1. Introduction
Welcome to mosaïc. This Privacy Policy explains how Supaflow UG (haftungsbeschränkt) ("we," "us," or "our") collects, uses, processes, and protects your information when you use our application, mosaïc ("the App"), and our website, mosaiix.xyz ("the Website").
We are committed to protecting your privacy and handling your data transparently. This policy complies with the General Data Protection Regulation (GDPR) and German data protection laws.
2. Responsible Entity
The entity responsible for data processing (the "Controller") is:
- Supaflow UG (haftungsbeschränkt)
- Ackergasse 8, 67482 Freimersheim, Germany
- Represented by: Giorgio Groß
- Email: giorgio@supaflow.xyz
- HRB: 33644 (Amtsgericht Landau in der Pfalz)
- VAT-ID: DE358620606
3. Data We Collect
3.1 Account Data
When you create an account, we collect your email address for authentication (via one-time passcode). This is necessary to provide access to the App.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
3.2 Profile Data
You may provide a display name and profile photo. Your display name and photo are visible to users you share meditation sessions with.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
3.3 Meditation Data
To generate personalized meditations, we process your data in multiple steps:
- Problem statement: When you describe what is on your mind, this text is sent to an AI provider to generate a structured intention and situation labels. This problem statement is processed transiently and is not stored by us. Our AI providers typically delete such inputs within 24 hours in accordance with their data retention policies.
- Intention & situation labels: The generated intention and situation labels are saved to your account and used as the basis for meditation script generation.
- Meditation scripts & audio: The generated meditation scripts and audio narrations do not contain personal data. These are owned by Supaflow UG and are retained even after you delete your account.
Meditations are created automatically once per day. This is when your intention and situation data is sent to the AI providers for script and audio generation.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
3.4 Session Feedback
Before and after meditation sessions, we collect self-reported energy levels (scale of 1-10), outlook scores, and session completion percentage. This data is used to improve your meditation experience and is not used for medical or diagnostic purposes.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
3.5 Notification & Device Data
If you enable push notification reminders, we store your push notification endpoint, device type, preferred reminder time, and timezone (detected automatically from your browser). You can disable notifications at any time in your account settings.
Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time via your account settings.
3.6 Sharing & Group Data
When you join or create a group, your profile data (display name, profile photo) and email address are visible to other members of that group. Only members within the same group can see each other's contact details.
You can choose to share individual meditations publicly. Shared meditations are accessible to anyone with the link. You have full control over whether a meditation is shared or kept private.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
4. Third-Party Service Providers
We rely on specialized third-party providers to deliver our services. All providers are bound by Data Processing Agreements (DPAs) that meet GDPR requirements.
- Supabase — Database, authentication, and file storage. Data is hosted in the EU (Frankfurt, Germany).
- Vercel — Web application hosting and delivery.
- Anthropic (Claude) — AI language model used to generate personalized meditation scripts from your intentions and situation labels. Anthropic does not use your data to train their models.
- DeepSeek — AI language model used to process your problem statement into structured intentions and situation labels. This input is processed transiently and typically deleted by the provider within 24 hours. DeepSeek does not use your data to train their models.
- ElevenLabs — Text-to-speech service used to generate the audio narration for your meditations. Only the meditation script (which does not contain personal data) is sent to ElevenLabs. ElevenLabs does not use your data to train their models.
- Mixpanel — Analytics service used to understand how visitors interact with the app. When you consent to analytics cookies, Mixpanel collects anonymous usage data including page views and feature interactions. Mixpanel never receives your email address, user ID, or any personally identifiable information. Data is processed in the EU (api-eu.mixpanel.com). Only active when you consent to analytics cookies.
- Meta (Facebook) — We use the Meta Pixel to measure the effectiveness of our advertising campaigns on Facebook and Instagram. When you consent to marketing cookies, the Meta Pixel may collect information about your visit (pages viewed, actions taken) and use cookies to deliver and measure ads. Meta may link this data to your Facebook account if you are logged in. This data is processed by Meta Platforms Ireland Ltd. Only active when you consent to marketing cookies.
5. AI-Powered Features
mosaïc uses artificial intelligence to create personalized meditations. Once per day, a new meditation is generated automatically for you. This is how the process works:
- Your problem statement is sent to DeepSeek to generate a structured intention and situation labels. The problem statement is not stored by us and is typically deleted by the provider within 24 hours.
- Your intention and situation labels are saved and sent to Anthropic Claude to generate a meditation script.
- The generated script is sent to ElevenLabs to create spoken audio narration. The script does not contain personal data.
- None of our AI providers use your data to train their models. We have contractual agreements ensuring this.
