Privacy Policy.

Last updated: 2026-04-22

1. Who we are (controller)

MOSAI Networks LLC ("MOSAI," "we," "us") is the data controller for personal information collected through mosai.draftlabs.org. Contact: privacy@mosai.draftlabs.org.

2. What we collect

| Category | Data | Source |
|---|---|---|
| Waitlist | Email address, variant seen, source tag | You submit via form |
| Founding Listener | Email, Stripe customer ID, paid status, amount | Stripe checkout + webhook |
| Account (optional) | Email, hashed password, session cookies | Supabase Auth |
| Analytics | Page visits, funnel events, anonymous device ID | PostHog (consent-gated) |
| Server logs | Truncated IP, user-agent, request path, timestamps | Vercel edge logs |

We never collect: government IDs, financial account numbers (Stripe holds cards; we never see card data), health data, sexual orientation, political affiliation, or precise geolocation.

3. Legal bases (GDPR Article 6)

  • Contract. Waitlist signup and Founding Listener purchase — performance of a contract you requested.
  • Legitimate interest. Rate limiting, abuse detection, security logs — necessary to operate the Service.
  • Consent. Analytics cookies and optional communications — opt-in; withdrawable at any time.
  • Legal obligation. Responding to lawful regulatory or judicial requests.

4. How we use it

  • Deliver Edge of AI episodes to listeners who opted in.
  • Process Founding Listener payments and issue access.
  • Send transactional emails (welcome, corrections) and, only with consent, episode announcements.
  • Measure funnel conversion to improve the signup flow.
  • Detect and block abuse (rate limits, CSRF, bot traffic).

We do not sell personal information. We do not use personal information to train AI models. Mosai's editorial LLM is trained only on the curated source corpus described in the content policy.

5. Who we share with

| Processor | Purpose |
|---|---|
| Supabase | Database + authentication |
| Vercel | Hosting + edge logs |
| Stripe | Payment processing (PCI-DSS Level 1) |
| Resend | Transactional email delivery |
| PostHog | Analytics (anonymized event data) |
| Upstash | Rate-limit state (truncated IP hash only) |

Each processor is bound by a data processing agreement and operates under GDPR Article 28. We do not transfer personal data to third countries that lack an adequacy decision without appropriate safeguards (Standard Contractual Clauses).

6. Retention

  • Waitlist email: retained until deletion request or 24 months of inactivity after general launch.
  • Founding Listener records: retained for the duration of lifetime access plus 7 years for tax and audit requirements.
  • Server logs: 30 days hot, 1 year cold-archived.
  • Analytics events: 24 months.
  • Rate-limit state: up to 24 hours rolling window.

7. Your rights (GDPR + CCPA + UK GDPR)

You can request any of the following by emailing privacy@mosai.draftlabs.org:

  • Access. A copy of the personal data we hold about you.
  • Correction. Fix anything inaccurate.
  • Deletion. Delete your data (subject to legal retention).
  • Portability. Export your data in a machine-readable format.
  • Objection / restriction. Restrict specific processing.
  • Withdraw consent. For anything we do based on consent.
  • Complain. To your national data protection authority. In the US (California), you may opt out of "sale/sharing" — we do neither, but the option is formally noted.

We respond within 30 days for EU/UK visitors, 45 days for California residents.

8. Cookies

We use a small set of cookies:

  • mosai_csrf — double-submit CSRF token. Strictly necessary. Set on every request to the site.
  • Supabase auth cookies — keep you signed in if you have an account. Strictly necessary for account features.
  • PostHog analytics — set only after consent. Opt-in required for non-essential analytics.

9. Children

The Service is not directed to children under 16. We do not knowingly collect information from children. If you believe a child has provided us with personal data, contact privacy@mosai.draftlabs.org and we will delete it.

10. Security

Transport is TLS 1.3. Database is AES-256 at rest. Row-Level Security is enabled on every table; application writes go through service-role paths with CSRF and rate limiting. Payment data never touches our servers — Stripe processes it end-to-end.

11. EU / EEA visitors

At Stage 1 launch the Service is US-only. EU/EEA visitors are redirected to /not-available and no signup surface is presented. If you are reached in error, our data processing ceases on notice. Full EU availability ships with our Stage 3 international pilot.

12. Changes

Material changes will be announced on @mosai on X and reflected in the "Last updated" date.