Privacy Policy
Effective Date: March 29, 2026 — Last Updated: March 29, 2026
Mosaic Singularity Inc. (“Mosaic Singularity,” “Company,” “we,” “us,” or “our”), a corporation incorporated under the laws of Canada, operates the HeartBeatAgents platform, website located at heartbeatagents.com, application programming interfaces, desktop and mobile applications, and all related services (collectively, the “Service”). This Privacy Policy (“Policy”) describes how we collect, use, disclose, retain, and protect personal information when you access or use the Service, visit our website, communicate with us, or otherwise interact with our business.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, you must discontinue use of the Service immediately. This Policy forms part of, and is incorporated by reference into, our Terms of Service.
We are committed to complying with all applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), the General Data Protection Regulation (GDPR) (European Union / European Economic Area), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) (United States), and any other applicable federal, provincial, state, or international data protection laws.
1. Definitions
In this Policy:
- “Personal Information” means any information about an identifiable individual, as defined under applicable privacy legislation, including but not limited to name, email address, IP address, device identifiers, billing information, and any data that can be used, directly or indirectly, to identify a natural person.
- “Processing” means any operation or set of operations performed on Personal Information, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- “Agent Data” means all data generated through the use of AI agents on the Service, including agent configurations, conversation messages, tool invocation logs, workflow outputs, and memory entries.
- “Sub-processor” means any third party engaged by us to Process Personal Information on our behalf in connection with the Service.
2. Information We Collect
2.1 Information You Provide Directly
- Account Registration Data: Email address, name, and organization name. We use passwordless authentication via cryptographically signed magic links; no passwords are collected or stored.
- Billing and Payment Data: Payment method details, billing address, tax identification numbers, and transaction history. Payment card information is processed exclusively by our PCI DSS-compliant payment processor, Stripe, Inc. We do not receive, store, or have access to full payment card numbers.
- Communications: Information contained in correspondence you send to us, including support requests, feedback, and inquiries submitted via email, contact forms, or other channels.
- Integration Credentials: OAuth tokens, API keys, and authentication credentials for third-party services you connect to the Service (e.g., Google Workspace, Salesforce, GitHub, Slack, Stripe). All credentials are encrypted at rest using AES-256-GCM encryption with per-tenant encryption keys and are never exposed in agent responses, logs, API outputs, or to other users.
2.2 Information Generated Through Use of the Service
- Agent Data: Agent configurations (including standing orders, model preferences, tool assignments, and system prompts), conversation messages between users and agents, tool invocation logs (including function names, input parameters, and output results), workflow execution records, and memory entries (episodic, semantic, and procedural memories generated during agent operation).
- Usage Data: Pages and features accessed, actions taken, frequency and duration of activities, API call volume and endpoints, error logs, and performance metrics.
2.3 Information Collected Automatically
- Device and Technical Data: IP address, browser type and version, operating system, device type, screen resolution, language preferences, time zone, and unique device identifiers.
- Log Data: Server logs recording requests made to the Service, including timestamps, HTTP method, URL path, response status codes, referrer URLs, and bytes transferred.
- Cookies and Similar Technologies: We use strictly necessary cookies for session management and authentication. We do not use advertising or third-party tracking cookies. See Section 11 (Cookies and Tracking Technologies) for further details.
2.4 Information We Do Not Collect
We do not knowingly collect sensitive personal information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning sexual orientation, unless you voluntarily include such information in conversations with your agents, in which case it is processed solely to provide the Service and is subject to the protections described herein.
3. Legal Basis for Processing and Purposes of Use
We Process Personal Information only where we have a lawful basis to do so. The list below sets forth each purpose, the categories of data involved (in parentheses), and the legal basis under PIPEDA, GDPR, and CCPA/CPRA:
- Providing and operating the Service (Account Data, Agent Data, Integration Credentials) — Performance of contract; consent under PIPEDA. We process this data to authenticate your identity, execute agent conversations, invoke connected tools, and deliver the core functionality of the Service.
