Privacy Policy
Last updated: Jun 8
How Mobieus Partners LLC collects, uses, discloses, and protects personal information across our marketing site and the Mobieus platform. We aim for clarity in plain English; the legal force of this document is global.
Effective date: 2026-05-29
Last updated: 2026-05-29
0. Overview and roles
Mobieus Partners LLC ("Mobieus," "we," "us," "our") provides community-platform software at mobieus.io and through dedicated tenants we host for our customers. This Policy describes how we handle personal information ("Personal Data") in two distinct contexts:
- As a Controller — when you visit our marketing site, contact us, create a Mobieus account, subscribe to a plan, or otherwise interact with Mobieus directly. Mobieus is the data controller.
- As a Processor — when our tenant customers ("Tenant Operators") use Mobieus to run their own communities. The community's members, content, and moderation are operated by the Tenant Operator, who is the data controller for that community's Personal Data. Mobieus processes that data on the Tenant Operator's instructions under our Data Processing Addendum.
If you are a member of a community hosted on Mobieus, the Tenant Operator's own privacy policy applies first. This Policy applies in addition where Mobieus acts as the controller, for example, in providing security, fraud prevention, audit logs, and infrastructure operations.
1. Who we are and how to reach us
Mobieus Partners LLC
30 N Gould St Ste R
Sheridan WY 82801, United States
General: [email protected]
Privacy: [email protected]
Security: [email protected]
We do not currently maintain an EU or UK representative. EU or UK Data Subjects who wish to assert their rights should email [email protected] with the subject line "EU/UK Data Subject Request"; we will respond within statutory timelines.
2. Categories of Personal Data we collect
We collect only what we need to operate the Mobieus service, secure our infrastructure, bill customers, and comply with applicable law. Categories may include:
- Account data: name, email, password hash. We never store plaintext passwords. This may also include display name, role, and language preference.
- Profile data: avatar, bio, location, links, and any other content you choose to make visible.
- Communication data: messages, posts, replies, threads, support tickets, contact-form submissions, and metadata, including timestamps, IP at submission, and recipients.
- Commerce data: subscription tier, billing currency, invoice history, last 4 digits of payment method, Stripe customer/account identifiers. Mobieus does not store full payment-card numbers.
- Identity verification: where a community opts in to mobieusVerified, encrypted selfie video plus email-verification metadata for admin review, stored encrypted at rest.
- Device and log data: IP address, browser user agent, referer, session cookies, CSRF tokens, request paths, response status, and timing.
- Identity-provider data, Sovereign SAML/SSO: the SAML assertion attributes your identity provider passes to us at sign-in; we do not store IdP credentials.
- API usage data: API key prefix, key SHA-256 hash, environment, rate-limit overrides, last-used timestamp and IP, scopes granted, request and event log.
- Webhook data: endpoint URLs, signing-secret prefixes and hashes, subscribed event types, delivery attempts, response codes, latency, and truncated response bodies.
- AI-feature data, when enabled: inputs sent to and responses received from your configured AI provider, currently Anthropic Claude, cached against a hash of the source content to avoid re-billing.
- Cookies and similar technologies: see Section 5.
We do not knowingly collect special-category data, including race, religion, health, sexual orientation, political views, or biometric data, on our own behalf. Tenants that solicit such data from their members are themselves the controller for that processing.
3. Sources of Personal Data
- From you: when you create an account, fill in a form, post content, or otherwise interact with the Service.
- From your devices: log data, cookies, and similar technologies. See Section 5.
- From third parties: from Stripe for subscription and payment status, from your identity provider for SAML attributes on Sovereign, from your email provider for delivery results, and from public sources, including WHOIS and DNS, where you ask us to verify a custom domain.
4. Purposes and legal bases for processing
| Purpose | Legal basis, GDPR Art. 6 |
|---|---|
| Provide, operate, and maintain the Service; create your account; deliver subscription benefits | Performance of a contract, Art. 6(1)(b) |
| Process payments through Stripe; bill subscriptions; recover failed payments | Performance of a contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c) |
| Secure the platform, detect and prevent abuse, log access for audit | Legitimate interest, Art. 6(1)(f); legal obligation, Art. 6(1)(c) |
| Comply with subpoenas, court orders, tax law, anti-fraud, sanctions screening | Legal obligation, Art. 6(1)(c) |
| Send transactional email, including password reset, billing receipts, and security alerts | Performance of a contract, Art. 6(1)(b) |
| Send marketing email, including newsletters and product launches | Consent, Art. 6(1)(a); opt-out at any time |
| Improve the Service, including analytics on our own traffic, performance metrics, and error logs | Legitimate interest, Art. 6(1)(f) |
| Provide AI features that you enable, using your AI provider key | Consent, Art. 6(1)(a); performance of a contract, Art. 6(1)(b) |
| Verify identity for mobieusVerified, where the Tenant Operator opts in | Consent, Art. 6(1)(a); legitimate interest, Art. 6(1)(f) |
5. Cookies and similar technologies
We use the smallest set of cookies we can. Categories:
- Strictly necessary: session cookies, CSRF tokens, load-balancing cookies. Required to operate the Service; cannot be disabled in-product.
