MosaicMosaicTerminal
Legal

Privacy Policy

How we collect, use, and protect your personal data.

Privacy Policy

Last updated: 2026-06-28


TL;DR. Mosaic is a desktop app. Your code, terminal output, and prompts never leave your machine unless you connect an AI provider yourself. Then they go straight to that provider, not through us. We don't run a server that sees your work. We sell through Paddle, who acts as the seller of record and sends us your name, email, and country so we can deliver your license. That's the data we hold.

This policy explains the details.

Who we are

We are Barta Gergő (egyéni vállalkozó), operating Mosaic ("we", "us", "our").

Paddle is the seller and an independent controller

We sell Mosaic through Paddle.com Market Limited (UK company 08172977), acting as our Merchant of Record. Paddle is the seller of record on your invoice. Paddle runs the checkout, collects payment, handles VAT/GST, processes refunds, and screens for fraud.

Paddle is an independent data controller, not our processor. Paddle's MSA cl. 14.2 says so: each party acts as an independent controller. When you buy, your purchase contract is with Paddle. Paddle collects your name, email, billing address, country, payment info, and IP for its own purposes (MoR, tax remittance, AML). Paddle then sends us a defined subset (name, email, country, order reference, and the tier you bought) so we can deliver your license. From the moment we receive that data, we are a separate independent controller for it (Art. 14 trigger). Paddle's privacy policy: paddle.com/legal/privacy. We don't control Paddle's processing. Ask them directly.

What we collect

DataWhySource
Email, name, country, order IDDeliver and validate your licensePaddle (Art. 14)
License key + hashed device IDActivation, anti-piracyYour machine on first launch
Support emailsReply to youYou
Marketing-list email (opt-in)Product updatesYou
Anonymous crash reports + telemetry (opt-in, off by default)Bug fixes, stabilityYour machine
Web analyticsAggregate page countsUmami (self-hosted, cookieless)
Server / Cloudflare logsAbuse preventionOur infrastructure
Invoice metadataTax + accountingPaddle (reverse invoice)

We do NOT collect: file paths, project contents, prompt text, AI responses, machine hostname, GDPR Art. 9 special categories, or CCPA "sensitive personal information". We do not profile users or run automated decisions with legal or similarly significant effects (Art. 22).

Why we can process it (Art. 6)

PurposeBasisNotes
License delivery + validationArt. 6(1)(b) contractCan't deliver without it
SupportArt. 6(1)(b) contract; 6(1)(f) for pre-salesNo less-intrusive option
Transactional emails (license, security advisories)Art. 6(1)(b) contractNot marketing
Marketing emailsArt. 6(1)(a) consentOpt-in; revocable
Crash reports / telemetryArt. 6(1)(a) consentOff by default
Security + abuse loggingArt. 6(1)(f) legitimate interestProtect the license system and users
Cookieless analyticsArt. 6(1)(f) legitimate interestNothing stored on your device, so ePrivacy Art. 5(3) not triggered
Invoices + accountingArt. 6(1)(c) legal obligationHU Sztv. §169 — 8 years

You can withdraw consent anytime. Unsubscribe link or email us. Past lawful processing stays lawful (Art. 7(3)).

How long we keep it

DataRetentionWhy
Invoices + accounting records8 yearsHU Sztv. §169
License-activation recordsAccount lifetime + 8 yearsAccounting overlap
Support emails3 years from last replyLimitation period
Marketing-list emailUntil you unsubscribe + 30-day suppression hashStop accidental re-add
Crash reports / telemetry90 daysTrend analysis only
Server / Cloudflare logs7 daysOperational debugging
Records of consent + DSAR responses5 yearsArt. 5(2) accountability

When you exercise erasure (Art. 17), we delete from active systems within 30 days. Operational logs purge in their normal rotation. Exceptions: data we must keep for a legal obligation (HU 8-year accounting) or to defend a legal claim. We tell you which exception applies.

Who else touches your data

VendorRoleCountryTransfer basis
Paddle.com Market LtdMerchant of Record (independent controller)UKUK adequacy + UK Addendum/IDTA SCCs fallback
Cloudflare, Inc.DNS, CDN, edge securityUSEU-US DPF + 2021 SCCs fallback
Resend, Inc. → AWS SESTransactional emailUSEU-US DPF + 2021 SCCs fallback
PostmarkDMARC aggregate-report ingestionUSEU-US DPF + 2021 SCCs fallback
Google FontsWeb font delivery (JetBrains Mono, Outfit on the site)USEU-US DPF + 2021 SCCs fallback
Hetzner Online GmbHBackend hosting (incl. self-hosted Umami analytics)DEIntra-EU

Each vendor has a Data Processing Agreement (Art. 28) on file, or an independent-controller data-sharing addendum where appropriate (Paddle). We review this list at least annually. Email [email protected] if you want 30 days' notice of additions or replacements.

