Privacy
Policy.
Last updated: June 6, 2026
This policy explains what data Mosey Studio collects, how we handle your photos, which third-party services receive your data, and what rights you have. We've written it to be readable, not just legally sufficient.
The short version
- →The mosaic rendering engine runs entirely in your browser. Your photos are not uploaded during normal use. If you choose to Save a mosaic, your photo is uploaded to our cloud storage so it can be restored later.
- →Three optional AI features — background removal, depth-map generation, and AI palette curation — briefly transmit your photo to fal.ai, our AI processing partner. The image file is configured to auto-delete within 30 seconds.
- →We store your email, subscription status, and credit balance. If you save mosaics, we also store your source photos and configuration.
- →We use PostHog for analytics. A consent banner is shown on first visit — no data is sent until you accept.
- →We do not sell or share your personal data for advertising purposes.
- →To request access, correction, or deletion of your data, email support@mosey.studio.
01 / Who We Are
Mosey Studio ("we", "us", "our") is a trading name of Cameron Garvey, a sole trader based in New Zealand. We are the data controller for personal data processed in connection with this service. If you have any privacy questions, contact us at support@mosey.studio.
02 / What We Collect
Where applicable, we identify the legal basis for processing under GDPR. New Zealand users are protected by the Privacy Act 2020, which is covered in the Your Rights section below.
Account data
When you create an account we collect your email address, a Supabase user identifier, and — if you sign in with Google — your Google account identifier and profile avatar URL. We need this to authenticate you and link your subscription. We never store your password in plain text; Supabase handles credential hashing.
Lawful basis (GDPR): Performance of a contract — you can't have an account without it.
Subscription data
If you subscribe to Mosey Pro, we store your Stripe customer ID, subscription ID, status, billing interval, and current billing period dates. Your card number, CVC, and billing address are collected directly by Stripe and never pass through our servers.
Lawful basis (GDPR): Performance of a contract.
Credit ledger
We maintain an append-only credit transaction ledger recording each credit grant, purchase, usage, and refund. Each row stores: your user ID, which bucket (subscription or purchased) was affected, the amount, the transaction type (e.g. monthly_grant, purchase, usage, refund), optionally which AI feature was used, and a timestamp. No image content is stored in this ledger.
This ledger is visible to you in your account and is used for billing transparency, fraud prevention, and customer support. All ledger rows are deleted when your account is deleted.
Lawful basis (GDPR): Legitimate interests — credit accounting and fraud prevention are necessary to operate a fair and sustainable service.
Saved mosaics
When you explicitly click Save in the studio, we upload and store the following to Supabase Storage and our database on your behalf: your source photo, an optional painted mask, an optional depth map (only if you generated one), a small thumbnail image, and your mosaic configuration (tile type, layout, palette settings). This data is retained until you delete the mosaic or your account. You can manage your saved mosaics at any time from your library page.
By default, saved mosaics are private. If you toggle a mosaic to shared, it becomes accessible to anyone who has the link, including the source photo and mask you uploaded. You can revert to private or delete the mosaic at any time. Shared assets are served via Supabase's CDN; Supabase may cache them at edge nodes.
Lawful basis (GDPR): Performance of a contract — the save feature only works by storing your data.
Analytics
We use PostHog to collect page views and feature events (such as render completion with non-identifying dimensions like tile count and layout type). PostHog is configured with person_profiles: 'identified_only' — anonymous visitors generate session events but no personal profile is ever created for them. For signed-in users, we link events to a profile containing your user ID, email, and plan tier. We do not send image data or generated mosaics to PostHog.
Lawful basis (GDPR): Consent — all visitors are shown a cookie banner on first visit and PostHog is disabled until they accept.
Support messages
If you contact us via the FAQ support form, we collect your name (optional), email address (optional), the subject category, and your message. This is sent to our support inbox via Resend.
Lawful basis (GDPR): Legitimate interests — responding to support requests.
IP addresses (rate limiting)
To prevent abuse, our servers temporarily process your IP address for rate limiting purposes. For unauthenticated requests (e.g. the support form, image search, and guest checkout), your IP address is used as the rate-limit key. For authenticated API requests to our Edge Functions (e.g. checkout session creation), your Supabase user identifier is used instead of your IP address where possible.
IP addresses passed to Edge Functions are forwarded to Upstash (our rate-limiting provider) as part of the rate-limit key. This data expires automatically after a short period (minutes). IP addresses used for rate limiting within the application server are held in process memory only and are never written to disk or sent to a third party.
Lawful basis (GDPR): Legitimate interests — protecting the service from abuse, spam, and denial-of-service attacks.
03 / Your Photos
Core rendering is 100% local. Your photos are compressed in the browser and held only in memory while the studio is open. Mosey's servers never receive them during normal use.
The mosaic rendering engine — tile layout, color matching, palette selection — runs entirely in WebGL on your device. No image data is sent to Mosey or any third party as part of this core workflow.
Three optional features change this by design:
Background Removal
When you tap "Remove Background", your photo is sent over HTTPS from your browser to a Supabase Edge Function, which forwards it to fal.ai for neural-network segmentation. The image file on fal.ai's storage is configured to expire in 30 seconds. The processed result (subject-only PNG) is returned to your browser and held in memory only. We do not intentionally retain a copy after processing completes; fal.ai temporary storage is configured to auto-delete within 30 seconds.
Depth Map Generation
The same flow applies: your photo is sent over HTTPS to fal.ai (via Supabase Edge Function) for depth estimation, returned as a grayscale depth map, and the uploaded file expires within 30 seconds.
AI Palette Curation (Pro)
When you use "Suggest Palette", your photo is uploaded to fal.ai's storage and that temporary URL is passed to Google Gemini 2.5 Flash via OpenRouter, which analyses the image and returns a list of emoji suggestions. The image file at fal.ai expires in 30 seconds; only the emoji list is stored by Mosey (in your browser session). Google processes the image on the paid API path, which Google states is not used for model training and is subject only to brief safety/abuse logging.
If you upload photos of other people, you are responsible for ensuring you have the right to do so and that those individuals have consented to their image being processed as described above.
04 / Sub-Processors
We share data with the following third-party vendors only to the extent required to operate the service. Each vendor is listed with what they receive and our understanding of their retention.
Vercel
Application hosting, SSR, and serverless functions (support email, Unsplash proxy, session-status routes)
Receives: IP addresses, request headers, and request bodies for all page views and API calls. Static assets (JS, CSS, images) served from Vercel's global CDN.
Retention: Per Vercel's Privacy Policy; log retention depends on your plan
Cloudflare
CDN, DDoS protection, and DNS — all traffic passes through Cloudflare before reaching our origin
Receives: IP addresses, request metadata (URL, User-Agent, headers). Cloudflare may cache static assets.
Retention: Per Cloudflare's Privacy Policy and your plan's log retention settings
Supabase
Authentication, database, Edge Functions
Receives: Email, user ID, subscription data, credit balance and transaction ledger
Retention: Until account deletion
Stripe
Payment processing — subscriptions and one-time credit pack purchases
Receives: Email, Supabase user ID, billing interval, one-time payment amount. Card details are collected by Stripe directly — we never see them.
Retention: Per Stripe's data retention policy
fal.ai
AI inference for background removal, depth maps, and palette curation
Receives: Compressed photo when you trigger one of these three features
Retention: Media file: ~30 seconds (auto-delete). Request metadata (no image bytes): up to 30 days per fal.ai defaults. fal.ai states it does not use customer data for model training.
OpenRouter
Routes the palette-curation request to a vision model
Receives: A temporary fal.ai URL pointing to your image, plus the curation prompt
Retention: Zero data retention by default — OpenRouter does not log prompts or responses unless you explicitly opt in. We do not opt in.
Google (Gemini 2.5 Flash)
Vision analysis for AI palette curation
Receives: The image at the temporary fal.ai URL (which expires in 30 seconds)
Retention: Google's paid API path: not used for training; brief safety/abuse logging only per Google's terms.
PostHog
Product analytics
Receives: Page views, feature events; for signed-in users: user ID, email, and plan tier. Anonymous visitors are never linked to a personal profile.
Retention: Per PostHog project settings; no images or file data is sent
Resend
Transactional emails (account verification, payment receipts, support replies)
Receives: Email address, message body
Retention: Per Resend's data retention policy
Upstash
Rate limiting for Edge Functions (abuse and spam prevention)
Receives: Rate-limit keys containing either your IP address (unauthenticated requests) or your Supabase user identifier (authenticated requests). No other personal data is transmitted.
