Privacy policy
Last updated: May 2, 2026
Your privacy matters. This policy explains, in plain language, what data Mochi collects, why, how long we keep it and what you can do. It is aligned with the EU GDPR, Spain's LOPDGDD and the equivalent laws in Mexico (LFPDPPP), Argentina (25.326), Colombia (1581), Chile (19.628) and other countries where we operate. Questions: privacy@heymochi.app.
1. Who we are
Mochi is a service operated in Spain by a natural person acting as data controller within the meaning of the GDPR.
For any privacy enquiry, rights request or complaint: privacy@heymochi.app
For general questions, support and feedback: hola@heymochi.app
Upon formal request for the exercise of your GDPR rights (access, rectification, erasure, portability, objection, restriction), we will provide the controller's full identifying details by email.
Mochi is our mobile app: a Spanish-first AI companion with five specialists (Mochi, Yumi, Pip, Tama and Halo) and a memory you alone control.
2. What data we collect
Only what we need for Mochi to work well.
2.1 Account — Apple or Google identifier (we don't store passwords), email (can be an Apple anonymous relay address), the display name you pick and your preferred language.
2.2 Conversations — the messages you send each specialist and their replies; the photos you upload to Yumi (to read a problem) or Halo (selfies for headshots); the text samples you paste into Pip to extract your writing voice (Pip does not record audio, it works on text); your Tama prompts.
2.3 Diary memory — facts, preferences and moments you add or that Mochi extracts with your permission. Each "little thing" carries a short text, a label, the specialist that captured it and a vector embedding (1536 dim, OpenAI text-embedding-3-small) used only so the app surfaces relevant memories during chat. Editable and deletable with one tap from the Diary tab.
2.4 Generated content — Tama images, Halo headshots and the structured voice profile (tone, cadence, marks) Pip extracts.
2.5 Subscriptions — active plan (Free or Mochi+), renewal dates, mocha-bean balance and a ledger with every movement, plus an anonymous RevenueCat identifier. We never see your card: Apple App Store and Google Play process payments.
2.6 Technical data — minimal security logs (timestamp, path, status, truncated IP, kept 90 days); per-call cost metrics (prompt_logs with provider, model, tokens and cost — never the prompt content); device model, iOS/Android version and system language.
2.7 What we do NOT collect — no advertising identifiers (IDFA, GAID), no cross-app/device tracking, no contacts, no location, no ads, no selling your data. We also use no product-telemetry tooling (no Mixpanel, PostHog, Amplitude, Sentry); if we add one, we'll declare it here and tell you in the app first.
3. Why we use your data and the legal basis
| Purpose | Data | GDPR legal basis |
|---|---|---|
| Create and maintain your account | §2.1 | Contract (art. 6(1)(b)) |
| Process chats, photos and memories | §2.2–2.4 | Contract (art. 6(1)(b)) |
| Charge and manage subscriptions | §2.5 | Contract + tax obligation (6(1)(b) and 6(1)(c)) |
| Prevent fraud and abuse | §2.6 | Legitimate interest (6(1)(f)) |
| Improve the app from aggregated cost/latency | Aggregated prompt_logs | Legitimate interest (6(1)(f)) |
| Optional push notifications | Device token | Consent (6(1)(a)) |
| Comply with legal requirements | As applicable | Legal obligation (6(1)(c)) |
You can withdraw consent (notifications) at any time from system Settings.
4. Who we share your data with
We work with a small set of vendors. They all sign data processing agreements and contractually guarantee they do NOT use your data to train models.
| Vendor | Role | What it processes | HQ |
|---|---|---|---|
| Supabase | Processor | Auth, database, photo storage | US |
| Cloudflare | Processor | Workers (API), edge, CDN, rate limiting | US (global network) |
| RevenueCat | Processor | Entitlements and purchase webhooks | US |
| Anthropic | Sub-processor | Claude models (Haiku, Sonnet) for chat | US |
| | Sub-processor | Gemini models (incl. Nano Banana) for Tama and Halo | US |
| OpenAI | Sub-processor | text-embedding-3-small for Diary indexing; gpt-image-* if enabled | US |
| Apple | Independent controller | App Store payments, Apple ID auth, push (APNs) | US / Ireland (EU) |
| | Independent controller | OAuth, Play Store payments, push (FCM) | US / Ireland (EU) |
We never share your data with advertisers, data brokers or ad networks. We don't sell it.
