Legal

Privacy Policy

Effective: April 14, 2026

This Privacy Policy explains how Mouda collects, uses, stores, and protects information when you use www.mouda-ledger.com and the Mouda application (together, the “Service”). We use your data to provide and improve the Service. By using the Service, you agree to the practices described here.

1. Who we are

Mouda is a product of Leemurcapital LLC, a California limited liability company (“Mouda,” “we,” “us,” or “our”). For users in the European Economic Area, the United Kingdom, and Switzerland, Leemurcapital LLC acts as the data controller for personal data processed through the Service. You can reach our privacy team at support@mouda-ledger.com.

2. Information we collect

We only collect information you provide directly, information we need to operate the Service, and information you authorize us to read on your behalf. Specifically:

  • Account data — your email address, password hash, display name, timezone, plan, and authentication identifiers issued by our auth provider.
  • Bank and card transaction data — when you connect a financial institution through Plaid, we receive read-only transaction records (date, amount, merchant description, account type) and account metadata (institution name, masked account number). We never receive your bank login credentials, and we cannot move funds. You can disconnect a linked institution at any time from Settings.
  • Ledger and budget data — transactions classified to a prop firm, your monthly profit goal and expense limit, manually-entered transactions, and any category overrides you make.
  • Billing metadata — Stripe customer ID, subscription status, and plan. Card numbers are handled and stored exclusively by Stripe; we never see or store full card details.
  • Feedback submissions — when you use the in-app Feedback channel, we store the type (bug / idea / other), title, body, any screenshots you attach, the page you submitted from, and whether you opted in to be contacted about your submission.
  • Support requests — your email address and the contents of any support message you send us, plus IP address and user-agent string for abuse prevention.
  • Service operation data — application logs, request metadata, and security events that are required to operate, secure, and debug the Service.

3. How we use your information

We process your personal data for the purposes below. Where we are subject to GDPR, the lawful basis for each purpose is shown in brackets.

  • Provide the Service — fetch your transactions through Plaid, classify them by prop firm, render dashboards and ledger views, and surface your budget status. [Performance of a contract — Art. 6(1)(b)]
  • Bill paid subscriptions and process renewals or cancellations. [Performance of a contract — Art. 6(1)(b)]
  • Send transactional email — account confirmation, password resets, billing receipts, and security alerts. [Performance of a contract — Art. 6(1)(b)]
  • Respond to your feedback and support requests. [Performance of a contract — Art. 6(1)(b)]
  • Keep the Service secure — rate limiting, abuse detection, and audit logging. [Legitimate interests — Art. 6(1)(f)]
  • Comply with legal obligations such as tax, accounting, and lawful requests from authorities. [Legal obligation — Art. 6(1)(c)]
  • Send product updates or marketing email where you have opted in. [Consent — Art. 6(1)(a). You can opt out at any time without affecting any prior processing.]

4. How we share information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share the minimum data necessary with vetted sub-processors who process your data on our behalf under their respective terms. Our V1 sub-processors are:

  • Plaid Inc. — links your financial institutions and provides read-only access to your transactions. Plaid handles your bank credentials directly; Mouda never sees them. See Plaid’s own end-user privacy policy.
  • Stripe, Inc. — processes payments and stores card data on our behalf.
  • Supabase (Postgres, Auth, Storage) — hosts our primary database, authentication system, and file storage for support and feedback attachments.
  • Amazon Web Services (AWS KMS) — manages the master key used to envelope-encrypt sensitive tokens, including Plaid access tokens.
  • Upstash, Inc. — hosts the Redis queue we use to schedule background sync jobs.
  • Vercel Inc. — hosts the marketing site and the application.
  • Resend, Inc. — delivers transactional email on our behalf, such as support replies and account notifications.

We may add additional sub-processors — for example, error tracking, product analytics, or status monitoring — as the Service grows. Material additions will be reflected here before they take effect.