- Functional: theme preference, language, last-viewed pages. Set on sign-in.
- Analytics: Google Analytics 4 via gtag.js on the marketing site (G-KXF06036G4). Aggregates page views, referrers, and device class. IP anonymization enabled. Disable via your browser, an ad-blocker, or the Global Privacy Control signal.
- Tenant-set cookies: Tenant Operators may set additional cookies on their own community subdomain or custom domain. Mobieus does not control these; the Tenant Operator's own privacy policy governs.
We honor the Global Privacy Control signal as a request to opt out of analytics on the marketing site.
6. How we use Personal Data
- To create, manage, and protect your account.
- To process subscriptions, payments, refunds, and invoices via Stripe.
- To send transactional emails about your account and your subscription.
- To respond to your inquiries through the contact form, sales, support, and security channels.
- To operate and improve the Mobieus platform, including security, reliability, performance, and feature development.
- To detect, investigate, and prevent fraudulent, abusive, unauthorized, or illegal activity.
- To enforce our Terms of Service and Acceptable Use Policy.
- To comply with our legal obligations, including tax, anti-money-laundering, and law-enforcement requests under valid process.
We do not sell Personal Data. We do not "share" Personal Data for cross-context behavioral advertising as defined under CCPA/CPRA. We do not use Personal Data to train artificial-intelligence or machine-learning models. We do not provide tenant content to any AI provider for training purposes.
7. AI features and the use of artificial intelligence
The Mobieus platform offers optional AI features, including long-thread summaries, suggested tags, search synthesis, and report explanations. These features are off by default and require:
- An explicit admin toggle, AI_FEATURES_ENABLED, in /admin/config.
- An API key from a supported AI provider, currently Anthropic Claude, supplied by the Tenant Operator.
When enabled, the input text from the community, such as the thread being summarized, is transmitted directly from your tenant's server to the AI provider you configured. Mobieus does not interpose its own AI provider account or key, does not pool tenant data, and does not aggregate or pseudonymize tenant data for any cross-tenant purpose. We cache responses against a SHA-256 hash of the source content to avoid re-billing identical inputs; cached entries are stored only in your tenant's own database.
The AI provider's terms govern that processing. As of the effective date, Anthropic states that data submitted to its API is not used to train its models in the default configuration. Tenant Operators are responsible for reviewing their AI provider's terms, data-processing addendum, and any region-specific restrictions before enabling AI features.
8. Public API and webhooks
Tenants on Pro and higher plans can mint API keys and configure outbound webhooks. When a Tenant Operator subscribes a webhook to an event type, the event payload, which may include Personal Data of members, is transmitted to the URL the Tenant Operator has specified. The receiving endpoint is the Tenant Operator's responsibility; Mobieus is not the controller for that downstream processing.
API keys are stored as SHA-256 hashes; we cannot recover the plaintext. Webhook signing secrets are stored both as a hash and, in the tenant database only, as plaintext required for the dispatch worker to sign requests. Rotation is available in the admin UI. We log delivery attempts, including status code, latency, and truncated response body, for diagnostic purposes; you may delete a delivery log entry at any time.
9. mobieusMarket, file uploads, identity verification
mobieusMarket: Listings created by a member are visible to other members of the community per the Tenant Operator's settings. Members are responsible for the personal information they choose to include in a listing, such as shipping location or contact details.
File uploads: Files uploaded to a community pass through ClamAV virus-scanning. Files identified as containing malware may be quarantined. Files containing illegal content, such as CSAM, are reported and preserved as required by law.
mobieusVerified: Where a Tenant Operator enables identity verification, members may submit a selfie video plus email proof. Submissions are encrypted at rest (AES-256) and reviewed by the Tenant Operator's admins; Mobieus does not access these submissions except where required to operate the verification feature.
10. How we share Personal Data
We share Personal Data only as described here:
- Subprocessors — service providers acting on our behalf, subject to written contracts that bind them to confidentiality and data-protection obligations. See the Subprocessor list in Section 13.
- Tenant Operators — where you are a member of a community hosted on Mobieus, your data is processed primarily by that Tenant Operator. They control what is shared within their community.
- Legal compliance — in response to valid legal process, including subpoena, court order, or warrant, or where required by applicable law.
- Vital interests / safety — to protect the rights, property, life, or safety of Mobieus, our customers, our customers' members, our employees, or the public.
