Moonlock Privacy Notice

Moonlock software was developed to help machines protect you. We put people first by ensuring strong privacy protections, so technology enhances life without intruding on your freedom. This Privacy Notice explains who we are, what personal data we collect, how we use it, the legal grounds for processing it, how we protect it, and what rights you have under applicable data protection laws.

This Privacy Notice applies to you as a user (hereinafter “You/you,” “Your/your,” "Yours/yours," and sometimes referred to as “Customer/customer”) of Moonlock desktop application (the “Product” or “Software”). This Notice also applies to all interactions with us in the course of offering our Software and related Services. If you do not agree with the Privacy Notice, do not access or use the Software and/or the Services. The core functionality of the Software is described in the End User License Agreement (EULA). EULA is an integral part of this Privacy Notice.

Please note: Moonlock desktop app is in Beta – it’s an early version still under development, so things may change and some features are experimental. We will keep you updated on changes to Privacy Notice.

The data controller of Your Personal Data is MacPaw Way Ltd. (hereinafter “We/we”, “Us/us”, “Our/our” or “MacPaw”), registration number 428214, registered address: 25 Serifou, Allure Center 11, Office No. 11-12, 2nd Floor, 3046 Zakaki, Limassol, Cyprus.

This Privacy Notice does not apply to:

• Third-party services. Where third-party services are used, and the third party is not a Data Processor, no Personal Data (as defined below) is shared with them; and
• Personal Data that we process about you when you interact as a user with other products/services or our branded social media pages under the brand name “MacPaw”. In such cases, the relevant privacy notice of each product/service you interact with will apply accordingly.
• Your use of and interactions with our website MacPaw (Website or Site). The Site’s policy can be found by following this link. When you use the Website, we collect and use cookies and other tracking technologies; the relevant Cookie Policy can be found by following this link.
• Your use of and interactions with our Moonlock website. The Site’s policy can be found by following this link. When you use Moonlock website, we collect and use cookies and other tracking technologies; the relevant Cookie Policy can be found by following this link.
• Anonymized data.

Our Product(s) are not intended for minors under the laws of their country of residence. We do not knowingly collect or process Personal Data from individuals who have not reached the age of majority. If you are a minor, please do not use Our Product(s) or provide any Personal Data. If we learn that we have collected data from a minor without parental consent, we will delete it promptly. Parents or legal guardians who believe their child has provided personal data should contact us at [email protected] to exercise their rights, including access, correction, or deletion.

We do not collect or process special categories of Personal Data (such as race, ethnicity, beliefs, sexual orientation, political opinions, health, genetic or biometric data) or information about criminal convictions and offenses

Information collected by third parties is governed by their privacy practices and data transfer contractual commitments. To find out more, please refer to the section “Third-Party Information and Personal Data Disclosure” below.

Capitalised terms used in this Privacy Notice and not otherwise defined shall have the meanings provided below:

Data Processor means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of MacPaw.

Data Protection Laws means any applicable data protection or privacy laws or regulations as may be amended or superseded from time to time, including but not limited to: i) the EU General Data Protection Regulation (“GDPR”) as implemented by countries within the EEA; ii) the UK General Data Protection Regulation and Data Protection Act 2018, as amended by Brexit legislation (“UK GDPR”); iii) the California Consumer Privacy Act (“CCPA”) and California’s Shine the Light law; and iv) any other applicable Data Protection Legislation and/or other laws or regulations that are similar, equivalent to, successors to, or that are intended to implement the laws or regulations applicable to you in relation to the transmission and processing of your Personal Data under this Privacy Notice.

Device - a portable computer developed by Apple Inc., equipped with macOS, the proprietary operating system developed by Apple, that belongs to you.

Personal Data - any information relating to an identified or identifiable natural person.

Special Categories of Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health or a person’s sex life or sexual orientation. By default, the Special Categories of Data are not processed in any way by the Product or Site.

Processing/Processed - any operation on Personal Data, whether automated or not.

Standard Contractual Clauses means i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, incorporating Module 1 (Controller to Controller transfers) (EU SCCs); and ii) where the UK GDPR applies, the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and approved by Parliament in accordance with s119A of the Data Protection Act 2018 (UK Approved Addendum) and the accompanying Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any further version published by the Information Commissioner's Office (UK Mandatory Clauses).

You – means the owner of the Device who installed the Software.

All capitalized terms used in this Privacy Notice and not otherwise defined shall have the meanings assigned to such terms in the EULA.