We may also disclose information when required to comply with a valid legal process, to enforce our Terms of Service, or to protect the rights, property, or safety of Mouda, our users, or the public. If we are involved in a merger, acquisition, or asset sale, your data may transfer to the successor subject to this Privacy Policy.

5. Your rights and choices

You have meaningful control over your information. Email support@mouda-ledger.com to exercise any of the rights below. We may need to verify your identity before acting on a request, and we respond within the timeframe required by applicable law (30 days under GDPR; 45 days under CCPA / CPRA).

Rights for everyone

  • Access and export — request a copy of your data from your Settings page or by emailing us.
  • Correction — correct inaccurate or incomplete information.
  • Deletion — delete your account from Settings or by emailing us. Data is purged within 60 days, subject to backup-rotation timelines and any legal-retention requirements (for example, tax and billing records).
  • Marketing opt-out — opt out of marketing email at any time using the unsubscribe link in any marketing message, or by emailing us. Transactional emails — account confirmation, password resets, billing receipts, and security alerts — cannot be opted out of while you maintain an account.

Rights under GDPR (EEA, UK, Switzerland)

  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests or to direct marketing.
  • Right to restrict processing — ask us to pause processing while a request is investigated.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
  • Right to lodge a complaint — with your national data-protection authority (in the UK, the Information Commissioner’s Office).

Rights under CCPA / CPRA (California residents)

This section is the notice at collection and the disclosure required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

  • Categories of personal information collected — identifiers, commercial information (subscription status), financial information (transaction records you authorize us to receive through Plaid), internet-or-network activity (usage logs, device data), and inferred geolocation from IP address.
  • Right to know — request the specific pieces and categories of personal information we have collected about you.
  • Right to delete and right to correct — same as described above.
  • Right to opt out of sale or sharing — Mouda does not sell your personal information and does not share it for cross-context behavioral advertising. There is therefore no sale or share to opt out of. If this ever changes, we will update this policy and provide a compliant opt-out mechanism first.
  • Right to limit use of sensitive personal information — Mouda does not use sensitive personal information for any purpose beyond providing the Service.
  • Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of quality because you exercised a CCPA right.

Authorized agents may submit requests on your behalf with verifiable written permission.

6. Security, retention, and international transfers

Security

We use industry-standard safeguards to protect your information. All traffic is TLS-encrypted with HSTS. Sensitive secrets — most notably your Plaid access tokens — are protected by envelope encryption: a master key in AWS KMS protects per-user data-encryption keys, which in turn encrypt the secret values. Row-level security isolates users at the database layer, so one user’s queries cannot reach another user’s data. Administrative access is restricted and audited, and access tokens are never written to logs. Uploaded feedback screenshots are MIME- and size-restricted, and we strip image metadata (EXIF) on upload.

Retention

  • Active-account data is retained for the life of your account.
  • After you delete your account, user data is purged within 60 days.
  • Database backups are retained in line with our hosting provider’s standard backup retention and expire automatically.
  • Support and feedback submissions are retained for 2 years after closure for quality and pattern analysis, then purged.
  • Billing and tax records are retained as required by applicable law.

International transfers

Our sub-processors may process your data in the United States and other jurisdictions outside your home country. Where transfers are subject to GDPR or UK GDPR, they are protected by Standard Contractual Clauses or other lawful safeguards. Email support@mouda-ledger.com to request a copy of the relevant safeguards.

7. Cookies and tracking

The Service uses a small number of first-party cookies for authentication, session continuity, and theme preference. We do not use third-party advertising cookies, and we do not participate in cross-site tracking. Where required by applicable law, we will display a cookie notice on your first visit.

8. Children

Mouda is not directed at children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided information to us, contact support@mouda-ledger.com and we will delete it.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or in-product notice at least 14 days before they take effect. The “Effective” date at the top of this page reflects the current version.

10. Contact

Leemurcapital LLC
Privacy team: support@mouda-ledger.com