- Corporate transactions — in connection with a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy; we will notify affected users and seek to bind successors to commitments at least as protective as this Policy.
- With your consent — for any other purpose disclosed to you and to which you consent.
11. International data transfers
Mobieus is headquartered in the United States. Our primary infrastructure is in the United States; some subprocessors operate globally. Where we transfer Personal Data originating in the EU, the UK, Switzerland, or other jurisdictions with cross-border-transfer restrictions, we rely on:
- EU Standard Contractual Clauses, Commission Implementing Decision (EU) 2021/914, and the equivalent UK International Data Transfer Addendum for transfers from the UK.
- Adequacy decisions where applicable, including Switzerland, the United Kingdom, and the EU–US Data Privacy Framework where the recipient self-certifies.
- Supplementary measures as informed by the EDPB Schrems II guidance, including encryption in transit and at rest, principle of least privilege, and transparency about government access requests.
12. Your rights and how to exercise them
Depending on where you live, you may have the following rights:
- Access — receive a copy of the Personal Data we hold about you.
- Rectification — correct inaccurate or incomplete Personal Data.
- Erasure / "right to be forgotten" — ask us to delete your Personal Data, subject to lawful exceptions, such as where retention is required for tax, audit, or legal-claim defense.
- Portability — receive your Personal Data in a structured, commonly-used, machine-readable format and transmit it to another controller. Members of a Mobieus-hosted community can request a one-click export from their account settings.
- Restriction — restrict processing in certain circumstances.
- Objection — object to processing based on legitimate interests, or to direct marketing.
- Withdraw consent — where processing is based on consent, withdraw at any time without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint — with your local supervisory authority, such as your EU data protection authority, the UK ICO, the OPC of Canada, or the CNIL in France.
- Non-discrimination — under CCPA/CPRA, we will not deny goods or services, charge different prices, or provide a different level of quality because you exercised your rights.
To exercise any of these rights, email [email protected]. We will verify your identity, typically via the account email on file, and respond within statutory timelines: 30 days under GDPR, 45 days under CCPA/CPRA. If you are a member of a community hosted on Mobieus and your request concerns data the Tenant Operator controls, we will route your request to that Tenant Operator and notify you.
13. Subprocessors
We engage the following categories of subprocessors. The list of named subprocessors below is current as of the effective date; an up-to-date list is maintained at this URL and material additions are announced 30 days in advance via the changelog and to active customers via email.
| Subprocessor | Purpose | Region |
|---|---|---|
| Stripe, Inc. | Subscription billing, optional Tenant Operator commerce, Stripe Connect | United States; global |
| Akamai Technologies / Linode | Infrastructure hosting, including VMs, networking, and storage | United States |
| Cloudflare, Inc. | DNS authoritative resolution; not used as a proxy for tenant traffic | Global |
| Google LLC, including Google Analytics 4 and Google Fonts via locally-hosted variable font | Marketing-site analytics; fonts are self-hosted to avoid Google Fonts requests | United States; global |
| Anthropic, PBC | AI provider only when a Tenant Operator enables AI features with their own Anthropic API key; Mobieus does not maintain an Anthropic account on customers' behalf | United States |
| Self-hosted exim4 / Dovecot relay, srv1 | Outbound transactional email; we operate our own SMTP infrastructure rather than using a third-party email service | United States |
| GitHub, Inc. | Source-code repository; no Personal Data of end users is sent to GitHub | United States |
14. Data retention
We retain Personal Data only as long as needed for the purposes described in this Policy and to satisfy legal, regulatory, tax, and audit obligations. Concrete retention periods:
- Account data: kept while your account is active. On deletion, the account is soft-deleted for 30 days, recoverable on request, then permanently destroyed.
- Audit logs: 365 days, then archived.
- Performance logs: 30 days.
- cron_runs: 90 days.
- login_attempts: 30 days.
- error_404 history: 7 days.
- Read notifications: 90 days.
- Backups: 30 days rolling.
- Billing records and invoices: 7 years, US tax/audit requirements.
- Stripe webhook events: 90 days in live table; older rows archived.
- Public API event log: indefinite within the tenant's own database; the Tenant Operator may delete entries at any time.
15. Information security
We use commercially reasonable administrative, technical, and physical safeguards to protect Personal Data, including: encryption in transit (TLS 1.2+) and at rest; per-tenant database isolation, under which cross-tenant queries are structurally impossible; constant-time API key comparison; SSRF and DNS-rebind protection on outbound webhooks; a ModSecurity web application firewall; rate limits at every layer; audit logging on every admin action; and daily backups with 30-day retention.
No system is perfectly secure. If we become aware of a Personal Data breach, we will notify affected customers without undue delay and, where required by applicable law, within 72 hours of becoming aware. See our Security page for the current posture.
