Privacy policy

Last updated · 14 May 2026

We take privacy seriously. This policy explains what personal data we collect when you visit gomoso.ai, sign up for early access, or book a call with us, why we collect it, who we share it with, and the rights you have over your data.

It is written to comply with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the French Data Protection Act (Loi Informatique et Libertés n° 78-17), and the ePrivacy Directive as implemented in French and EU law.

If anything here is unclear, email us at contact@gomoso.ai and we will rewrite the unclear bit.


1. Who we are

MOSO AI ("Moso", "we", "us", "our") is the controller of the personal data described in this policy.

  • Registered office: 173 rue de Courcelles, 75017 Paris, France
  • Legal status: Société en cours d'immatriculation au Registre du Commerce et des Sociétés de Paris (company in the process of being registered with the Paris Commercial Registry — SIREN, SIRET and RCS Paris numbers will be added here once registration completes)
  • Contact for all privacy matters: contact@gomoso.ai

We are not currently required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, but the email above reaches the person responsible for privacy at Moso.


2. Scope of this policy

This policy applies to:

  • The gomoso.ai marketing website.
  • The early-access waitlist form on the site.
  • The founders' booking widget (Cal.com) embedded on the site.
  • Any direct correspondence you have with us (e.g. email replies to your waitlist signup).

It does not yet cover the Moso product itself, because the product is in private development. Design partners using the product receive a separate Data Processing Agreement covering product data.


3. What we collect and why

3.1 When you join the early-access waitlist

When you submit the waitlist form, we collect:

| Data | Source | Purpose | Lawful basis |
|---|---|---|---|
| Email address | You | Contact you about early access; create your record in our CRM | Legitimate interest (responding to a request you initiated); pre-contractual steps under Art. 6(1)(b) |
| Company name (optional) | You | Qualify your fit for the design-partner programme | Legitimate interest |
| LinkedIn profile URL (optional) | You | Verify identity and understand your role | Legitimate interest |
| How you use AI in marketing today (optional) | You | Match Moso to your use case during selection | Legitimate interest |
| Tools you currently use (optional) | You | Same as above | Legitimate interest |
| IP address | Automatic (request headers) | Rate-limit the form to prevent spam and abuse; derive approximate country | Legitimate interest (security and fraud prevention) |
| Approximate country | Derived from IP | Understand geographic distribution of interest | Legitimate interest |
| Marketing attribution data | Automatic (URL parameters and document.referrer) | Understand which channels bring qualified leads, so we spend marketing budget responsibly | Legitimate interest |
| Time spent on page before submission | Automatic | Bot detection (we silently drop sub-1.5-second submissions) | Legitimate interest (security) |
| CTA placement | Automatic | Understand which calls-to-action perform best | Legitimate interest |

The "marketing attribution data" referenced above is limited to: utm_source, utm_medium, utm_campaign, utm_term, utm_content, gclid, fbclid, li_fat_id, the URL you landed on, and the referring URL. This is standard B2B marketing measurement and does not include any cross-site tracking pixels or advertising cookies.

3.2 When you book a call with our founders

When you click "Talk to founders" or a similar CTA, the booking widget is provided by Cal.com and runs in an embedded iframe. Cal.com collects whatever you submit to schedule the call (typically your name, email, time zone, and any notes you add). That submission is processed by Cal.com under their own privacy policy, and the resulting booking data is sent to us by email and added to our calendar.

See §5 Sub-processors and third parties for the full list of providers involved.

3.3 When you email us

If you email contact@gomoso.ai (or any other Moso address), we receive your email address, the contents of your message, and any attachments. We retain that correspondence so we can follow up and so we have a record of what was discussed.

3.4 Audience measurement (PostHog, cookieless)

We use PostHog (EU-hosted, eu.posthog.com) as a strictly limited audience-measurement tool to understand how the marketing site is used. Our PostHog deployment is configured to qualify for the CNIL's exemption from prior consent for "audience measurement" (Délibération n° 2020-091, as updated):

| What we measure | What we do not measure |
|---|---|
| Pages viewed and the order they are viewed in | Cross-site browsing on other websites |
| Clicks on key calls-to-action (e.g. "Join the waitlist", "Talk to founders") | Session replays or screen recordings |
| Approximate country and browser / device type, derived from a truncated IP address | Heatmaps, mouse-movement tracking, or keystroke logging |
| Aggregated funnels (e.g. how many visitors who saw the hero went on to submit the waitlist) | Persistent identifiers across visits — your visit is anonymous and ends when you close the tab |

To meet the exemption, our PostHog configuration:

  • Uses the EU host so events stay in Frankfurt.
  • Operates in memory-only mode — no cookies, no localStorage, no IndexedDB. There is no persistent identifier on your device, so you appear as a new, anonymous visitor on every visit.
  • Has session recording, heatmaps, surveys, and autocapture disabled.
  • Truncates IP addresses before they are written to storage.
  • Honours your browser's "Do Not Track" signal where it is sent.

