Privacy Policy

Last updated: 5 June 2026

This Privacy Policy explains how Mosena ("Mosena", "we", "us") collects, uses, and protects your personal data when you use the Mosena mobile application and related services. Mosena is operated by a registered individual entrepreneur based in Georgia (the "Operator"). We process your data in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Law of Georgia on Personal Data Protection, depending on your jurisdiction.

Mosena is for adults 18+. Registration requires your year of birth and we reject sign-ups that do not meet this threshold. We do not knowingly collect data from minors. If you become aware that a minor has registered, please contact us at magleb@mosena.app and we will erase the account and its data.

1. What data we collect

Account data

• Email address — to create and access your account, receive password resets and notifications.
• Password — stored as a salted hash; we never see your plain-text password.
• Display name — optional, used inside the app.
• Year of birth — collected at registration to enforce the 18+ age requirement. We do not collect month or day.
• Language and time zone — to personalize content and schedule daily summaries.

Conversation data

• Text messages you send to the in-app AI.
• Voice messages you record. Voice is transcribed to text by our subprocessor and the audio is discarded after transcription; only the transcript is retained.

Derived data

Mosena automatically generates the following from your conversations to power the product:

• Emotional state metrics (e.g. vitality, anxiety, focus) on a 0–100 scale.
• Recurring themes and behavioural patterns identified across your messages.
• Daily, weekly, monthly, and yearly summaries of your conversations.
• References to people, events, and emotions you mention.

This derived data is personal data about you. You can delete it together with your account.

Technical data

• Device information — iOS version, device model.
• Push notification token — to send daily summaries and reminders.
• Crash and error logs — to diagnose technical issues.
• Usage events — which screens you open, how often you use the app (anonymized aggregate metrics for product analytics; not linked to message content).

Subscription and billing data

If you purchase a Mosena subscription:

• Subscription state — plan (monthly / yearly), status (trial / active / cancelled), period start and end dates, currency, and price. Used to unlock paid features.
• Apple transaction identifier — opaque ID issued by Apple to identify each subscription period. Used by our payments subprocessor (RevenueCat, see below) to validate purchases and to relay renewal / cancellation / refund events to our backend.
• Country code and currency — derived from your Apple ID at purchase time, for tax and currency reporting only.

We do not receive or store your payment card number, bank account number, or any other financial identifier. Apple processes the payment outside our app and never shares those details with us.

2. How we use your data

• To run the core service — store your conversations, generate AI responses, build your personal pattern portrait.
• To remind you about the app via push notifications and email.
• To resolve technical issues and improve reliability.
• To understand product usage in aggregate (e.g. how many users complete onboarding).
• To comply with legal obligations.

We do not sell your data, use it for third-party advertising, or share your conversations with anyone outside the strict subprocessor list below.

3. Legal basis

Under GDPR, we rely on the following legal bases:

• Contract — to provide the service you signed up for.
• Explicit consent — for processing your conversation data, which may include sensitive information (special category data under Art. 9 GDPR, including information about mental health). You give this consent during onboarding and may withdraw it at any time by deleting your account.
• Legitimate interest — for security, fraud prevention, and aggregate product analytics.
• Legal obligation — to comply with applicable law.

For users in Georgia, processing is performed under the Law of Georgia on Personal Data Protection, with your explicit consent for special category data including information about your mental health.

4. AI processing

Mosena uses large language models to read your messages and generate responses, summaries, and pattern insights. Specifically:

• Your messages are sent to OpenAI (USA) for processing through the GPT models.
• Voice recordings are sent to OpenAI Whisper for speech-to-text transcription.
• OpenAI processes data on our behalf under their API terms. Per OpenAI’s public API data usage policy, API inputs and outputs are not used to train OpenAI models by default. We are working to confirm enterprise-grade zero-data-retention terms; until that confirmation is in place we cite OpenAI’s default API policy as the operative standard.

AI-generated content is informational only. It is not medical advice, diagnosis, or a substitute for a licensed mental health professional. AI can make mistakes — verify any health-related conclusion with a qualified human.

