
Contents

1. Publisher and data controller
2. Data collected
3. Purpose of processing
4. Third-party integrations
5. AI processing
6. Hosting and sub-processors
6bis. Data Processing Agreement
7. Retention period
8. Cookies and local storage
9. Your rights
10. Complaints
11. Governing law
12. Publisher details

Privacy Policy

Last updated: 10 May 2026

1. Publisher and data controller

The Moston service (available at moston.app and app.moston.app) is published by MossLink S.A.S, acting as data controller within the meaning of the General Data Protection Regulation (GDPR).

For any questions about this policy or to exercise your rights: privacy@contact.moston.app

2. Data collected

Moston collects only the data necessary for the operation of the service:

  • Account data: first name, last name, and email address, obtained via Google OAuth or email/password registration at account creation.
  • Manager profile data: role, team size, and activity domain you provide during onboarding or in your settings.
  • Team data: team member profiles (name, role, seniority) you add in the app.
  • Managerial work data: 1:1 notes, actions, commitments, topics, projects, and objectives (OKRs) you enter in the app.
  • Integration data: Google Calendar events, GitHub and GitLab activity (commits, pull requests, reviews), Jira and Linear tickets, only if you explicitly enable these integrations.
  • Connection data: access logs, IP address, browser type, session identifier, for security and diagnostic purposes.
  • Payment data: managed entirely by Stripe. MossLink does not store any card numbers.

3. Purpose of processing

Your data is processed exclusively to:

  • Provide and improve Moston's features (AI briefs, team tracking, conversational assistant).
  • Supply AI models with the context needed to generate briefs, suggestions, and extractions. Your data is not used to train third-party models.
  • Manage your subscription and billing.
  • Send you service-related communications (notifications, important updates) via transactional email.
  • Comply with our legal and accounting obligations.

Moston does not sell your data to third parties and does not use it for advertising purposes.

4. Third-party integrations

Moston offers optional OAuth connections with: Google Calendar, GitHub, GitLab, Jira, and Linear. These integrations are explicitly enabled by you through each service's OAuth authorisation flow.

Data from these integrations is used solely to enrich managerial context in Moston (briefs, signals, summaries). You can revoke any integration at any time from Settings → Integrations.

5. AI processing

Moston's AI features are powered by Anthropic Claude models. Excerpts of your data (notes, team context, integration data) are sent to Anthropic to generate briefs, extractions, and suggestions.

Anthropic processes this data as a sub-processor under a GDPR-compliant agreement. Your data is not used by Anthropic to train its AI models.

6. Hosting and sub-processors

Your data is hosted and processed by the following sub-processors:

  • Supabase: database (AWS infrastructure, EU West region — Ireland). Data stored in Europe.
  • Vercel: application hosting (global edge network; session data transits through European servers for EU users).
  • Anthropic: AI processing of managerial data. Data transmitted is not used for training.
  • Stripe: payment processing. PCI DSS compliant. MossLink stores no banking data.
  • Resend: transactional email sending (notifications, account confirmations).
  • GitHub / GitLab / Jira / Linear / Google: optional integrations, enabled only with your explicit consent.

These sub-processors are bound by GDPR-compliant data processing agreements (DPAs). Transfers outside the EEA are governed by the European Commission's Standard Contractual Clauses (SCCs).

6bis. Data Processing Agreement

MossLink acts as data processor within the meaning of the GDPR for the processing of personal data carried out on your behalf. The Data Processing Agreement (DPA) available at moston.app/legal/dpa sets out the contractual obligations of each party.

The following sub-processors are authorised to process personal data in connection with the service:

| Sub-processor | Role | Location |
|---|---|---|
| Supabase | Database hosting | EU (Frankfurt) |
| Anthropic | AI generation | USA |
| Stripe | Payments | USA/EU |
| Resend | Transactional emails | USA |

7. Retention period

Your data is retained for the duration of your active subscription.

  • Active data: retained for the duration of the subscription.
  • After cancellation or trial expiry: retained for 60 days, during which you can export your content.
  • After a deletion request: erased within 60 days of the request.
  • Billing data: retained for 10 years in accordance with French legal obligations.

After the 60-day period, your account and all your data are permanently deleted.

8. Cookies and local storage

Moston uses cookies essential to the operation of the service (authentication and session management) as well as Google Analytics GA4 to measure the marketing site's audience, only if you have given your consent via the cookie banner.

A consent banner is shown on your first visit to the marketing site. Your choice is stored in your browser under the key moston_cookie_consent (local storage). You can change your choice at any time via the banner or by clearing your browsing data.

No advertising or third-party behavioural tracking cookies are used.

9. Your rights

Under the GDPR, you have the following rights:

  • Right of access: obtain a copy of your data via "Export my data" in Settings.
  • Right of rectification: edit your data directly in the app.
  • Right to erasure: permanently delete your account and all your data from Settings → Danger zone.
  • Right to data portability: export your data as JSON from Settings.
  • Right to object: object to the processing of your data for marketing communications.
  • Right to restriction: request restriction of processing in the cases provided for by the GDPR.

To exercise your rights, contact us at privacy@contact.moston.app. We commit to responding within one month.

10. Complaints

If you believe that the processing of your data does not comply with applicable regulations, you have the right to lodge a complaint with the CNIL (French Data Protection Authority): www.cnil.fr. EU residents may also contact their local supervisory authority.

11. Governing law

This Privacy Policy is governed by French law and the General Data Protection Regulation (GDPR, EU Regulation 2016/679). In the event of a dispute, the courts of competent jurisdiction in the district of MossLink S.A.S's registered office shall have exclusive jurisdiction.

MossLink reserves the right to update this policy. In the event of a material change, you will be notified by email or via an in-app notification at least 15 days before the change takes effect.

12. Publisher details

MossLink S.A.S
59 rue de Ponthieu · 75008 Paris · France
privacy@contact.moston.app

Questions? privacy@contact.moston.app

© 2026 MossLink S.A.S— All rights reserved.