Privacy Policy

MoodNode is a node-based visual editor for AI-powered creative workflows. This Privacy Policy explains how we collect, use, and protect your information when you use our service. By using MoodNode, you agree to the collection and use of information in accordance with this policy.

For users in the EU/EEA and other GDPR jurisdictions, we process your data on the following lawful bases:

• Contractual necessity (Art. 6(1)(b)): account data, project data, generations — required to deliver the Service.
• Legitimate interest (Art. 6(1)(f)): usage telemetry, error logs, fraud and abuse detection, integrity monitoring.
• Consent (Art. 6(1)(a)): analytics cookies, marketing communications. You can withdraw consent at any time via the cookie banner or Settings.
• Legal obligation (Art. 6(1)(c)): tax records, regulatory data retention, lawful requests from authorities.

• Backend & database: Supabase (PostgreSQL + auth + object storage)
• Media storage: Cloudflare R2 (generated and uploaded images, videos, audio)
• Frontend hosting: Vercel
• Payments: Polar (subscriptions and credit packs)
• Email delivery: Resend (transactional notifications)
• Security: Row-level security (RLS), browser-local API key storage, HTTPS for all data transmission, server-side rate limiting.

MoodNode operates globally and our infrastructure providers (Supabase, Cloudflare, Vercel, Polar, Resend) and AI providers (listed in Section 5) process and store data primarily in the United States and the European Union. If you are located outside these regions, your data may be transferred to and processed in countries that may have different data protection laws than your home country.

For users in the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and adequacy decisions where applicable to safeguard transfers. For users in Turkey (KVKK), data transfers outside Turkey occur with the explicit consent obtained at signup or under the limited statutory exceptions in KVKK Art. 9.

MoodNode uses only a single functional cookie: the Supabase authentication session token. This cookie is required for the application to function and keeps you signed in.

We use analytics cookies (Google Analytics, Vercel Analytics) only with your consent. We do not use advertising cookies or third-party tracking cookies.

You have the following rights regarding your personal data, under the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK), and similar regimes elsewhere:

• Access: View all your personal data from the Settings page within the app, or request a complete export.
• Rectification (Correction): Edit your profile information (display name, avatar) at any time from Settings, or request correction of any other data we hold.
• Erasure (Right to be Forgotten): Delete your account and all associated data. Deletion is permanent and processed within 30 days.
• Data Portability: Download all your project data as JSON or export individual assets at any time.
• Restriction of Processing: Request that we limit how we use your data while a dispute or correction is pending.
• Objection: Object to processing based on legitimate interest (e.g., usage telemetry, abuse detection).
• Automated Decision-Making (GDPR Art. 22): We do not subject users to solely automated decisions producing legal or significant effects. Content-moderation filters from upstream AI providers may automatically block specific generations; you can request manual review by contacting us.
• Withdraw Consent: Where processing is based on consent (analytics, marketing emails), you can withdraw at any time from Settings or the cookie banner — withdrawal does not affect prior lawful processing.
• Lodge a Complaint: EU/EEA users may contact their national data protection authority. Turkish users may apply to the Kişisel Verileri Koruma Kurumu (KVK Kurulu).

To exercise any of these rights, use the in-app Settings page or contact us at [email protected]. We respond to verified requests within 30 days, as required by GDPR Art. 12 and KVKK Art. 13.

• Active accounts: Your data is retained for as long as your account is active.
• Deleted accounts: All personal data is permanently deleted within 30 days of account deletion. Some records may be retained longer to satisfy legal, tax, or fraud-prevention obligations.
• Inactive free-tier accounts: Free accounts that remain inactive for an extended period (currently 180 days) may receive a warning email before any data cleanup. Paid accounts are not subject to inactivity cleanup.
• Backups: Encrypted backups are retained for up to 30 days for disaster recovery purposes; these backups are not used for any other purpose and are deleted on rotation.

MoodNode is intended for users aged 13 and older in the United States, and 16 and older in the European Economic Area (or the local minimum digital- consent age where lower). We do not knowingly collect personal information from anyone below the applicable threshold. If we become aware that an underage user has provided us with personal data, we will take steps to delete that information promptly.

We may update this Privacy Policy from time to time. For material changes we will provide reasonable advance notice (at least 30 days) by email and/or an in-app notice; non-material changes will be reflected by updating the "Last updated" date at the top of this page. We encourage you to review this page periodically for any changes.

If you have any questions about this Privacy Policy, your personal data, or wish to exercise any of the rights described in Section 7, please contact us at: [email protected]