Privacy Policy
Last updated: April 26, 2026
1. Who we are
mood.cards is a service of Squared Lemon. When we say "we", "us", or "our" in this policy, we mean Squared Lemon, the operator of the mood.cards service.
2. Two roles we play
We act in two distinct capacities under the GDPR:
- Data controller — for the personal data of our account holders (you, the customer who signs up and manages projects).
- Data processor — for any personal data that your end-users submit through feedback cards embedded on your site. You remain the controller of that data; we process it on your behalf to provide the service.
3. What data we collect
Account data (controller)
When you create an account we collect:
- Name
- Email address
- Password (hashed, never stored in plain text)
We use this data solely to operate your account, authenticate you, and communicate service-related information.
Feedback submission data (processor)
When an end-user interacts with a mood.cards widget on your site, we may receive:
- The feedback response (rating, text, or emoji selection)
- Any context data you attach via the API (e.g. user IDs, order numbers)
- Page URL and trigger key
- Timestamp
We do not add tracking cookies, fingerprint end-users, or collect data beyond what your integration explicitly sends.
Website analytics
We use Fathom Analytics (referral link) on our marketing site and dashboard. Fathom is a privacy-focused analytics tool that:
- Does not use cookies
- Does not collect personal data
- Is fully GDPR, ePrivacy, PECR, and CCPA compliant
- Does not track individual visitors
No cookie consent banner is required for Fathom Analytics.
4. How we use data
We use the data we collect to:
- Provide, maintain, and improve the mood.cards service
- Authenticate your account and manage your projects
- Process and store feedback submissions on your behalf
- Send service-related communications (e.g. security notices)
We do not sell, rent, or share personal data with third parties for marketing purposes.
5. Where data is stored
All data is stored on servers located in the European Union. Data does not leave the EU unless you explicitly export it.
6. Data retention
- Account data is retained for as long as your account is active. If you delete your account, we remove your personal data within 30 days.
- Feedback submissions are retained for as long as the associated project exists. You can delete individual submissions or entire projects from the dashboard at any time.
7. Your rights (GDPR)
If you are located in the EU/EEA, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing of your data
- Port your data to another service
- Object to processing of your data
To exercise any of these rights, contact us at the email address listed below.
For end-users of our customers' sites
If you submitted feedback through a mood.cards widget on someone else's website, that website's operator is the data controller. Please contact them directly to exercise your rights. They may then instruct us to delete or export your data on their behalf.
8. Security
We take reasonable technical and organizational measures to protect data, including:
- Encrypted connections (TLS) for all data in transit
- Encrypted storage for sensitive data at rest
- Hashed passwords using industry-standard algorithms
- Origin validation for widget API requests
9. Third-party services
We use the following third-party services:
| Service | Purpose | Data shared |
|---|---|---|
| Fathom Analytics | Website analytics | None (cookieless, no personal data) |
| Bunny Fonts | Web font delivery (Quicksand) | IP address, browser headers (no logging, GDPR-compliant by design) |
10. Cookies and local storage
The mood.cards service uses essential cookies only — a session cookie for logged-in users and a CSRF token. We do not use tracking cookies, advertising cookies, or any third-party cookies. Because of this, we do not display a cookie consent banner.
The mood.cards widget embedded on a customer's site stores small amounts of data on the visitor's device for functional purposes only. None of these values are personal data, none are shared with third parties, and none leave the customer's site or our service:
| Key | Storage | Purpose |
|---|---|---|
| `mc_aid` | sessionStorage | Anonymous per-session ID. Used to deduplicate ratings and link a comment to its rating within a single browsing session. Cleared when the tab closes. |
| `mc_seen_<cardId>` | localStorage | Suppresses a card the visitor has already seen, when the card's visibility is set to "once" or "cooldown". Stores either "1" or a timestamp. |
| `mc_session_<cardId>` | sessionStorage | Suppresses a card for the rest of the visitor's session, when the card's visibility is set to "session". |
| `mc_config_<apiKey>` | localStorage | Caches the customer's card configuration to avoid refetching on every page load. |
These keys fall under the "strictly necessary" exemption of the ePrivacy Directive (Article 5(3)) because they are required to deliver the feedback service the visitor's host site has chosen to embed.
11. Affiliate links
When we link to a recommended third-party service we sometimes use a referral link that earns us a small commission if you sign up. We only recommend services we use ourselves and the commission never affects which tools we choose. Referral links are clearly marked as such inline.
12. Changes to this policy
We may update this policy from time to time. We will notify account holders of material changes via email. The "last updated" date at the top reflects the most recent revision.
13. Contact
For privacy-related questions or to exercise your rights, contact us at: