Privacy Policy
Last updated: 2026-05-20
This Privacy Policy explains how Darren Paul (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you use Mocksie (the “Service”).
We are the data controller for the personal data described in this Policy, except where specifically noted (for example, payment transactions, which are processed by Polar as an independent controller — see Section 5).
This Policy is written to comply with the EU General Data Protection Regulation (GDPR) and equivalent UK law (UK GDPR).
1. Who We Are
The controller of your personal data is Darren Paul. You can contact us at drobertpaul@gmail.com. Our postal address is available on request via that email.
If you have any questions about this Policy or want to exercise your rights, contact us at the email above.
We have not appointed a Data Protection Officer, as we are not required to do so under GDPR.
2. What Data We Collect
We collect the following categories of personal data.
2.1 Account Information
When you create an account, we collect:
- Email address
- Display name (if provided)
- Password (stored as a salted hash by our authentication provider; we never see your plaintext password)
- Authentication identifiers if you sign in via a third-party provider
2.2 Service Data and User Content
Any data you create, upload, or store while using the Service, including projects, mockups, uploaded images, settings, and other content. The specific categories depend on how you use the Service.
2.3 Subscription and Purchase Data
We receive limited purchase data from Polar (our Merchant of Record — see Section 5) sufficient to grant you access to paid features:
- Customer ID and email associated with the purchase
- Product purchased and subscription status
- Subscription start, renewal, and cancellation dates
We do not receive, store, or have access to your full payment card details, bank details, or billing address. That data is handled directly by Polar.
2.4 Usage and Technical Data
When you use the Service, we automatically collect:
- IP address (used briefly for security, abuse prevention, and approximate location)
- Browser type, version, and language
- Device and operating system information
- Pages visited, features used, and timestamps
- Error logs and diagnostic data
2.5 Communications
If you contact us by email or through a support form, we collect the content of your message and any contact details you provide.
2.6 Cookies and Similar Technologies
See Section 9 (Cookies) for details.
3. How We Use Your Data and Our Legal Bases
Under GDPR, we must have a lawful basis for processing your data. The bases we rely on are:
- Create and manage your account; provide the Service — performance of a contract
- Process and recognise your subscription or one-time purchase — performance of a contract
- Send transactional emails (account confirmation, password reset, billing notices, security alerts) — performance of a contract
- Operate, maintain, secure, and improve the Service — legitimate interests (running and improving our product)
- Detect, prevent, and investigate fraud, abuse, and security incidents — legitimate interests; legal obligation
- Respond to your support requests — performance of a contract; legitimate interests
- Comply with legal obligations (tax, accounting, responding to lawful requests) — legal obligation
- Send marketing emails about our products (where you have opted in) — consent
- Use non-essential analytics or marketing cookies — consent
You can withdraw consent at any time where consent is the legal basis (see Section 8).
4. Automated Decision-Making
We do not use your personal data to make solely automated decisions that produce legal or similarly significant effects on you.
5. Who We Share Your Data With
We share personal data only with the parties listed below and only as necessary to operate the Service.
5.1 Polar (Payments — Independent Controller)
Payments are handled by Polar Software Inc. (“Polar”), which acts as the Merchant of Record and is the legal seller of your subscription or one-time purchase. When you make a purchase:
- Polar collects your billing information, payment details, and tax-relevant data directly. We do not receive this data.
- Polar acts as an independent data controller for the payment transaction, not as a sub-processor of ours.
- Polar’s processing of your data is governed by Polar’s own Privacy Policy, available at https://polar.sh/legal/privacy.
- Polar shares limited data back with us (see Section 2.3) so that we can provision access to paid features.
5.2 Sub-Processors (Service Providers)
We use the following service providers to operate the Service. They process personal data only on our instructions and under contractual obligations consistent with GDPR:
- Supabase — database, authentication, and file storage
- Our hosting and content-delivery provider — serving the Service
- Our transactional email provider — account and billing notifications
- Our error-tracking provider — runtime diagnostics
An up-to-date list of sub-processors, including their locations, is available on request at drobertpaul@gmail.com.
5.3 Legal and Safety
We may disclose personal data when required to comply with a legal obligation or valid legal process, or to protect our rights, safety, or property, or those of our users or the public.
5.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred. We will notify you and provide reasonable choices before your data becomes subject to a different privacy policy.
5.5 What We Don’t Do
We do not sell your personal data. We do not share it with third parties for their own marketing purposes.
6. International Data Transfers
Some of our sub-processors are based outside the European Economic Area (EEA), including in the United States. When personal data is transferred outside the EEA, we rely on appropriate safeguards under GDPR, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU–U.S. Data Privacy Framework certification (where the recipient is certified)
- Adequacy decisions where the destination country has been recognised by the European Commission as providing an adequate level of protection
You can request more information about the safeguards in place by contacting us at drobertpaul@gmail.com.
7. How Long We Keep Your Data
We retain personal data only as long as necessary for the purposes set out in this Policy:
- Account and Service data — for the lifetime of your account; deleted within 30 days of account closure
- Subscription and purchase records — retained as required by applicable tax and accounting law (typically up to 10 years in Portugal/EU)
- Server and security logs — 90 days
- Support communications — up to 2 years after resolution
- Marketing consent records — until consent is withdrawn, then archived as proof of past lawful processing
Backups containing personal data are retained for up to 30 days after deletion of the live data, after which they are overwritten.
8. Your Rights
Under GDPR, you have the following rights in relation to your personal data:
- Right of access: obtain a copy of the personal data we hold about you
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”): request deletion of your data, subject to legal retention requirements
- Right to restrict processing: ask us to limit how we process your data in certain circumstances
- Right to data portability: receive your data in a structured, machine-readable format and transmit it to another controller
- Right to object: object to processing based on legitimate interests, including profiling, and to direct marketing at any time
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal
- Right to lodge a complaint: file a complaint with your local supervisory authority (see Section 12)
To exercise any of these rights, email us at drobertpaul@gmail.com. We will respond within one month, as required by GDPR. We may need to verify your identity before acting on the request.
You can also access, update, export, and delete much of your data directly through your account settings.
9. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Service and understand how it is used.
9.1 Strictly Necessary Cookies
These are required for the Service to function (for example, to keep you signed in, remember your preferences, and protect against attacks). They cannot be disabled.
9.2 Analytics and Performance Cookies
We use these only with your consent to understand how the Service is used and to improve it. You can accept or reject these through our cookie banner, and change your choice at any time from your account settings.
We do not use cookies for cross-site advertising tracking.
10. Security
We take appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS/TLS), encryption at rest where applicable, access controls, the principle of least privilege, and regular security reviews. No system is completely secure, however, and we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR (within 72 hours where feasible).
11. Children
The Service is not directed at children under the age of 16 (or the minimum age of digital consent in your country). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Supervisory Authority
If you are in the EU, you have the right to lodge a complaint with your national data protection supervisory authority. The Portuguese supervisory authority is:
- Comissão Nacional de Proteção de Dados (CNPD)
- Av. D. Carlos I, 134 - 1º, 1200-651 Lisboa, Portugal
- https://www.cnpd.pt
You may also lodge a complaint with the supervisory authority in your own country of residence or where the alleged infringement occurred.
13. Changes to This Policy
We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent revision. If we make material changes that affect how we use your personal data, we will notify you by email or through the Service before the changes take effect.
14. Contact
For any privacy-related questions or to exercise your rights, contact:
Darren Paul — drobertpaul@gmail.com