Privacy Policy
Last Updated: March 2026
movd helps you find which services need your new address when you move. We scan your Gmail metadata (sender names, subject lines, dates) to identify these services — we never read your email content.
What We Collect
Data you provide:
| Data | Purpose | Required? |
|---|---|---|
| Google email address | Account identity | Yes |
| Moving date | Deadline calculations | Yes |
| Old & new state/ZIP | State-specific deadlines | Yes |
| US citizenship status | Immigration deadline filtering | Optional |
| Gender & age range | Selective Service filtering | Optional |
| Driver's license status | DMV & vehicle deadline filtering | Optional |
From your Gmail (metadata only):
- Sender name & email address
- Subject line of most recent email per sender
- Date of most recent email
- List-Unsubscribe header (to filter newsletters)
What We Never Access
- Email body text or HTML content
- Attachments of any kind
- Contacts or address book
- Calendar events
- Google Drive files
- Drafts or sent mail content
Third-Party Services
Google (Gmail API)
Read-only access to email metadata. You can revoke access anytime from Settings or your Google Account.
Anthropic (Claude AI)
For senders we can't classify automatically, we send the sender domain, company name, and one subject line to Anthropic's Claude AI. We never send your email address, physical addresses, or email content.
We do not share your data with advertisers, data brokers, analytics services, or any other third parties. We do not use tracking cookies or pixels.
Data Storage & Security
- Google refresh token: Encrypted with AES-256 (Fernet) before storage
- In transit: All connections use HTTPS/TLS
- Session: JWT stored in HttpOnly, Secure, SameSite=Lax cookie — inaccessible to JavaScript
- OAuth: PKCE flow prevents authorization code interception
Cookies
We use exactly two cookies, both essential for the app to function:
| Cookie | Purpose | Duration |
|---|---|---|
| session | JWT authentication token | 30 days |
| oauth_code_verifier | PKCE security during login | 10 minutes |
No analytics cookies. No advertising cookies. No tracking pixels.
Data Retention & Deletion
From the Settings page, you can:
- Export your data — download everything as JSON
- Disconnect Gmail — revokes access and deletes encrypted token
- Delete your account — removes profile, checklist, and all data
Your Rights
- Access — request a copy of your data (Export in Settings)
- Deletion — request deletion of your data (Delete Account in Settings)
- Portability — download your data in machine-readable JSON format
- Revoke consent — disconnect Gmail access anytime
California Residents (CCPA/CPRA)
We do not sell or share your personal information for cross-context behavioral advertising. All access, deletion, and portability rights are available via Settings.
Children's Privacy
movd is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal information, please contact us for deletion.
Contact
For privacy questions, data requests, or concerns, email us at privacy@movd.app.