Moku — Privacy Policy
Last updated: 25 May 2026
Effective date: [TO BE SET WHEN PUBLISHED]
1. About this policy
This Privacy Policy explains how Moku ("Moku", "we", "us", or "our") handles your personal information when you use the Moku mobile application (the "App") and any related services (together, the "Service").
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For users outside Australia, additional rights may apply under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA) — see §13.
This Privacy Policy is incorporated into our Terms of Service.
2. What we collect
We collect only what we need to make the App work. There are four buckets:
2.1 Information you give us directly
| What | Source | Required? |
|---|---|---|
| Apple user ID | Sign in with Apple | Required after 5 anonymous scans |
| Email address (often a private Apple relay) | Apple shares this if you allow it | Optional |
| Display name | Apple shares this on first sign-in if you allow it | Optional |
| Health goal (e.g. "Eat healthier", "Blood sugar", "Pregnancy") | Onboarding | Required to personalise output |
| Dietary restrictions (e.g. "Gluten", "Dairy") | Onboarding | Optional |
| Pregnancy details — region (AU/UK/US), trimester, due date | Pregnancy mode only | Required if you select Pregnancy mode |
2.2 Food images
When you scan a food, the image is transmitted to Google's Gemini API for AI analysis and a result is returned. We do not retain the food image on our servers. See §4.2 for what Google does with it.
2.3 Information we generate when you use the App
| What | Purpose |
|---|---|
| Scan results (food name, "Go for it"/"Maybe not" decision, glucose impact, AI explanation, tags) | Saved to your history (local + cloud sync if signed in) |
| Scan timestamp | History ordering, daily limit enforcement |
| Goal active at scan time | So your history shows context |
| Device timezone (X-Client-Timezone header) | To apply the daily 5-scan limit on your local calendar day |
| Subscription status | To know whether to show the paywall |
| Anonymous device identifier (Apple's identifierForVendor) | For analytics — see §2.4 |
| Session token (JWT) | Stored in iOS Keychain so you stay signed in |
2.4 Anonymous usage analytics (Statsig)
We use Statsig to track aggregate, anonymous events about how the App is used:
- Events: scan_started, scan_completed, scan_error, result_dismissed
- Properties: decision (yes/no), glucose impact, food name, error code, latency
These events are tied to an anonymous device identifier, not your name or email. We use them to improve the App.
2.5 Crash and performance diagnostics
We use Sentry, a crash reporting service, to capture crash logs and basic performance metrics so we can fix bugs faster. This data is:
- Anonymous — not linked to your Apple ID, email, or name
- Limited to technical details (stack traces, device model, OS version, app version, crash timestamps)
- Used solely to diagnose and fix issues in the App
2.6 What we do NOT collect
- Your real-time location
- Apple HealthKit data (steps, blood glucose readings, etc.)
- Contacts, photos library (other than the food image you actively choose to scan)
- Phone number
- Payment card details (Apple handles all billing — we never see your card)
- Any free-text input (we never offer a text field for you to describe food)
3. Why we collect it (legal basis)
Under Australian law, we collect personal information because it is reasonably necessary to provide the App and the Service you've requested (APP 3).
For users in the EU/UK, our legal bases under GDPR Art. 6(1) are:
| Purpose | GDPR basis |
|---|---|
| Providing the core App (auth, scans, sync, history) | Contract (Art. 6(1)(b)) |
| Subscription billing and fraud prevention | Contract + legitimate interests (Art. 6(1)(b), (f)) |
| Anonymous analytics to improve the App | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations (e.g. tax, breach notification) | Legal obligation (Art. 6(1)(c)) |
For sensitive pregnancy data (Art. 9 GDPR / sensitive information under the Privacy Act), our basis is your explicit consent when you select Pregnancy mode.
4. Who we share information with
We do not sell your personal information. We share it only with the following service providers, each acting as our processor:
4.1 Apple (Sign in with Apple, App Store, in-app billing)
- What: Apple user ID, optional email and name, subscription events
- Where: US and globally distributed Apple infrastructure
- Privacy policy: apple.com/legal/privacy
4.2 Google (Gemini API)
- What: Food image + a prompt describing your goal and dietary restrictions
- What Google does with it: Generates a response. Per Google's API terms applicable to paid Gemini API use, image inputs are not used to train their models.
- Where: Google data centres (US and other regions per Google's routing)
- Privacy policy: policies.google.com/privacy
4.3 RevenueCat (subscription management)
- What: Apple user ID, subscription status, transaction events
- Where: US (AWS)
- Privacy policy: revenuecat.com/privacy
4.4 Cloudflare (backend infrastructure)
- What: All API traffic. Our database (D1) stores your profile, scan history, and subscription record.
- Where: Cloudflare's global edge network; D1 primary region: Western North America (WNAM)
- Privacy policy: cloudflare.com/privacypolicy
4.5 Statsig (anonymous analytics)
- What: Anonymous event data (see §2.4)
- Where: US
- Privacy policy: statsig.com/legal/privacy
4.6 Sentry (crash reporting)
- What: Anonymous crash logs and basic performance metrics (see §2.5). Configured in fully anonymous mode — no user ID, email, or name attached to events.
- Where: United States (Sentry's default region)
- Privacy policy: sentry.io/privacy
4.7 Other circumstances
We may also disclose personal information:
- To comply with a law, court order, or lawful government request
- To investigate suspected fraud, security incidents, or breaches of our Terms
- In connection with a sale, merger, or restructure of Moku (we will notify you and your data will remain protected under terms no less protective than this Policy)
We will not sell or rent your personal information for marketing purposes.
5. Cross-border data transfers (APP 8)
Because the third parties above operate globally, your personal information is processed in countries other than Australia, including the United States and other regions where our providers operate.
Under APP 8.1, we take reasonable steps to ensure overseas recipients handle your information consistently with the APPs. We do this by:
- Using providers who publish privacy commitments aligned with the GDPR and/or Privacy Act
- Relying on contractual terms in our service agreements with each provider
- Choosing providers with recognised security certifications (e.g. SOC 2, ISO 27001) where available
You consent to these cross-border transfers when you use the App. By doing so, you acknowledge that overseas privacy regimes may differ from the Privacy Act, and that we may not be accountable under the Privacy Act for an act or practice of an overseas recipient where you have consented to the disclosure (APP 8.2(b)).
6. How long we keep your information
| Data | Retention period |
|---|---|
| Account profile (goal, restrictions, pregnancy details) | While your account exists. Deleted on account deletion. |
| Scan history | While your account exists. Capped at 50 most recent items locally; full history in the cloud while signed in. Deleted on account deletion. |
| Subscription records | While your account exists + 7 years after for tax/accounting (Australian Taxation Office requirement) |
| Webhook events from RevenueCat | 90 days (audit log) |
| Anonymous analytics (Statsig) | Per Statsig's retention policy. Not linkable to your identity. |
| Crash and performance logs | Per the crash reporting provider's retention policy. Not linkable to your identity. |
| Food images sent to Gemini | Not retained by us. Google's retention per its API terms. |
When you delete your account (Profile → Delete account in the App, or via trymoku.ai/delete-account), we delete:
- Your user record
- All profiles linked to your account
- All scan history
- Your subscription record
Cascading deletion is enforced at the database level. Records held by Apple, RevenueCat, and Google remain subject to their own retention policies.
7. How we protect your information
- Encryption in transit: all API traffic uses HTTPS/TLS
- Encryption at rest: Cloudflare D1 encrypts data at rest
- Authentication: Sign in with Apple — we never see or store passwords
- Session tokens: JWTs stored in iOS Keychain (hardware-backed where available); 60-second clock-skew tolerance to avoid spurious sign-outs
- API keys: Stored as Cloudflare Worker secrets, never bundled in the App binary
- Access control: Worker endpoints require a valid session token; the worker enforces per-user data isolation
- Content safety: Gemini API safety filters (BLOCK_MEDIUM_AND_ABOVE for explicit/hate/harassment/dangerous categories)
No system is 100% secure. We do our best, but cannot guarantee against all risks.
8. Your rights
8.1 Under the Australian Privacy Act (APPs 12 & 13)
You have the right to:
- Access the personal information we hold about you
- Correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading
- Opt out of direct marketing (we don't currently send marketing — see §10)
- Complain about how we handle your information (see §14)
To exercise these rights, email [email protected]. We will respond within 30 days.
8.2 Under GDPR (EU/UK users)
In addition to the above, you have the right to:
- Erasure ("right to be forgotten")
- Data portability — receive your data in a machine-readable format
- Restriction of processing in certain circumstances
- Object to processing based on legitimate interests
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with your local data protection authority
8.3 Under CCPA/CPRA (California users)
You have the right to:
- Know what personal information we collect and how we use it
- Delete your personal information
- Correct inaccurate information
- Opt out of "sale" or "sharing" of personal information (we do not sell or share)
- Non-discrimination for exercising your rights
8.4 How to delete your data the fast way
The fastest way to delete everything we have on you is in-app: Profile → Delete account → Confirm. This is a one-tap permanent deletion. No email required.
9. Data breach notification
If we suffer a data breach that is likely to result in serious harm to any individual, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act
- Notify affected users as soon as practicable
For EU/UK users, we will also notify the relevant data protection authority within 72 hours where required under GDPR Art. 33.
10. Direct marketing
We do not currently send marketing emails. If we ever do, it will only be to users who have signed in and provided an email, and you will be able to opt out at any time via an unsubscribe link.
We will never share your contact details with third-party advertisers.
11. Children's privacy
The App is intended for users 17 years and older. We do not knowingly collect personal information from anyone under 17.
If you believe a child under 17 has used the App, please contact [email protected] and we will delete the account.
We do not target advertising to children and do not collect data triggering COPPA (US Children's Online Privacy Protection Act) obligations.
12. Cookies and tracking
The App is a native iOS app and does not use browser cookies.
We do not use third-party advertising trackers or share data with data brokers. The App does not currently implement Apple's App Tracking Transparency (ATT) prompt because we do not track you across other companies' apps or websites.
13. International users
The App is operated from Australia. If you access the App from outside Australia, you consent to the transfer of your personal information to Australia (and to the third-party countries listed in §4).
13.1 European Economic Area / UK / Switzerland
Where we transfer your personal data outside the EEA, UK, or Switzerland, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable. You can request a copy of these safeguards by emailing [email protected].
13.2 California
We do not sell or share personal information as those terms are defined under the CCPA/CPRA. We have not done so in the past 12 months. To exercise your CCPA rights, email [email protected] with the subject "CCPA Request".
14. Complaints
If you believe we have breached the Australian Privacy Principles or mishandled your personal information:
- Contact us first at [email protected] with the subject "Privacy Complaint". We will acknowledge within 7 days and respond substantively within 30 days.
- If unresolved, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
  - Website: oaic.gov.au
  - Phone: 1300 363 992
  - Post: GPO Box 5288, Sydney NSW 2001
15. Changes to this Policy
We may update this Policy from time to time. When we do:
- We will update the "Last updated" date at the top of this page
- For material changes affecting how we use your data, we will notify you in-app or by email (where we have one) at least 14 days before the change takes effect
- Continued use of the App after the effective date constitutes acceptance
16. Contact
Email: [email protected]
Web: trymoku.ai/support
Operator: Moku, located in New South Wales, Australia
© 2026 Moku. All rights reserved.