← Back to MockMonster

Privacy Policy

Last updated: 2026-05-14

This Privacy Policy explains how MockMonster ("we", "us") collects, uses, and protects your personal data when you visit our site or buy a mockup. The policy is written to comply with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and applies to all visitors regardless of where they're located.

1. Data controller

The data controller responsible for processing your personal data is the operator identified in our Imprint. You can reach the controller by email at support@mockmonster.com. We have not appointed a formal Data Protection Officer because we are not required to under Art. 37 GDPR; data-subject requests should be sent to the same email.

2. What we collect & why

The table below summarises every personal data we collect, why, and the legal basis under Art. 6 GDPR.

Data	Purpose	Lawful basis	Retention
Email + display name	Account creation, sign-in, transactional emails (purchase receipts, password reset)	Art. 6(1)(b) — performance of contract	Until you delete your account
Profile picture (only if you signed in via Google / Discord / Facebook OAuth)	Display in your account settings + on reviews you write	Art. 6(1)(b) — performance of contract	Until you delete your account or switch sign-in methods
Purchase records (transaction id, amount, currency, tax breakdown, buyer country)	Process the purchase, deliver the file, generate the invoice	Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — tax-law obligation	7 years (NL) / 10 years (DE) under tax-record-keeping rules, then deleted
Billing address (collected by Stripe Checkout)	Invoice + tax-rate determination	Art. 6(1)(c) — tax-law obligation	Same as purchase records (7–10 years)
Working-copy mockup data (your art uploads, layer adjustments, blend settings)	Sync your customisations across devices when signed in	Art. 6(1)(b) — performance of contract	Until you delete the working copy or your account
Article 16(m) consent record (timestamp + wording version)	Prove that you waived the 14-day withdrawal right at checkout	Art. 6(1)(c) — legal obligation (CRD record-keeping)	Same as the related purchase record
IP address + browser fingerprint (collected transiently by Stripe + Supabase for fraud prevention)	Detect chargeback fraud, bot scraping, abusive sign-ups	Art. 6(1)(f) — legitimate interests (security, fraud prevention)	Logs typically rotate within 30 days at Stripe / Supabase
Crash / error logs (Sentry — your user-id UUID only, no email or PII)	Diagnose bugs in production so we can fix them	Art. 6(1)(f) — legitimate interests (service reliability)	90 days, then automatically purged by Sentry
Reviews you write (your display name + review text + star rating)	Display public reviews on listing pages	Art. 6(1)(b) — performance of contract	Until you delete the review or your account

3. Where your data lives (sub-processors)

We don't run our own database or send our own emails — we use established service providers ("sub-processors") who handle parts of the technical infrastructure on our behalf. We've signed a Data Processing Addendum with each one.

Sub-processor	What it does	Where	Safeguard for non-EU data
Supabase, Inc.	Database, authentication, file storage	EU region (Frankfurt) + US infra for some services	Standard Contractual Clauses (SCCs, EU 2021/914) + Supabase EU data residency
Stripe Payments Europe Ltd. (and Stripe US for international card processing)	Payment processing, billing-address capture, invoice issuance, payouts	Ireland (EU) + US	SCCs + Stripe's EU-US Data Privacy Framework participation
Netlify, Inc.	Static-site hosting, CDN delivery	US (global CDN edge nodes)	SCCs + EU-US Data Privacy Framework
Sentry (Functional Software, Inc.)	Browser error monitoring (your UUID + browser/OS info only — no PII)	US	SCCs + Sentry's documented EU residency option (we operate the standard US tier)
jsDelivr / Cloudflare	Public CDN for DOMPurify (XSS sanitiser). No personal data flows here — just static JS bundles you fetch.	Global (Cloudflare edges)	No personal data shared — only public asset delivery
Google / Discord / Facebook (only if you use OAuth)	Sign-in (you choose whether to use them; email/password is also available)	US-headquartered, global delivery	Their own DPF / SCC participation; we receive only the data you consented to share with us

4. We do NOT do

• Sell your personal data to anyone.
• Use third-party analytics or advertising trackers (no Google Analytics, no Facebook Pixel, no TikTok, no Meta).
• Use cookies for advertising or behavioural profiling.
• Make automated decisions that have a legal or similarly significant effect on you (no automated denials, profiling-based pricing, etc.).
• Process special-category data (race, health, religion, etc.) — you don't need to submit any to use the service.