5. International transfers
Anthropic, OpenAI, Cloudflare, RevenueCat and, depending on project region, Supabase are based in the US. Transfers rely on the Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU–US Data Privacy Framework, with TLS 1.3 / AES-256 encryption and per-user isolation. Request a copy at privacy@heymochi.app.
6. How long we keep each thing
| Category | Retention | How to delete it sooner |
|---|---|---|
| Conversations and messages | Until you delete them or close the account | Settings → Delete history · or per-chat |
| Memories (Diary) | Until you "forget" them or close the account | Diary → little thing → Forget |
| Photos in ephemeral/ (Yumi, Halo) | Deleted when you delete the chat/account + automatic purge after 30 days via daily cron | Delete chat / message |
| Account data | While the account exists; +30 days of backups after deletion | Settings → Delete account |
| Subscriptions and purchase history | 6 years (Spanish General Tax Law, art. 66) | Legal obligation |
| Security logs | 90 days | — |
| prompt_logs (cost and latency, no content) | 24 months | — |
When you delete the account we run a full purge (Postgres + Storage + auth.users) within 30 days.
7. Your rights
Under GDPR (arts. 15–22) and the equivalent laws in Latin America you have the right to:
| Right | How to exercise it in Mochi |
|---|---|
| Access (art. 15) | Settings → Export my data (JSON with conversations, memories, voice profile, account) |
| Rectification (art. 16) | Settings → Edit profile · Diary → edit |
| Erasure (art. 17) | Settings → Delete account · Delete history · Diary → Forget |
| Portability (art. 20) | The Access export already ships as structured JSON |
| Restriction (art. 18) | privacy@heymochi.app noting what to restrict |
| Objection (art. 21) | privacy@heymochi.app (for legitimate-interest processing) |
| No automated decisions (art. 22) | Mochi makes no automated decisions producing legal effects on you |
| Withdraw consent | System Settings → Mochi → Notifications |
We respond in writing within a maximum of 30 days (extendable to 60 if complex, with prior notice). If you're unhappy you can lodge a complaint with your supervisory authority: Spain (AEPD, aepd.es), Mexico (INAI), Argentina (AAIP), Colombia (SIC), Chile (Council for Transparency) or the one in your EU country of residence.
8. Children's data
Mochi is not directed at children under 13 and we don't knowingly collect data from minors. Between 13 and 14 in Spain (LOPDGDD art. 7) and between 13 and 16 in some EU countries, we require consent from a legal guardian. If we discover an account of a minor without that consent we close it and delete the data. Write to privacy@heymochi.app and we'll delete within 72 hours.
9. Cookies and similar technologies
Mobile app: Mochi uses no cookies. We use AsyncStorage (local, not transmitted) to keep your encrypted Supabase session, a "tour seen" flag and your UI preferences (language, theme).
Website (heymochi.app): Only strictly necessary technical cookies. No analytics, advertising or social-media cookies — confirmed in code: zero trackers (Plausible, Fathom, GA, Mixpanel, PostHog, Amplitude, Hotjar, Heap).
10. Security
Encryption in transit (TLS 1.3) and at rest (AES-256). Per-user isolation with Postgres Row-Level Security; storage paths always include the userId and the worker validates each request. Limited internal access, logged and audited. If a breach affects your data, we'll notify the competent authority within 72 hours and you directly when it poses a high risk. We don't claim certifications we don't hold (ISO 27001, SOC 2, etc.); if we obtain them, we'll say so here.
11. Changes to this policy
If we update something material we'll notify you in the app at least 7 days before substantial changes take effect, and by email if the change affects the legal basis or introduces new purposes. Prior versions available on request at privacy@heymochi.app.
12. Contact
| For | Address |
|---|---|
| Privacy, GDPR rights | privacy@heymochi.app |
| Anything else | hola@heymochi.app |
We reply within two business days (Madrid time).
Last updated: May 2, 2026. Version 2.0.