Mosaic — Privacy Policy
Effective date: June 5, 2026
Mosaic Counterpart, Inc. ("Mosaic," "we," "us") provides software
that helps people and small teams reflect on their work and act on
patterns they care about. This Privacy Policy explains what we
collect, how we use it, who we share it with, and your rights. It
applies to your use of usemosaicai.com, the Mosaic desktop
application, and any related services (collectively, the
"Service").
We aim to be plain and specific. If anything is unclear, write to privacy@usemosaicai.com.
1. Data we collect
1.1 Account data
When you create an account, we collect:
- Email address
- A hashed and salted copy of your password (never the plaintext)
- Your role (founder, owner, employee, or solo)
- Your first name and other voluntary profile fields you provide during onboarding
- The company you join (for owners and employees)
- Timestamps of account creation and last login
1.2 Activity summaries
The Mosaic desktop application running on your computer observes window titles and activity patterns to produce summaries — short, human-readable reflections about your day. The desktop app uploads the summary text to our cloud. We do not upload raw window-title streams or screenshots. Only the summary text crosses the boundary to our servers.
Summaries are categorized by visibility:
- Private summaries (your own daily reflections) are visible only to you.
- Team summaries (for employees within a company) are visible to the company's owner. The text you see in the "What your owner sees" panel is exactly what the owner receives.
1.3 Mosaic Intelligence chat history
When you use the Mosaic Intelligence chat, we store your conversation (message text + timestamp) so the conversation persists across sessions. You may start a new conversation at any time using the "+ New chat" button.
1.4 Pre-approved patterns and proposals
When you mark a draft as auto-approved or describe a pattern for Mosaic to act on, we store that description and the resulting generated drafts (proposals).
1.5 Connected third-party accounts
When you connect a Google, Microsoft, or Slack account through OAuth, we store:
- An access token and refresh token issued by that provider
- The scopes you authorized
- An identifier for the connected account (e.g., the Gmail address)
We do not store passwords for any third-party account. OAuth tokens are stored in our database; we plan to encrypt them at rest in a future update.
1.6 Inbound emails (when you enable the inbound watcher)
If you connect Gmail and enable the inbound watcher, we periodically read new messages in your mailbox. For each, we store:
- Subject, sender, recipient, snippet, and a body excerpt (truncated to ~3 KB)
- A classification and any matched pattern
- A timestamp and an audit record
We process inbound messages only to (a) classify whether they match your pre-approved patterns, (b) draft a possible reply, and (c) either auto-reply (only when you have explicitly enabled this) or queue the message for your review.
1.7 Telemetry and diagnostics
The desktop application sends us:
- Version, OS info, and machine identifier
- Heartbeat timestamps
- Error reports when something crashes
We use these to maintain and improve the Service.
1.8 Usage cookies
We use first-party cookies to keep you signed in (a session cookie) and to remember UI preferences (e.g., "what's new since last visit" markers and tour-state cookies). We do not use third-party advertising cookies.
2. How we use your data
We use the data we collect to:
- provide, maintain, and secure the Service;
- generate the summaries, briefings, proposals, and intelligence responses that are core to the product;
- enforce role-based access controls so that data flows only where Mosaic's privacy walls permit;
- send transactional emails (signup confirmation, password reset, notifications you opt into);
- respond to your support requests; and
- comply with legal obligations.
We do not sell your data. We do not use your data to train any machine learning model that we make available to anyone outside your account.
3. Third parties we share data with
We share specific portions of your data with the following third-party processors, each only for the purposes listed:
| Processor | Purpose | Data shared |
| --- | --- | --- |
| Anthropic (Claude API) | Generate summaries, briefings, classify inbound, draft proposals, and produce chat responses | The specific prompts we send for each task, which include your summaries, knowledge, role context, and the inbound message at issue. We do not authorize Anthropic to use this data for training. |
| Resend | Send transactional email | Your email address and the email content we send you |
| Render | Hosting and database | All data stored in the cloud database |
| Google (when you connect Gmail) | Send and receive email on your behalf | Whatever the OAuth scopes permit (read for inbound watcher, send for outbound replies) |
| Microsoft / Slack (planned, when registered) | | OAuth scopes you authorize |

We do not share your data with advertisers or data brokers.
3a. Google user data and API Limited Use
When you connect a Google account, Mosaic accesses Google user data only to provide features you have turned on:
- Reading email (Gmail readonly) — only when you enable the inbound assistant — to classify whether a message matches a reply pattern you pre-approved and to draft a suggested reply for your review.