International transfers

Some subprocessors sit outside the EU/EEA:

  • United States (Cloudflare, Resend / AWS SES, Postmark): primary basis is the EU-US Data Privacy Framework (Implementing Decision (EU) 2023/1795, currently in force). We additionally hold the 2021 Standard Contractual Clauses (Decision 2021/914, Module 2) as fallback in case the DPF is invalidated.
  • United Kingdom (Paddle): UK adequacy decision (Implementing Decision (EU) 2021/1772), with UK Addendum / IDTA SCCs as fallback.
  • Intra-EU/EEA (Hetzner): no specific mechanism required.

We've completed a Transfer Impact Assessment per transfer; summary on request.

Your rights

RightArticleHow
Get a copyArt. 15email us
Fix somethingArt. 16email us
DeleteArt. 17email us — overrides: invoices (HU 8-yr), defending claims
Pause processingArt. 18email us
Take it elsewhereArt. 20email us, machine-readable export
Object to marketingArt. 21unsubscribe or email — absolute, immediate
Object to other processingArt. 21email us; we'll assess and answer in writing
Withdraw consentArt. 7(3)email us; past processing stays lawful
Complain to a regulatorArt. 77NAIH (Hungary) or your country's DPA

Email [email protected]. We respond within 30 days (Art. 12(3)); extendable by 60 days for complex requests, with notice in the first 30. To verify you, we ask for the email on your license. No fee for reasonable requests.

Cookies

The website uses Umami, a privacy-focused analytics tool we self-host on our own Hetzner server. Umami sets no cookies and stores nothing on your device. Because nothing is stored on or read from your terminal equipment, ePrivacy Directive Art. 5(3) is not triggered. No cookie banner needed. Umami records only anonymised, aggregated metrics (page paths, referrer hostname, browser/OS family, country derived from IP, daily salted visitor hash). Umami itself does not retain full IP addresses; Cloudflare sits in front of the site and sees transit IPs as part of normal network operation but does not log them to us beyond standard short-lived edge logs.

We do not load advertising cookies, retargeting pixels, social-share scripts, or session replay.

The desktop app sets no browser cookies. It stores your license and preferences locally in your OS userData folder only.

AI

Mosaic is an orchestration platform for AI coding agents you choose (Claude Code, Codex, Gemini, and other CLIs you install yourself). It does not itself contain an AI model.

  • When you send a prompt or code to a provider, the data flows direct from your machine to that provider's API, and the response flows back direct. We do not proxy, cache, or store the conversation.
  • We do not use your code, prompts, or AI responses to train any model. We don't have a model to train.
  • AI output can be wrong, biased, or unsafe. Review before relying on it.

This is the AI Act Art. 50 disclosure for users interacting with AI through our product.

Security

We use HTTPS everywhere. Hosting and email providers encrypt data at rest. Access keys are minimum-scope. We don't run our own audit aggregator; we rely on the per-provider audit logs (Cloudflare, Resend, Paddle). No internet system is perfectly secure.

Vulnerabilities: [email protected] (RFC 9116 contact). We acknowledge within 72 hours, work in good faith on a fix, and credit you in the release notes if you wish. Please don't disclose publicly before we've had a reasonable chance to remediate.

Breaches: If a breach poses risk to your rights and freedoms, we notify NAIH within 72 hours (Art. 33) and you without undue delay (Art. 34).

If you're outside the EU

California, Virginia, Colorado and other US state laws. We do not sell personal information and do not share it for cross-context behavioural advertising as those terms are defined in Cal. Civ. Code § 1798.140 and equivalent state statutes. We honour Global Privacy Control (GPC) signals as a valid opt-out. Rights: know, delete, correct, opt-out, non-discrimination, agent designation. Email us; we respond within 45 days.

United Kingdom (UK GDPR + DUAA 2025). Same rights as listed in "Your rights" above. Complain to the ICO at ico.org.uk.

Other jurisdictions (Quebec Law 25, Singapore PDPA, India DPDP Act, and similar). You have equivalent rights under your local data protection law: access, correction, deletion, consent withdrawal. Email [email protected]. We respond within the applicable statutory window. You may complain to your country's data protection regulator.

Where laws overlap, we apply whichever gives you more protection.

Children

Mosaic is a developer tool not aimed at children. The Service is not intended for persons under 16 (GDPR Art. 8 default; Hungary set Art. 8 at 16 in Infotv.), and we do not knowingly collect personal data from anyone under 13 in any circumstance (US COPPA). If you believe a child has given us personal data, email [email protected] and we will delete it.

NAIH and the right to complain

Our lead supervisory authority is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):

1055 Budapest, Falk Miksa utca 9-11., Hungary Postal: 1363 Budapest, Pf.: 9. [email protected]naih.hu

You can also complain to the supervisory authority of your country of residence, work, or the alleged infringement (Art. 77).

Changes

We post material changes here with a new "Last updated" date. For changes that affect consent-based processing or materially expand how we use your data, we give 30 days' advance notice by email and on the home page. A changelog of material amendments lives at the bottom of this page.

Last updated: 2026-06-28 (initial public version).

Contact

Privacy + general[email protected]
Security[email protected]
Postal1123 Budapest, Nagyenyed utca 5., Hungary
Supervisory authorityNAIH — naih.hu[email protected]