Privacy Policy
Last Updated: 26 February 2026
1. Introduction
Mochimota ("the Service") takes the protection of your personal information seriously. This Privacy Policy complies with the UK General Data Protection Regulation (UK GDPR) and explains how we collect, use, and protect personal information.
2. Data Controller
Data Controller: Hoshiko Tech Ltd.
ICO Registration: ZC083228
Contact: privacy@mochi-mota.com
3. Information We Collect
3.1 Information Provided by Sellers
When you list an item, we collect the following information:
- Item Information: Title, description, price, category, condition
- Contact Information: Email address (required), phone number (optional)
- Location Information: Area name and outward code only (e.g., "SW1A" - we do not store your full postcode), nearest station (optional)
- Images: Photos of the item (optional)
- Contact Preferences: Whether to display email publicly, display phone publicly, or accept messages via the contact form (chosen by the seller)
⚠️ About Contact Information Visibility
Sellers can choose their contact methods. If you select "show email" or "show phone", that information will be publicly displayed on the listing page. If you select "accept contact form", buyers can send you messages through the form without your email address being publicly exposed.
3.2 Information from Contact Form Users
When using the contact form to message a seller, we collect the following:
- Name: Displayed to the seller
- Email Address: Set as the reply-to address on the email sent to the seller
- Message Content: Forwarded to the seller via email
This information is used solely to send the email to the seller and is not stored in our database.
3.3 Automatically Collected Information
When you visit our site, the following information may be automatically collected:
- IP address
- Browser type and version
- Access date and time
- Referring URL
- Device information
3.4 Information Collected at Image Upload
When you upload images, we collect and temporarily retain the following for content moderation and legal compliance purposes:
- IP address: Retained for 30 days alongside the image, then automatically deleted
- EXIF metadata: Extracted from the image and temporarily stored in our database during content moderation. Once moderation is complete (typically within seconds), the EXIF data is automatically deleted. In edge cases where moderation does not complete (e.g., system failure), EXIF data is retained for a maximum of 30 days before automatic cleanup. EXIF data is permanently stripped from the stored image to protect your privacy. EXIF data may include GPS coordinates, device information, and timestamps embedded by your camera or phone.
3.5 Information Collected When Reporting
When you report a listing, we create a cryptographic hash of your IP address combined with the listing ID. This hash:
- Allows us to detect duplicate reports from the same source
- Cannot be reversed to obtain your actual IP address
- Is different for each listing you report (so reports cannot be linked across listings)
We do not store your raw IP address when you submit a report.
3.6 Information Collected via Complaints and Appeals
When you submit a complaint or appeal about a moderation decision (via the contact form or email), we collect and store:
- Your name and email address
- Listing ID (if provided)
- Complaint type (e.g., content removal, listing rejection)
- Message body describing your complaint
- Reference number assigned to the complaint
Lawful basis: Legal obligation — we are required to operate a complaints procedure under the UK Online Safety Act 2023, Section 21.
Retention: Complaint records are retained for 6 years after resolution. See our Complaints and Appeals Procedure for details on how complaints are handled.
4. Cookies
This service does not use its own tracking or analytics cookies. However, our infrastructure provider Cloudflare may set technical cookies for security and bot detection purposes.
- __cf_bm: A technical cookie used by Cloudflare for bot management (expires after 30 minutes)
These cookies are necessary for the proper operation and security of the service and qualify as "strictly necessary cookies" under the UK Privacy and Electronic Communications Regulations (PECR).
5. How We Use Your Information
We use the collected information for the following purposes:
- Posting and displaying item information
- Enabling communication between users (including forwarding messages via the contact form)
- Operating and improving the service
- Preventing and detecting fraudulent activity
- Complying with legal obligations
- Creating statistical data (in non-identifiable format)
6. Legal Basis (UK GDPR)
Personal data processing is based on the following legal grounds:
- Contractual Necessity: Displaying posted items and facilitating communication between users is the core function of this service and is essential for performing the contract based on our Terms of Service.
- Legitimate Interests: Maintaining service security, preventing fraudulent activity, and improving the service.
- Consent: In certain circumstances (e.g., providing optional information), processing may be based on consent.
- Legal Obligation: When required by UK law to respond to lawful disclosure requests from police or public authorities.
7. Data Retention and Protection
7.1 Retention Period
- Posted information: Retained for 30 days from the last update (posting or editing). Expired listings are automatically deleted by the system.
- Access logs: Processed in real time and not persistently stored. Cloudflare may retain edge logs for a short period as part of normal infrastructure operations.
- Image upload metadata: IP address and EXIF data deleted automatically once moderation is complete (typically within seconds). Maximum retention of 30 days for unprocessed records.