- Sending email (Gmail send) — to send a draft after you approve it (or, for a pattern you explicitly set to auto-reply, the reply you pre-authorized).
- Calendar events — to ground your briefings in your schedule and to create events after you approve them.
Mosaic's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular:
- We use Google user data only to provide and improve the user-facing features above.
- We do not transfer Google user data to others except as necessary to provide those features (for example, sending the specific excerpt needed to our AI processor to draft a reply), to comply with applicable law, or as part of a merger or acquisition with notice to you.
- We do not use Google user data for advertising, and we do not sell it.
- We do not allow humans to read Google user data except with your consent (for example, to debug an issue you report), where required for security or to comply with the law, or where the data has been aggregated and anonymized.
- We do not use Google user data to train generalized AI/ML models. The AI processor we use (Anthropic) is contractually not authorized to train on it.
You can revoke Mosaic's access to your Google account at any time by disconnecting it in Mosaic's settings or at Google's security settings; doing so stops all further access and you may additionally request deletion of stored data as described in Sections 5 and 6.
4. Where your data is stored
The Service runs on infrastructure provided by Render in the United States. The Anthropic API processes requests in the United States. If you access the Service from outside the United States, you consent to your data being transferred to and processed in the United States, which may have different data-protection rules than your country.
5. How long we keep your data
- Account data: as long as your account is active, then up to ninety (90) days after account deletion for legal record-keeping and dispute resolution.
- Summaries and chat history: as long as your account is active. You can export at any time and delete at any time using the in-product tools.
- Inbound emails: retained while the watcher is enabled; deleted upon disconnection of the integration or upon your request.
- OAuth tokens: retained until you disconnect the integration or delete your account.
- Telemetry: up to twenty-four (24) months.
6. Your rights
Depending on where you live, you may have the following rights:
- Access: request a copy of the personal data we hold about you.
- Correction: ask us to fix inaccurate data.
- Deletion: ask us to delete your data, subject to limited exceptions where retention is required by law.
- Portability: export your data in a machine-readable format.
- Restriction: ask us to stop processing your data in certain ways.
- Objection: object to certain processing.
- Withdraw consent: revoke any consent you previously granted (e.g., by disconnecting a connected account).
To exercise any of these rights, email privacy@usemosaicai.com from the address associated with your account, or use the in-product tools where available.
California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect, the right to delete, and the right to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law.
EU/UK/EEA residents may have rights under the GDPR/UK GDPR. Our legal bases for processing are contract performance (where the processing is necessary to provide the Service to you), consent (where you have given it, such as for the inbound watcher), and legitimate interests (such as security and service improvement). You have the right to lodge a complaint with your local data protection authority.
7. Security
We protect your data with industry-standard practices, including HTTPS for all network traffic, hashed-and-salted password storage, role-based access controls in our application, and OAuth scopes limited to the minimum needed for each integration. No system is perfectly secure; if we discover a breach that affects you, we will notify you in accordance with applicable law.
If you suspect unauthorized access to your account, email security@usemosaicai.com immediately.
8. Children
The Service is not directed to children under the age of 13 (or 16 in the EU/UK) and we do not knowingly collect personal information from them. If we learn that we have collected such information, we will delete it promptly. If you believe a child has provided us personal information, please contact privacy@usemosaicai.com.
8a. Browser extension ("Mosaic browser context")
The optional Mosaic browser extension for Chrome and Edge helps Mosaic understand which web pages you are actively working in, so it can give you more accurate answers about your work.
What the extension collects:
- The URL and page title of the tab you are actively using, and the timestamps of tab switches and page loads.
What the extension never collects:
- Form contents, password fields, or anything inside the page itself (the page DOM). It uses only the browser's tab metadata.
- Any page on its built-in deny list (banking, healthcare, password managers, tax/IRS sites), or any page in an Incognito/InPrivate window.
- Query strings are stripped from captured URLs before they leave your browser, so we never store tokens or session identifiers that ride in the query portion of a link.
The extension only sends data after you authenticate it with your own Mosaic account, and the data it sends is subject to the same storage, retention, access, and deletion terms as the rest of this policy. You can disconnect it at any time by removing the extension or clearing its stored token.
9. Changes to this Policy
We may update this Privacy Policy from time to time. The "Effective date" at the top indicates when the most recent version became effective. If a change is material (such as a new processor, a new category of data, or a new sharing purpose), we will notify you by email or through the Service at least thirty (30) days before the change takes effect, except where a shorter period is required by law.
10. Contact
For questions or requests:
Mosaic Counterpart, Inc.
privacy@usemosaicai.com