16. Children's privacy
The Mobieus platform is not directed to children under 13, or under 16 in jurisdictions where that is the applicable threshold for child-directed online services. We do not knowingly collect Personal Data from children under those thresholds without verifiable parental consent. If you are a parent or guardian and believe your child has provided us with Personal Data, contact [email protected] and we will delete the information.
Tenant Operators that intend to host communities of users under 13 must independently comply with the US Children's Online Privacy Protection Act, COPPA, the EU's GDPR, which sets the age of consent for information-society services between 13 and 16 depending on Member State, and analogous laws. Mobieus disclaims liability for a Tenant Operator's failure to do so.
17. California privacy disclosures, CCPA / CPRA
If you are a California resident, you have the rights described in Section 12 plus the following:
- Right to know the categories of Personal Information collected, sources, purposes, and recipients described above.
- Right to delete Personal Information, subject to exceptions.
- Right to correct inaccurate Personal Information.
- Right to opt out of sale or sharing of Personal Information. We do not sell or share Personal Information as those terms are defined in CCPA/CPRA.
- Right to limit use of sensitive Personal Information. We do not use sensitive Personal Information beyond what is necessary to provide the Service.
- Right to non-discrimination for exercising these rights.
- Notice of financial incentive: we offer no financial incentives in exchange for Personal Information.
Submit requests to [email protected]. We honor the Global Privacy Control signal as a request to opt out.
18. Other US state privacy laws
If you live in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Florida, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, Maryland, Minnesota, New Hampshire, Rhode Island, or Kentucky, you have substantially similar rights. Submit requests to [email protected].
Relevant laws include CPA, CTDPA, VCDPA, UCPA, TDPSA, OCPA, FDBR, MTCDPA, ICDPA, TIPA, DPDPA, NJDPA, MODPA, and MCDPA.
19. Canadian privacy disclosures
For Personal Information about Canadian residents, we comply with the Personal Information Protection and Electronic Documents Act, PIPEDA, and, for Québec residents, Law 25, formerly Bill 64. You may exercise access, correction, and complaint rights with the OPC or, in Québec, the Commission d'accès à l'information.
20. Brazilian privacy disclosures, LGPD
For Brazilian residents, we process Personal Data on the legal bases set out in Article 7 of the Lei Geral de Proteção de Dados, LGPD, corresponding to the GDPR bases above. You may exercise rights under Article 18 by contacting [email protected]. The ANPD is the supervisory authority.
21. Asia-Pacific privacy disclosures
Japan, APPI: We process personal information per the Act on the Protection of Personal Information, including obtaining consent for cross-border transfers where required.
South Korea, PIPA: We process personal information per the Personal Information Protection Act and provide the required disclosures on request.
India, DPDP Act 2023: We comply with the Digital Personal Data Protection Act for Indian Digital Personal Data, including consent management and grievance redressal.
Australia, Privacy Act 1988: We comply with the Australian Privacy Principles. Privacy complaints may be lodged with the Office of the Australian Information Commissioner.
China, PIPL: Mobieus does not currently market the Service within mainland China. Where the Personal Information Protection Law applies, we rely on consent and standard contracts under the PIPL Article 38 cross-border transfer mechanism.
22. Automated decision-making and profiling
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing of your Personal Data. Tenant Operators that configure automation rules, such as AutoMod or automated ticket routing, within their community are the controller for that processing and bear corresponding GDPR Article 22 obligations.
23. Do Not Track
Most browsers offer a Do Not Track, DNT, signal. Because there is no industry-standard interpretation of DNT, we treat it as advisory. We do honor the Global Privacy Control signal as a request to opt out of analytics on the marketing site.
24. Marketing communications
We send transactional emails, including account activity, billing, and security alerts, on the legal basis of contract performance; these cannot be unsubscribed from while you have an active account. Marketing emails, including newsletters and product launches, are sent only with consent and include a one-click unsubscribe link in every message, in accordance with the US CAN-SPAM Act, CASL in Canada, and the EU ePrivacy Directive.
25. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by posting a notice on the marketing site and, for active customers, by email. The "Last updated" date at the top reflects the latest revision. Your continued use of the Service after the effective date of a change constitutes acceptance of the updated Policy.
26. Data Processing Addendum
For customers who require a Data Processing Addendum, DPA, under GDPR, UK GDPR, CCPA/CPRA service-provider status, Québec Law 25, or other equivalent regimes, our standard DPA incorporating the 2021 EU Standard Contractual Clauses, controller-to-processor module, and the UK International Data Transfer Addendum is available on request. Email [email protected] with subject line "DPA request" and the legal name and address of your contracting entity.
27. Contact us
For any question about this Policy or our handling of Personal Data, contact us at:
Mobieus Partners LLC
Attn: Privacy
30 N Gould St Ste R
Sheridan WY 82801, United States