We collect information that, alone or in combination with other data, could be used to identify you (Personal Data). Some of the information we collect is stored using anonymization instruments that cannot be linked back to you (Non-Personal Data). Below, we provide information about what Personal Data and Device Information we collect and process, as well as the purposes of processing.

• Contact and Account Data namely, Your email, name and transactional data (if applicable). This information is needed to complete the sign-up form with MPA (see below), conclude EULA with You, provide You with Our Services, updates and communicate with You. Please note: the processor of your payment data is our payment partner indicated in Section VI below.
• Product(s) Usage Data refers to aggregated information collected about how You interact with a Product(s) or Services, such as a software application, Device. This data helps us understand usage patterns, optimize features, identify issues, and improve the overall user experience. It also helps to understand Your behavior, improve UX and performance of the Product(s). When we process data for purposes such as behavioral advertising or measuring the effectiveness of advertising campaigns, we rely on your consent. For purposes like fraud prevention, error correction, bug fixing, and technical improvements, we process this data based on our legitimate interests.
• System Protection Data is an interpretation of collected data about detected malwares and type of Device.
• Device Information means data from the Device, such as the type of hardware and software in use (for example, operating system and browser type), Device UUID, Device model, Device serial number, unique malware ID on the Device, macOS Device version, and Device system settings. This data is needed to provide you with the core Product’s functionality according to the Terms of Service, services for malware detection and monitoring of the list of applications on the Device, as well as to ensure compatibility, provide maintenance, and update our services. Technical Device Information alone is not Personal Data and cannot be directly attributed to you.
• MacPaw Account ID (MPA) is Your unique identifier, which helps you to access Products and Services through your personal Account on our website MacPaw from different Devices and manage Your subscriptions. We use it to identify your purchased subscriptions and grant access to our Services. MacPaw Account ID helps us to manage your access and subscription (s), identify fraudulent activity and fix the errors (if any). Please, take a note that MacPaw Account ID is a necessary identifier to provide you with our Services. We do not share Your MacPaw Account ID to any external third parties beyond MacPaw. We do not match Your MacPaw Account ID with Your data from Product (s) and related Services for any marketing and/or targeting purposes, and do not profile You.
• Marketing data refers to information collected through cookies and similar technologies, as well as data shared by third-party social media and advertising platforms (e.g., Google, LinkedIn, Facebook) when you interact with our website MacPaw and Moonlock website. With your consent, these third-party platforms may share your Personal Data to personalize your experience and deliver content relevant to your interests, including targeted offers. The relevant Cookie Policy can be found on the Websites. Marketing data also includes information provided when you subscribe to newsletters, such as your email address and preferences, which are used to send you updates and promotional content tailored to your interests.

Technical Information collected by "Malware automation” functionality

Our “Malware automation” function performs malware scans to protect You by identifying malware, detecting suspicious behaviour of applications, and improving the state of the user’s device. For this purpose, we may collect technical data (files that generally do not contain personal data, like binary files, executable files, system files, etc.) identified by the product as potentially infected, together with information about the nature of identified threats. These files will be evaluated only for the presence of a threat or malware. We apply appropriate safeguards to retain and anonymize these files from any other data that may be classified as Personal Data, so it hinders any identification of users. We collect only information that is required to provide malware protection and threat analysis. These files are being stored for a limited time, depending on their usefulness for security needs. The legal basis for processing is the performance of EULA with You.

Detailed information on the legal basis for the collection we rely on when offering you Product(s) and related Services, as well as the storage and processing of each type of Personal Data, is provided in the section “Purposes and Legal basis we rely on” of this Privacy Notice.

Our VPN no-log approach is at the core of Moonlock. Our Service is designed to ensure that we do not monitor, record, store, or share your online activities.

Specifically:

• We do not collect or store your browsing history, connection timestamps, IP addresses, session information, traffic logs, or any other usage data related to your online activities.
• When you use the Service, our VPN servers keep no connection logs, so your connections are kept private.
• Our systems are intentionally built to eliminate the storage of sensitive data, ensuring that your activities remain private and untraceable-even to us.

We do not pass information about your online activities to any third party.

Please note: this section applies to you when you run website MacPaw and Moonlock website: MacPaw uses cookies and similar technologies, including tracking technologies from third parties, which may collect information about you via the Websites and across other online services.

We preserve your privacy when we collect your Personal Data for our internal analytical purposes. We have developed our own analytics data module that removes any Personal Data and Personally Identifiable Information when you do not provide your consent (including Google clientid, Google gclid) and replaces it with random identifiers that cannot be directly linked to you, so that we gather only aggregated information. For more details about how we use this technology, as well as processing your Personal Data when you consent to it, please see our Cookie Policy. To find more about how we conduct customer surveys, and other marketing and analytics campaigns when we rely on your consent, go to the section “Customer Surveys and Conducting Analytics Campaigns” below.

