Privacy Policy

Effective date: April 15, 2025

Overview

MeritMosaic is a product of Katafract LLC (“we,” “our,” or “us”). This policy explains what information we collect when you use MeritMosaic (the iOS app and the website at meritmosaic.io), how we use it, and the choices you have. We keep this simple: your journal is yours, we do not sell your data, and we do not use it for advertising.

Information we collect

Account information

When you create an account, we collect your email address and, optionally, your name. We use this to identify your account and send you transactional messages (sign-in links, receipts).

Journal entries and activity data

The core of MeritMosaic is your journal. Entries you write (or dictate via voice) are stored on our servers so we can retrieve them across your devices, run AI coaching on them, and generate resumes and recommendation letters on your behalf. This content belongs to you. We do not read it for any purpose other than providing the service.

Resume profile

If you fill out the Resume Profile section (work history, education, awards, references, contact details), that structured data is stored and used exclusively to ground AI-generated documents. It is not shared with third parties.

Usage data

We keep standard server-side request logs (timestamps, endpoints, HTTP status codes) for debugging and uptime monitoring. We do not run third-party analytics SDKs inside the app or on the website. We do not use cookies for tracking.

Payment information

Credit purchases made through the iOS app are processed entirely by Apple via In-App Purchase. We never see or store your payment card details. For web purchases we use Stripe; your card data is handled by Stripe and never touches our servers. We store only the outcome (credits added, transaction ID) to maintain your balance.

How we use your information

  • Provide the service. Your journal text is sent to AI models to classify entries, generate resume bullets, draft recommendation letters, and coach you on your entries.
  • Maintain your account. We use your email to authenticate you (magic-link sign-in) and send you receipts.
  • Operate and improve our infrastructure. Server logs help us diagnose errors and maintain uptime.
  • Comply with law. We may disclose information if required by a valid legal process.

We do not use your data for advertising, behavioral profiling, or any purpose beyond what is listed above.

AI processing

Journal entries and resume profile data are sent to third-party AI providers to generate coached summaries, resume bullets, and full resume drafts. We currently use:

  • OpenAI (GPT models) — for entry classification and coaching.
  • Anthropic (Claude models) — for executive-tier resume and document generation.

We transmit only the minimum data needed to complete each request. We do not instruct these providers to use your data to train their models. Review OpenAI’s privacy policy and Anthropic’s privacy policy for their data handling practices.

Data storage and security

Your data is stored on servers operated by Katafract LLC located in the United States and the European Union. All data in transit is encrypted via TLS. We apply access controls so that only the processes that need your data can reach it.

No system is perfectly secure. If we become aware of a breach that affects your personal data, we will notify you at the email on your account within the timeframe required by applicable law.

Data retention

We retain your account data and journal entries for as long as your account is active. If you delete your account, we delete your personal data and journal content within 30 days, except where we are required to retain it by law (for example, transaction records for tax purposes, which we retain for 7 years).

Your rights and choices

  • Access and export. You can export your journal entries and resume data at any time from within the app.
  • Correction. You can edit or delete any journal entry or resume profile field at any time.
  • Account deletion. Email us at privacy@meritmosaic.io to request full account deletion.
  • California residents (CCPA). We do not sell personal information. You have the right to know what data we hold and to request deletion.
  • European residents (GDPR). You have the right to access, rectify, erase, restrict, and port your data. Contact us at the address below to exercise these rights.

Children

MeritMosaic is available to users of all ages, including high school students. For users under 13 in the United States, we comply with the Children’s Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you believe a child under 13 has created an account without consent, contact us at privacy@meritmosaic.io and we will delete it promptly.

Third-party services

Beyond the AI providers listed above, we use the following third-party services:

  • Apple In-App Purchase — payment processing on iOS.
  • Stripe — payment processing on the web.
  • Cloudflare — DNS, CDN, and DDoS protection. Cloudflare may process request metadata as traffic passes through their network.

We do not embed social media trackers, advertising networks, or analytics SDKs.

Recommendation letters

When you send a mentor feedback request, we store the recipient’s name and email address to send the invitation email and track the status of the request (pending, viewed, submitted). This data is deleted if you delete the request. We do not contact the recipient for any purpose other than the specific request you initiated.

Mentor responses (traits, anecdotes, notes) are associated with your account and used to compute your portfolio strength score and, optionally, draft a recommendation letter. They are not shared with third parties.

Own API key (BYOK)

If you provide your own OpenAI or Anthropic API key, it is stored in your device’s iOS Keychain and transmitted to our servers over TLS only for the duration of each individual AI request. We do not log, store, or retain your key server-side after the request completes. Your key is never included in server logs.

You remain solely responsible for managing your key’s permissions, spend limits, and revocation through your key provider’s dashboard.

Changes to this policy

If we make material changes, we will update the effective date at the top of this page and notify you by email. Continued use of MeritMosaic after the effective date constitutes acceptance of the updated policy.

Contact us

Questions, data requests, or concerns:

Katafract LLC
Attn: Privacy
privacy@meritmosaic.io