We collect what we need, protect it carefully, and never sell it.

Who we are

Moonty (moonty.travel) is a platform that connects travelers with local guides in Nanjing, China. This Privacy Policy explains what personal information we collect when you use our website and services, how we use it, and what rights you have over your data. This policy applies to all users of Moonty, including tourists, guides, and visitors.

For privacy purposes, Moonty is the controller of personal information collected through the platform. You can contact us at privacy@moonty.travel.

Moonty is not intended for children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will take appropriate steps to delete it.

What we collect

We collect information you provide directly, and some information automatically when you use the platform.

Information you give us:

• Your name, when you create an account
• Your email address, used for login and notifications
• Your phone number, if you choose to provide it
• Booking details: dates, number of guests, special requests
• Reviews and photos you submit after a tour
• Messages you send to guides through our platform
• Guide application and profile information, such as biography, languages, availability, payout onboarding status, and listing content
• Support requests, dispute details, cancellation reasons, and communications with our team

Payment information:

Payments are processed by Stripe. We do not store your credit card number, CVV, or full card details on our servers. Stripe securely handles all payment data and provides us only with a payment confirmation and the last four digits of your card.

Information collected automatically:

• IP address and approximate location
• Browser type, device type, and operating system
• Pages visited, time spent, and links clicked
• Cookies and similar tracking technologies (see Cookie Policy below)
• Security and diagnostic data, including login events, error logs, and anti-fraud signals

How we use your information

We use your data only for legitimate purposes:

• To process and manage your bookings
• To send booking confirmations, updates, and service notifications via email
• To enable communication between tourists and guides through our messaging system
• To improve the platform and understand how people use it
• To prevent fraud and keep the platform safe for everyone
• To comply with legal obligations

We do not send marketing emails without your consent, and you can unsubscribe at any time.

Legal bases for processing

Where laws such as the GDPR require a legal basis, we rely on the following bases depending on the context:

• Contract: to create your account, process bookings, payments, cancellations, refunds, messages, and customer support.
• Legitimate interests: to keep the platform secure, prevent fraud, improve services, maintain records, and understand aggregate usage.
• Consent: for optional marketing, certain cookies or analytics where legally required, and optional profile or review content you choose to provide.
• Legal obligations: to comply with tax, accounting, sanctions, payment, dispute, and regulatory requirements.

How we share information

We share personal information only as needed to operate the platform, protect users, or comply with law:

• With guides and travelers where necessary to complete a booking, coordinate meeting details, provide support, or resolve a dispute.
• With service providers that host our website, process payments, send emails, store files, provide maps, analytics, error monitoring, database, messaging, and security services.
• With authorities, courts, payment networks, or professional advisers if required by law, legal process, or to protect rights, safety, and security.
• In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate confidentiality and continuity protections.

We do not sell personal information. We also do not share personal information for cross-context behavioral advertising as that term is commonly used in California privacy law.

How we store and protect your data

Your data is stored on servers managed by Supabase (PostgreSQL database) and Vercel (hosting). Both providers maintain enterprise-level security practices, including encryption at rest and in transit.

We retain personal information only for as long as reasonably necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law.

• Account profile data: retained while your account is active and for a reasonable period after closure for security, dispute, and audit purposes.
• Booking, cancellation, refund, and customer support records: retained as needed for service delivery, dispute handling, accounting, tax, and fraud prevention.
• Messages: retained while needed to provide messaging, safety review, support, and dispute resolution.
• Security logs and technical records: generally retained for a limited period unless needed for investigation, security, or legal compliance.
• Payment and payout records: retained as required by payment processors, tax, accounting, anti-fraud, and regulatory obligations.

We use reasonable administrative, technical, and organizational safeguards. No online service can guarantee absolute security, so you are responsible for keeping your login credentials confidential.

International transfers

Moonty serves travelers and guides across borders. Your information may be processed in the United States, China, the European Economic Area, or other countries where we or our service providers operate. Where required, we use appropriate safeguards such as contractual protections and service-provider commitments.

Third-party services

We use the following third-party services to operate Moonty. Each has their own privacy policy:

• Stripe (payments) — Handles all payment processing. Card data never touches our servers. Stripe is PCI DSS certified.
• Ably (real-time messaging) — Powers the in-platform messaging system between tourists and guides. Messages are transmitted over Ably's encrypted channels.
• Supabase (database and authentication infrastructure) — Stores account, booking, guide, message, and platform data in our PostgreSQL database and related infrastructure.
• Vercel (hosting) — Hosts the Moonty website and may process request data (IP addresses, request logs) as part of normal web hosting.
• UploadThing (file uploads) — Handles photo uploads for tours and reviews. Files are stored on their CDN.
• AMap / AutoNavi (maps) — Provides map display and location-related features where maps are enabled. Map requests may include device, network, and approximate location-related data.
• Sentry (error monitoring) — Helps us detect and diagnose crashes, performance problems, and security-relevant errors.
• Resend (email delivery) — Sends transactional emails such as booking confirmations, account messages, and service notifications.
• Analytics — We may use analytics tools (such as Umami or Google Analytics) to understand how the website is used. These tools may set cookies or collect anonymized usage data. You can opt out using your browser's privacy settings or a cookie consent tool.

Your rights

If you are in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection laws, you have the following rights:

• Right to access: request a copy of the personal data we hold about you
• Right to rectification: ask us to correct inaccurate or incomplete data
• Right to erasure: ask us to delete your personal data ("right to be forgotten")
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing of your data for direct marketing or legitimate interests
• Right to restriction: ask us to limit how we use your data while a complaint is being resolved

To exercise any of these rights, email us at privacy@moonty.travel. We may need to verify your identity before processing the request.

We aim to respond within 30 days. If a specific law requires a different response period, we will follow that law. If you are in the EEA or UK, you may also lodge a complaint with your local data protection authority.

California privacy rights

If you are a California resident, you may have rights under the California Consumer Privacy Act and related regulations, subject to legal exceptions:

• Right to know: request details about the categories and specific pieces of personal information we collect, use, disclose, and retain.
• Right to delete: request deletion of personal information we collected from you, subject to exceptions.
• Right to correct: request correction of inaccurate personal information.
• Right to opt out of sale or sharing: Moonty does not sell personal information or share it for cross-context behavioral advertising.
• Right to limit sensitive personal information: we use sensitive information only for service, security, legal, or other permitted purposes.
• Right to non-discrimination: we will not discriminate against you for exercising privacy rights.

We currently do not respond to browser-based opt-out preference signals because we do not sell or share personal information for cross-context behavioral advertising.

Automated decision-making

Moonty does not make decisions that produce legal or similarly significant effects based solely on automated processing. We may use automated security and fraud-prevention signals to protect the platform.

Cookies

Moonty uses cookies to keep you logged in, remember your preferences (such as preferred currency and language), and understand how the site is used. We use session cookies (which expire when you close your browser) and persistent cookies (which remain until you clear them or they expire).

You can control cookies through your browser settings. Disabling cookies may affect some features of the platform, such as staying logged in.

Contact us

For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us at:

privacy@moonty.travel

We aim to respond to all privacy-related requests within 30 days.

Disclaimer

This Privacy Policy was written to be clear and human-readable. It is not legal advice. If you are launching a commercial platform or have specific compliance requirements, we recommend having this policy reviewed by a qualified lawyer familiar with data protection law in your jurisdiction.

This policy is effective as of April 27, 2026.