We provide information on purposes we collect your Personal Data for and legal basis we rely on, in table format. Where processing is based on your consent, we will identify the processing purposes and provide you with an immediate consent form containing relevant information.

We receive information from third-party business partners, including Marketing Data and Product(s) and Usage Data. Some third-party applications and services that work with Us may request permission to access Your Personal Data. These applications will notify You and seek Your consent. Please review such permissions and their privacy policies carefully, as Personal Data collected by third parties is governed by their own policies.

Your Personal Data is primarily processed within the European Economic Area (EEA). When transferred outside the EU/EEA, We rely on Standard Contractual Clauses in most cases, and confidentiality obligations to ensure it is handled responsibly. We maintain the highest security standards to protect Your Personal Data in transit and at rest. For more information, see section “Security and Confidentiality” below.

The table below provides details on the recipients of Your Personal Data, the purposes of sharing, and the transfer mechanisms ensuring secure transmission.

For more information about the listed Third Parties whom we engage for marketing and analytics, follow section “Conducting Customer Surveys and other Interactions” below.

For more information about Third Parties whom we engage for marketing and analytics via Site, follow Our Cookie Policy.

We also receive Personal Data when you participate in a focus group, contest, activity, or event, request support, interact with our social media accounts, or otherwise communicate with MacPaw. We interact with you upon your consent.

All MacPaw account holders will continue to receive transactional messages related to our Product(s), even if you unsubscribe from promotional emails. Transactional messages mean important communication with you that, for example, may concern software setup, payment confirmation, or any updates to our Products and licenses. The legal basis for sending you transactional messages is the performance of the Terms of Service with you.

When you use Our Services and Products, we can also use Your Contact data to send you customer and satisfaction surveys. We will use the results of the surveys to improve our Products and Services and deliver You the customized content. By doing so, we rely on your consent.

We have developed and implemented an internal Data Retention and Destruction Policy that governs processing activities and scenarios we have carefully developed for each specific activity, specific terms for keeping your Personal Data, the legal basis we rely on, and justifications, as well as data destruction methods when retention periods expire.

We store your Personal Data:

• For the fulfillment of our contractual obligations and providing services under EULA, we keep your data during the term of the EULA. To find out more, please refer to the EULA.
• For the purpose of sending you newsletters, we keep your data for as long as we retain your consent. You may revoke your consent at any time by clicking “unsubscribe” in the email footer.
• For the fulfillment of tax and accounting obligations in accordance with our legal obligations, we will retain your personal data usually for 10 years (depending on the applicable law).
• When we process your data for the purposes of exercising your rights as the data subject and respond to your access requests, we will retain your data for 5 years.
• When we process your data for the purpose of establishing, exercising, or defending against legal claims, we will keep the data for as long as it is necessary to defend our specific rights and interests, and, in the case of a dispute, until the final execution of the binding decision of the competent supervisory authority.

Upon expiration of data storage, we will securely destroy your data in accordance with our Data Retention and Destruction Policy and applicable laws and regulations.

If we seek to retain your personal data on file on the basis that a further opportunity may arise in the future, we will inform you with notice, seeking your explicit consent to retain your personal data for a fixed period on that basis.

If you believe that we are keeping your data illegally, please send the respective notice request to [email protected]. We will review your request at our earliest convenience and delete your data unless we are required by law to keep it for a longer period, or unless we can demonstrate legitimate grounds for processing that override your interests, rights, and freedoms. If deletion is impossible, we will securely store your personal data and isolate it from any further processing until deletion is permitted.

We are committed to protecting the privacy and security of Your Personal Data. We have recently achieved ISO 27001 certification for Our Product, demonstrating our dedication to maintaining a high standard of information security management. This internationally recognized standard sets requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

Here’s how we ensure the security and confidentiality of Your Personal Data:

• Information Security Policies: We have established a comprehensive set of information security policies that guide our data protection practices, which are regularly reviewed and updated to remain effective;
• Access Control: Access to personal data is strictly controlled. We employ user authentication, role-based access controls, and encryption to prevent unauthorized access to your data;
• Data Encryption: Your personal data is encrypted both in transit and at rest using industry-standard encryption methods to prevent unauthorized access or disclosure;
• Risk Management: We conduct regular risk assessments to identify potential security threats and vulnerabilities. This proactive approach helps us to implement effective measures to mitigate identified risks.
• Security Awareness and Training: Our employees receive regular training on information security and data protection best practices to ensure they understand the importance of maintaining data privacy.
• Incident Management: We have established a comprehensive incident response plan to quickly and effectively address any security incidents or breaches. This includes processes for detection, containment, investigation, and communication.
• Data Integrity and Accuracy: We implement measures to ensure the accuracy and completeness of personal data and prevent unauthorized alterations.
• Physical and Environmental Security: Our data centers and office locations are protected by physical security controls such as access restrictions, surveillance, and environmental controls to safeguard against physical threats.
• Supplier Security and Vendor Check: We assess and monitor our suppliers and vendors to ensure they meet our high standards of data protection and information security