- Processing payments and managing billing (Billing Data) — Performance of contract; legal obligation. We process billing data to charge fees, issue invoices, manage subscriptions, and comply with tax and financial reporting obligations.
- Transactional communications (Account Data) — Performance of contract; legitimate interest. We send sign-in magic links, billing receipts, service alerts, security notifications, and policy change notices essential to the operation of your account.
- Service improvement and analytics (Usage Data, Device Data, Log Data) — Legitimate interest. We analyze aggregate, de-identified usage patterns to improve the Service, optimize performance, and develop new features. We do not use your conversation content or Agent Data to train, fine-tune, or improve any machine learning or artificial intelligence models.
- Security and fraud prevention (All categories) — Legitimate interest; legal obligation. We monitor for and investigate unauthorized access, abuse, and security threats to protect the Service and our users.
- Legal compliance (All categories) — Legal obligation. We process data as required to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
No Sale of Personal Information. We do not sell, rent, lease, or trade your Personal Information to any third party for monetary or other valuable consideration. We do not use your Agent Data, conversation content, memory data, or integration data for advertising, profiling, or any purpose unrelated to providing and improving the Service.
No AI Model Training. We do not use your conversations, Agent Data, or any content you create or process through the Service to train, fine-tune, or improve any artificial intelligence or machine learning models, whether our own or any third party's.
4. Disclosure of Information
We may disclose your Personal Information to the following categories of recipients, solely for the purposes described in this Policy:
4.1 Sub-processors and Service Providers
We engage trusted third-party Sub-processors to assist in providing the Service. Each Sub-processor is contractually obligated to Process Personal Information only as instructed by us, to maintain appropriate security measures, and to comply with applicable privacy legislation. Our current categories of Sub-processors include:
- Cloud infrastructure providers (hosting, storage, compute, and content delivery).
- Payment processors (payment processing, billing, and fraud detection).
- LLM providers (language model inference for agent conversations — see Section 5).
- Email delivery services (transactional email delivery).
- Analytics providers (aggregate, de-identified usage analytics).
4.2 Connected Third-Party Integrations
When your agents invoke tools from integrations you have connected (e.g., Google Workspace, Salesforce, GitHub, Slack), relevant data is transmitted to and from those third-party services as necessary to execute the requested action. We transmit only the minimum data required for each tool invocation. The third-party service's own privacy policy governs their handling of that data. You are responsible for reviewing the privacy practices of any third-party service you connect.
4.3 Legal and Regulatory Disclosures
We may disclose Personal Information where we reasonably believe disclosure is required:
- To comply with applicable law, regulation, legal process, or enforceable governmental request.
- To enforce our Terms of Service or other agreements.
- To protect the rights, property, safety, or security of Mosaic Singularity, our users, or the public.
- To detect, prevent, or address fraud, security incidents, or technical issues.
Where permitted by law, we will provide you with notice of any such disclosure and will limit the scope of disclosure to the minimum information reasonably necessary.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, receivership, or sale of all or a portion of our assets, your Personal Information may be transferred to the successor entity. We will provide notice of any such transfer and any choices you may have regarding your data, in accordance with applicable law.
5. Artificial Intelligence and LLM Provider Data Processing
When your agents process conversations, message content is transmitted to the configured large language model (LLM) provider (which may include OpenAI, Anthropic, Google, Mistral, Cohere, Meta, DeepSeek, or locally hosted open-source models via Ollama) for inference. Key safeguards:
- We configure all commercial LLM provider integrations with data retention opt-outs and zero-data-retention agreements where available, meaning providers are contractually prohibited from retaining or using your conversation data for their own model training or improvement.
- For users running local models via Ollama, no conversation data leaves your machine. All inference occurs locally.
- We do not transmit your Personal Information, integration credentials, or billing data to LLM providers. Only the conversation content necessary for inference is transmitted.
