policy Legal

Privacy Policy

Last updated: June 01, 2025  ·  Effective: June 01, 2025

At mocaxr ("we," "us," or "our"), we take the privacy of our users seriously. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website and augmented reality (AR) card platform (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use immediately.

info

Paddle as Merchant of Record: All payments on xrCard are processed by Paddle.com Market Limited ("Paddle"), acting as our Merchant of Record. When you purchase a subscription, you are transacting directly with Paddle. Paddle's own Privacy Policy applies to data Paddle collects as part of payment processing.

business

1. Data Controller

The data controller responsible for your personal data is:

mocaxr
[YOUR_COMPANY_ADDRESS]
[CITY, COUNTRY]
Email: [CONTACT_EMAIL]
Website: [YOUR_WEBSITE_URL]

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we are the data controller of your personal data under the General Data Protection Regulation (GDPR) and applicable national laws.

database

2. Personal Data We Collect

2.1 Data You Provide Directly

check_circle
Account Registration: Full name, username, email address, password (hashed — never stored in plain text). If you use social login (Google or Facebook), we receive your name, email address, and profile picture from that provider.
check_circle
Billing & Payment: Billing name, billing address, city, state/province, ZIP/postal code, country, and VAT/Tax ID (for business accounts). Card details are never stored on our servers — they are collected and processed exclusively by Paddle.
check_circle
Profile Information: Profile photograph you choose to upload, display name, and any other optional information you add to your account.
check_circle
Communications: Messages you send us via contact forms, support requests, or email correspondence.
check_circle
User-Generated Content: AR trigger images ("markers"), xrCard metadata (title, description, custom fields), linked digital content (videos, galleries, 3D model references), and QR code configurations.

2.2 Data Collected Automatically

sensors
IP Address & Location: We collect your IP address on each request. We use it to detect your approximate geographic location (country level) via the MaxMind GeoIP database, to comply with tax regulations, and to protect our Service against fraud and abuse.
sensors
Device & Browser Data: Browser type and version, operating system, device type, screen resolution, and referral URL — collected automatically when you visit our pages.
sensors
Usage Data: Pages visited, features used, xrCards created, QR code scan counts, session duration, and interaction events.
sensors
Log Files: Standard server log files containing IP addresses, browser data, request timestamps, and error information.
sensors
Cookies & Similar Technologies: See Section 5 (Cookies) for full details.

2.3 Data from Third Parties

hub
Paddle: We receive payment status, subscription status, transaction IDs, and billing country from Paddle for the purpose of managing your account plan and issuing access rights.
hub
Google / Facebook OAuth: If you log in via Google or Facebook, we receive your name, email address, and profile picture as shared by those platforms.
hub
MaxMind GeoIP: Country-level location derived from your IP address using the MaxMind GeoLite2 database stored locally on our servers. No data is sent to MaxMind's external servers.
settings

3. How We Use Your Data

We process your personal data on the following legal bases:

Purpose Lawful Basis (GDPR)
Providing and operating the Service (account creation, xrCard management, QR code generation) Contract performance (Art. 6(1)(b))
Processing payments and managing subscriptions via Paddle Contract performance (Art. 6(1)(b))
Sending transactional emails (account verification, password reset, invoices) Contract performance (Art. 6(1)(b))
Detecting your country for tax and pricing compliance Legal obligation (Art. 6(1)(c))
Maintaining security, preventing fraud and abuse Legitimate interest (Art. 6(1)(f))
Improving the Service through aggregated usage analytics Legitimate interest (Art. 6(1)(f))
Responding to support requests and communications Legitimate interest (Art. 6(1)(f))
Sending marketing communications (only with your consent) Consent (Art. 6(1)(a))
Complying with legal obligations, tax laws, court orders Legal obligation (Art. 6(1)(c))
share

4. Data Sharing & Third-Party Processors

We do not sell, rent, or trade your personal data. We share it only with the following categories of recipients, and only to the extent necessary:

payments
Paddle.com Market Limited (Merchant of Record) Privacy Policy ↗

Role: Payment processing, subscription management, tax compliance, invoicing

Legal basis: Contract performance; Data Processing Agreement in place

Location: United Kingdom / Global

g_mobiledata
Google LLC Privacy Policy ↗

Role: OAuth login (Google Sign-In), reCAPTCHA (bot protection), Google Fonts (typography)

Legal basis: Legitimate interest; consent for social login

Location: United States

face
Meta Platforms, Inc. (Facebook) Privacy Policy ↗

Role: OAuth social login (optional, user-initiated)

Legal basis: Consent

Location: United States

location_on
MaxMind, Inc. (GeoLite2) Privacy Policy ↗

Role: Country detection from IP address — database is stored locally on our servers; no data is transmitted to MaxMind.

Legal basis: Legitimate interest

Location: Database is local (no external transmission)

gavel
Legal Authorities

Role: Law enforcement, courts, or regulatory bodies when required by applicable law, court order, or to protect rights and safety.

