Mosaic Habits is built to respect your privacy. This policy explains what personal data we collect, why, and the choices and rights you have. Please read it before using the app.
1) Who is responsible for your data
This policy explains how your personal data is handled when you use the Mosaic Habits app (the "app") and this website. Personal data is any information that can identify you.
The party responsible for processing (the "controller" under the EU General Data Protection Regulation, "GDPR") is:
- Prachathorn Thanarithiporn ("Peak") — solo developer, Mosaic Habits
- Bangkok, Thailand
- Email: prachathornth@gmail.com
2) What we collect, and why
Account information. If you create an account, we store your email address and a securely hashed password (handled by our authentication provider) so we can sign you in and sync your data across devices. Legal basis: performance of our contract with you (Art. 6(1)(b) GDPR).
Your habit and app data. This includes the habits you create (names, optional notes, icons, colours, and categories), your completion history, your Discover mosaic progress, and your in-app settings. Depending on what you choose to track, this data may reveal sensitive aspects of your life (for example exercise, sleep, or health routines), so we treat it as sensitive. It is stored on your device and, if you are signed in, synced to our backend so you can access it on your other devices. Legal basis: performance of our contract with you (Art. 6(1)(b) GDPR).
Guest mode. If you use the app without creating an account, your habit data stays on your device and is not sent to our servers. Uninstalling the app removes it.
Purchases. In-app purchases (premium features) are processed by RevenueCat and the Apple App Store / Google Play. We receive your purchase and subscription status, but not your full payment-card details. Legal basis: performance of our contract with you (Art. 6(1)(b) GDPR).
Waitlist (this website). If you submit your email address to join the launch waitlist, we store it so we can email you when the app is available. Legal basis: your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time by asking us to remove you or using the unsubscribe link in our emails.
Contact. When you contact us (for example by email), we process the information you include in order to answer your request and for the associated administration. Legal basis: our legitimate interest in responding to you (Art. 6(1)(f) GDPR), or performance of a contract where applicable (Art. 6(1)(b) GDPR). We delete this data once your request has been resolved, unless we are legally required to keep it.
3) Service providers and international transfers
We rely on a small number of service providers who process data on our behalf under data processing agreements. We only share what is necessary for each purpose.
Supabase (Supabase, Inc.) hosts our database and authentication and stores your synced account data and the website waitlist. See supabase.com/privacy.
RevenueCat (RevenueCat, Inc., 300 Euclid Avenue, San Francisco, CA 94118, USA) processes in-app purchases. We share only the information needed to process and validate your purchase, under a data processing agreement. See revenuecat.com/privacy.
Apple App Store / Google Play distribute the app and handle payments under their own privacy policies.
Some of these providers are based in, or may process data in, countries outside your own (including the United States). Where that happens, the transfer is safeguarded by appropriate measures such as the EU Standard Contractual Clauses (Art. 46 GDPR).
4) Analytics and crash reporting — what we do not do
By design, Mosaic Habits keeps tracking to a minimum. We do not:
- sell or rent your personal data;
- use third-party advertising networks or cross-app tracking;
- embed third-party analytics or crash-reporting SDKs that capture your habit content.
The app does not send your data anywhere except to the backend services described above.
5) How long we keep your data
- Account and synced data: kept while your account is active. You can delete your account from within the app, which removes your account and the habit data associated with it from our backend.
- Guest data: stored only on your device; it is removed when you uninstall the app or clear its data.
- Waitlist email: kept until we have sent the launch announcement, or until you ask us to remove you or unsubscribe — whichever comes first.
- Contact messages: kept until your request is resolved, plus any period we are legally required to retain them.
6) Security
Data is transmitted over encrypted connections (HTTPS). Access to synced data is restricted per user at the database level, so one account cannot read another's data. Passwords are handled by our authentication provider and are not stored in plain text.
7) Your rights (EU / EEA — GDPR)
If you are in the EU or EEA, applicable data protection law grants you the following rights regarding your personal data:
- Access (Art. 15 GDPR) — to obtain confirmation of, and information about, the personal data we process about you.
- Rectification (Art. 16 GDPR) — to have inaccurate or incomplete data corrected.
- Erasure (Art. 17 GDPR) — to have your personal data deleted where the legal conditions are met.
- Restriction (Art. 18 GDPR) — to request that we restrict processing in certain circumstances.
- Data portability (Art. 20 GDPR) — to receive the data you provided in a structured, commonly used, machine-readable format, or to have it transmitted to another controller where technically feasible.
- Withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, to withdraw it at any time with effect for the future, without affecting the lawfulness of processing before withdrawal.
- Complaint (Art. 77 GDPR) — to lodge a complaint with a supervisory authority, in particular in the country where you live or work.
8) Right to object
Where we process your personal data on the basis of our legitimate interests, you have the right to object to that processing at any time for reasons arising from your particular situation. If you object, we will stop processing the data concerned unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves to establish, exercise, or defend legal claims.
Where we process your personal data for direct marketing, you have the right to object at any time. If you object, we will stop processing your data for those purposes.
9) Your US privacy rights (California and other states)
This section applies if you are a US resident. Over the past 12 months we have collected the categories of personal information described in Section 2 — chiefly identifiers (your email address), your habit and app content, and your purchase/subscription status — for the purposes set out there: to provide and sync the app, process purchases, answer your messages, and (for the website) operate the launch waitlist.
We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising, as those terms are used under the California Consumer Privacy Act (CCPA/CPRA). We have not done so in the past 12 months, so there is nothing for you to opt out of in that respect, and we do not offer financial incentives in exchange for your data.
Depending on your state, you may have the right to: know or access the personal information we hold about you; request that we delete it; request that we correct it; opt out of any sale or sharing (not applicable here, as we do none); and not be discriminated against for exercising these rights. Residents of other states with comprehensive privacy laws (such as Virginia, Colorado, Connecticut, and Texas) have broadly similar rights.
To exercise any of these rights, email us at prachathornth@gmail.com. We may need to verify your request against information we already hold, and you may use an authorised agent where the law allows.
10) Changes to this policy
We may update this policy as the app evolves or as the law changes. We will revise the date at the top when we do, and material changes will be communicated where appropriate.
11) Contact
Questions about this policy or your data? Reach us at prachathornth@gmail.com.