• Regular Audits and Continuous Improvement: As part of our ISO 27001 certification, we conduct regular internal and external audits of our ISMS to identify areas for improvement and ensure ongoing compliance with security standards.

Find our ISO 27001 certification by following this link.

We have developed a strong Incident Response Plan that, inter alia, in case of a Data Breach, will take all reasonable steps to investigate, contain, and report the Data Breach to you.

If the data breach is likely to result in a high risk to your rights and freedoms, we will communicate the Personal Data breach to you without undue delay via email and instruct you on mitigation measures. In case our communication channel with you is compromised by the incident, we will notify you using media channels, and this Site in particular.

Breaches of this Privacy Notice by staff, contractors, or officers of MacPaw will be dealt with under MacPaw’s internal grievance and disciplinary policy and may lead to a disciplinary sanction.

You have the following rights in respect to Your Personal Data, including the right to access, correct, or delete Personal Data. You can:

• Have Your Personal Data corrected or deleted. You may ask Us to correct information You think is inaccurate or completely delete all information that We hold about You by emailing: [email protected]
• Access Your Personal Data report by submitting a request at [email protected]. This report will include the Personal Data We have about You, provided to You in a structured, commonly used, and portable format.
• Object to Us processing Your Personal Data. It is Your right to lodge an objection to the processing of Your Personal Data by emailing: [email protected] if You feel the “ground relating to Your particular situation” applies. The only reasons We will be able to deny Your request is if We can show compelling legitimate grounds for the processing, which override Your interest, rights and freedoms, or the processing is for the establishment, exercise or defence of a legal claim.
• Withdraw consent on marketing emails, including when We use Your Personal Data to send You marketing emails. We only send marketing communications to You with Your prior consent, and You may withdraw Your consent at any time by clicking the “unsubscribe” link found within MacPaw emails and changing Your contact preferences. Please note You will continue to receive transactional messages related to Our Product(s), even if You unsubscribe from marketing emails.
• Withdraw consent. This right only exists where We are relying on consent as a legal basis to process Personal Data about You (“Consent Withdrawal”).
• Without prejudice to any other administrative or judicial remedy, You have the right to appeal to a supervisory authority if You consider that the processing of Personal Data relating to You is in breach of the applicable laws and regulations. If You’re based in the European Economic Area (EEA) and think that We haven’t complied with data protection laws, You have a right to lodge a complaint with Your local supervisory authority. You can find the list of supervisory authorities via this link.
• Request to know more details about the categories or specific pieces of Personal Data We collect (including how We use and disclose this Personal Data), to delete their Personal Data, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights.

You may have other rights as may be provided by Data Protection Laws.

You will not have to pay a fee to access Personal Data about You (or to exercise any of the other rights outlined above). However, except in relation to Consent Withdrawal, We may charge a reasonable fee if Your request is clearly unfounded, repetitive, or excessive, or, We may refuse to comply with Your request in these circumstances.

We may need to request specific information from You to help Us confirm Your identity and ensure Your right to access Personal Data about You (or to exercise any of Your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact You to ask You for further information in relation to Your request to speed up Our response.

We try to respond to all legitimate requests within one (1) month (i.e. 30 calendar days). Occasionally it may take Us longer than a month if Your request is particularly complex or You have made a number of requests. In this case, We will notify You and keep You updated.

Data Protection Officer

To communicate with Our Data Protection Officer, please use our dedicated email channel [email protected].

We may need to update this Privacy Notice to keep pace with changes in our Product(s), Services, our business, and the laws applicable to us and you. We will, however, always maintain our commitment to respect your privacy. We will notify you of any material changes that impact your rights under this Privacy Notice by email or popup notification (to your most recently provided email address) or post any other revisions to this Privacy Notice, along with their effective date, in an easy-to-find area by following this link. Therefore, we recommend that you periodically check back here to stay informed of any changes. Please note that your continued use of MacPaw after any change means that you agree with and consent to be bound by the new Policy. If you disagree with any changes in this Privacy Notice and do not wish your information to be subject to it, you will need to stop using the Site and/or Product(s).

