Privacy Policy

Last updated: November 2025

1. Introduction

Modu ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform (the "Service"), including our website and related applications.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information Collected Automatically

When you interact with our Service, we automatically collect certain information:

  • Device Information: We create a device fingerprint using a SHA-256 hash derived from your user agent, screen resolution, language preference, and timezone. This helps us prevent duplicate votes.
  • IP Address & Geolocation: Your IP address is anonymized before storage by removing the last octet (IPv4) or last 80 bits (IPv6). The anonymized IP is converted to country, city, and region data for analytics purposes. We cannot identify individuals from the anonymized IP addresses.
  • User Agent String: We collect and store your user agent, from which we extract device type, browser name, and operating system.
  • Interaction Timestamps: We record when you vote, submit suggestions, or view pages.
  • Page Views: We track which boards and polls you access, including referrer information.

2.2 Information You Provide

You may voluntarily provide:

  • Email Address: If you choose to verify your identity or subscribe to notifications, you provide your email address, which we store permanently.
  • Suggestions & Comments: Any free-text suggestions or feedback you submit are stored in our database and may be analyzed, clustered, and shared with board administrators.
  • Profile Information: Any custom profile data you choose to provide may be stored.
  • Admin Account Information: Administrators provide email addresses and passwords, which we store securely.

2.3 Information Collected from Board Administrators

Board administrators additionally provide:

  • Company name and subdomain
  • Email addresses and password hashes
  • Team member emails and role assignments
  • Board configuration and customization data
  • Integration credentials (stored encrypted)
  • Theme preferences and custom branding

3. How We Use Your Information

We use the collected information for:

  • Service Delivery: To provide, maintain, and improve our polling platform and features.
  • Vote Deduplication: To prevent duplicate voting using device fingerprinting and user identification.
  • Analytics: To analyze voting patterns, geographic distribution, device statistics, and engagement metrics.
  • Spam Prevention: To detect and prevent abuse through rate limiting and device/IP/email bans.
  • Suggestion Clustering: To group similar suggestions using artificial intelligence (see Section 5).
  • Communication: To send you notifications, updates, and emails about polls you participated in (if opted-in).
  • Authentication: To verify your identity through magic links and email verification.
  • Compliance: To comply with legal obligations and enforce our Terms of Service.
  • Security: To detect fraudulent activity and maintain the security of our platform.

4. Data Storage and Retention

Retention Policy: We retain your data indefinitely. Vote records, suggestions, email addresses, and device fingerprints are stored permanently in our PostgreSQL database unless you request deletion or the board administrator deletes the content.

Temporary Data: Email verification tokens expire after 15 minutes. Password reset tokens expire after 60 minutes. Administrative invitation tokens expire after 7 days by default.

Note: We currently do not have an automated data deletion system. Board administrators can manually delete suggestions, and admins can delete user accounts, but historical records may persist.

5. Artificial Intelligence and Third-Party Services

5.1 OpenAI Integration

To provide suggestion clustering functionality, we send suggestion text to OpenAI's API for processing. This includes:

  • The full text of your suggestion
  • Associated metadata (poll ID, timestamp)

Important: Do not submit sensitive personal information, trade secrets, or confidential data in suggestions. OpenAI may retain API request data in accordance with their Privacy Policy.

5.2 Email Service Providers

We use Resend or SMTP-based email services to send notifications and verification emails. Your email address and email content are shared with these services in accordance with their privacy policies.

5.3 Geolocation Services

We use the geoip-lite library to convert IP addresses to geographic locations. This process occurs locally without sharing your IP address with external services.

5.4 Google OAuth (Admin Authentication)

Administrators may optionally use Google OAuth for sign-up and login. Google receives your email address and name in accordance with their Privacy Policy.

5.5 Pexels Integration

Background images are sourced from Pexels. We do not share personal data with Pexels, but images are served from their CDN with standard web analytics.

5.6 Optional Integrations

Board administrators may optionally connect integrations with Slack, Google Sheets, Jira, and other tools. If enabled, poll data, vote counts, and suggestion information may be shared with these services. Credentials are encrypted and stored securely on our servers.

5.7 Plausible Analytics

We use Plausible Analytics, a privacy-friendly web analytics service, to understand how visitors use our marketing website. Plausible does not use cookies and does not collect personally identifiable information. Data collected includes page views, referrer sources, and general location data (country-level only). All data is anonymized and aggregated. Learn more at Plausible's Privacy Policy.

