Privacy Policy
How we collect, use, and protect your personal data.
Privacy Policy
Last updated: 2026-06-28
TL;DR. Mosaic is a desktop app. Your code, terminal output, and prompts never leave your machine unless you connect an AI provider yourself. Then they go straight to that provider, not through us. We don't run a server that sees your work. We sell through Paddle, who acts as the seller of record and sends us your name, email, and country so we can deliver your license. That's the data we hold.
This policy explains the details.
Who we are
We are Barta Gergő (egyéni vállalkozó), operating Mosaic ("we", "us", "our").
- Address: 1123 Budapest, Nagyenyed utca 5., Hungary
- Adószám: 91914077-1-43 | EU VAT: HU91914077
- NAV nyilvántartási szám: 62099174
- Website: mosaicterminal.dev
- Privacy + general: [email protected]
- Security: [email protected]
Paddle is the seller and an independent controller
We sell Mosaic through Paddle.com Market Limited (UK company 08172977), acting as our Merchant of Record. Paddle is the seller of record on your invoice. Paddle runs the checkout, collects payment, handles VAT/GST, processes refunds, and screens for fraud.
Paddle is an independent data controller, not our processor. Paddle's MSA cl. 14.2 says so: each party acts as an independent controller. When you buy, your purchase contract is with Paddle. Paddle collects your name, email, billing address, country, payment info, and IP for its own purposes (MoR, tax remittance, AML). Paddle then sends us a defined subset (name, email, country, order reference, and the tier you bought) so we can deliver your license. From the moment we receive that data, we are a separate independent controller for it (Art. 14 trigger). Paddle's privacy policy: paddle.com/legal/privacy. We don't control Paddle's processing. Ask them directly.
What we collect
| Data | Why | Source |
|---|---|---|
| Email, name, country, order ID | Deliver and validate your license | Paddle (Art. 14) |
| License key + hashed device ID | Activation, anti-piracy | Your machine on first launch |
| Support emails | Reply to you | You |
| Marketing-list email (opt-in) | Product updates | You |
| Anonymous crash reports + telemetry (opt-in, off by default) | Bug fixes, stability | Your machine |
| Web analytics | Aggregate page counts | Umami (self-hosted, cookieless) |
| Server / Cloudflare logs | Abuse prevention | Our infrastructure |
| Invoice metadata | Tax + accounting | Paddle (reverse invoice) |
We do NOT collect: file paths, project contents, prompt text, AI responses, machine hostname, GDPR Art. 9 special categories, or CCPA "sensitive personal information". We do not profile users or run automated decisions with legal or similarly significant effects (Art. 22).
Why we can process it (Art. 6)
| Purpose | Basis | Notes |
|---|---|---|
| License delivery + validation | Art. 6(1)(b) contract | Can't deliver without it |
| Support | Art. 6(1)(b) contract; 6(1)(f) for pre-sales | No less-intrusive option |
| Transactional emails (license, security advisories) | Art. 6(1)(b) contract | Not marketing |
| Marketing emails | Art. 6(1)(a) consent | Opt-in; revocable |
| Crash reports / telemetry | Art. 6(1)(a) consent | Off by default |
| Security + abuse logging | Art. 6(1)(f) legitimate interest | Protect the license system and users |
| Cookieless analytics | Art. 6(1)(f) legitimate interest | Nothing stored on your device, so ePrivacy Art. 5(3) not triggered |
| Invoices + accounting | Art. 6(1)(c) legal obligation | HU Sztv. §169 — 8 years |
You can withdraw consent anytime. Unsubscribe link or email us. Past lawful processing stays lawful (Art. 7(3)).
How long we keep it
| Data | Retention | Why |
|---|---|---|
| Invoices + accounting records | 8 years | HU Sztv. §169 |
| License-activation records | Account lifetime + 8 years | Accounting overlap |
| Support emails | 3 years from last reply | Limitation period |
| Marketing-list email | Until you unsubscribe + 30-day suppression hash | Stop accidental re-add |
| Crash reports / telemetry | 90 days | Trend analysis only |
| Server / Cloudflare logs | 7 days | Operational debugging |
| Records of consent + DSAR responses | 5 years | Art. 5(2) accountability |
When you exercise erasure (Art. 17), we delete from active systems within 30 days. Operational logs purge in their normal rotation. Exceptions: data we must keep for a legal obligation (HU 8-year accounting) or to defend a legal claim. We tell you which exception applies.
Who else touches your data
| Vendor | Role | Country | Transfer basis |
|---|---|---|---|
| Paddle.com Market Ltd | Merchant of Record (independent controller) | UK | UK adequacy + UK Addendum/IDTA SCCs fallback |
| Cloudflare, Inc. | DNS, CDN, edge security | US | EU-US DPF + 2021 SCCs fallback |
| Resend, Inc. → AWS SES | Transactional email | US | EU-US DPF + 2021 SCCs fallback |
| Postmark | DMARC aggregate-report ingestion | US | EU-US DPF + 2021 SCCs fallback |
| Google Fonts | Web font delivery (JetBrains Mono, Outfit on the site) | US | EU-US DPF + 2021 SCCs fallback |
| Hetzner Online GmbH | Backend hosting (incl. self-hosted Umami analytics) | DE | Intra-EU |
Each vendor has a Data Processing Agreement (Art. 28) on file, or an independent-controller data-sharing addendum where appropriate (Paddle). We review this list at least annually. Email [email protected] if you want 30 days' notice of additions or replacements.
