Privacy Policy
Last updated: 12 May 2026
This Privacy Policy describes what personal data Mosaicery (“we”, “us”) collects when you use mosaicery.com, why we collect it, who we share it with, how long we keep it, and what rights you have under the EU General Data Protection Regulation (GDPR).
1. Who we are
Mosaicery is operated by Mosaicery, an independent digital service provider based in the European Union. We are the data controller for the personal data described in this policy.
Questions or data-rights requests: hello@mosaicery.com.
2. What we collect
2.1 Account data
When you sign up:
- Email address and a display name (you provide both at sign-up).
- Password — stored only as a salted hash by Supabase Auth. We can never see your password.
- Google account identifier and email — only if you sign in with Google. We never see your Google password.
- Account timestamps — when you signed up and last signed in.
2.2 Pattern data
Every saved pattern stores: a name, the grid dimensions, the mask of which cells are colour A vs B, the two yarn colours you picked, and timestamps. We don't scan or analyse the content of your patterns.
2.3 Subscription & billing data
If you upgrade to Pro, we store: your plan (monthly or yearly), its status, the billing-period end date, your Stripe customer ID and subscription ID.
We do not store your card number, CVC, or full billing address. Payment details are handled directly by Stripe; we only receive an identifier and the high-level plan status.
2.4 Technical & usage data
- Server logs from our hosting provider (Vercel) — IP address, user agent, timestamps, request path. Used for security, debugging, and abuse detection.
- Analytics via Vercel Web Analytics — page views, referrer, country (not city), device type. These are aggregated and don't include cookies or cross-site tracking.
2.5 Cookies and similar technologies
We use as few cookies and storage mechanisms as possible — below is the full inventory of what runs on your device when you use Mosaicery. “Similar technologies” covers browser localStorage and analytics beacons, both of which are treated the same as cookies under EU law.
Essential — always on, no consent required
These keep the basic Service working. Under EU law (Art. 5(3) of the ePrivacy Directive) strictly-necessary storage doesn't require consent — without it the editor wouldn't recognise you and payments couldn't complete.
- Supabase Auth session — stored in localStorage on mosaicery.com under keys starting with sb-. Keeps you signed in across page reloads. Cleared when you sign out, when your session expires, or when you click “Delete account”.
- Cookie-consent preference — stored in localStorage on mosaicery.com under the key mosaicery.cookie-consent.v3. Remembers whether you accepted or rejected analytics so the banner doesn't reappear on every visit. Persists until you clear your browser data.
- Stripe Checkout cookies — set on checkout.stripe.com (a third-party domain) only when you upgrade to Pro. Used to process your payment securely, prevent fraud, and route you back to Mosaicery after checkout. We don't read or control these. See Stripe's cookie settings for the full list.
Optional — only with your consent
Off by default. We only load these after you click “Accept all” in the cookie banner. Click “Reject” (or just close the banner without choosing) and they will not run on your device.
- Vercel Web Analytics — page-view collection used to understand which features people use. Technically cookie-free — it sends a small beacon to Vercel's servers instead of writing a cookie — but we treat it the same as a cookie for consent purposes. When enabled, it transmits: the page path you visited, your country (not city), device type, and the referring URL. No cross-site tracking, no user IDs that persist across sessions, no IP address stored.
To change your mind after deciding, clear localStorage for mosaicery.com in your browser settings — the banner will re-appear on your next visit and you can pick again. Or email us at hello@mosaicery.com and we'll walk you through it.
We do not use:
- Advertising cookies of any kind.
- Third-party tracking pixels (Facebook Pixel, Google Ads, LinkedIn Insight, etc.).
- Cross-site analytics tools (Google Analytics, Mixpanel, Hotjar, FullStory, etc.).
- Session replay or heatmap tools.
3. Why we collect it (and the legal basis)
Under GDPR every processing activity needs a legal basis. Here's ours:
- To provide the Service — host your account, store and render your patterns, generate PDFs, run authentication.
  Legal basis: performance of the contract you enter when you sign up (GDPR Art. 6(1)(b)).
- To process payments and manage subscriptions — communicate plan status with Stripe, send receipts.
  Legal basis: performance of the contract (Art. 6(1)(b)) and compliance with our tax / accounting obligations (Art. 6(1)(c)).