Legal basis: Legal obligation

Location: Jurisdiction-dependent

cookie

5. Cookies & Tracking Technologies

We use the following cookies and similar technologies:

Cookie Category Purpose Duration
PHP Session (PHPSESSID) Strictly Necessary Maintains your logged-in session across pages. Session (browser close)
qarm Strictly Necessary "Remember me" authentication token — keeps you logged in across browser restarts. 30 days
Google reCAPTCHA Security / Functional Bot detection on registration and login forms. Set by Google. Session / ~6 months
Google OAuth Functional Social login state management. Set by Google. Session
Facebook OAuth Functional (if used) Social login state management. Set by Facebook. Session
Analytics (admin-configured) Analytics (optional) The site administrator may add third-party analytics (e.g., Google Analytics) via the site settings. These cookies are governed by the respective provider's policies. Varies

Strictly necessary cookies cannot be disabled as they are essential for the Service to function. You may manage or delete other cookies through your browser settings; however, disabling them may impair certain features. Most browsers allow you to refuse cookies — consult your browser's help documentation for instructions.

public

6. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area (EEA). We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
  • Paddle's EU-US and UK data transfer mechanisms — Paddle maintains compliance with applicable data transfer requirements and has Data Processing Agreements covering transfers to processors.
  • Google's Data Processing Terms (incorporating SCCs) for Google OAuth and reCAPTCHA.
  • Adequacy decisions for countries recognized by the EU Commission as providing adequate protection.

For information about the safeguards applicable to transfers to specific processors, you may contact us at the address in Section 11.

schedule

7. Data Retention

calendar_month
Account & Profile Data: Retained for the duration of your account. After deletion, retained for up to 30 days before permanent erasure, except where legally required to retain longer.
calendar_month
Payment & Invoice Records: Retained for 7 years (or as required by applicable tax/accounting laws) from the date of the transaction.
calendar_month
User-Generated Content (xrCards, markers): Retained while your account is active. Archived content may be retained for up to 90 days after account closure before permanent deletion.
calendar_month
Server Logs & IP Addresses: Retained for up to 90 days for security and fraud prevention purposes, then deleted.
calendar_month
Session Data: Deleted when your session expires or you log out.
calendar_month
Email Communications: Retained for up to 3 years from the date of the last communication for support and compliance purposes.
calendar_month
Backup Copies: Encrypted backups may contain your data for up to 30 additional days beyond the standard retention period before they are overwritten.
verified_user

8. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

access
Right of Access: Request a copy of the personal data we hold about you (Art. 15 GDPR).
edit
Right to Rectification: Request correction of inaccurate or incomplete data (Art. 16 GDPR).
delete
Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations (Art. 17 GDPR).
block
Right to Restriction: Request that we limit processing of your data in certain circumstances (Art. 18 GDPR).
download
Right to Data Portability: Receive your data in a structured, machine-readable format and transfer it to another controller (Art. 20 GDPR).
thumb_down
Right to Object: Object to processing based on legitimate interests or for direct marketing purposes (Art. 21 GDPR).
cancel
Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing (Art. 7(3) GDPR).
balance
Right to Lodge a Complaint: File a complaint with your national data protection supervisory authority (Art. 77 GDPR).

California Residents (CCPA): You have the right to know what personal information is collected, the right to delete it, and the right to opt out of its "sale." We do not sell your personal information. To exercise CCPA rights, contact us at [CONTACT_EMAIL].

To exercise any of these rights, contact us at [CONTACT_EMAIL]. We will respond within 30 days (GDPR standard). We may require identity verification before processing your request. Exercising your rights is free; we will inform you if a request is manifestly unfounded or excessive.

child_care

9. Children's Privacy

The Service is intended for users aged 16 years and older (or 18 years in jurisdictions where the age of digital consent is 18). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us immediately at [CONTACT_EMAIL] and we will delete such data promptly.

lock

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Passwords are stored as bcrypt hashes — we never store plain-text passwords.
  • All data transmission occurs over encrypted HTTPS/TLS connections.
  • Payment card data is never transmitted to or stored on our servers — all payment data is handled exclusively by Paddle's PCI DSS-compliant infrastructure.
  • Access to personal data is restricted to authorized personnel on a need-to-know basis.
  • Paddle webhook requests are verified using HMAC-SHA256 signatures.
  • Regular security reviews and updates are applied to our infrastructure.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify relevant supervisory authorities within 72 hours and inform affected users without undue delay, as required by GDPR Art. 33–34.

update

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email (to the address on your account) and/or display a prominent notice on our website at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the current version was published. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

mail

12. Contact Us

For any privacy-related questions, data subject requests, or concerns, contact our Privacy team:

mocaxr — Privacy Team
Email: [CONTACT_EMAIL]
Response time: Within 30 days (GDPR standard)