Moss — Privacy Policy
Last updated: April 2026. Operated from Cairns, Australia by an independent solo developer. The full canonical policy renders client-side; the summary below covers every section with the binding language.
1. Information We Collect
Account data (email, display name, OAuth identifiers from Google/Apple), conversation content you create, documents you upload, billing data via Stripe, and minimal operational telemetry (IPs, user-agents, error logs). We do not buy user data from third parties.
2. How We Use Information
To operate the service (generate responses, retrieve memory, run research), authenticate you, process subscription payments, send transactional emails, improve performance via aggregate usage patterns, and enforce caps and abuse protection.
3. How Content Flows Through Language Models
Your conversations and uploaded content are sent to LLM providers (Anthropic, OpenAI, Google, xAI, Groq, Perplexity) under their respective enterprise no-training agreements. Providers use your content only to generate the immediate response and do not train on it. Moss never trains models on user data.
4. Data Storage and Security
Data is hosted on Supabase (Postgres) with encryption in transit (TLS) and at rest. Row-level security policies scope each user's data to that user. Service-role credentials stay server-side. Rate limiting, abuse detection, and authenticated API endpoints are used across the stack.
5. Sharing of Information
We do not sell your personal data. Information is shared only with: LLM providers (for generation, under no-training terms), Stripe (payment processing), Supabase (hosting), and law enforcement if compelled by valid legal process — in which case we'll notify you unless legally prohibited.
6. Third-Party Services
Stripe (payments), Supabase (hosting and auth), Anthropic / OpenAI / Google / xAI / Groq / Perplexity (LLM inference). Each is bound by its own privacy policy and our processor agreements.
7. Cookies and Analytics
Minimal cookies are used for session authentication. No third-party tracking or advertising pixels are used. UTM parameters from referral traffic are stored with conversion records for growth analytics.
8. Waitlist Data
The legacy waitlist mechanism is retained for admin holds. Waitlist entries that never convert to active accounts are retained for a limited period and then deleted.
9. Data Retention
Your data is retained while your account is active. On deletion, we hard-delete your conversations, memory units, uploads, and personal identifiers within 30 days. Aggregated, anonymised usage metrics may be retained longer.
10. Your Rights
You can export your memory on demand, delete individual facts or whole conversations at any time, request a full account deletion, or contact us with questions. EU/UK/AU residents have additional GDPR/UK-GDPR/Australian Privacy Act rights including access, rectification, portability, and objection.
11. Children's Privacy
Moss is not directed to children under 13 (under 16 in the EU). We do not knowingly collect data from children.
12. Changes to This Policy
We may update this policy. Material changes will be notified by email to active users. The "last updated" date at the top reflects the most recent revision.
13. Contact Us
Email hello@mossmemory.com for any privacy question or data request.