You may contact Us with any questions relating to this Privacy Notice by e-mailing to our customer support: [email protected], or to communicate with Our Data Protection Officer, please use our dedicated email channel [email protected].

This section provides details about rights of California consumers under the California Consumer Privacy Act (“CCPA”) and California’s Shine the Light law. Therefore, this section applies only to residents of California, United States.

1. CCPA (CPRA)

In addition to the rights listed above, CCPA provides you with the following rights:

1. Right to know what Personal Data is sold or shared and to whom. Under that title, you have the right to request that we disclose to you:

• The categories of Personal Data that we collected about you.
• The categories of Personal Data that we sold or shared about you and the categories of third parties to whom the Personal Data was sold or shared, by category or categories of Personal Data for each category of third parties to whom the Personal Data was sold or shared.
• The categories of Personal Data that we disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

You may request such information by contacting us by e-mailing to [email protected]. Please reference California Privacy Rights in your subject line.

2) The Right to Opt Out of Sale or Sharing and limit Use of Personal Data. We may share certain information about you with our partners for purposes of targeted advertising or data analytics, which could in certain circumstances be characterized as “selling,” “sharing,” or “targeted advertising” under California laws. You have the right to opt-out of such sale/sharing of your Personal Data by contacting us via [email protected].

We will also strive to recognize and process your opt-out preference signal as soon as possible after receiving it.

3) The right not to be discriminated against. Under this title, you have a right not to be discriminated against for exercising any of your rights under the California Privacy Rights Act (CPRA).

b. Access rights under California’s Shine the Light

California also provides its residents with additional access rights. Under Shine the Light law, the residents may ask companies once a year what Personal Data they share with third parties for those third parties' direct marketing purposes. Learn more about what is considered to be Personal Data under the statute.

To obtain this information from us, please send an email message to [email protected], which includes “Request for California Shine the Light Privacy Information” on the subject line and your state of residence and email address in the body of your message. Please be aware that not all information sharing is covered by the “Shine the Light” requirements and only information on covered sharing will be included in our response.

This section provides details about individuals residing in the United Kingdom and details additional rights they have under the United Kingdom Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation (GDPR) which is retained EU law after Brexit. Therefore, this section applies only to UK residents.

Your Rights and Choices in the UK

As a UK resident, You have several rights in relation to Your Personal Data under this Privacy Notice, including:

• Right to be informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your personal data and your rights. This is why we’re providing you with the information in this Addendum.
• Right of access: You have the right to obtain access to your personal data (if we’re processing it) and certain other information (similar to that provided in this Privacy Notice). This is so you’re aware and can check that we’re using your personal data in accordance with data protection law.
• Right to rectification: You are entitled to have your personal data corrected if it’s inaccurate or incomplete.
• Right to erasure: This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your personal data where there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.
• Right to restrict processing: You have the right to ‘block’ or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your personal data, but may not use it further.
• Right to data portability: You have the right to obtain and reuse your personal data in a structured, commonly used, and machine-readable format in certain circumstances. In addition, where certain conditions apply, you have the right to have such information transferred directly to a third party.
• Right to object to processing: You have the right to object to us processing your personal data for our legitimate interests or for direct marketing purposes (including in each case any related profiling).
• Right to withdraw consent: If we have obtained your consent to process your personal data for certain activities (for example, for profiling your suitability for certain roles), or consent to market to you, you may withdraw your consent at any time.
• Rights related to automated decision-making and profiling: You have the right not to be subject to a decision when it’s based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.

To exercise any of these rights at any time, please contact us using the details in our “Contact Us” section of this Privacy Notice.

In accordance with UK data protection laws, we will handle your request related to these rights with care and in a timely manner. If you are not satisfied with our response, you also have the right to lodge a complaint with the UK’s data protection authority, the Information Commissioner’s Office (ICO). For more information, visit https://ico.org.uk/.

Data Retention and Erasure

We retain your Personal Data for as long as necessary to offer the Product and/or provide the Services you have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our policies.

Upon your request, and where it is possible, we will delete your personal data or anonymise it so that it no longer identifies you, unless, we are legally allowed or required to maintain certain personal data, including situations such as:

• If there’s an unresolved issue relating to your account, such as an outstanding credit on your account or an unresolved claim or dispute we will retain the necessary personal data until the issue is resolved;
• Where we are required to retain the personal data for our legal, tax, audit, and accounting obligations, we will retain the necessary personal data for the period required by applicable law; and/or,
• Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our customers.