PRIVACY POLICY · EFFECTIVE 5 JUL 2026
Mosaq handles your data with restraint.
One developer. No ads. No resale. No tracking pixels. This policy is written in plain English and describes exactly what data Mosaq handles, where it goes, and how to take it back.
What we collect
Only the data you explicitly capture with Mosaq, plus the minimum metadata needed to make it work across your devices:
- Clips you save — text content you highlight, images you clip, and (when available) the source page URL and title where you found them.
- Tags and labels — tags you apply manually, plus tags and image descriptions generated by an AI service when you enable auto-enrichment.
- Timestamps — when each clip was created, last updated, and deleted.
- Authentication — your email address if you sign in to enable cross-device sync. We do not collect your password; authentication is delegated to our auth provider.
- Crash & usage logs — none. Mosaq does not run analytics, telemetry, crash reporting, or error trackers.
Where it's stored
Two places, both under your control:
- Locally on your device — inside the Chrome extension's IndexedDB store. The extension will continue to work offline; nothing leaves your machine unless you sign in and enable sync.
- Your Supabase database — if you sign in, clips are synced via HTTPS to your own Supabase project so they appear across devices. Data is encrypted in transit (TLS) and encrypted at rest by Supabase. You can delete your account and wipe this copy at any time.
Third-party processors
Mosaq uses the following third parties. Each one handles only the minimum data needed to perform its role:
Supabase
Auth + Postgres + object storage. Hosted in the United States. Stores encrypted clips, tags, and image blobs scoped to your user ID. Access controlled by Row Level Security (RLS) so only you can read your data. Privacy policy:
supabase.com/privacy
LLM provider
Only invoked if you enable auto-enrichment. When you turn on AI tagging and/or image description, the relevant clip text or image is sent over HTTPS to a large-language-model provider to generate tags / descriptions. The provider processes the request and returns structured metadata; we do not send your full clip history, account email, or device identifiers. Tags returned are cached locally.
Cloudflare Pages
Hosting for the web app at mosaq.app. Cloudflare serves static files; no request logs are retained by us, and no cookies are set beyond what is strictly required for authentication. Privacy policy:
cloudflare.com/privacypolicy
Chrome Web Store
Distribution only. Google distributes the extension package and may collect anonymous install / crash stats. We do not control or see that data. See
Google's privacy policy.
How we use your data
For one purpose: making Mosaq work for you.
- We do not sell, rent, or trade your clips or account information.
- We do not show you advertising, and we do not let third parties show you advertising inside Mosaq.
- We do not train AI models on your data. If you use the LLM enrichment feature, the LLM provider processes your request under its own terms (typically a no-train / no-retain arrangement for API traffic).
- We do not run any cross-site tracking, fingerprinting, or analytics SDKs.
Your rights
You stay in control. From the extension settings or web app, you can at any time:
- Export — download all your clips as JSON or Markdown.
- Soft-delete a clip — removes it from timelines and marks it for garbage collection.
- Sign out — stops further sync; your local clips remain on the device.
- Delete your account — permanently wipes your Supabase copy. To do this, email the address below.
- Disable AI enrichment — turn off LLM-based tagging and image description entirely. Existing generated tags remain until you delete them.
Security
We treat the security baseline as table-stakes, not a feature:
- All requests between Mosaq and Supabase / the LLM provider are sent over TLS 1.2+.
- Supabase Row Level Security ensures no other user (and no anonymous actor) can read your clips.
- Image blobs are served to the web app via short-lived signed URLs (1-hour expiry, never permanently public).
- The extension ships with the minimum `permissions` and `host_permissions` declared in its manifest — no broad host access, no `` reading browsing history.
Children's privacy
Mosaq is not directed at children under 13 (or the age of digital consent in your jurisdiction). We do not knowingly collect data from children. If you believe a child has created an account, contact the address below and we will delete it.
Changes to this policy
If we change this policy in a material way, the effective date at the top will update and the change will be noted in the extension release notes for the next version. Continued use of Mosaq after the effective date constitutes acceptance.
Contact
Questions, account-deletion requests, or privacy concerns: [email protected]
EFFECTIVE 5 JUL 2026 · v1