Privacy Policy
Last updated: 26 May 2026
This is the privacy policy for mymoto.world ("we", "us", "the service"), a social network for motorcyclists operated from the United Kingdom. It explains what personal data we collect, why we collect it, how we store it and what rights you have over it. It applies to use of the website, the installable PWA, and any related apps and APIs.
1. Who we are
mymoto.world is operated by the team behind the service. For all privacy questions, including subject access requests and account deletion, contact support@mymoto.world.
2. What data we collect
- Account data: the email address you sign up with, the handle and display name you choose, and any optional profile information you add (bio, location, bikes, photos).
- Content you post: wall posts, comments, reactions, group / event / business / marketplace listings, direct messages, photos and videos you upload, and any metadata bundled with them (EXIF data is stripped from images on upload).
- Connection data: who you follow, who you have friended, who you have blocked, who you have direct-messaged, and who has invited you.
- Technical data: IP address, user-agent, basic device and browser information, and request logs (kept for a short period for security and abuse-prevention purposes).
- Push subscription data: if you opt in to push notifications, the push endpoint URL and cryptographic keys supplied by your browser.
- Third-party connections: if you connect your YouTube channel for auto-mirroring, we store your YouTube channel id and an encrypted-at-rest copy of the OAuth refresh token. We request only the youtube.readonly scope.
- Payment data (paid tiers only): if you subscribe to a paid tier we store your Stripe customer id and the subscription state (plan, status, period end). Card numbers and billing details are held by Stripe, not by us.
- MAIA chat content: when you message MAIA on /maia, your messages and a short rolling conversation history are sent to Google Gemini for the AI to reply, and the conversation is kept on our servers so MAIA can refer back to it in your next turn. See section 5 for details.
3. How we use it
We use your data to:
- provide the service (show your feed, deliver messages, etc.)
- send you a magic-link sign-in email when you log in
- send notifications (in-app, push, and where applicable email) about activity directed at you
- keep the service safe (rate limits, abuse / spam detection, content moderation)
- comply with our legal obligations (e.g. responding to lawful requests, retaining moderation records)
We do not sell your personal data. We do not show third-party advertising at this time. If we add advertising in future, this policy will be updated and existing users will be notified.
4. Sub-processors and third parties
We rely on the following third-party providers to operate the service. Each is bound by their own privacy policy:
- Hostinger — VPS hosting (servers located in the EU).
- Cloudflare — DNS, edge network, R2 object storage for media, and (where enabled) Turnstile bot-defence.
- Resend — transactional email delivery (magic-link sign-in).
- Sentry — error reporting (no full request bodies are sent; PII is scrubbed where reasonably possible).
- Google / YouTube — only if you choose to connect your YouTube channel. We use the YouTube Data API to detect new uploads and read public video metadata.
- TomTom — map tiles, geocoding and route data when you use map features.
- Stripe — payment processing if you subscribe to a paid tier. Card details are entered on Stripe-hosted Checkout and are never seen by our servers.
- Google (Gemini API) — the model behind MAIA. Your chat messages with MAIA are sent to Gemini for the reply. We use the paid API tier, which (per Google's terms) does not use your prompts to train future models.
- Web Push / Firebase Cloud Messaging — only if you opt in to push notifications. Your browser's push endpoint and keys are stored on our servers; the message-delivery hop runs through your browser vendor (Mozilla autopush, Apple Push, FCM, etc.) with no notification content beyond a short title and body.
5. MAIA AI assistant — how chat data is handled
MAIA is the AI assistant on /maia. When you chat with MAIA, your message and a short rolling conversation history are sent to Google Gemini, which generates the reply. Conversation history is stored on our servers so MAIA can remember context across turns in the same session.
We use the paid Gemini API tier. Under Google's terms, data sent via paid Gemini is not used to train future models. Gemini may briefly cache requests for safety and abuse-detection purposes. The request travels to Google's servers, which may be located outside the UK / EEA — see section 7 (International transfers).
You can delete a MAIA conversation from your chat list. Deleting your account also deletes your MAIA conversation history along with the rest of your data, subject to the retention rules in section 9.
6. Our lawful basis for processing
Under UK / EU GDPR (Article 6), every processing purpose needs a lawful basis. Ours:
- Performance of a contract (Art 6(1)(b)) — for providing the account, the feed, messaging, groups, events, marketplace, the MAIA assistant, and the paid-tier subscription once you take one out.
- Legitimate interests (Art 6(1)(f)) — for keeping the service safe (abuse detection, rate limiting, fraud prevention, log retention for security investigations) and for sending you in-app notifications about activity directed at you. You can object to legitimate-interest processing by emailing support@mymoto.world.
- Consent (Art 6(1)(a)) — for push notifications (you opt in via the browser prompt) and for connecting a YouTube channel for auto-mirroring (explicit click-through). You can withdraw consent at any time from /me or your browser's notification settings.
- Legal obligation (Art 6(1)(c)) — for retaining moderation records of policy breaches, fraud or abuse, and for responding to lawful requests from regulators or law enforcement.
7. International transfers
Our primary databases and media storage are inside the UK / EEA (see section 8). However, some of our sub-processors process data in the United States, in particular:
- Stripe — payment processing.
- Resend — transactional email.
- Google (Gemini API, YouTube Data API, FCM) — the MAIA model, optional YouTube channel mirroring, and Android push delivery where applicable.
- Sentry — error reporting.
Where we transfer personal data to the United States, we rely on either the EU-US / UK-US Data Privacy Framework (where the recipient is self-certified) or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, as appropriate. Each sub-processor is bound by their own data-protection commitments.
8. Where we store data
Account, content, messaging and moderation data is stored in a PostgreSQL database on our VPS in the EU. Media (photos, videos) is stored in Cloudflare R2. Daily encrypted backups are stored in a private R2 bucket. We do not transfer your data outside the UK / EEA except as needed to operate the third-party services listed above.
9. How long we keep it
We keep your account data for as long as your account is active. If you delete your account, your profile and posts are removed within 30 days, except where we are legally required to retain certain records (for example, moderation logs in cases of policy violation or abuse). Direct messages addressed to you remain visible to your recipient unless they also delete them. Backups roll out within 30 days of the corresponding database state being deleted.
10. Your rights
Under UK / EU GDPR you have the following rights over your personal data:
- Access — ask us what we hold about you.
- Rectification — correct anything that is wrong. Most of this is self-service from /me.
- Erasure — ask us to delete your account and personal data.
- Portability — receive a machine-readable export of the data you've given us.
- Restriction — ask us to pause processing while a dispute is resolved.
- Object — object to processing we do under a legitimate-interests basis (see section 6).
- Withdraw consent — for any processing where consent is the basis (push notifications, YouTube connection).
To exercise any of these rights, email support@mymoto.world. We aim to respond to all requests within 30 days (extendable by a further 60 days for complex requests under UK GDPR Art 12, in which case we'll tell you why).
If you're not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk/make-a-complaint (or your local data-protection authority if you're resident elsewhere in the EU / EEA).
11. Cookies and similar technologies
We use a small number of strictly-necessary cookies to keep you signed in and to protect the service from CSRF and abuse. We do not use third-party advertising cookies or cross-site tracking.
12. Children
mymoto.world is not directed at children under 13. If you believe a user is under 13, please email support@mymoto.world and we will investigate.
13. Changes to this policy
We may update this policy from time to time. The date at the top of the page will reflect the most recent update. Material changes will be notified via in-app notification or email.
14. Contact
For any privacy or data-protection question, email support@mymoto.world.
This is a v1 plain-language draft and is not a substitute for legal advice. We expect to revise it before opening registration to the general public.