- We recommend reviewing each LLM provider's privacy policy for their specific data handling commitments.
6. Data Storage, Security, and Residency
6.1 Security Measures
We implement and maintain industry-standard administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, alteration, disclosure, or destruction:
- Encryption at rest: All data is encrypted using AES-256-GCM encryption. Database volumes, backups, object storage, and integration credentials are encrypted at the infrastructure level with per-tenant key management.
- Encryption in transit: All data transmitted between your devices, our servers, and third-party services is encrypted using TLS 1.3 with forward secrecy.
- Access controls: Internal access to customer data is restricted to authorized personnel on a strict need-to-know basis, enforced through role-based access control (RBAC), multi-factor authentication, and audit logging.
- Infrastructure security: Our infrastructure is protected by network segmentation, firewalls, intrusion detection and prevention systems, continuous vulnerability scanning, and regular penetration testing.
- Incident response: We maintain a documented incident response plan. In the event of a data breach involving Personal Information, we will notify affected individuals and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR; as soon as feasible under PIPEDA).
6.2 Data Residency
By default, data is stored in Canada and the United States through our cloud infrastructure providers. Enterprise customers may request dedicated data residency in the European Union or other supported regions. Please contact us for data residency options and associated terms.
6.3 International Transfers
Where Personal Information is transferred outside of Canada, the European Economic Area, or your jurisdiction of residence, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms under applicable law.
7. Data Retention
We retain Personal Information only for as long as reasonably necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods:
- Account data: Retained while your account is active. Upon account closure or deletion request, removed from active systems within 30 days. Backup copies are purged within 90 days.
- Agent Data (conversations, configurations, memory): Retained while your account is active. You may delete individual conversations, memory entries, and agent configurations at any time through the dashboard or API.
- Integration credentials: Revoked and deleted immediately upon disconnection of the integration or account closure.
- Usage and log data: Retained for 12 months for security, debugging, and service improvement purposes, then automatically purged.
- Billing records: Retained for 7 years as required by Canadian tax legislation and applicable financial reporting regulations.
- Communications: Support correspondence is retained for 3 years from resolution, then deleted.
Notwithstanding the above, we may retain certain data for longer periods where required by law, regulation, or legal proceedings, or where necessary to establish, exercise, or defend legal claims.
8. Your Privacy Rights
Depending on your jurisdiction, you may have some or all of the following rights with respect to your Personal Information. We will honor all rights to the extent required by applicable law:
8.1 Rights Under Canadian Law (PIPEDA and Law 25)
- Access: You have the right to request access to the Personal Information we hold about you and to be informed of how it has been used and to whom it has been disclosed.
- Correction: You have the right to request correction of inaccurate or incomplete Personal Information.
- Withdrawal of consent: You may withdraw consent to the collection, use, or disclosure of your Personal Information at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may affect our ability to provide the Service.
- De-indexation: Under Quebec Law 25, you have the right to request that your Personal Information be de-indexed from search results or any other dissemination mechanism.
- Complaint: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d'accès à l'information du Québec.
8.2 Rights Under GDPR (EEA/UK Residents)
- Access: You have the right to obtain confirmation of whether we Process your Personal Information and to receive a copy of that data.
- Rectification: You have the right to request correction of inaccurate Personal Information without undue delay.
- Erasure (“Right to be Forgotten”): You have the right to request deletion of your Personal Information where retention is no longer necessary, where you withdraw consent, or where Processing is unlawful.
- Restriction: You have the right to request restriction of Processing while accuracy or lawfulness is contested.
- Data portability: You have the right to receive your Personal Information in a structured, commonly used, machine-readable format (JSON) and to transmit it to another controller.
- Objection: You have the right to object to Processing based on legitimate interests, including profiling. We will cease Processing unless we demonstrate compelling legitimate grounds that override your interests.
- Automated decision-making: You have the right not to be subject to decisions based solely on automated Processing that produce legal or similarly significant effects.
