Privacy policy

We keep it short and human.

MOO is run by Scrum Facilitators. We collect the minimum data needed to make the daily MOO ritual work for your team, and we never sell it. This page explains exactly what we store, why, and what you can do about it.

Last updated: 16 May 2026

1. Who we are

MOO is operated by Scrum Facilitators (https://www.scrumfacilitators.com). When this policy says "we", "us" or "MOO", that's who we mean. MOO is offered through the website at getmoo.app and the native iOS app.

2. What we collect

We collect three buckets of data, all tied to your account:

  • Account data: your name, email address and a bcrypt-hashed password. If you sign in with Google, we also store your Google account ID so we know it's you next time.
  • Project & team data: the projects you create, the people you invite to them, and which role each person has.
  • Your daily MOO entries: the shape you pick (Nice / Just / Nasty) and the three short lines you write, with the date and the project they belong to.
  • Billing data (Pro only): if you upgrade to Pro, we store the Stripe customer ID and subscription ID. We do not store any card details. Stripe handles all payment information.

We do not run analytics SDKs, advertising trackers, or session recording. The site uses one essential cookie (an HTTP-only session token) and that's it.

3. How we use it

  • To run the product: show your projects to the right people, save your daily MOO, render the team overview and analysis.
  • To bill you (Pro only): pass your seat count to Stripe and receive subscription status updates back via webhook.
  • To contact you about your account: e.g. a billing receipt or a security notice. No marketing emails without an explicit opt-in.

4. Who can see your data

Inside MOO, only members of a project can see that project's data. Team leads and project admins can see everyone's entries for that project; regular members can see the team Overview but not the management screens.

We share data with these third-party processors, only to the extent needed to make MOO work:

  • Vercel: hosts the website and API. Sees request logs.
  • Scrum Professionals (database host): stores the encrypted MySQL data.
  • Stripe (Pro only): processes payments and stores your billing details.
  • Google: if you choose to sign in with Google, Google sees the OAuth exchange. We only ask for your name, email and Google account ID.

We do not sell, rent or trade your data with anyone else. We never share entry contents with third parties.

5. Where it lives

Account data and MOO entries are stored in an encrypted MySQL database hosted in the European Union. Payment metadata is held by Stripe in line with their global infrastructure. Backups are kept for 30 days and then deleted.

6. How long we keep it

  • Active accounts: indefinitely, while your account exists.
  • Deleted accounts: when you delete your account, we remove your user record. Project memberships, invites and your MOO entries are removed with it (the database uses ON DELETE CASCADE). Backups age out within 30 days.
  • Cancelled Pro subscriptions: the customer record at Stripe is deleted; on our side we drop the Stripe customer and subscription IDs from your user row.

7. Your rights (GDPR)

Under the GDPR you have the right to access, correct, export, restrict, or delete the personal data we hold about you, and to object to its processing.

  • Access & correction: in-app, on the Account page (web or iOS).
  • Export: Pro users can export their project's MOO entries as CSV from the Analysis page. For account data or other projects, email us at info@scrumfacilitators.com.
  • Deletion: in-app, on Account → Danger zone → Delete account. Or email us; we do it manually within 7 days.
  • Complaints: you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).

8. Cookies & tracking

We use one cookie: moo_session, an HTTP-only, signed JWT that keeps you logged in. It expires after 30 days. We do not use analytics cookies, advertising trackers, fingerprinting, or session recording on the website. The iOS app uses the iOS Keychain to store the same session token, and otherwise makes no network calls beyond the MOO API.

9. Security

Passwords are stored as bcrypt hashes (cost factor 10). Session tokens are signed with HMAC-SHA256 using a server-side secret. All traffic between you and MOO goes over HTTPS (TLS 1.2 or higher). We follow standard hardening practices but no system is bulletproof; if you spot something, please email info@scrumfacilitators.com and we'll get back to you within 48 hours.

10. Children

MOO is built for working scrum teams. We do not knowingly collect data from anyone under 16. If you believe we've stored data about a minor, email us and we'll delete it.

11. Changes to this policy

We may update this policy as MOO grows. If we make material changes (new data category, new processor, etc.) we will notify active users by email before the change takes effect. The "last updated" date at the top of this page always reflects the current version.

12. Contact

For privacy questions, data requests, or anything else covered by this policy, email info@scrumfacilitators.com. We aim to respond within 5 working days.

Scrum Facilitators
https://www.scrumfacilitators.com