Last updated: June 01, 2025 · Effective: June 01, 2025
Quick Navigation
At mocaxr ("we," "us," or "our"), we take the privacy of our users seriously. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website and augmented reality (AR) card platform (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use immediately.
Paddle as Merchant of Record: All payments on xrCard are processed by Paddle.com Market Limited ("Paddle"), acting as our Merchant of Record. When you purchase a subscription, you are transacting directly with Paddle. Paddle's own Privacy Policy applies to data Paddle collects as part of payment processing.
The data controller responsible for your personal data is:
mocaxr
[YOUR_COMPANY_ADDRESS]
[CITY, COUNTRY]
Email: [CONTACT_EMAIL]
Website: [YOUR_WEBSITE_URL]
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we are the data controller of your personal data under the General Data Protection Regulation (GDPR) and applicable national laws.
We process your personal data on the following legal bases:
| Purpose | Lawful Basis (GDPR) |
|---|---|
| Providing and operating the Service (account creation, xrCard management, QR code generation) | Contract performance (Art. 6(1)(b)) |
| Processing payments and managing subscriptions via Paddle | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (account verification, password reset, invoices) | Contract performance (Art. 6(1)(b)) |
| Detecting your country for tax and pricing compliance | Legal obligation (Art. 6(1)(c)) |
| Maintaining security, preventing fraud and abuse | Legitimate interest (Art. 6(1)(f)) |
| Improving the Service through aggregated usage analytics | Legitimate interest (Art. 6(1)(f)) |
| Responding to support requests and communications | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications (only with your consent) | Consent (Art. 6(1)(a)) |
| Complying with legal obligations, tax laws, court orders | Legal obligation (Art. 6(1)(c)) |
We do not sell, rent, or trade your personal data. We share it only with the following categories of recipients, and only to the extent necessary:
Role: Payment processing, subscription management, tax compliance, invoicing
Legal basis: Contract performance; Data Processing Agreement in place
Location: United Kingdom / Global
Role: OAuth login (Google Sign-In), reCAPTCHA (bot protection), Google Fonts (typography)
Legal basis: Legitimate interest; consent for social login
Location: United States
Role: OAuth social login (optional, user-initiated)
Legal basis: Consent
Location: United States
Role: Country detection from IP address — database is stored locally on our servers; no data is transmitted to MaxMind.
Legal basis: Legitimate interest
Location: Database is local (no external transmission)
Role: Law enforcement, courts, or regulatory bodies when required by applicable law, court order, or to protect rights and safety.
Legal basis: Legal obligation
Location: Jurisdiction-dependent
We use the following cookies and similar technologies:
| Cookie | Category | Purpose | Duration |
|---|---|---|---|
| PHP Session (PHPSESSID) | Strictly Necessary | Maintains your logged-in session across pages. | Session (browser close) |
| qarm | Strictly Necessary | "Remember me" authentication token — keeps you logged in across browser restarts. | 30 days |
| Google reCAPTCHA | Security / Functional | Bot detection on registration and login forms. Set by Google. | Session / ~6 months |
| Google OAuth | Functional | Social login state management. Set by Google. | Session |
| Facebook OAuth | Functional (if used) | Social login state management. Set by Facebook. | Session |
| Analytics (admin-configured) | Analytics (optional) | The site administrator may add third-party analytics (e.g., Google Analytics) via the site settings. These cookies are governed by the respective provider's policies. | Varies |
Strictly necessary cookies cannot be disabled as they are essential for the Service to function. You may manage or delete other cookies through your browser settings; however, disabling them may impair certain features. Most browsers allow you to refuse cookies — consult your browser's help documentation for instructions.
Your data may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area (EEA). We ensure adequate protection through:
For information about the safeguards applicable to transfers to specific processors, you may contact us at the address in Section 11.
Depending on your jurisdiction, you may have the following rights regarding your personal data:
California Residents (CCPA): You have the right to know what personal information is collected, the right to delete it, and the right to opt out of its "sale." We do not sell your personal information. To exercise CCPA rights, contact us at [CONTACT_EMAIL].
To exercise any of these rights, contact us at [CONTACT_EMAIL]. We will respond within 30 days (GDPR standard). We may require identity verification before processing your request. Exercising your rights is free; we will inform you if a request is manifestly unfounded or excessive.
The Service is intended for users aged 16 years and older (or 18 years in jurisdictions where the age of digital consent is 18). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us immediately at [CONTACT_EMAIL] and we will delete such data promptly.
We implement appropriate technical and organizational measures to protect your personal data, including:
In the event of a data breach that poses a risk to your rights and freedoms, we will notify relevant supervisory authorities within 72 hours and inform affected users without undue delay, as required by GDPR Art. 33–34.
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email (to the address on your account) and/or display a prominent notice on our website at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the current version was published. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
For any privacy-related questions, data subject requests, or concerns, contact our Privacy team:
mocaxr — Privacy Team
Email: [CONTACT_EMAIL]
Response time: Within 30 days (GDPR standard)