Retention: Auto-expires after a short period (minutes). No persistent storage.
Unsplash
Stock photo search in the Library (proxied via Mosey server route)
Receives: Search query text only — no user identity or photos
Retention: Per Unsplash's Terms of Service
Google OAuth
Optional single sign-on
Receives: OAuth identity and profile picture URL if you choose to sign in with Google
Retention: Per Google's Privacy Policy
06 / We Don't Sell Your Data
Mosey Studio does not sell, rent, or share your personal data with third parties for cross-context behavioral advertising or any commercial purpose. The sub-processors listed above receive data only to perform services on our behalf. California residents: this constitutes our "Do Not Sell or Share My Personal Information" disclosure. We do not sell or share as defined by the CCPA.
07 / Children
Mosey Studio is not directed at children under the age of 13 (or 16 in jurisdictions where a higher age applies to digital consent). We do not knowingly collect personal data from children. Account creation requires email confirmation, which acts as a basic age gate. If you believe a child has submitted data through our service, please contact us at support@mosey.studio and we will delete it promptly.
08 / Your Rights
GDPR / UK GDPR rights
If you are located in the European Economic Area or the United Kingdom, you have the right to: access a copy of the personal data we hold about you; request correction of inaccurate data; request erasure (the "right to be forgotten"); request restriction of processing; obtain a portable copy of your data; object to processing based on legitimate interests; and withdraw consent at any time (this does not affect the lawfulness of processing prior to withdrawal). You also have the right to lodge a complaint with your local supervisory authority.
CCPA / CPRA rights (California)
California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, to opt out of any sale or sharing (we do not sell or share — see Section 6), and to non-discrimination for exercising these rights.
New Zealand Privacy Act 2020
As a New Zealand-based operator, we are bound by the New Zealand Privacy Act 2020. If you are located in New Zealand (or anywhere else), you have the right to request access to personal information we hold about you, and to request correction of that information if it is inaccurate, out of date, incomplete, or misleading. We will respond to such requests within 20 working days as required by the Act.
If you believe we have breached the Privacy Act 2020 and are unsatisfied with our response to your complaint, you have the right to make a complaint to the Office of the Privacy Commissioner (privacy.org.nz).
How to exercise your rights: Email support@mosey.studio. We will respond within 20 working days (or the applicable legal deadline). To request account deletion, include the email address associated with your account. We will delete your profile, subscription record, credit transaction ledger, and PostHog person record, except where retention is required for legal, fraud-prevention, tax, accounting, or security obligations. You can also delete your account directly from your account settings.
09 / International Transfers
Mosey Studio operates globally. Your data may be processed in the following regions:
- →Australia (ap-southeast-2) — Supabase database, auth, and file storage. Your account, subscription, usage data, and saved files are stored here.
- →United States — Vercel (hosting & serverless functions), Cloudflare (CDN), PostHog, Stripe, fal.ai, OpenRouter, Resend, Upstash (rate limiting).
Mosey Studio is based in New Zealand and not established in the EU. GDPR applies to us because we offer this service to individuals in the European Economic Area, and we process that data accordingly.
If you are in the European Economic Area or the United Kingdom, these transfers are to countries without an EU adequacy decision. Where required, we rely on vendor-provided Standard Contractual Clauses (SCCs) or equivalent safeguards as made available by each vendor's Data Processing Agreement.
10 / Security
All data in transit is encrypted via HTTPS/TLS. Database access is enforced by Supabase Row-Level Security policies — you can only read or modify your own account and subscription rows. During normal use, we do not receive or store your photos. If you explicitly save a mosaic, your source photo and related assets are stored securely in Supabase Storage on your behalf until deleted. No security measure is 100% infallible; if you discover a vulnerability please disclose it responsibly to support@mosey.studio.
11 / Business Transfer
If Mosey Studio is involved in a merger, acquisition, restructuring, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the service before your data becomes subject to a materially different privacy policy.
12 / Changes to This Policy
We may update this policy as the product evolves. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to check back periodically.
13 / Contact
Privacy questions, data requests, or concerns: support@mosey.studio. We aim to respond within 1 business day for general enquiries and within 20 working days for formal data subject requests.
