Mosaic

Privacy Policy

Last updated: May 11, 2026

This Privacy Policy explains how Mosaic (“Mosaic”, “we”), operated by Midvale LLC, collects, uses, and protects information about you when you use the Service. We have written this policy in plain English. If anything is unclear, email [email protected].

1. What We Collect

Account data

  • Email address (used to sign in and to send service emails);
  • Password — stored only as an argon2id hash, never in plaintext;
  • Account timestamps (created_at, last_login_at);
  • Email verification status.

Conversation data

  • The text of every message you send to a companion;
  • The text of every companion reply;
  • Long-term “memory” facts the companion extracts from your conversation (e.g. “user mentioned they live in Austin”);
  • Per-turn metadata used by the dialogue policy (tone, intent, escalation level);
  • Generated media (images, voice clips, and video) associated with your sessions.

Operational data

  • IP address (rate-limit enforcement; not retained long-term);
  • Refresh-token records (so we can revoke individual or all device sessions);
  • Service logs (latency, errors, model usage).

2. How We Use It

  • To run the Service. Authenticate you, recall past conversations, render generated media, enforce rate limits.
  • To improve the Service. Aggregated, anonymized turn statistics may inform model tuning. No individually identifiable content is shared with third parties for advertising.
  • To communicate with you. Email verification, password resets, important security or service notices.
  • To enforce these terms. Detect abuse, fraud, or violations of our Terms of Service.

3. Who We Share With

We do not sell your personal data. We share data only with:

  • Infrastructure providers we rely on to operate the Service (compute, networking, transactional email). These are bound by their own data-processing agreements.
  • Cloudflare for tunnel ingress and DDoS protection. Cloudflare may see request metadata as part of routing.
  • Law enforcement if compelled by valid legal process. We will push back against overbroad requests where appropriate.

4. Generated Media

Generated media files (images, voice clips, video) are served from a private path and gated by short-lived signed URLs (1 hour). Only you can fetch the media tied to your account. We retain the files only as long as the parent session exists; deleting a session or account removes them.

5. Retention

  • Conversation history and companion memory: retained until you delete the session or your account.
  • Generated media: retained until the parent session is deleted, or 90 days after the session ends, whichever comes first.
  • Refresh tokens: 30 days, or until you revoke them via “Sign out everywhere.”
  • Service logs: 30 days for operational logs.

6. Your Rights

  • Access and export. Email [email protected] and we will provide a JSON export of the data tied to your account within a reasonable time.
  • Deletion. Delete your account from the Account page. This cascades through every session, turn, memory, generated image, and voice clip on our infrastructure.
  • Correction. Email us; we will correct inaccurate account data on request.
  • Withdraw consent. Stop using the Service or delete your account at any time.

California residents have rights under the CCPA, and EEA residents have rights under the GDPR (access, rectification, erasure, restriction, portability, objection). To exercise these rights, email [email protected].

7. Security

We use industry-standard practices: argon2id password hashing, short-lived signed media URLs, JWT-based session auth with refresh-token rotation, encryption in transit (TLS), and database access controls. No system is perfectly secure; if we discover a breach affecting your account, we will notify you without undue delay.

8. Children

Mosaic is not directed to anyone under 18 and we do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete it.

9. International Transfers

Our infrastructure is hosted in the United States. By using the Service from outside the U.S., you consent to the transfer and processing of your data in the U.S. and other jurisdictions where our service providers operate.

10. Changes

We may update this Privacy Policy. Material changes will be announced via email or in-product notice. The “Last updated” date above reflects the most recent revision.

11. Contact

Midvale LLC
Email: [email protected]