing Mosher+ subscription payments via Stripe.
- Sending transactional emails (account confirmation, password reset).
- Sending marketing emails if you have consented.
- Detecting and preventing abuse, spam, and fraud.
- Complying with legal obligations.
5. Data sharing
We do not sell your personal data. We share data only with:
- Supabase — database and authentication hosting (EU West, London).
- Stripe — payment processing. Stripe Privacy Policy.
- Vercel — application hosting (EU region).
- Upstash — rate limiting (no personal data stored, only IP-derived keys for 60 seconds).
- Law enforcement or regulatory bodies where required by law.
6. International transfers
Your data is stored in the EU (Supabase EU West, Vercel EU). Where any transfer outside the EEA occurs, we ensure appropriate safeguards (Standard Contractual Clauses) are in place.
7. Retention
We retain your account data for as long as your account is active. After deletion we retain anonymised aggregate data indefinitely. Financial records (Stripe) are retained for 7 years for tax compliance.
8. Your rights (GDPR)
You have the right to:
- Access — download all your data from Settings → Data Export.
- Rectification — update your profile in Settings.
- Erasure — delete your account from Settings → Delete Account.
- Portability — export your data as JSON from Settings → Data Export.
- Withdraw consent — turn off marketing emails in Settings → Privacy.
- Object or restrict processing — contact us at [YOUR DPO EMAIL].
- Lodge a complaint — with the ICO (UK): ico.org.uk.
9. Cookies
We use the following cookies:
- sb-* (essential): Supabase authentication session. Required for the service to function.
- mosher_cookie_consent (essential): Records your cookie preference.
No third-party advertising or tracking cookies are set without your consent.
10. California residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know — what personal data we collect and how we use it (see sections 2–4).
- Right to delete — delete your account from Settings → Delete Account.
- Right to correct — update your profile in Settings.
- Right to opt out of sale or sharing — we do not currently sell or share your personal data with third parties for their commercial purposes. If this changes, you will be notified and given the opportunity to opt out before any sale occurs. You can manage your data sale preference at any time in Settings → Privacy → "Do Not Sell or Share My Data".
- Right to non-discrimination — exercising your CCPA rights will not affect your access to Mosher.
To exercise your rights, contact us at [YOUR DPO EMAIL] or use the self-service tools in Settings.
11. Age restriction (COPPA)
Mosher is restricted to users aged 18 and over and is not directed at children. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, contact us immediately so we can delete the account.
12. Changes
We will notify you of material changes by email and/or a notice in the app at least 14 days before they take effect.
13. Contact
Questions or requests: [YOUR DPO EMAIL]