Trust
What we keep, where the money goes, and how to leave. The short version of every promise this product makes, written in one place so you don't have to piece it together from the FAQ.
What we keep about your buyers
Almost nothing. Less data means less to leak and less to be subpoenaed over.
- The transaction itself: amount, currency, status, and the provider's event id. That's it.
- No buyer email, name, or address. Stripe and the other providers collect those for their checkout flows; they live in your provider account, not ours. Same goes for subscription buyer data. We don't mirror the provider's customer id, we don't keep card details, we don't hold anything that points back to a specific person.
- An opaque identifier you set. If you pass your own user id as metadata.customerRef at checkout, we store that string so your dashboard can show "this transaction is from user_bob_42." To us it's meaningless. To you it's the bridge into your own user system. When you need real buyer detail, follow the "View in Stripe" link on the transaction; we link out, we don't duplicate.
- No raw webhook bodies. We verify the signature, read the fields we care about, and discard the rest.
- IP addresses are never stored. We do not log, hash, or transmit IP addresses to our database. Cloudflare's edge network handles rate limiting without storing IP data on our side.
- The most personal thing on file is the merchant's account email, managed by our auth provider for sign-in. Buyers' data is not in our database.
Where your money goes
It doesn't pass through us. We never have custody of it.
When a buyer pays via Stripe, the funds settle into your Stripe account. When they pay via NOWPayments, they settle into your NOWPayments account. When they pay by mail, they arrive in your mailbox. At no point does Coin Moebius sit in the middle of that flow as the merchant of record.
Operationally, that has two consequences. We are not a money transmitter, so we are not subject to the regulations that come with holding customer funds. And if your provider account is ever frozen, the only practical effect on Coin Moebius is that the corresponding rail in your dashboard goes quiet. Your other rails keep working, and nothing about us makes the upstream freeze worse.
You can leave whenever
The whole product runs on an open-source SDK that works without us.
The open-source SDK is the load-bearing piece. It handles signature verification, runs the buy button, and talks to providers. The Cloud is a hosted webhook, a dashboard, and an encrypted secret store on top of it. Convenience, not lock-in.
If we shut down tomorrow, your site keeps working as long as you point the SDK somewhere else. There is no proprietary format you'd need to migrate out of, no buyer database you'd lose access to, and no contractual minimum keeping you here.
Where this runs
A short list of the third-party surfaces in our stack. We picked each of them on purpose, and each is replaceable.
- Cloudflare Pages (marketing + dashboard hosting)
- Cloudflare Workers (API, webhook receivers)
- Cloudflare D1 (database)
- Cloudflare R2 (object storage, when needed)
- Cloudflare KV (rate-limit + cache)
- WorkOS AuthKit (merchant sign-in only)
- Stripe (cards, your account)
- NOWPayments (crypto, your account)
- Resend (transactional email to merchants)
No third-party analytics on the marketing site or in the dashboard. No session replay. No advertising pixels. The first time a request leaves Cloudflare's edge for someone else's server is when it goes to your payment provider on your behalf.
Reporting a security issue
If you think you've found a vulnerability (in the SDK, in the Cloud, in the dashboard, or anywhere on these marketing pages), write to [email protected] with "security" somewhere in the subject line.
We aim to acknowledge security reports within two business days and to ship a fix or workaround within thirty. We do not currently run a paid bug-bounty program. We will publicly credit good-faith reporters who want credit, and will absolutely not pursue legal action against researchers acting in good faith under standard responsible-disclosure norms.
Please do not file security issues as public GitHub issues; the project repository is for code, not vulnerability triage.
The warrant canary lives on About
It belongs in one canonical place so it's easy to spot when it disappears.