Coin Moebius
Pact · VIII

Privacy

What we collect, what we don't, who we share it with, and how to make us delete it. Plain English first; section headings second.

Last revised: .

1.Who this applies to

"Coin Moebius Cloud," "the Cloud," or "we" means The Aquarian LLC, a Mississippi limited liability company doing business as Coin Moebius. This policy covers the marketing site at coinmoebius.com, the dashboard at app.coinmoebius.com, and the hosted webhook + status API.

The open-source SDK distributed at github.com/aquarian-metals/coin-moebius is licensed separately and runs in the merchant's environment, not ours. This policy doesn't govern data the SDK handles in the merchant's own infrastructure when self-hosted.

2.Information we collect from merchants

If you sign up for an account on the dashboard, we collect:

  • Account email, managed by our authentication provider (WorkOS) for sign-in. This is the most personal piece of information we hold.
  • Project metadata you create: project names, product catalog entries you add, the mailing address you list for pay-by-mail, and the payment provider credentials you paste in (encrypted at rest).
  • Billing information for paid plans, handled by Stripe or NOWPayments depending on the rail you choose. Card numbers, bank details, and crypto wallet addresses go to those providers; we receive only a customer reference and the subscription state.
  • Operational logs: the requests you make to our API, rate-limit counters, error traces. IP addresses in those logs are hashed with a project-specific pepper before storage.

3.Information we collect from buyers

When a buyer pays through one of your buy buttons, we receive a webhook from your payment provider. From that webhook we keep:

  • The transaction amount and currency.
  • The status (succeeded, pending, failed, refunded, disputed, etc.).
  • The provider's event id, so the row can be looked up against the provider's records.
  • Any product metadata you sent on the buy button (e.g., your internal product id).

We do not store buyer email addresses, names, postal addresses, IP addresses (raw), card details, or crypto wallet addresses. Those live in your Stripe and NOWPayments accounts, which are governed by their respective privacy policies. We don't ask the provider for them and we don't keep them when they appear in the webhook payload.

Raw webhook bodies are not retained; we verify the signature, read the fields named above, and discard the rest.

4.Visitors to your site

The buy button script loads from sdk.coinmoebius.com. When a visitor's browser fetches it, our edge sees the request (IP, user-agent, referrer, the project id the button is rendering for). We use that information to serve the script, rate-limit abusive callers, and produce coarse usage counts; we do not set cookies, do not run analytics on that traffic, and do not associate it with the buyer's identity (which we don't have).

If a visitor never clicks the buy button, we never write anything about them to our database. The edge logs are operational and rotate.

5.How we use information

We use the data above to:

  • Operate, maintain, and improve the Cloud.
  • Show you your transactions in the dashboard.
  • Send you the operational emails you signed up for (transaction notifications, billing receipts, security advisories).
  • Detect, investigate, and respond to fraud, abuse, or violations of our terms.
  • Comply with legal obligations.

We do not sell or rent your data, your buyers' data, or your visitors' data to anyone, ever. We do not use any of it for advertising. We do not train machine-learning models on it.

6.Sub-processors

The Cloud is hosted entirely on Cloudflare. Our other production dependencies are limited to the providers listed below. Each one receives only the data needed to do its specific job.

  • Cloudflare: hosting (Pages), serverless compute (Workers), database (D1), object storage (R2), key-value store (KV).
  • WorkOS: merchant sign-in (AuthKit). Sees the merchant's email.
  • Stripe: billing for the Pro monthly plan, on our behalf. Sees billing details for paid subscribers.
  • NOWPayments: billing for the Pro Annual crypto plan. Sees the crypto-payment metadata for that subscription.
  • Resend: transactional email delivery to merchants. Sees the merchant's email and the message body.

If we add or change a sub-processor in a way that affects what data is processed about you, we'll update this list and note it on the changelog. We will publish a changelog when the product is live. We also notify account holders by email.

7.Cookies and tracking

The marketing site at coinmoebius.com sets no cookies and runs no third-party analytics, advertising, or session-replay scripts. The dashboard at app.coinmoebius.com sets a single first-party session cookie used to keep you signed in; that's it.

We do not use Google Analytics, Facebook Pixel, Mixpanel, Segment, LogRocket, FullStory, Hotjar, or any equivalent. We do not embed third-party fonts that beacon the user's IP off-platform; fonts are self-hosted from our edge.

8.How long we keep things

  • Transaction records: kept for as long as your account is active, plus a reasonable archival period after closure (currently up to 12 months) so we can respond to disputes, audits, or your re-activation.
  • Hashed-IP rate-limit data: rotates within 30 days.
  • Operational logs: retained for up to 30 days for incident triage, then aggregated.
  • Account email and project configuration: kept while your account exists; deleted on request per section 10.
  • Billing records: retained as required by tax law (typically seven years for US LLCs).

9.Where data is stored

Cloudflare's global edge serves content close to where the request originates, but persistent stores (D1, R2, KV) are configured to keep our primary data within the United States. Sub-processors run in the jurisdictions they choose (WorkOS in the United States; Stripe globally; NOWPayments in the European Union; Resend in the United States).

We are a Mississippi-based US entity. If you are in the European Union, the United Kingdom, or another jurisdiction with cross-border data-transfer requirements, you are entrusting your data to a US controller; please consult your local rules and decide accordingly.

10.Your rights

Regardless of where you live, you can:

  • See what we have on your account (most of it is already in the dashboard).
  • Correct anything inaccurate.
  • Export your transactions in a machine-readable format.
  • Delete your account and the data tied to it (with the exceptions in section 8 for billing records we are legally required to keep).
  • Object to or restrict any processing we do; in our case there isn't much to object to, since we don't profile, advertise, or train.

To exercise any of these, write to theaquarian@coinmoebius.com from the email on your account. We aim to respond within 30 days.

If you are in the European Union or the European Economic Area, you also have the right to lodge a complaint with your national data-protection authority. If you are in California, the California Consumer Privacy Act gives you a similar set of rights, and we do not sell or share personal information for cross-context behavioral advertising, so the "Do Not Sell" right is, in our case, a no-op (but it still applies).

11.Children

The Cloud is not directed to children under 13 (or under 16 in the European Union), and we do not knowingly collect personal information from them. If you believe we've inadvertently received data about a child, write to us and we'll delete it.

12.Security

Provider credentials and other secrets are encrypted at rest with keys held in Cloudflare's secret store. Connections to and from our edge use TLS. We do not store buyer payment instruments. The full list of security and trust commitments lives on the Trust page; if you've found a vulnerability, instructions for reporting it are there too.

13.Changes to this policy

If we change this policy, we'll update the "Last revised" date at the top, post a note on the changelog when one exists, and, for material changes, email account holders at least 30 days before the new policy takes effect.

14.Contact

Questions about this policy, requests to exercise your rights, or anyone seeking to talk to us in writing about privacy: theaquarian@coinmoebius.com. We are The Aquarian LLC, a Mississippi limited liability company doing business as Coin Moebius.