- Complaint: You have the right to lodge a complaint with your local supervisory authority.
8.3 Rights Under CCPA/CPRA (California Residents)
- Right to know: You have the right to request disclosure of the categories and specific pieces of Personal Information we have collected, the sources, the business purposes, and the categories of third parties with whom we have shared it.
- Right to delete: You have the right to request deletion of your Personal Information, subject to certain exceptions under the CCPA/CPRA.
- Right to correct: You have the right to request correction of inaccurate Personal Information.
- Right to opt-out of sale/sharing: We do not sell or share (as defined by the CCPA/CPRA) your Personal Information. Accordingly, no opt-out mechanism is required; however, if our practices change, we will provide a conspicuous “Do Not Sell or Share My Personal Information” link.
- Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond those permitted under the CCPA/CPRA.
- Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
8.4 Exercising Your Rights
To exercise any of the above rights, submit a request to privacy@heartbeatagents.com. We will verify your identity before processing any request and will respond within the timeframes required by applicable law (generally 30 days under PIPEDA, 30 days under GDPR, and 45 days under CCPA/CPRA, with extensions permitted where necessary). You may also designate an authorized agent to submit requests on your behalf, provided that we can verify the agent's authority.
You may export your agent configurations, conversation history, and memory data in standard JSON format at any time through the dashboard or API.
9. Children's Privacy
The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect Personal Information from children. If we become aware that we have collected Personal Information from a child without verified parental consent, we will take steps to delete that information promptly. If you believe that we have collected information from a child, please contact us at privacy@heartbeatagents.com.
10. Do Not Track Signals
The Service does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) signals. We do not engage in cross-site tracking, behavioral advertising, or interest-based profiling.
11. Cookies and Tracking Technologies
We use only strictly necessary cookies required for session management, authentication, and security. These cookies are essential to the operation of the Service and cannot be disabled without impairing core functionality. We do not use:
- Advertising or marketing cookies.
- Third-party tracking cookies.
- Social media tracking pixels.
- Cross-site tracking technologies.
You may configure your browser to block or delete cookies; however, doing so may prevent you from using the Service.
12. Third-Party Links and Services
The Service may contain links to third-party websites, services, or applications. This Policy does not apply to the practices of third parties. We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to read the privacy policy of every third-party service you access.
13. Changes to This Policy
We reserve the right to update or modify this Policy at any time. When we make material changes, we will: (a) update the “Last Updated” date at the top of this page; (b) post a prominent notice on the Service; and (c) send notification to the email address associated with your account at least 30 days before the changes take effect. Non-material changes (such as typographical corrections or formatting updates) may be made without prior notice.
Your continued use of the Service after the effective date of any revised Policy constitutes your acceptance of the updated terms. If you do not agree with the revised Policy, you must discontinue use of the Service before the effective date.
14. Governing Law and Jurisdiction
This Policy shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of law principles. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of the Province of Ontario, Canada, except where applicable law requires otherwise (for example, GDPR grants EEA residents the right to bring proceedings in their member state of residence).
15. Severability
If any provision of this Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the invalidity of that provision shall not affect the validity of the remaining provisions, which shall continue in full force and effect.
16. Contact Information
If you have questions, concerns, or complaints about this Policy, our data practices, or your privacy rights, you may contact us at:
- Privacy Inquiries: privacy@heartbeatagents.com
- General Inquiries: legal@heartbeatagents.com
- Mail: Mosaic Singularity Inc., Attn: Privacy Officer, Ontario, Canada
We will acknowledge receipt of your inquiry within 5 business days and provide a substantive response within the timeframes required by applicable law.
If you are not satisfied with our response, you have the right to file a complaint with the applicable supervisory authority, including:
- Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca)
- Quebec: Commission d'accès à l'information du Québec (cai.gouv.qc.ca)
- European Union: Your local data protection authority
- United Kingdom: Information Commissioner's Office (ico.org.uk)
- California: California Attorney General (oag.ca.gov/privacy)