Moonshift
Start free
//legal · privacy

Privacy Policy

How Moonshift collects, uses, and protects your data. Plain-English summary up top; legal specifics below.

Effective 2026-04-23 · Last updated 2026-05-17

TL;DR. We collect the minimum we need to let you ship apps: your email, GitHub / Vercel / X / LinkedIn OAuth tokens (to push code and draft posts on your behalf), the prompts you send us, the code the agents write, and usage telemetry. We do not sell your data. We do not train third-party models on your prompts. You can delete your account and export your data any time by emailing [email protected].

1. Who we are

This site and service (“Moonshift”, “we”, “us”) is operated by Harjot Singh Rana (sole proprietor), based in Bengaluru, Karnataka, India. We are the data controller for personal data we collect through https://moonshift.io.

Questions about this policy: [email protected].

2. What we collect

Account data

When you sign up, we collect your email address, name, and a profile image. You can sign in with Google or GitHub OAuth (scopes: openid email profile for Google, user:email for GitHub sign-in), or with an email + password handled by Better Auth. We store an encrypted session token in a cookie to keep you logged in.

OAuth tokens from connected accounts

  • GitHub - to create repositories and push generated code to your account. Scopes: repo, user:email.
  • Vercel - to create projects and trigger deploys. Installation-level access token.
  • X (Twitter)— optional. Used only after you approve a post. Scopes: tweet.write tweet.read users.read offline.access.
  • LinkedIn— optional. Used only after you approve a post. Scopes: w_member_social r_liteprofile.

Tokens are stored encrypted at rest in our Turso database and used only on your behalf for the operations you authorize.

Prompts, generated artifacts, and run metadata

We store the prompts you send, the generated code, the marketing drafts, the hero images, per-phase LLM traces, cost, token counts, and run status. This data is necessary to run the pipeline, let you resume a failed run, and let you iterate on a project.

Billing data

Payments are processed by Dodo Payments. We never see or store your card details. We store your Dodo customer ID, subscription status, and ledger of Moon credit transactions.

Usage analytics

  • Product analytics via PostHog - page views, feature usage, conversion funnels.
  • Error telemetry via Sentry - stack traces, request metadata.
  • Aggregate site analytics via Google Analytics 4 - traffic source, device, country.

You can opt out of analytics and tracking cookies via the cookie banner on your first visit or at any time via your browser settings.

3. How we use your data

  • Run the Moonshift pipeline: generate code, deploy to your stack, draft launch posts, generate images.
  • Let you iterate on projects (chat turns, branching, revert).
  • Invoice you for paid usage and manage Moon credit balances.
  • Send transactional email (ship complete, human-approval pending, payment receipts).
  • Send product updates and launch announcements to your email, with an unsubscribe link in every message.
  • Operate, debug, and secure the service (error logs, anomaly detection, rate limiting).
  • Comply with law, respond to lawful requests, and enforce our Terms.

4. AI model providers and what they do with your data

Running a prompt through Moonshift sends parts of that prompt — and the generated code — to the LLM providers that power the agents. We currently use OpenAI and Anthropic as subprocessors. Your prompts and generated artifacts are transmitted to them only as needed to execute the pipeline.

We have configured our accounts so that your prompts are not used to train third-party models. OpenAI and Anthropic retain API data only for abuse monitoring under their published enterprise-equivalent terms. Review their policies directly: OpenAI Enterprise Privacy · Anthropic Privacy.

5. Sharing and subprocessors

We share personal data only with subprocessors that help us run the service, under contracts that bind them to equivalent protections.

  • Hostinger - VPS infrastructure (web application, Redis, reverse proxy) hosted in India.
  • Turso (managed libSQL) - primary database hosting.
  • OpenAI, Anthropic - LLM inference for the agent pipeline.
  • Cloudflare R2 - storage for generated hero images.
  • Dodo Payments - payment processing.
  • Resend - transactional email delivery.
  • PostHog, Sentry, Google Analytics - product and error analytics.
  • Google - OAuth sign-in (openid, email, profile scopes; sign-in only, no Google Workspace access).
  • GitHub, Vercel, X, LinkedIn - per-user OAuth, only the resources you explicitly authorize. Vercel and GitHub are user-side deploy targets for generated projects; we do not host on Vercel.

We do not sell your personal data, and we do not share it for targeted advertising.

6. Cookies

We use one essential cookie ( better-auth.session_token) to keep you logged in. Analytics cookies are optional and loaded only if you accept them via the cookie banner.

7. Data retention

  • Account data - until you delete your account.
  • Prompts, generated code, and run traces - retained while your project is active. When you delete a project we delete the data within 30 days.
  • Deleted-account purge - within 90 days of deletion request, except where we must retain for billing, legal, or fraud-prevention purposes.
  • Aggregate, anonymized analytics - retained indefinitely.

8. International transfers

Our primary infrastructure (Hostinger VPS) is hosted in India. Our managed database (Turso) and certain analytics subprocessors store data in regional locations outside India, including the United States and the European Union. If you access the service from outside these regions your personal data will be transferred to them. Where an EU-based data exporter is involved, we rely on the EU Standard Contractual Clauses with the relevant subprocessor.

9. Your rights

Depending on where you live, you may have rights to: access, correct, delete, restrict or object to processing, and port your personal data. You also have the right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

10. Children

Moonshift is not intended for children under 13 (or under 16 in jurisdictions that require it). We do not knowingly collect data from children.

11. Security

We use industry-standard encryption in transit (TLS) and at rest. OAuth tokens and secrets are encrypted at the application layer. Access is limited to the operator under multi-factor authentication. No system is perfectly secure — if we learn of a breach that affects you, we will notify you within 72 hours.

12. Changes to this policy

We will post material changes on this page and update the “last updated” date at the top. If a change materially reduces your rights, we will notify you by email.

13. Contact

Harjot Singh Rana (sole proprietor)
Bengaluru, Karnataka, India
Privacy: [email protected]
General: [email protected]