5. Third parties and subprocessors

We share specific data with the following service providers under data processing agreements:

• OpenAI, L.L.C. (USA) — LLM and Whisper APIs. Processes your messages and voice to generate responses, transcripts, and embeddings.
• DigitalOcean, LLC (Amsterdam, EU region) — hosts our backend servers and database, including a self-hosted Qdrant vector store used for future recall features.
• Cloudflare, Inc. (USA) — DNS, CDN, and DDoS protection for our domain; static hosting of the marketing site via Cloudflare Workers.
• Resend, Inc. (USA) — sends transactional emails to you (welcome, password reset, security notifications).
• Google LLC (USA) — Google Workspace mailbox for receiving emails addressed to us at @mosena.app addresses.
• Apple Inc. (USA) — App Store distribution, in-app purchases (StoreKit), and push notification delivery (APNs). Apple processes your payment when you subscribe; we never see your payment card or bank details.
• RevenueCat, Inc. (USA) — subscription management. We send your Mosena user ID and the Apple-issued transaction identifier to RevenueCat so they can validate purchases with Apple and relay subscription events (initial purchase, renewal, cancellation, expiration, refund) back to our backend. RevenueCat does not see your conversation content, derived data, or any health-related metrics.
• Functional Software, Inc. d/b/a Sentry (USA) — captures unhandled errors and crashes for diagnostic purposes; may briefly include excerpts of message content when an exception fires inside content-handling code.
• PostHog, Inc. (USA, EU region) — product analytics on screen views and feature usage; does not receive message content.

We do not use third-party advertising networks, tracking pixels, or marketing analytics that combine your data with external profiles.

6. How long we keep data

• Active accounts — we retain all your data while your account is active.
• Deleted accounts — when you delete your account, your data is permanently erased from our active database within 30 days. Database backups are rotated and overwritten within 90 days.
• Anonymized aggregate metrics (e.g. "users who completed onboarding") may be retained indefinitely as they cannot be linked back to you.
• Legal records — payment receipts, legal correspondence, and other data we are required to retain by law are kept for the period required by applicable regulations.

7. Your rights

You have the following rights regarding your personal data:

• Access — request a copy of your personal data we hold.
• Correction — ask us to correct inaccurate or incomplete data.
• Deletion — delete your account directly in the app (Profile → Delete account) or by emailing us. This permanently erases your messages, derived analyses, and profile.
• Portability — receive your data in a structured, machine-readable format (JSON export).
• Restriction and objection — restrict or object to certain processing where applicable.
• Withdraw consent — withdraw your consent for processing at any time by deleting your account.
• Complaint — lodge a complaint with your local data protection authority. EU users may contact their national DPA; users in Georgia may contact the Personal Data Protection Service of Georgia (personaldata.ge).

To exercise any of these rights, contact us at magleb@mosena.app. We respond within 30 days.

8. Security

We protect your data with industry-standard measures:

• HTTPS/TLS encryption for all data in transit.
• Encrypted storage for the database and backups.
• Salted password hashing — we never store plain passwords.
• Limited access — only the Operator can access production data, and only when necessary for support or maintenance.
• Regular security updates of all server software.

No system is fully immune to breaches. If a data breach affects your data, we will notify you and the relevant authorities as required by GDPR Art. 33 and applicable law.

9. International data transfers

Your data is transferred to and processed in the following locations:

• European Union — primary database hosting (DigitalOcean Frankfurt or Amsterdam region).
• United States — when interacting with OpenAI APIs (for AI processing) and Cloudflare network edge.

Transfers to the United States rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V. Cross-border transfers from Georgia comply with the Law of Georgia on Personal Data Protection, which permits transfers to jurisdictions with adequate safeguards.

10. Children

Mosena is rated 18+ on the App Store and is intended only for adults aged 18 or older. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, please contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app or by email at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.

12. Contact

Questions about this Privacy Policy, requests to exercise your rights, or other data-related inquiries:

Email: magleb@mosena.app
Operator: Maksimov Gleb Igorevich, registered individual entrepreneur (Georgia)
Jurisdiction: Georgia

If you reside in the European Economic Area or the United Kingdom, you may also contact your national data protection authority. A list of authorities is available at edpb.europa.eu.