International transfers
Some subprocessors sit outside the EU/EEA:
- United States (Cloudflare, Resend / AWS SES, Postmark): primary basis is the EU-US Data Privacy Framework (Implementing Decision (EU) 2023/1795, currently in force). We additionally hold the 2021 Standard Contractual Clauses (Decision 2021/914, Module 2) as fallback in case the DPF is invalidated.
- United Kingdom (Paddle): UK adequacy decision (Implementing Decision (EU) 2021/1772), with UK Addendum / IDTA SCCs as fallback.
- Intra-EU/EEA (Hetzner): no specific mechanism required.
We've completed a Transfer Impact Assessment per transfer; summary on request.
Your rights
| Right | Article | How |
|---|---|---|
| Get a copy | Art. 15 | email us |
| Fix something | Art. 16 | email us |
| Delete | Art. 17 | email us — overrides: invoices (HU 8-yr), defending claims |
| Pause processing | Art. 18 | email us |
| Take it elsewhere | Art. 20 | email us, machine-readable export |
| Object to marketing | Art. 21 | unsubscribe or email — absolute, immediate |
| Object to other processing | Art. 21 | email us; we'll assess and answer in writing |
| Withdraw consent | Art. 7(3) | email us; past processing stays lawful |
| Complain to a regulator | Art. 77 | NAIH (Hungary) or your country's DPA |
Email [email protected]. We respond within 30 days (Art. 12(3)); extendable by 60 days for complex requests, with notice in the first 30. To verify you, we ask for the email on your license. No fee for reasonable requests.
Cookies
The website uses Umami, a privacy-focused analytics tool we self-host on our own Hetzner server. Umami sets no cookies and stores nothing on your device. Because nothing is stored on or read from your terminal equipment, ePrivacy Directive Art. 5(3) is not triggered. No cookie banner needed. Umami records only anonymised, aggregated metrics (page paths, referrer hostname, browser/OS family, country derived from IP, daily salted visitor hash). Umami itself does not retain full IP addresses; Cloudflare sits in front of the site and sees transit IPs as part of normal network operation but does not log them to us beyond standard short-lived edge logs.
We do not load advertising cookies, retargeting pixels, social-share scripts, or session replay.
The desktop app sets no browser cookies. It stores your license and preferences locally in your OS userData folder only.
AI
Mosaic is an orchestration platform for AI coding agents you choose (Claude Code, Codex, Gemini, and other CLIs you install yourself). It does not itself contain an AI model.
- When you send a prompt or code to a provider, the data flows direct from your machine to that provider's API, and the response flows back direct. We do not proxy, cache, or store the conversation.
- We do not use your code, prompts, or AI responses to train any model. We don't have a model to train.
- AI output can be wrong, biased, or unsafe. Review before relying on it.
This is the AI Act Art. 50 disclosure for users interacting with AI through our product.
Security
We use HTTPS everywhere. Hosting and email providers encrypt data at rest. Access keys are minimum-scope. We don't run our own audit aggregator; we rely on the per-provider audit logs (Cloudflare, Resend, Paddle). No internet system is perfectly secure.
Vulnerabilities: [email protected] (RFC 9116 contact). We acknowledge within 72 hours, work in good faith on a fix, and credit you in the release notes if you wish. Please don't disclose publicly before we've had a reasonable chance to remediate.
Breaches: If a breach poses risk to your rights and freedoms, we notify NAIH within 72 hours (Art. 33) and you without undue delay (Art. 34).
If you're outside the EU
California, Virginia, Colorado and other US state laws. We do not sell personal information and do not share it for cross-context behavioural advertising as those terms are defined in Cal. Civ. Code § 1798.140 and equivalent state statutes. We honour Global Privacy Control (GPC) signals as a valid opt-out. Rights: know, delete, correct, opt-out, non-discrimination, agent designation. Email us; we respond within 45 days.
United Kingdom (UK GDPR + DUAA 2025). Same rights as listed in "Your rights" above. Complain to the ICO at ico.org.uk.
Other jurisdictions (Quebec Law 25, Singapore PDPA, India DPDP Act, and similar). You have equivalent rights under your local data protection law: access, correction, deletion, consent withdrawal. Email [email protected]. We respond within the applicable statutory window. You may complain to your country's data protection regulator.
Where laws overlap, we apply whichever gives you more protection.
Children
Mosaic is a developer tool not aimed at children. The Service is not intended for persons under 16 (GDPR Art. 8 default; Hungary set Art. 8 at 16 in Infotv.), and we do not knowingly collect personal data from anyone under 13 in any circumstance (US COPPA). If you believe a child has given us personal data, email [email protected] and we will delete it.
NAIH and the right to complain
Our lead supervisory authority is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
1055 Budapest, Falk Miksa utca 9-11., Hungary Postal: 1363 Budapest, Pf.: 9. [email protected] — naih.hu
You can also complain to the supervisory authority of your country of residence, work, or the alleged infringement (Art. 77).
Changes
We post material changes here with a new "Last updated" date. For changes that affect consent-based processing or materially expand how we use your data, we give 30 days' advance notice by email and on the home page. A changelog of material amendments lives at the bottom of this page.
Last updated: 2026-06-28 (initial public version).
Contact
| Privacy + general | [email protected] |
| Security | [email protected] |
| Postal | 1123 Budapest, Nagyenyed utca 5., Hungary |
| Supervisory authority | NAIH — naih.hu — [email protected] |