Because no personal data is stored on your device and the data we collect is aggregated audience statistics, this processing falls within the CNIL exemption from prior consent and we do not show a cookie banner for it. The lawful basis under GDPR Article 6 is our legitimate interest in understanding how our marketing site performs (Art. 6(1)(f)). You can object to this processing at any time by emailing contact@gomoso.ai, and we will exclude your visits going forward.

We do not run advertising pixels (no Meta Pixel, no LinkedIn Insight Tag, no Google Ads conversion tracking) and we do not use Google Tag Manager. If we add any of these — or change PostHog out of its cookieless configuration — this policy is updated before the change ships, and a CNIL-compliant cookie consent banner is deployed at the same time.


4. How long we keep your data

| Data | Retention period |
|---|---|
| Waitlist record (email + optional enrichment + attribution) in our CRM | Until you ask us to delete it, you tell us you are no longer interested, or three years pass with no contact between us — whichever is sooner |
| Approximate country and IP-derived data stored on the CRM record | Same as the waitlist record |
| Rate-limit data (hashed IP / email in Redis) | Maximum 1 hour, then automatically expired |
| Email correspondence | Up to three years from the last reply, then deleted unless still relevant to an active conversation |
| Cal.com booking data | Held by Cal.com under their retention policy, plus the calendar invitation in our calendar until the meeting passes plus 12 months |

When the retention period expires we delete the data or anonymise it so it can no longer be linked back to you.


5. Sub-processors and third parties

We share personal data only with the providers below, and only to the extent needed for the purpose listed.

| Provider | What it processes | Where it processes | Why |
|---|---|---|---|
| Vercel Inc. | All site traffic, IP addresses, request headers; hosts the site and edge functions | EU regions (Frankfurt, fra1) configured for production; some edge metadata is processed globally on Vercel's edge network | Hosting and content delivery |
| Attio Ltd. | Waitlist submissions: email, optional enrichment fields, attribution data, country | UK and EU regions per Attio's current configuration; transfers outside the EEA are covered by Attio's Standard Contractual Clauses | CRM for the early-access programme |
| Upstash, Inc. | Hashed IP addresses and email addresses used as rate-limit keys | EU region (Frankfurt) | Ephemeral rate limiting; data expires automatically within one hour |
| Cal.com, Inc. | Whatever you submit through the booking widget: name, email, time zone, notes | EU and US (covered by Cal.com's Standard Contractual Clauses) | Booking calls with the founders |
| PostHog Inc. (EU host) | Aggregated, cookieless audience-measurement events as described in §3.4 (no persistent identifier, truncated IP, no session recording) | EU region (Frankfurt) — eu.posthog.com | Audience measurement under the CNIL's consent exemption |
| Google Ireland Limited (Google Workspace) | Email correspondence with us, including the contents of any messages sent to or from our Moso addresses | EU (primary data hosted in EU regions in line with Google Workspace's Data Regions setting) and US (covered by EU Standard Contractual Clauses and Google's certification under the EU–US Data Privacy Framework) | Sending and receiving email |

We are putting Data Processing Agreements (DPAs) in place with each of the providers above before the first real waitlist submission lands. As DPAs are completed they are kept on file and can be requested by emailing contact@gomoso.ai.

We do not sell your personal data, and we do not share it with anyone outside this list except where we are legally required to (for example, if compelled by a court or regulator).


6. International data transfers

Most of your personal data stays within the EEA. Where it is transferred outside the EEA — most often to the United States, where some of our sub-processors are headquartered — we rely on:

  • EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2) in our agreements with each affected sub-processor; and / or
  • The EU–US Data Privacy Framework where the recipient is certified under it.

Where additional safeguards are appropriate (for example, encryption in transit and at rest), they are required as part of our sub-processor agreements.

You can request a copy of the safeguards in place for any specific transfer by emailing contact@gomoso.ai.


7. Cookies and similar technologies

The Moso marketing site does not set any first-party cookies for analytics or advertising purposes, and we do not display a cookie banner because none of the storage we use requires consent under Article 82 of the French Data Protection Act.

The browser-storage features we do use are listed below.

7.1 Strictly necessary

These are needed to deliver a service you have explicitly requested and are exempt from the consent requirement under CNIL guidance.

| Mechanism | What it stores | Why | Lifetime |
|---|---|---|---|
| sessionStorage (moso_attribution) | Your first-touch UTM parameters, referrer, landing page, and session start time | So that if you submit the waitlist later in your visit we know where you came from | Cleared automatically when you close the browser tab |
| localStorage (theme preference) | Your selected dark / light theme | Remembers your visual preference between visits | Until you clear browser storage |

7.2 Audience measurement (no storage)

The PostHog audience-measurement tool described in §3.4 operates in memory-only mode. It does not set any cookie or write to localStorage, sessionStorage, or IndexedDB. Because no information is stored on or read from your device, this falls outside the scope of Article 82 and no consent is required.

