Privacy Policy

1. Information We Collect

1.1 Personal Information

When you register for an account or use our Service, we may collect the following personal information:

• Email address (required for account creation)
• Name (optional, collected only for manual registration)
• LinkedIn profile URL (optional, user-provided)

1.2 Automatically Collected Information

When you access our Service, we automatically collect certain information, including:

• Device ID (browser-generated identifier stored in local storage)
• IP address (hashed using SHA-256 for GDPR compliance - irreversible one-way encryption)
• Browser type and version
• Usage data (pages visited, time spent, actions taken)

1.3 User-Generated Content

We collect questions, votes, and other content you submit through the Service.

2. Google Sign-In

When you choose to sign up or log in using Google, we use Google's OAuth 2.0 authentication service.

2.1 What We Collect from Google

• Email address only - This is the only piece of information we request from your Google account

2.2 What We DO NOT Collect from Google

• Full name
• Profile picture
• Contacts or address book
• Google Drive files
• Calendar events
• Any other Google account data

2.3 How We Use Google Sign-In Data

• Purpose: Authentication and account creation only
• Scope: https://www.googleapis.com/auth/userinfo.email (minimal required permission)
• Storage: Email address is stored in our EU database (Supabase PostgreSQL, Frankfurt, Germany)
• No surveillance or advertising: We never use Google Sign-In data for surveillance, advertising, or any purpose other than account management
• No data sharing: We do not share your Google account information with third parties

2.4 Your Control

You can revoke Mokabu's access to your Google account at any time by visiting Google Account Permissions. Note that revoking access will not delete your Mokabu account - you will need to contact us separately to delete your account.

Alternative: You can use email/password registration instead of Google Sign-In if you prefer not to connect your Google account.

3. How We Use Your Information

We use the collected information for the following purposes:

• To provide, operate, and maintain our Service
• To authenticate users and manage accounts
• To prevent spam and abuse (rate limiting, reCAPTCHA verification)
• To send transactional emails (welcome, confirmation, password reset)
• To improve and personalize user experience
• To analyze usage trends and optimize performance
• To communicate with you about the Service
• To comply with legal obligations

4. Email Communications

We use Resend (hosted in Ireland, EU region eu-west-1) to send transactional emails, including:

• Welcome emails after registration
• Email confirmation links
• Password reset instructions
• Important account notifications

4.1 What Data We Share with Resend

• Email address only - We do not share your name, usage data, or any other personal information with Resend
• Purpose: Delivery of transactional emails only (not marketing)
• Location: Ireland (EU) - GDPR compliant
• Rate limit: 100 emails per hour (prevents abuse)

For more information, see Resend's Privacy Policy.

5. Data Protection and Security

We implement industry-standard security measures to protect your information:

5.1 Encryption in Transit

• TLS 1.3 / SSL: All data transmitted between your browser and our servers is encrypted using HTTPS
• HSTS: HTTP Strict Transport Security enforces secure connections

5.2 Encryption at Rest

• Database encryption: Supabase PostgreSQL uses AES-256 encryption for data at rest
• Password hashing: User passwords are hashed using bcrypt (one-way, irreversible)
• IP address hashing: All IP addresses are hashed using SHA-256 before storage (GDPR-compliant, irreversible)

5.3 Application Security

• CSRF protection: All data mutations require CSRF token validation
• Rate limiting: Prevents abuse and brute-force attacks (Upstash Redis)
• Row-level security (RLS): Database policies enforce access control
• XSS protection: React auto-escaping prevents cross-site scripting
• SQL injection protection: Parameterized queries prevent SQL injection

5.4 Regular Security Audits

We perform regular security audits and updates to maintain the highest level of protection for your data.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate our Service:

Essential cookies are required for the Service to function and cannot be disabled. Functional cookies enable enhanced features (like preventing duplicate votes) but are not strictly required.

You can control cookies through your browser settings, but disabling essential cookies will prevent you from using certain features of the Service (e.g., logging in, submitting questions).

7. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

• Service Providers: With trusted third-party services that help us operate the Service:
• Supabase (database, authentication) - EU region
• Vercel (hosting, deployment) - EU region
• Upstash Redis (rate limiting) - EU region
• Resend (transactional emails) - Ireland (EU)
• Google (reCAPTCHA spam prevention, OAuth authentication)
• Legal Requirements: When required by law, court order, or to protect our rights and safety
• Business Transfers: In connection with a merger, acquisition, or sale of assets (users will be notified)

All service providers are contractually obligated to protect your data and use it only for the specified purposes.