5. Cookies and local storage

We use a small number of strictly necessary cookies and browser localStorage:

• Supabase auth session (cookie + localStorage key sb-…-auth-token) — keeps you signed in. Expires when your session ends or after Supabase's configured refresh window.
• Theme + UI preferences (localStorage key mockup_theme) — remembers light/dark choice across visits.
• Working-copy cache (localStorage key mockmonster_user_edits) — your in-progress mockup customisations, so reloading the page doesn't lose them.
• Stripe Checkout sets its own session cookies on the Stripe domain (checkout.stripe.com) — these aren't ours, but we link to them.

None of these are used for marketing or cross-site tracking. They're all strictly necessary for the service to function. We don't currently use a cookie consent banner because EU/EDPB guidance allows strictly-necessary cookies to be set without prior consent.

6. Your rights under GDPR

You have the following rights regarding your personal data:

• Access (Art. 15) — request a copy of the personal data we hold about you.
• Rectification (Art. 16) — correct any inaccurate data. You can update most data yourself in Account Settings.
• Erasure (Art. 17, "right to be forgotten") — delete your account and associated data. Settings → Privacy → Delete Account, OR email us. We retain transaction records for the tax-law minimum (7–10 years) even after erasure, but flag them as anonymised — your email and display name are stripped.
• Restriction (Art. 18) — restrict processing while a dispute is resolved.
• Portability (Art. 20) — receive your data in a machine-readable format (JSON export) on request.
• Objection (Art. 21) — object to processing based on legitimate interests (e.g. Sentry error monitoring). We'll honour the request unless we have compelling lawful grounds that override your interests.
• Withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time. Doesn't affect processing already done.
• Complain to a supervisory authority (Art. 77) — if you believe we've mishandled your data you can complain to your home country's Data Protection Authority. NL: Autoriteit Persoonsgegevens. DE: BfDI or your state DPA. Other countries: see edpb.europa.eu/about-edpb/about-edpb/members_en.

Send any rights request to support@mockmonster.com. We respond within 30 days (extendable by 60 days for complex requests under Art. 12(3)).

7. Data security

• All connections to mockmonster.com are encrypted in transit (HTTPS / TLS 1.2+).
• Database access is gated by Row Level Security policies (every query is scoped to the requesting user automatically).
• Payment card data never reaches our servers — Stripe Checkout handles it directly on stripe.com. We're PCI-DSS SAQ-A.
• Files (uploaded designs, mockup outputs) are stored in Supabase Storage with bucket-level access controls.
• We use Sentry to monitor for errors so we can patch security issues quickly.

8. Children's privacy

Our service is intended for users aged 16 or older. We don't knowingly collect personal data from children under 16. If you believe a child has provided data, contact us and we'll delete it.

9. International transfers

Some of our sub-processors (Stripe US, Netlify, Sentry) are headquartered or operate infrastructure outside the European Economic Area, mostly in the US. We rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the EU-US Data Privacy Framework to safeguard those transfers. The level of protection of your data is equivalent to the EEA standard.

10. Changes to this policy

We can update this policy from time to time. Material changes are announced in-app and/or by email at least 14 days in advance; minor clarifications are published with an updated "Last updated" date at the top. Past purchases are governed by the version current at the time of purchase.

11. Contact

Questions about this policy or your data? Email support@mockmonster.com. For our full legal contact details see the Imprint.