- Contact form messages: Not stored in our database (email delivery only).
- Complaint and appeal records: Retained for 6 years after resolution, in accordance with the Limitation Act 1980 civil claims window.
Child Sexual Abuse Material (CSAM) Exception
Where content is identified as potential child sexual abuse material, the uploader's IP address and EXIF metadata may be retained beyond the standard 30-day period as required by the Child Sexual Exploitation and Abuse (Reporting) Regulations 2025. This data is retained solely for the purpose of reporting to the National Crime Agency (NCA) and is subject to the retention periods specified in those Regulations.
⚠️ Fraud-Related Data Retention
Listings flagged for suspected fraud may be retained even if a deletion request is made, in accordance with UK GDPR Article 17(3)(e), for the establishment, exercise, or defence of legal claims. Data will be retained for as long as necessary for these purposes.
7.2 Security Measures
We implement reasonable technical and organisational security measures to protect personal information.
8. Disclosure to Third Parties
We do not provide personal information to third parties except in the following cases:
- Information you have chosen to make public
- When required by law
- Service providers necessary for service provision
- When necessary for fraud investigation or legal proceedings
8.1 Service Providers
This service uses the following categories of third-party providers to process personal data on our behalf:
- Cloud infrastructure and content delivery: Hosting, database, image storage, and global content delivery (Cloudflare)
- Email delivery: Transactional emails such as magic links and contact form forwarding (Resend)
- Content moderation providers: Automated checks on text and images to detect prohibited content
- Admin notification services: Internal alerts to service administrators only (no user data is shared publicly)
All providers are bound by data processing agreements. For a current list of specific providers, please contact privacy@mochi-mota.com.
8.2 Automated Content Moderation
Text Moderation: Listing titles and descriptions are automatically checked by third-party AI moderation services.
Image Moderation: Uploaded images are automatically checked by third-party content moderation services.
Image Metadata: To protect your privacy, EXIF data (GPS location, device information, etc.) is automatically stripped from uploaded images.
Right to Human Review: If you disagree with an automated decision, please contact privacy@mochi-mota.com.
9. International Data Transfers
This service uses providers located outside the United Kingdom. As a result, your personal data may be transferred outside the UK.
Cloudflare, Inc. (USA): Used for hosting, database, image storage, and content delivery. Cloudflare applies Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA) under Article 46 of UK GDPR for transfers of UK personal data.
Resend, Inc. (USA): Used for email delivery. Data is processed under Standard Contractual Clauses (SCCs).
Content moderation providers: Text and image data may be sent to third-party moderation services located in the USA or EU. Where providers are in the USA, transfers are covered by Standard Contractual Clauses (SCCs). Where providers are in the EU, transfers are covered by the UK adequacy decision.
We ensure that appropriate safeguards under UK GDPR are in place for all transfers. For more information about international data transfers, please contact privacy@mochi-mota.com.
10. Your Rights (UK GDPR)
Under UK GDPR, you have the following rights:
- Right of Access: The right to access your personal data and obtain a copy
- Right to Rectification: The right to correct inaccurate personal data
- Right to Erasure: The right to request deletion of personal data in certain circumstances
- Right to Restriction: The right to restrict processing of personal data
- Right to Data Portability: The right to receive data in a structured format
- Right to Object: The right to object to the processing of personal data
How to Exercise Your Rights
Email: privacy@mochi-mota.com
For identity verification, please contact us from the email address used when posting.
11. How to Delete Your Listing
- Magic Link: You can edit or delete your listing at any time using the link in the email sent when posting.
- Automatic Deletion: Listings are automatically deleted 30 days after the last update.
- Email Request: If you've lost the magic link, contact us at privacy@mochi-mota.com.
12. Children's Privacy
This service is not intended for use by anyone under the age of 18. If you are under 18, please do not use this service.
We prioritise child safety and use automated moderation tools to actively prevent the upload of illegal content (including CSAM). If personal information of a person under 18 or inappropriate content is detected, we will delete it immediately and report it to the relevant authorities, such as the UK National Crime Agency (NCA), as required.
13. Complaints to Supervisory Authority
If you have concerns about the handling of personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).
14. Changes to This Policy
This Privacy Policy may be updated from time to time. If we make significant changes, we will update the "Last Updated" date at the top of this page and notify you through a notice on the site. Your continued use of the service after changes are made constitutes acceptance of the updated policy.
We encourage you to review this page periodically.
15. Contact Us
Data Protection Enquiries:
privacy@mochi-mota.com
Hoshiko Tech Ltd.
16 The Mall, Surbiton, England, KT6 4EQ
16. Governing Law
This Privacy Policy and all legal matters relating to this service are governed by the laws of England and Wales.