PIPEDA Compliant

Privacy Policy

This is the long, legal version. Skim the plain-English summary below first — it covers what most people actually want to know.

Plain-English summary

The legal text below is detailed because Canadian privacy law (PIPEDA + Quebec Law 25) requires it. But here's the gist:

  • We collect what we need to show you your finances — and nothing else.
  • We connect to your accounts through Plaid and SnapTrade. Read-only. No money movement.
  • We do not sell your data to anyone. Ever.
  • Your data is stored in Canada (Google Cloud Montreal) and follows PIPEDA + Quebec Law 25.
  • You can export or delete your data anytime from Settings. Deletion is permanent within 30 days.
  • Our Privacy Officer is Laurent Risser — laurent.risser@mozaicfinance.com. Real human, replies personally.
🔒 For security details (encryption, hosting, auditing), see our Security page →

1. Identity and Contact Information

Mozaic Finance is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.

Organization: Mozaic Finance

Privacy Officer (as required by Quebec Law 25 and PIPEDA):
Laurent Risser
Email: laurent.risser@mozaicfinance.com

The Privacy Officer is responsible for ensuring compliance with privacy legislation, handling privacy inquiries, and overseeing the protection of your personal information. For any privacy-related questions or concerns, please contact our Privacy Officer directly.

2. Information We Collect

We collect the following types of personal information:

Account Information:

  • Email address (from your Google sign-in via Google Cloud Identity Platform)
  • Name and profile picture
  • User preferences and settings

Financial Data:

  • Account balances and holdings (from connected institutions)
  • Transaction history
  • Investment positions and portfolio data

Technical Data:

  • Browser type and version
  • Device information
  • Usage patterns and analytics

We collect information directly from you when you create an account and connect your financial institutions through our third-party partners (Plaid and SnapTrade). We never receive or store your bank or brokerage password — your login credentials go directly from you to your financial institution through these partners.

3. How We Use Your Information

We use your personal information to:

  • Provide and maintain our financial dashboard service
  • Aggregate and display your financial data
  • Generate insights and analytics about your finances
  • Improve our services and user experience
  • Send service-related communications
  • Comply with legal obligations

We do not sell your personal information to third parties.

4. Information Sharing and Disclosure

We share your information with the following third parties:

Financial Data Providers:

  • Plaid Technologies Inc. (United States) - Connecting your bank accounts (read-only)
  • SnapTrade Inc. (Canada) - Connecting your brokerage accounts (read-only)

Service Providers:

  • Stripe, Inc. (United States) - Subscription billing and payment processing (email, name, and billing metadata only)
  • Resend (United States) - Delivery of transactional and notification emails
  • Google Cloud and Google Identity Platform (United States and other regions) - Authentication, application hosting, and infrastructure

These providers act as our processors: they are bound by their own privacy commitments and security certifications, and receive only the personal information necessary for their specific function.

Cross-Border Transfers:
Your primary data — including your financial records — is stored in Canada (Google Cloud, Montreal / northamerica-northeast1 region). Some of the service providers listed above process limited personal information in the United States: Plaid (bank-connection data), Stripe (billing email and metadata), Resend (email delivery), and Google (authentication and infrastructure). We have assessed these cross-border transfers under Quebec's Law 25 (s. 17) and PIPEDA: we minimize the personal information disclosed to each provider, protect it with encryption in transit (HTTPS/TLS), and rely on each provider's data-protection terms and security certifications. Contact our Privacy Officer for more information about these transfers.

We may also disclose information when required by law or to protect our rights and safety.

5. Consent

By using Mozaic Finance, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

You may withdraw your consent at any time by:

  • Disconnecting your financial accounts
  • Deleting your account through the Privacy & Data settings
  • Contacting us at laurent.risser@mozaicfinance.com

Withdrawing consent may affect your ability to use certain features of our service.

6. Access and Correction

You have the right to:

Access Your Information:

  • View all data we have collected about you
  • Export your data in a portable format

Correct Your Information:

  • Update your account settings
  • Request corrections to inaccurate data

To exercise these rights, visit the Privacy & Data section in your account settings or contact us at laurent.risser@mozaicfinance.com.

We respond to access, correction, and deletion requests within 30 days, as required by Quebec Law 25.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services.

After account deletion:

  • Your data will be permanently deleted within 30 days
  • You have a grace period to cancel deletion
  • Transaction records may be retained up to 7 years to comply with Canadian financial recordkeeping obligations (Income Tax Act and applicable provincial legislation)

Financial transaction data is refreshed regularly and older data may be archived or deleted based on our retention policies.

8. Security Measures

We use the following security measures to protect your information. We've kept the language exact rather than aspirational — if a claim isn't true, it isn't here.

Encryption in transit:

  • All traffic to Mozaic uses HTTPS (TLS 1.2 or higher; TLS 1.3 supported), terminated by Google Cloud Run
  • HSTS is enforced with a 1-year max-age, so browsers refuse to downgrade to insecure connections

Encryption at rest:

  • Sensitive fields in our database (such as the access tokens that link to your bank or brokerage, plus transaction merchant names, descriptions, and locations) are encrypted at the application layer using Fernet (AES-128-CBC with HMAC-SHA256 authentication)
  • The underlying database storage is also encrypted by Google Cloud SQL

Authentication:

  • Sign-in is handled by Google Cloud Identity Platform (Firebase Authentication). Today we support Google sign-in only; email/password and Apple sign-in are on our roadmap for users who do not have or prefer not to use a Google account.
  • Your browser receives a short-lived Firebase ID token that the backend re-verifies on every request against Google's public keys. Token lifetime, refresh, and revocation are managed by Identity Platform.
  • Optional two-factor authentication (2FA) using a TOTP authenticator app

Infrastructure:

  • We run on Google Cloud Run + Cloud SQL in the northamerica-northeast1 (Montreal) region
  • Google Cloud is SOC 2 Type II and ISO 27001 certified — this describes our hosting infrastructure; Mozaic itself is not separately SOC 2 certified, and we have not yet commissioned a formal external penetration test. We will update this page when we do.

Ongoing monitoring:

  • Every code change is automatically scanned for vulnerabilities (Bandit static analysis) and known bad dependencies (pip-audit) before it can be merged
  • Server-side logging of integration security events and Google Cloud Monitoring for anomaly detection
  • Per-endpoint rate limiting is applied to prevent abuse

What we never store:

  • We never receive or store your bank or brokerage password. When you connect an account, you log in directly with that institution through Plaid or SnapTrade. We only receive an opaque access token, which we encrypt before storing.
  • Our connections are read-only — we have no permission to move money or place trades, even if our system were compromised.

9. Changes to This Policy

We may update this Privacy Policy from time to time. A "material change" means any change affecting how we collect, use, share, or retain your personal data.

We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for significant changes

We encourage you to review this Privacy Policy periodically for any changes.

10. Language Preference Data Handling

When you select a language preference, we store this locally in your browser. Your language preference is not transmitted to our servers or shared with third parties.

Last Updated: May 2026

Manage Your Data

Access, export, or delete your personal data anytime. laurent.risser@mozaicfinance.com