Privacy Policy

Midway is operated by Midway Chat, an entity based in Namibia. For any privacy-related question, request, or complaint, contact us at magnaem@midwaychat.app. We respond to verifiable privacy requests within thirty (30) days, or sooner if required by applicable law.

For data about Owners (people who sign up to use Midway), we act as a data controller: we decide why and how that data is processed.

For data about Members (people who use a chat embedded into an Owner’s site), we act as a data processor on the Owner’s behalf. The Owner is the data controller for their members’ data and decides what is collected, how it is used in their community, and how long it is retained. By embedding Midway, the Owner agrees that they are responsible for obtaining any consents required from their members under applicable law.

We collect the following categories of personal information:

• Account information (Owners). Name, email address, hashed password (handled by Memberstack), and the project metadata you create in your Midway dashboard (project name, accent colour, custom logo URL).
• Billing information (paying Owners). When you subscribe to Starter or Studio, Lemon Squeezy (our merchant-of-record) collects your billing address and payment details. We do not store full payment card numbers; we receive only the subscription identifier and status from Lemon Squeezy.
• Member identity (Members). When a Member interacts with the chat embedded into an Owner’s site, we receive the Member’s Memberstack ID, display name, and (optionally) avatar URL. We do not receive Member passwords or other Memberstack data unless the Owner explicitly shares it.
• Content. The text messages, voice notes, images, and files Members send through the chat. This Content is stored so it can be delivered, reread, and synchronised across devices.
• Usage and device data. Standard server logs (IP address, user agent, timestamps, request paths, error traces), and aggregated product analytics about feature usage.
• Communications with us. The contents of emails and support requests you send to us, retained so we can respond and so we can improve our support over time.

We do not knowingly collect special-category data (e.g. health, biometric, or religious information). If you choose to share such data through the chat, you do so at your own discretion.

We use personal information for the following purposes:

• To provide the Service. Delivering messages, identifying Members, rendering branded inboxes, syncing read receipts and reactions across devices.
• To process subscriptions. Activating and renewing paid plans, sending invoices and receipts, applying plan-based features.
• To communicate with you. Transactional emails (password resets, billing receipts, security notices). We do not send marketing emails to Owners without their explicit opt-in.
• To secure the Service. Detecting and investigating abuse, fraud, spam, and violations of our Terms.
• To improve the Service. Aggregating usage data to understand which features Owners actually use and to fix bugs. We do not sell personal information and do not share it with advertisers.
• To comply with law. Responding to lawful requests from authorities and complying with our legal obligations.

Where the EU/UK General Data Protection Regulation applies, our legal bases for processing personal information are:

• Contract. To provide the Service to Owners who have signed up, and to deliver chat features to Members on behalf of the Owner.
• Legitimate interests. To secure the Service, to improve it, to prevent abuse, and to communicate operational notices. We balance these interests against your rights and freedoms.
• Consent. Where required (for example, optional analytics or marketing emails). You can withdraw consent at any time.
• Legal obligation. To comply with applicable accounting, tax, and law-enforcement requirements.

We rely on the following service providers (“ sub-processors”) to operate Midway. Each is bound by data protection terms appropriate to its role, and each maintains its own privacy practices.

• Memberstack: member authentication and identity for both Owners and Members.
• Lemon Squeezy: payments, subscription management, and merchant-of-record obligations including tax/VAT.
• Vercel: hosting of the application, marketing site, and edge delivery.
• Neon: managed PostgreSQL database for account, project, conversation, and message data.
• Ably: real-time transport layer that delivers messages, typing indicators, and presence updates.
• Vercel Blob: encrypted object storage for voice notes, image attachments, and uploaded files.

We may add or replace sub-processors as the Service evolves; when we do so for a sub-processor that handles personal data, we will update this list and, where required by law or contract, notify affected Owners.

Midway is operated from Namibia. Our sub-processors operate primarily from the United States and the European Union, which means your personal information will be transferred to and stored in those regions. Where required, we rely on the European Commission’s Standard Contractual Clauses, or equivalent safeguards offered by the sub-processor, to protect those transfers.

We use commercially reasonable technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, or destruction. These include:

• Encryption in transit (HTTPS / TLS) for all client traffic.
• Encryption at rest for the database and for blob storage of uploaded media.
• Access controls limiting employee access to production data to the minimum necessary, with audit logging of administrative actions.
• Webhook signatures (HMAC) for billing events from Lemon Squeezy, so we can verify subscription changes are genuine.
• Routine dependency and security updates of the Service.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in risk to your rights, we will notify affected Owners without undue delay and in accordance with applicable law.

• Account data. Retained while your Midway account is active. If you close your account, we delete account data within 30 days, except where we are legally required to keep it (for example, accounting records for subscriptions).
• Message Content. Retained until you (or the Owner) delete it, or until the Owner closes the project, at which point we delete it within 30 days.
• Billing records. Retained for at least seven (7) years, as required by applicable tax and accounting rules.
• Server logs. Retained for up to 90 days for debugging and abuse-investigation purposes, then deleted or aggregated.

Depending on where you live, you have some or all of the following rights with respect to your personal information:

• Right of access. Ask for a copy of the personal data we hold about you.
• Right to rectification. Ask us to correct inaccurate or incomplete data.
• Right to erasure. Ask us to delete your personal data, subject to our legal retention obligations.
• Right to restriction. Ask us to limit how we process your data while a request is being resolved.
• Right to portability. Ask for your data in a structured, machine-readable format.
• Right to object. Object to processing based on our legitimate interests.
• Right to withdraw consent. Where we rely on consent, withdraw it at any time without affecting prior lawful processing.
• Right to complain. Lodge a complaint with the data protection authority in your jurisdiction.

To exercise any of these rights, email magnaem@midwaychat.app. If you are a Member contacting us about data the Owner controls, we may forward your request to the relevant Owner.

Midway uses strictly necessary cookies and similar storage to keep you signed in, to remember your project selection, and to provide real-time chat features. We do not currently use advertising cookies, cross-site tracking pixels, or session-replay tools. If this changes we will update this policy and request consent where required by law.

Midway is intended for adult community owners and is not directed to children. Owners must not knowingly enable use of Midway by children below the age of digital consent in their jurisdiction (which is 13 in the United States and ranges from 13 to 16 across EU member states). If we become aware that we have collected personal data from a child without verified parental consent, we will delete it promptly.

You can close your account at any time from your Midway dashboard, or by emailing magnaem@midwaychat.app. On account closure we delete your account data and project content within 30 days, except where retention is required by law (such as accounting records).

We may update this Privacy Policy from time to time. When we make material changes we will update the effective date at the top of this page and, where appropriate, notify you by email or via the dashboard. Continued use of the Service after a change constitutes acceptance of the updated policy.

Questions, requests, or complaints can be sent to magnaem@midwaychat.app.