5.8 Google Ads Conversion Tracking

We use Google Ads conversion tracking (Google Tag) to measure the effectiveness of our advertising campaigns and improve our marketing. Google may collect information about your visits to our website, including page views, clicks, and conversions. This data is used to measure ad performance and may be combined with data from other Google services. Google Ads uses cookies to track conversions. Learn more about how Google uses data at Google's Privacy & Terms. You can opt out of personalized advertising by visiting Google Ads Settings.

6. Data Security

We implement the following security measures:

  • HTTPS Encryption: All data transmitted between your device and our servers is encrypted in transit using TLS/SSL.
  • Password Protection: Administrator passwords are hashed using bcryptjs with 10 rounds.
  • Integration Credentials: Stored encrypted using AES-256-GCM encryption.
  • Session Security: Session tokens stored as httpOnly cookies, preventing XSS attacks.
  • Rate Limiting: Redis-based rate limiting prevents brute force attacks and spam.
  • Device Fingerprinting: Uses SHA-256 hashing with a secret salt for non-reversible identification.

Limitation: While we implement industry-standard security practices, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data.

7. Cookies and Tracking

We use the following cookies and tracking mechanisms:

  • Session Tokens: httpOnly cookies storing JWT tokens for authentication (14-day expiry for admins).
  • Device Fingerprinting: Stored in request headers for vote deduplication (no persistent cookie).
  • Plausible Analytics: Privacy-friendly analytics without cookies. Collects anonymized page view data on our marketing site only.
  • Google Ads Cookies: Third-party cookies used by Google Ads for conversion tracking and measuring advertising effectiveness on our marketing site.

You may disable cookies in your browser settings or opt out of Google Ads personalization, but this may impair some functionality.

8. Your Rights and Choices

8.1 Access and Portability

Currently, we do not provide a user-facing data export or access request system. To request your data, please contact us at the address below. We will respond to reasonable requests within 30 days.

8.2 Deletion

If you have created an account, you can delete it at any time through your account settings. When you delete your account:

  • Your email address, profile information, and credentials are permanently deleted
  • All OAuth connections and verification tokens are removed
  • Your votes and suggestions are anonymized (your name is removed but the data remains for integrity)
  • Page view records associated with your account are deleted

Board administrators can delete individual suggestions they've created. For data deletion requests or questions, please contact us at hello@modu.io.

8.3 Email Preferences

You may opt out of notification emails by adjusting your notification preferences in your account settings or by clicking the unsubscribe link in our emails.

8.4 Device Fingerprinting Opt-Out

You cannot disable device fingerprinting for vote deduplication on public polls. However, you can verify your email address to use an email-based account instead.

8.5 California Privacy Rights (CCPA)

If you are a California resident, you may have rights to know, delete, and opt-out of sale of personal information. We do not sell personal information. To exercise your rights, please contact us.

8.6 European Privacy Rights (GDPR)

If you are in the European Union, United Kingdom, or similar jurisdiction with GDPR protections, you have rights to access, correct, delete, and restrict processing of your data. Please note that we currently have limited technical ability to fulfill GDPR data subject access requests automatically. Contact us for assistance.

9. Data Sharing and Disclosure

9.1 Board Administrators

All votes, suggestions, and analytics are visible to administrators of the board you participate in. Administrators can see email addresses, voting patterns, and detailed suggestion information.

9.2 Service Providers

We share data with third-party service providers (email services, AI platforms, cloud infrastructure) as necessary to operate the Service.

9.3 Legal Requirements

We may disclose your information if required by law, court order, or government request. We will provide notice when legally permitted.

9.4 Business Transfers

If Modu is acquired, merged, or undergoes bankruptcy, your information may be transferred as part of that transaction.

9.5 No Sale of Personal Information

We do not sell, rent, or lease your personal information to third parties for marketing purposes.

10. Children's Privacy

Our Service is not intended for users under 13 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect information from children. If we become aware of such collection, we will delete the data and take appropriate action.

11. Policy Updates

We may update this Privacy Policy periodically. Changes will be effective upon posting to the Service. Your continued use constitutes acceptance of the updated policy. We encourage you to review this policy regularly.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at:

Modu Support

Email: hello@modu.io

Website: https://modu.io

We will respond to privacy inquiries within 30 days.

13. Additional Information for Specific Jurisdictions

13.1 Canada (PIPEDA)

If you are in Canada, you have rights under PIPEDA. We handle personal information according to these principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure, accuracy, safeguarding, openness, access, correction, and complaints.

13.2 Brazil (LGPD)

If you are subject to Brazil's Lei Geral de Proteção de Dados (LGPD), you have rights to access, correct, delete, port, and object to processing. Contact us for assistance with these requests.