8. Third-Party Services

Our Service uses the following third-party services:

8.1 Supabase

• Purpose: Database and authentication
• Location: EU region (Frankfurt, Germany)
• What we share: Email, hashed IP addresses, user-generated content
• Privacy Policy: supabase.com/privacy

8.2 Vercel

• Purpose: Web hosting and deployment
• Location: EU region
• What we share: HTTP requests, usage analytics
• Privacy Policy: vercel.com/legal/privacy-policy

8.3 Upstash Redis

• Purpose: Rate limiting (abuse prevention)
• Location: EU region (Frankfurt, Germany)
• What we share: Hashed IP addresses, request counts (temporary, auto-deleted)
• Privacy Policy: upstash.com/docs/common/help/privacy

8.4 Google reCAPTCHA v3

• Purpose: Spam and abuse prevention
• Location: USA (Google servers)
• What Google collects: Browser information, cookies, IP address, mouse movements, browsing patterns
• How it works: Invisible background verification (no CAPTCHA challenges for legitimate users)
• Tracking: Google may track your activity across websites using reCAPTCHA
• Privacy Policy: policies.google.com/privacy
• Terms of Service: policies.google.com/terms

8.5 Resend

• Purpose: Transactional email delivery
• Location: Ireland (EU region eu-west-1)
• What we share: Email address only
• Privacy Policy: resend.com/legal/privacy-policy

9. International Data Transfers

Your personal information may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

9.1 EU-Based Services (GDPR Compliant)

• Supabase - EU (Frankfurt, Germany)
• Vercel - EU region
• Upstash Redis - EU (Frankfurt, Germany)
• Resend - Ireland (EU)

9.2 Non-EU Services

• Google (reCAPTCHA, OAuth): USA servers
• Legal basis: Standard Contractual Clauses (SCCs)
• Protection: Google complies with EU-US Data Privacy Framework
• More info: Google Privacy Frameworks

Where data is transferred outside the EEA, we ensure compliance with GDPR requirements through Standard Contractual Clauses (SCCs) or adequacy decisions recognized by the European Commission.

10. Your Rights (GDPR Compliance)

If you are located in the European Economic Area (EEA), you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restriction: Request limited processing of your data
• Right to Data Portability: Request transfer of your data in a structured, machine-readable format (JSON)
• Right to Object: Object to processing of your data

10.1 How to Exercise Your Rights

Response time: We will respond to all requests within 30 days as required by GDPR. For complex requests, we may extend this period by an additional 60 days and will notify you of the extension.

11. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

11.1 Specific Retention Periods

• User accounts: Until you request deletion or after 2 years of inactivity (we will notify you before deletion)
• Questions and votes: Indefinitely (unless deleted by user or manager)
• Deleted questions: Moved to audit_logs for compliance purposes (accessible only to superadmins)
• Login attempts: Automatically deleted after 1 hour (brute-force protection only)
• Email confirmation tokens: Single-use, expire after 24 hours
• Password reset tokens: Single-use, expire after 24 hours
• CSRF tokens: 7 days (cookie expiration)
• Rate limiting data: Automatically deleted after time window expires (e.g., 1 minute for question submissions)

11.2 Inactive Account Policy

If you do not log in for 2 years, we will send an email notification to your registered email address. If you do not respond within 30 days, your account and all associated data will be permanently deleted.

12. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we are committed to transparency and prompt notification:

12.1 Our Commitment

• Notification timeline: We will notify affected users and relevant authorities within 72 hours of becoming aware of the breach (as required by GDPR)
• Notification method: Email to your registered email address
• What we will disclose:
  • Nature of the breach (what happened)
  • What data was affected
  • Potential consequences
  • Measures we have taken to address the breach
  • Recommended actions you should take

12.2 Our Security Measures

We employ multiple layers of security (encryption, rate limiting, CSRF protection, RLS policies) to prevent unauthorized access. However, no method of transmission over the internet is 100% secure. If you suspect unauthorized access to your account, please contact us immediately at info@mokabu.com.

13. Children's Privacy

Our Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. For material changes that significantly affect your rights, we will also send an email notification to your registered email address.

15. Contact Us

If you have any questions about this Privacy Policy, please contact us at: