MOSSGOD PRIVACY NOTICE

Effective Date: 30 Dec 2026
Last Updated: 19 Dec 2025

ARTICLE 1: FUNDAMENTAL PRINCIPLES & SCOPE

1.1. Purpose and Commitment. This comprehensive Privacy Notice, issued by MOSSGOD, establishes our firm commitment to transparency and the ethical stewardship of your personal data. It governs the collection, processing, storage, transfer, and protection of Personal Information (as defined herein) for all users of the website mossgod.com and the MOSSGOD Wellness Membership. This Notice is an integral, binding part of the MOSSGOD Terms of Service.

1.2. Comprehensive Acceptance. By accessing the Site, creating an account, enrolling in the Service, or otherwise submitting your Personal Information to us, you expressly acknowledge that you have read, comprehended, and voluntarily consent to all data practices described in this Notice. If you do not agree with any provision herein, you must immediately cease all use of the Site and Service.

1.3. Notice Modifications and Updates. We reserve the unilateral right to amend this Notice at our discretion to reflect operational, technological, or legal developments. Material changes that reduce your rights or expand our use of your data will be communicated via the email address associated with your account and a prominent website banner for a minimum of thirty (30) days prior to implementation. Your continued use of the Service following the effective date of revised terms constitutes your binding acceptance. The “Last Updated” date indicates the most recent revision.

ARTICLE 2: LEGAL & TECHNICAL DEFINITIONS

2.1. Core Terminology. For the unambiguous interpretation of this Notice:
1. “Personal Information” (PI) means any information relating to an identified or identifiable natural person, encompassing all data points detailed in Article 3.
2. “Processing” signifies any operation performed on PI, whether automated or manual, including collection, recording, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
3. “Controller” refers to MOSSGOD, which determines the purposes and means of Processing.
4. “Processor” denotes a third party that Processes PI on behalf of and under the explicit instructions of the Controller.
5. “Data Subject” is the identified or identifiable person to whom the PI relates.
6. “Consent” means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes, demonstrated by a clear affirmative action.

2.2. Governing Law Definitions. Where applicable, PI includes:
“Personal Information” as defined by the California Consumer Privacy Act (CCPA), as amended by the CPRA.
“Personal Data” as defined by the General Data Protection Regulation (GDPR) and the UK GDPR.

ARTICLE 3: CATALOG OF PERSONAL INFORMATION COLLECTED

We collect PI falling into the following statutory and commercial categories:

| Category | Specific Data Elements Collected | Primary Collection Source |
|---|---|---|
| Identifiers | Real name, postal address, online identifier, Internet Protocol (IP) address, email address, account name, telephone number. | Directly from you; Automated collection. |
| Commercial Information | Records of products or services purchased, obtained, or considered; Membership tier history; purchasing tendencies. | Directly from you; Transactional systems. |
| Financial Data | Payment card primary account number (PAN), card expiration date, CVV code, bank account details for ACH. Note: Full PAN is encrypted and vaulted with our PCI-DSS Level 1 compliant processor; we retain only a token and last four digits. | Directly from you via secure payment gateway. |
| Internet/Network Activity | Browsing history, search history, information regarding interaction with the Site or advertisements, device fingerprint (browser type/version, OS, screen resolution, plugins), clickstream data, log files. | Automated technologies (Cookies, Pixels). |
| Geolocation Data | Generalized location derived from IP address (city, state, country). We do not collect precise real-time geolocation. | Automated technologies. |
| Audio/Visual Data | Recordings of customer service calls for quality assurance and training, with prior notification. | Directly from you (call recordings). |
| Inferences | Profiles reflecting predicted preferences, behavior patterns, and aptitudes derived from the above data. | Internal analytics and profiling. |

ARTICLE 4: LEGAL BASES & PURPOSES FOR PROCESSING

We Process your PI based on one or more of the following lawful grounds and for the specified purposes:

4.1. Performance of a Contract (Article 6(1)(b) GDPR): Processing necessary for the fulfillment of the Membership agreement you enter into with us.
Purpose Examples: Account creation and management; processing enrollment fees and monthly payments; order fulfillment, shipping, and returns; provision of customer support; sending essential transactional communications.

4.2. Legitimate Interests (Article 6(1)(f) GDPR): Processing necessary for our legitimate business interests, balanced against your rights and freedoms.
Purpose Examples: Network and information security monitoring; fraud prevention and detection; internal analytics for service improvement; direct marketing of similar products/services (subject to opt-out); administration of IT systems.

4.3. Legal Obligation (Article 6(1)(c) GDPR): Processing necessary for compliance with a legal obligation to which we are subject.
Purpose Examples: Maintaining accounting records as required by tax law; responding to lawful requests from law enforcement or regulators; compliance with consumer protection laws.

4.4. Consent (Article 6(1)(a) GDPR): Processing based on your explicit, prior consent, which you may withdraw at any time.
Purpose Examples: Sending promotional emails for non-similar products or third-party offers; deploying non-essential cookies and tracking technologies; processing any Sensitive Personal Information not otherwise covered above.

ARTICLE 5: DETAILED DISCLOSURE OF INFORMATION SHARING

5.1. Categories of Recipients. We disclose your PI to the following categories of third parties for business purposes:
Core Service Providers (Processors): Entities bound by strict data processing agreements (DPAs). This includes our payment gateway (Stripe), cloud hosting provider (AWS), email delivery service (SendGrid), shipping and logistics partners (FedEx, UPS), and customer support platform (Zendesk).
Analytics & Marketing Partners: Such as Google Analytics (for site traffic analysis) and Facebook Pixel (for conversion tracking and ad measurement). These partners may collect data directly via cookies as joint controllers in certain contexts.
Professional Advisors: Lawyers, auditors, and consultants bound by duties of confidentiality.
Government & Law Enforcement: When required by a valid subpoena, court order, or similar legal process, or when necessary to prevent imminent physical harm or illegal activity.

5.2. No Sale of Personal Information. MOSSGOD does not and will not “sell” your Personal Information as that term is traditionally understood or as defined under the CCPA (i.e., exchanging PI for monetary consideration). We do not share PI with third parties for cross-context behavioral advertising.

5.3. International Data Transfers. Your PI may be transferred to, stored, and processed in countries outside your country of residence, including the United States, where data protection laws may differ. We ensure all such transfers are governed by appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) for transfers from the EEA/UK, and we will provide you with a copy upon request.

ARTICLE 6: DATA SECURITY, RETENTION, & INTEGRITY PROTOCOLS

6.1. Organizational and Technical Security Measures. We implement a risk-based, layered security program incorporating:
Technical Measures: Encryption of data in transit (TLS 1.2+) and at rest (AES-256); regular vulnerability scanning and penetration testing; network segmentation; stringent access controls and multi-factor authentication for administrative systems.
Organizational Measures: Mandatory privacy and security training for all personnel; strict contractual security obligations for all Processors; a designated internal data protection lead; and documented incident response procedures.

6.2. Precise Data Retention Schedule. We retain PI only as long as necessary for the fulfillment of the purposes stated in Article 4, or as required by law.

| Data Category | Retention Trigger | Retention Period |
|---|---|---|
| Account and Membership Data | Date of account closure or Membership termination. | 7 years from the end of the fiscal year in which the relationship ended (for tax and legal audit purposes). |
| Transactional & Payment Data | Date of transaction. | 7 years from the transaction date (for financial record-keeping). |
| Customer Service Communications | Date of communication. | 3 years from the date of the communication. |
| Website Analytics Data | Date of collection. | 26 months from collection, aggregated thereafter. |

6.3. Data Integrity. We take reasonable steps to ensure that PI within our control is accurate, complete, and current for its intended use.

ARTICLE 7: DATA SUBJECT RIGHTS & REQUEST PROCEDURES

7.1. Catalog of Available Rights. Depending on your jurisdiction, you may exercise the following rights:
Right of Access: To request a copy of the specific PI we hold about you.
Right to Rectification: To correct inaccurate or incomplete PI.
Right to Erasure (“Right to Be Forgotten”): To request deletion of your PI, subject to legal exceptions.
Right to Restrict Processing: To limit the way we use your PI under certain conditions.
Right to Data Portability: To receive a structured, commonly used, machine-readable copy of PI you provided, for transfer to another controller.
Right to Object: To object, on grounds relating to your particular situation, to Processing based on legitimate interests. You have an absolute right to object to direct marketing.
Rights Related to Automated Decision-Making: To not be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning you.
Right to Non-Discrimination (CCPA): To not receive discriminatory treatment for exercising your privacy rights.
Right to Opt-Out of Sale/Sharing (CCPA/CPRA): As stated in 5.2, we do not sell or share PI for cross-context behavioral advertising.

7.2. Formal Request Submission Process. To exercise any right, you or your authorized agent must submit a verifiable consumer request via:
Email: [privacy-requests@yourdomain.com]
Web Portal: [https://yourdomain.com/privacy-request]
Postal Mail: [Your Company’s Legal Name], Attn: Data Protection Officer, [Your Physical Address]

The request must provide sufficient detail for us to understand, evaluate, and respond, and must include your full name and a means of verification.

7.3. Our Verification and Response Protocol.
1. Verification: We will verify your identity by matching information provided in the request with information we maintain. For requests via an agent, we require proof of written authorization and will verify both identities.
2. Response Timeline: We endeavor to respond to verifiable requests within forty-five (45) calendar days. We may extend this period by an additional forty-five (45) days upon prior notification, explaining the reason for the delay.
3. Appeals Process (Where Required): If we decline to take action on your request, we will inform you of the reason and provide instructions for appealing the decision.

ARTICLE 8: COOKIES & AUTOMATED DECISION-MAKING

8.1. Explicit Cookie Policy. The Site utilizes the following cookie categories:
Strictly Necessary: Essential for Site operation (e.g., shopping cart, login session). Cannot be disabled.
Performance/Analytical: Collect aggregated data on Site usage (e.g., Google Analytics). Disabling may degrade site analytics.
Functional: Remember your preferences (e.g., language, region).
Targeting/Advertising: Used by ad networks to serve relevant ads on other sites.

A detailed, real-time cookie preference center is accessible via the Site footer, allowing granular control.

8.2. Automated Decision-Making Disclosure. We do not engage in fully automated decision-making that produces legal or similarly significant effects concerning you. Fraud screening may involve algorithmic analysis, but final decisions are made with human oversight.

ARTICLE 9: CHILDREN'S PRIVACY & SENSITIVE DATA

9.1. Children’s Online Privacy Protection Act (COPPA) Compliance. The Service is not intended for individuals under the age of eighteen (18). We do not knowingly collect PI from minors. If you believe a child has provided us with PI, contact us immediately for deletion.

9.2. Sensitive Personal Information. We do not intentionally collect government IDs, biometric data, or information concerning health, race, or sexual orientation. Payment card information is processed as outlined in Article 3.

ARTICLE 10: CONTACT, COMPLAINTS, & GOVERNANCE

10.1. Data Protection Officer. For inquiries related to this Notice or our privacy practices, contact our designated point of contact:
Email: info@mossgod.com
Mailing Address: MOSSGOD, 78 John Miller Way, Kearny, NJ 07032