This Policy describes how Momentis collects, uses, and shares information when you visit our websites, create an account, use our dashboards or APIs, sign in with Google, or otherwise interact with the Services. Capitalized terms have the meanings in the Terms above.
When you log in with Google, we collect only the basic profile information that you authorize (typically your name, email address, and profile image) via the standard **openid**, **email**, and **profile** scopes. We **do not** request access to Gmail, Drive, Calendar, or other Restricted/Sensitive Google scopes for standard login. If we ever request additional scopes, we will explain why, request your consent, and (where required) complete Google’s verification. You can revoke our access at any time in your Google Account under "Security → Third‑party access".
- Controller: Momentis (legal entity details to be updated upon incorporation).
- Email: privacy@momentis.io
- Address: To be updated
If you are in the EEA/UK, we act as controller for direct site usage and as processor where we process Personal Data on your documented instructions to provide the Services to you and your store.
Account details (name, email, password or single‑sign‑on identifier), profile details, designs and assets you upload, storefront settings, payout and tax details, and communications with us.
If you choose Google Sign‑In, we receive identifiers (e.g., Google user ID), your name, email, and profile image. We use this solely for authentication, account provisioning, and security.
Product metadata, order and fulfillment data, shipping details, returns, and customer service interactions as needed to operate your store and route orders to Fulfillment Partners.
Log files, browser/device information, IP address, timestamps, pages viewed, referring/exit pages, and interactions.
We use cookies and analogous technologies for essential functions (authentication, security), analytics (e.g., Google Analytics 4, PostHog), and (if enabled by you) advertising/retargeting pixels (e.g., Meta, Google Ads). See Section 10 (Cookies) for choices.
We use information to:
- provide, secure, and improve the Services;
- authenticate users (including via Google Sign‑In);
- create, render, and manage designs and listings;
- process and fulfill orders via Fulfillment Partners;
- enable payments, payouts, taxes, and fraud prevention via payment processors;
- provide customer support and communicate about the Services;
- comply with legal obligations and enforce our Terms; and
- analyze usage to better understand and improve performance, UX, and features.
**No ads from Google OAuth data.** Information obtained from Google via OAuth is **not** used for advertising or retargeting.
Our processing bases include: **contract** (to provide the Services), **legitimate interests** (e.g., security, product improvement, analytics), **consent** (where required by law, e.g., non‑essential cookies), and **legal obligation**.
We share information with:
- **Service providers/subprocessors** acting on our behalf (hosting, authentication, analytics, fraud, email, customer support, fulfillment, payment processing). Examples include: cloud hosting (e.g., GCP/AWS), analytics (GA4, PostHog), authentication (Google Sign‑In), payment processors (e.g., Stripe, PayPal), and print‑on‑demand/fulfillment networks.
- **Fulfillment Partners** (to make and ship your products) and e‑commerce integrations you connect (e.g., Shopify).
- **Compliance & safety** (to comply with law, respond to lawful requests, protect rights, safety, and security).
- **Business transfers** (merger, acquisition, financing, or asset sale), subject to appropriate safeguards.
We **do not sell** Personal Data. We **do not** use or transfer Google OAuth data for ads.
When we use Google OAuth:
- We request only the minimum scopes required (typically **openid**, **email**, **profile**).
- We use OAuth data **only** to provide and improve user‑facing features that are prominent in the user interface (e.g., sign‑in, account identification).
- We **do not** transfer OAuth data except (i) with your consent, (ii) as necessary for security or to comply with law, or (iii) to a service provider acting on our behalf under strict confidentiality and security obligations.
- We **do not** allow humans to read OAuth data except with your explicit consent, to comply with law, or for security/abuse investigations.
- We **do not** use OAuth data to train generalized AI/ML models.
**Revocation & deletion.** You can revoke access at any time at your Google Account → **myaccount.google.com/permissions**. If you disconnect Google or request deletion, we will delete associated OAuth tokens and identifiers within a reasonable period, subject to our retention obligations (Section 8).
Depending on your location, you may have rights to access, correct, delete, restrict, port, or object to processing of your Personal Data. You can exercise rights by emailing **privacy@momentis.io**. You may also lodge a complaint with your supervisory authority.
We retain Personal Data for as long as needed to provide the Services and for legitimate business purposes (e.g., legal, accounting, fraud prevention). Typical periods:
- Account data: retained while the account is active and for up to 24 months after closure unless a longer period is required by law (e.g., tax/transaction records).
- OAuth tokens/identifiers: deleted promptly after you disconnect Google or after 90 days of inactivity tied to OAuth, whichever occurs first, unless needed for security, fraud prevention, or legal obligations.
- Order records: retained per applicable law (e.g., 7 years for tax/accounting in some jurisdictions).
We may process and store data in countries outside your own. Where required, we implement appropriate safeguards (e.g., Standard Contractual Clauses and supplementary measures) to protect data transferred from the EEA/UK/Switzerland.
We use:
- **Essential cookies** (authentication, security, load balancing);
- **Analytics** (GA4, PostHog) to understand usage and improve the Services; and
- **Advertising pixels** only if you enable such integrations in your store.
You can manage cookie preferences via our cookie banner and in your browser settings. You can opt out of Google Analytics via browser add‑ons where available. Where required, we will request your consent for non‑essential cookies.
The Services are not directed to children under 13 (or under 16 where that is the age of digital consent). We do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data, contact us to delete it.
We implement administrative, technical, and physical measures designed to protect Personal Data (e.g., encryption in transit, access controls, logging). No system is 100% secure; please keep your credentials safe and notify us of any suspected breach.
If you are a business subject to GDPR/UK GDPR and you use the Services to process Personal Data as a controller, we will process such data as your processor under a DPA. Contact **privacy@momentis.io** to request or execute the DPA.
If you are a resident of California, Colorado, Connecticut, Utah, or Virginia, you may have additional rights, including the right to know, delete, correct, and opt‑out of certain data sharing. We do **not** sell Personal Data. To exercise rights, email **privacy@momentis.io**. We will not discriminate against you for exercising your rights.
We may update this Policy from time to time. We will post the updated Policy with a "Last updated" date and notify you of material changes.
For questions, requests, or complaints, contact **privacy@momentis.io**. For IP complaints, contact **legal@momentis.io**.
*(illustrative; subject to change and contract)*
- Cloud hosting & infrastructure (e.g., Google Cloud Platform, Amazon Web Services)
- Authentication & identity (Google Sign‑In)
- Payments & payouts (e.g., Stripe, PayPal; banks; fraud tools)
- Print‑on‑Demand & Fulfillment networks (e.g., providers you select or instruct)
- E‑commerce integrations (e.g., Shopify, WooCommerce)
- Analytics & product analytics (Google Analytics 4, PostHog)
- Email service providers & customer support tools
- Security, logging, and monitoring tools
To submit a copyright notice, email **legal@momentis.io** with: (1) your contact info; (2) description of the copyrighted work; (3) the URL or material you claim is infringing; (4) a statement of good‑faith belief; and (5) a statement under penalty of perjury that you are authorized to act. If we remove content, we may notify the uploader and provide an opportunity to submit a counter‑notice.
If you signed in with Google and want to delete data associated with that login, you may: (a) disconnect access in your Google Account; and/or (b) email **privacy@momentis.io** with the subject line **"Delete Google OAuth data"**. We will delete OAuth tokens and related identifiers, and (if requested) your account, subject to legal retention requirements.