Sunmoon.co – Privacy Policy

Last updated: 2 May 2025

Sunmoon.co ("Sunmoon," "we," "us," "our") respects your privacy. This Privacy Policy explains what personal data we collect, how we use it, and what choices and rights you have.

1. Data We Collect

| Category | Examples | Purpose | | -------- | -------- | ------- | | Account Data | Name, e-mail, password hash, profile photo, birth date | Create and secure your account, personalise the Service | | Usage Data | Pages visited, clicks, session duration | Analytics, Service improvement | | Location Data | IP-derived geolocation, self-reported city | Show nearby cities, events, or content | | Device Info | Browser type, OS, device identifiers | Debugging, security | | Payment Data | Last 4 digits of card, billing address (processed by Stripe) | Manage subscriptions, detect fraud | | User Content | Reviews, messages, photos | Display to the community | | Cookies / Similar | Session cookies, local storage keys | Keep you logged in, remember preferences |

2. Legal Bases for Processing

Depending on your jurisdiction, we rely on one or more of the following:

• Consent – e.g., marketing e-mails, non-essential cookies.
• Contract – to provide the Service you request.
• Legitimate Interests – Service security, anonymised analytics.
• Legal Obligation – tax or regulatory compliance.

3. How We Use Your Data

1. Operate, maintain, and secure the Service.
2. Personalise recommendations and city rankings.
3. Send transactional or security e-mails.
4. Provide marketing communications you've opted into (you can opt out anytime).
5. Conduct aggregated or pseudonymised analytics.
6. Enforce our Terms and protect Sunmoon and users from misuse or fraud.

4. Sharing & Disclosure

We do not sell your personal data. We may share it with:

| Recipient | Reason | | --------- | ------ | | Cloud providers (e.g., AWS, Supabase) | Hosting and storage | | Payment processor (Stripe) | Complete transactions | | Analytics tools (e.g., PostHog) | Site metrics | | Event organisers | If you RSVP to an event | | Law enforcement | If required by law or subpoena |

All processors must follow strict confidentiality and data-protection obligations.

5. International Transfers

Sunmoon's servers are in Singapore, but partners may process data elsewhere. We use contractual safeguards (e.g., Standard Contractual Clauses) or equivalent mechanisms to protect cross-border transfers.

6. Data Retention

| Data Type | Retention Period | |-----------|------------------| | Account data | While account is active and up to 24 months after deletion (unless longer required by law) | | Payment & tax records | 7 years | | Analytics logs | Up to 24 months, then aggregated or deleted |

7. Your Rights

Subject to local law, you may have the right to:

• Access a copy of your personal data.
• Correct inaccurate data.
• Delete data ("right to be forgotten").
• Restrict or object to certain processing.
• Withdraw consent at any time.
• Receive an export of your data in machine-readable form.

To exercise any of these rights, e-mail [email protected]. We may verify your identity and will respond within the timeframe required by applicable law (usually 30 days).

8. Security

We employ industry-standard safeguards such as encryption in transit and at rest, firewalls, and role-based access controls. No system is 100 % secure; please notify [email protected] immediately if you discover any security vulnerabilities.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect data from them. If you believe a child has provided data, please contact us so we can delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be highlighted on the Site or via e-mail before they take effect. The "Last updated" date at the top indicates the latest revision.

11. Contact

Questions or concerns about privacy? E-mail [email protected].