- To keep the Service secure and detect abuse — rate-limiting, fraud screening, server logs.
  Legal basis: our legitimate interest in operating a reliable, abuse-free service (Art. 6(1)(f)).
- To understand product usage — anonymous page-view analytics so we know which features are used.
  Legal basis: legitimate interest (Art. 6(1)(f)); limited to aggregate, non-personal data.
- To send essential service emails — sign-up confirmation, password reset, billing receipts, material changes to these terms.
  Legal basis: performance of the contract (Art. 6(1)(b)).
We do not use your data for advertising, we do not sell or rent it, and we do not profile you to make automated decisions about you.
4. Who we share it with
We only share personal data with the sub-processors we need to run the Service. Each is bound by a Data Processing Agreement (DPA) and may only use your data on our instructions.
- Supabase Inc. — authentication and database. Our project is configured in the EU region, so account and pattern data is stored on EU servers.
- Stripe Payments Europe Ltd. — payment processing. Receives your email, billing address (you enter it on Stripe's page), payment method, and our internal user ID.
- Vercel Inc. — hosting, edge delivery, Web Analytics. Receives request metadata (IP, user agent, path) as part of serving the app.
- Google LLC — only if you sign in with Google. Receives a sign-in request; returns your Google email and a stable account identifier.
We do not share data with anyone else, except where required by law (e.g. a binding court order) or to protect rights and safety. If we're ever asked to do so, we'll push back where it's legally possible to do so.
5. International transfers
Some of our sub-processors (Stripe, Vercel, Google) are US-headquartered and may transfer personal data outside the EU/EEA. These transfers rely on EU-approved safeguards:
- EU Standard Contractual Clauses (SCCs) — the European Commission's model contract terms — and/or
- EU–US Data Privacy Framework certification for providers that are registered.
Your pattern data and Supabase Auth records stay in the EU region by default; only request metadata and Stripe billing data leave the EU.
6. How long we keep it
- Account & pattern data — until you delete your account. After deletion, data is removed from our live database immediately and from backups within 30 days.
- Invoices and tax records — kept for as long as required by applicable accounting and tax law (typically 7–10 years in the EU). Invoices contain only the minimum required: name, amount, date, plan.
- Server logs — rolling 30–90 days, then automatically expired.
- Analytics — aggregated, not tied to your account; retained per Vercel's standard retention.
7. Your rights under GDPR
As an EU resident, you have the right to:
- Access — request a copy of the personal data we hold about you (Art. 15).
- Rectification — correct inaccurate or incomplete data (Art. 16). You can update your name from Account → Settings.
- Erasure — ask us to delete your data (the “right to be forgotten”, Art. 17). You can do this yourself via Account → Settings → Delete account.
- Restriction — ask us to pause processing (Art. 18).
- Data portability — export your patterns and account data in a machine-readable format (Art. 20). You can already export each pattern as a PDF from the editor; email us if you want the full dataset.
- Objection — object to processing based on our legitimate interest (Art. 21).
- Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.
To exercise any of these rights, email hello@mosaicery.com. We aim to respond within 30 days (Art. 12(3)).
You also have the right to lodge a complaint with the supervisory authority in the EU country where you live, work, or believe a violation occurred. A list is published at edpb.europa.eu.
8. Security
We take reasonable technical and organisational measures to protect your data, including:
- HTTPS/TLS for everything in transit.
- Passwords hashed at rest (Supabase Auth handles this with bcrypt by default).
- Database-level row security so each account can only access its own patterns.
- Card numbers never reach our servers — Stripe handles them under PCI-DSS Level 1 certification.
- Minimal access: only our maintainers have admin access to the database, and only when needed for support or debugging.
No system is 100% secure. If we ever experience a breach that affects your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by Art. 33–34 of GDPR.
9. Children
Mosaicery is not intended for users under the age of 16. We don't knowingly collect personal data from anyone below that age. If you believe a child has signed up, please email us and we'll delete the account.
10. Changes to this policy
We may update this policy from time to time. If a change is material (new categories of data, new sub-processors, or changes to your rights), we'll notify you by email at least 14 days before the new version takes effect.
The latest version is always available at /privacy, with the “Last updated” date at the top.
Contact
Mosaicery — an independent digital service provider based in the European Union. hello@mosaicery.com