7.3 Third-party widgets you actively load

| Mechanism | Set by | When it loads | Lifetime |
|---|---|---|---|
| Cal.com booking widget cookies | Cal.com | Only when you click the "Talk to founders" button and the widget opens | Per Cal.com's cookie policy |

If we ever introduce analytics or advertising cookies — or change PostHog out of its memory-only configuration — we will deploy a fully compliant cookie consent banner with a "Reject all" option of equal prominence to "Accept all", and we will update this policy first.


8. Your rights

Under the EU GDPR and the French Data Protection Act you have the right to:

  1. Be informed about how we use your data (Articles 13–14 GDPR — this policy).
  2. Access the personal data we hold about you (Article 15).
  3. Rectify inaccurate or incomplete data (Article 16).
  4. Erase your data ("right to be forgotten") where one of the grounds in Article 17 applies.
  5. Restrict how we process your data in certain circumstances (Article 18).
  6. Port your data — receive a copy in a structured, commonly used, machine-readable format (Article 20).
  7. Object to processing carried out on the basis of legitimate interests, including profiling (Article 21).
  8. Withdraw consent at any time where consent is the lawful basis (it isn't for any of the processing above, but where it ever is, withdrawal is as easy as giving consent — Article 7(3)).
  9. Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you (Article 22). We do not currently make any such decisions.
  10. Define directives concerning the storage, deletion and communication of your personal data after your death (Article 85 of the French Data Protection Act).
  11. Lodge a complaint with a supervisory authority — see §14 below.

To exercise any of these rights, email contact@gomoso.ai. We will respond within one calendar month of receiving a request, in line with Article 12(3) GDPR.

We will not charge you a fee for exercising your rights, unless your request is manifestly unfounded or excessive (for example, repeated identical requests), in which case we may charge a reasonable administrative fee or refuse the request and explain why.


9. Automated decision-making and profiling

We do not currently make any decisions about you that are based solely on automated processing and that would produce legal effects or similarly significantly affect you.

The bot-detection logic on the waitlist form (which silently drops sub-1.5-second submissions and submissions that fill the hidden honeypot field) is a security measure and does not affect any decision about your access to the Moso programme.

When the Moso product launches, any AI features that meaningfully shape decisions about you (for example, lead-scoring within the product) will be disclosed and configurable by the customer who controls that workspace, in line with the EU AI Act's transparency obligations for limited-risk AI systems.


10. Security

We protect your personal data with reasonable and proportionate technical and organisational measures, including:

  • HTTPS (TLS 1.2+) on every endpoint.
  • Encryption at rest for all data stored by our sub-processors.
  • Least-privilege access to systems, with admin access limited to the smallest practical group.
  • Server-side rate limiting on the waitlist endpoint to prevent enumeration and abuse.
  • Secret management — API keys (Attio, Upstash) are server-only environment variables and are never exposed to the browser.
  • Vendor due diligence before adding any new sub-processor, with a signed DPA in place before any personal data is shared.

No system is perfectly secure. If you discover a vulnerability, please email contact@gomoso.ai before disclosing publicly and we will respond promptly.


11. Children

The Moso product and waitlist are aimed at B2B marketing operators acting in their professional capacity. The site is not directed at minors, and we do not knowingly collect personal data from children below the age of 15 (the digital-consent age set by Article 7-1 of the French Data Protection Act). If you believe we have collected data from a child, please email contact@gomoso.ai and we will delete it.


12. Changes to this policy

We may update this policy from time to time — for example, when we add a new sub-processor, change retention periods, or launch the Moso product to a wider audience.

When we make a material change, we will:

  • Update the "Last updated" date at the top of this page.
  • If you are on the waitlist, email you a summary of what changed before the new version takes effect.

We keep previous versions on file and will provide them on request.


13. Google API Services User Data Policy

This section applies to the Moso product (currently in private beta) when a user authorises Moso to access data from their Google account. The Moso marketing site itself does not use Google APIs.

Moso's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use customer Google Drive content only to provide Moso's user-facing features — indexing for AI-grounded search, references, and citations in marketing content. We do not use customer Google data for advertising, do not sell it, and do not allow humans to read it except (a) with the user's explicit permission, (b) for security purposes, or (c) to comply with applicable law.
  • We do not use customer data (including Google data) to train or improve generalised AI/ML models. Customer data is used only within the requesting workspace and only to power Moso's features for that workspace.
  • Customer data is encrypted at rest by our infrastructure providers (Supabase, Pipedream, Vercel).
  • When a user disconnects an integration in Moso, all data synced from that integration — including raw content, embeddings, and metadata — is deleted from Moso's databases. When a user deletes their Moso account, all associated workspace data is deleted within 30 days.

14. Complaints

If you are unhappy with how we handle your personal data, please tell us first at contact@gomoso.ai so we can try to resolve it directly.

If you remain unhappy, you have the right to lodge a complaint with a supervisory authority. As MOSO AI is established in France, our lead supervisory authority is:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715
75334 PARIS CEDEX 07, France
Telephone: +33 (0)1 53 73 22 22
Website: www.cnil.fr

EEA residents may also lodge a complaint with the data protection authority of their country of residence or place of work, under Article 77 GDPR.