Privacy Policy
Last updated: February 20261. Introduction
M00N Report ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use M00N Report ("Service").
2. Information We Collect
We collect the following categories of information to provide and improve the Service:
Account Information: When you create an account, we collect your email address, name, organization details, and a securely hashed version of your password.
Social Login Data: If you sign in using a social login provider (e.g., Google), we collect your provider user ID, email address, display name, and avatar URL. This data is stored in association with your account to facilitate seamless authentication.
SSO Data: If your organization uses Single Sign-On (SSO), we collect your SSO provider ID and subject identifier. Supported SSO providers include Okta, Azure AD, Google Workspace, Auth0, and custom OIDC-compliant identity providers configured by your organization.
Test Data & Artifacts: We store test results, test cases, launches, runs, steps, errors, and related metadata that you submit through the Service. Artifacts - including screenshots (PNG/JPEG), videos (WebM/MP4), Playwright trace files, logs, and any other uploaded files - are stored in S3-compatible object storage (MinIO).
Jira Integration Data: If your organization enables the Jira integration, we collect and store your Atlassian account ID, Jira cloud ID, site URL, site name, and OAuth tokens (encrypted at rest). We also cache issue metadata such as summaries, statuses, project keys, and issue types to provide a seamless integration experience.
Audit Log Data: We record IP addresses and user agents for SSO authentication events, as well as user actions on test cases, to maintain a complete audit trail for security and compliance purposes.
Usage Data: We automatically collect information about how you interact with the Service, including access times, pages viewed, and features used.
Device Information: We collect information about the device and browser you use to access the Service, including IP address, browser type, and operating system.
Notification Configuration: If your organization configures notifications, we store SMTP credentials (encrypted at rest), webhook URLs for Slack, Microsoft Teams, Discord, and Telegram, as well as recipient email lists used to deliver test run notifications.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process transactions and send related information
- Send technical notices, updates, and support messages
- Respond to your comments, questions, and requests
- Monitor and analyze trends, usage, and activities
- Detect, investigate, and prevent security incidents
- Comply with legal obligations
4. Data Sharing
We do not sell your personal information. We may share your information with:
- Atlassian/Jira: When the Jira integration is enabled by your organization, test details, error messages, and links are sent to Atlassian's servers to create and link Jira issues. This data sharing is governed by Atlassian's Privacy Policy.
- Social Login Providers: OAuth authentication flows are conducted with Google (and future providers such as GitHub and Microsoft). These flows are governed by the respective provider's privacy policies.
- SSO Identity Providers: OIDC/SAML authentication flows are conducted with identity providers such as Okta, Azure AD, Google Workspace, Auth0, or custom providers configured by your organization.
- Notification Services: Test run summaries and notification data are sent to Slack, Microsoft Teams, Discord, Telegram, or custom webhook endpoints configured by your organization.
- Email Services: Notification emails are sent via SMTP servers configured by your organization.
- Service Providers: Third parties that help us operate the Service, including hosting, analytics, and payment processing providers.
- Business Transfers: In connection with a merger, acquisition, or sale of assets.
- Legal Requirements: When required by law or to protect our rights.
- With Your Consent: For any other purpose with your explicit consent.
5. Third-Party Integrations
The Service supports optional third-party integrations. Each integration is governed by the applicable third party's own privacy policy and terms of service.
Jira/Atlassian: When enabled by your organization administrator, test result data (including error details and links) flows to Atlassian's servers to create and manage Jira issues. OAuth tokens used for this integration are encrypted at rest using AES-256-GCM. You can disconnect the Jira integration at any time, at which point cached Jira metadata is deleted. See Atlassian's Privacy Policy.
Social Login: When you sign in via a social login provider (e.g., Google), we receive your email, display name, and avatar URL from the provider. You can unlink a social login from your account settings at any time. See Google's Privacy Policy.
Single Sign-On (SSO): SSO is organization-managed. When your organization configures SSO, authentication flows pass through your identity provider (Okta, Azure AD, Google Workspace, Auth0, or a custom OIDC provider). We receive only the claims necessary for authentication and profile information from your IdP.
Notifications: When your organization configures notifications, test run summaries are sent to the configured webhook endpoints (Slack, Teams, Discord, Telegram) or via SMTP email. The data sent includes test run names, pass/fail counts, and links back to M00N Report.
Users can revoke integration access at any time through their account or organization settings.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Test data retention periods depend on your subscription plan. You can request deletion of your data at any time by contacting support.
7. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS) and at rest
- AES-256-GCM encryption for all stored credentials, including Jira OAuth tokens and SMTP passwords
- Bcrypt hashing for user passwords
- Presigned URLs with 24-hour expiry for secure artifact access
- Regular security assessments and audits
- Access controls and authentication requirements
- Row-level security (RLS) for multi-tenant data isolation
8. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Object to or restrict processing of your data
- Request data portability
- Withdraw consent at any time
To exercise these rights, please contact us at privacy@m00nreport.com.
9. Local Storage and Tracking Technologies
M00N Report uses browser local storage and session storage - not cookies - to provide core functionality. The following storage keys are used:
Strictly Necessary (Authentication):
m00n_auth_token- JWT authentication token to keep you signed inm00n_auth_user- Cached user profile for the current session
Functional (UI Preferences):
m00n_selected_project- Last selected project- Other UI preference keys for layout and display settings
Session Storage (Temporary):
m00n_oauth_pending- Temporary state during OAuth login flowsm00n_version_reload- Version check flag for cache busting
No third-party tracking cookies or analytics are currently used by M00N Report. We do not use Google Analytics, Mixpanel, or any similar tracking services.
If analytics or tracking technologies are added in the future, we will update this policy and obtain your consent before activating any non-essential tracking.
For more details, see our Cookie Policy.
10. Data Processing and Sub-Processors
To deliver the Service, we use the following categories of sub-processors:
- Cloud Hosting: Infrastructure providers that host the application and database services
- Object Storage: S3-compatible storage (MinIO) for test artifacts including screenshots, videos, and trace files
- Email Delivery: SMTP services configured by your organization for sending notifications
For self-hosted deployments, all data processing occurs on your own infrastructure. No data is transmitted to M00N Report' servers except for optional license validation and telemetry (with your explicit consent).
11. Sensitive Content in Artifacts
Screenshots, videos, Playwright trace files, and other artifacts uploaded to the Service may contain personally identifiable information (PII) or other sensitive data from the applications under test. Please be aware of the following:
- M00N Report does not scan, analyze, or inspect the content of uploaded artifacts
- Users and organizations are responsible for ensuring that uploaded artifacts comply with their own data protection policies and applicable regulations
- Artifacts are isolated per organization using row-level security (RLS) and accessed exclusively via presigned URLs with limited expiry
- We recommend reviewing artifacts before upload to ensure no unauthorized sensitive data is included
12. Self-Hosted Deployments
For self-hosted deployments, your test data remains on your infrastructure. We only collect license validation data and optional telemetry (with your consent) to improve the product.
13. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.
14. Children's Privacy
The Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.
16. Contact Us
If you have any questions about this Privacy Policy, please contact us at:
Email: privacy@m00nreport.com