All meditation scripts and audio are AI-generated, not created by human practitioners. The generated scripts and audio narrations do not contain personal data and are owned by Supaflow UG.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR) — AI processing is integral to delivering the personalized meditation service you signed up for.
6. International Data Transfers
Your primary data (account, profile, meditation content) is stored in the EU (Frankfurt, Germany) via Supabase. Analytics data is processed in the EU via Mixpanel (api-eu.mixpanel.com). When you consent to marketing cookies, Meta may process data on servers located in the EU and the United States. When you use AI-powered features, your intention text is transmitted to servers operated by Anthropic, DeepSeek, and ElevenLabs, which may be located outside the European Economic Area (EEA).
For transfers outside the EEA, we rely on appropriate safeguards including EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework, to ensure your data receives an adequate level of protection.
7. Cookies & Tracking
mosaïc uses the following types of cookies and browser storage:
7.1 Essential Cookies
Supabase authentication session cookie. This is strictly necessary for authentication and session management. No consent is required (TDDDG § 25 / Art. 5(3) ePrivacy Directive).
7.2 Analytics Cookies (Optional)
Mixpanel tracking cookie (mp_*_mixpanel). Purpose: anonymous page view tracking, feature usage analytics, and marketing attribution (UTM parameters). This cookie stores a randomly generated anonymous ID — never your email address or account ID. Expiry: 365 days.
Legal basis: Consent (Art. 6(1)(a) GDPR). Analytics cookies are only set after you explicitly consent via the cookie banner.
7.3 Marketing Cookies (Optional)
Meta Pixel (_fbp, _fbc). Purpose: measuring the effectiveness of our advertising campaigns on Facebook and Instagram, and delivering personalized ads. Meta may link this data to your Facebook account if you are logged in. Data is processed by Meta Platforms Ireland Ltd. Expiry: up to 90 days.
Legal basis: Consent (Art. 6(1)(a) GDPR). Marketing cookies are only set after you explicitly consent via the cookie banner.
7.4 Consent Preferences
Your cookie consent preferences are stored in your browser's localStorage (mosaiic_cookie_consent), not as a cookie. This records whether you accepted or declined analytics and marketing cookies, along with your anonymous tracking ID.
7.5 Managing Your Preferences
You can change your cookie preferences at any time via the "Cookies" link in the website footer or the "Manage Cookies" option on your account page. Withdrawing consent stops all non-essential tracking immediately. We do not use fingerprinting or any other tracking technologies.
8. Data Retention
We retain your data for as long as your account is active and as needed to provide you with our services.
- Account & profile data: Retained until you delete your account.
- Intention & situation labels: Retained until you delete your account.
- Session feedback: Retained until you delete your account.
- Meditation scripts & audio: These do not contain personal data and are owned by Supaflow UG. They are retained even after account deletion.
- Push notification data: Removed immediately when you disable notifications or delete your account.
When you delete your account, all personal data is permanently removed. This includes your profile, email address, intentions, situation labels, session feedback, device registrations, and group memberships. This process is irreversible.
9. Your Data Protection Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR): You can request information about the personal data we hold about you.
- Right to Rectification (Art. 16 GDPR): You can update your display name and profile photo at any time through your account settings.
- Right to Erasure (Art. 17 GDPR): You can delete your account and all associated data through the account settings page. You can also request erasure by contacting us.
- Right to Data Portability (Art. 20 GDPR): You can request a copy of your personal data in a machine-readable format. This includes your account data, profile information, intentions, situation labels, and session feedback. It does not include meditation scripts and audio, as these do not constitute personal data.
- Right to Restrict Processing (Art. 18 GDPR): You can request restriction of processing under certain conditions.
- Right to Object (Art. 21 GDPR): You can object to the processing of your data.
- Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent (e.g., push notifications), you can withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. The competent authority for us is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz.
To exercise any of these rights, contact us at giorgio@supaflow.xyz.
10. Data Security
We implement appropriate technical and organizational measures to protect your data from unauthorized access, both in transit and at rest. All data is transmitted via encrypted connections (TLS). Our database and file storage are hosted by Supabase, which encrypts data at rest, is SOC 2 Type 2 certified, and is audited annually. We follow security best practices including authenticated access controls for file storage.
11. Age Requirement
mosaïc is intended for users aged 16 and older, in accordance with Art. 8 GDPR as implemented under German law. We do not knowingly collect data from users under 16. If we become aware that a user under 16 has provided personal data, we will promptly delete their account and data.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on our website. The effective date at the top of this page indicates when the policy was last revised.
13. Contact
If you have any questions about this Privacy Policy or your data, contact us at: giorgio@supaflow.xyz