What Mosaic sees,
and what it doesn't.

Raw captures stay on your machine, encrypted.

When the Mosaic desktop app runs, it samples your active window title every few seconds and watches for file saves you opt into. Those captures are encrypted at rest with a key generated on your computer and never sent anywhere. If you delete the app, the key is gone — even we can't recover the data.

What does leave your machine: short, Claude-generated summaries of what your day looked like. Never raw window titles. Never file contents. Never keystrokes.

A weekly summary in plain English. Nothing more.

If you're an employee using Mosaic at work, your owner sees a short, team-visibility summary your desktop chose to send up — the same one you can preview at any time on your /me/employee page. They never see your raw captures, file names, keystrokes, or the apps you had open.

Your private daily reflection is separate. It exists for you, in your own /me view, and never reaches your owner regardless of what's in it.

At the data layer, not in prompts.

When Mosaic Intelligence (the in-product chat) answers a question, the data it can read is filtered by SQL — not by an instruction in a prompt. An owner can't ask Mosaic Intelligence "what's in Sarah's reflection" and get an answer because Sarah's reflection is not loaded into the conversation. The model never sees it, so it can't accidentally reveal it.

Founders of Mosaic see aggregate signal across installs — counts, error rates, signup velocity — but never any specific client's substance. Same architectural rule.

Mosaic describes what happened. You decide what it means.

Mosaic never tells you whether a day was productive, off-task, late, or wasteful. It surfaces what the data shows; the interpretation belongs to the human reading it. That's a deliberate product choice, not a limitation we're working around.

Export, delete, walk away.

Every account can download a JSON export of everything Mosaic has on you at /me/export. Deleting your account removes all your summaries, telemetry, and installs in one operation — no waiting period, no retention games.

If you delete the Mosaic desktop app, the master encryption key on your machine goes with it. Anything captured before that point is unrecoverable. Back up data/capture/.master_key if you want to be able to read your old captures.

No ads. No sale. No third-party trackers.

Mosaic uses one third-party service: Anthropic, to call Claude for generating summaries and powering Mosaic Intelligence. Your summaries are sent to Anthropic's API per call. We don't sell data, we don't run ad networks, and we don't ship analytics pixels to anyone.

Email delivery (sign-up verification, password resets, feedback notifications) goes through Resend. Your hosting is on Render. Both are standard infrastructure and neither receives the substance of your work.

Google data is used only for features you turn on.

When you connect Google, Mosaic reads email only to draft replies you approve (and only if you enable the inbound assistant), sends only after you approve a draft, and reads your calendar to ground briefings. Mosaic's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements: Google data is never used for ads, never sold, never read by a human except with your consent or where required for security or law, and never used to train generalized AI models.

The full detail is in the complete Privacy Policy. You can revoke access anytime from Mosaic's settings or your Google security settings.

Talk to a human.

Mosaic is a small operation — small enough that you can ask a question and have the founder read and answer it directly. Send anything to hello@usemosaicai.com, or use the in-product feedback form once you're signed in.