1. Introduction
MOSA (Mesh Offline Secure Architecture) is a secure offline mesh communication system developed by Talivio Technology OÜ, an Estonian company registered in the European Union. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use MOSA services. We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the ePrivacy Directive 2002/58/EC, and Estonian data protection laws.
2. Data Controller
The data controller responsible for processing your personal data is:
Talivio Technology OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Estonia
Registration Code: 16991406
VAT ID: EE102744206
Email: [email protected]
Phone: +372 8272 1454
As an Estonian company operating within the European Union, we are subject to EU data protection regulations and Estonian national laws.
3. Zero-Knowledge Architecture
MOSA implements a Zero-Knowledge architecture, which means:
• We cannot access, read, or view your message content, even if we wanted to
• All messages are encrypted end-to-end using military-grade encryption algorithms (Ed25519 for digital signatures, X25519 for key exchange, ChaCha20-Poly1305 for message encryption)
• Gateway operators cannot access message content due to mathematical encryption guarantees
• Your data is stored locally on your device using SQLCipher (AES-256-GCM encryption)
• We do not maintain central servers that store your messages
• Forward Secrecy ensures that even if a session key is compromised, past messages remain secure
This architecture provides mathematical privacy guarantees that exceed standard GDPR requirements.
4. Personal Data We Collect
MOSA collects minimal personal data:
4.1. Message Content: NONE
• Messages are encrypted end-to-end and never stored on our servers
• Message content is only stored locally on your device
• We have no technical ability to access message content
4.2. Personal Identifiers: MINIMAL
• Basic mesh communication does not require phone numbers or email addresses
• Optional features (Bridge services) may require email addresses for account management
• Device identifiers (anonymized) may be used for network routing purposes
4.3. Technical Data: MINIMAL
• Device type and operating system (for compatibility purposes)
• Network topology data (for mesh routing, anonymized)
• App version (for update notifications)
4.4. Optional Analytics: OPT-IN ONLY
• If you enable the ConnectLog plugin, anonymous usage statistics may be collected
• Analytics are fully anonymized and cannot be linked to your identity
• You can disable analytics at any time in settings
5. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on:
• Article 6(1)(b) - Contract: Processing necessary for the performance of the service contract
• Article 6(1)(f) - Legitimate Interest: Network routing, security, and service improvement
• Article 6(1)(a) - Consent: For optional features like analytics (explicit opt-in required)
We do not process special categories of personal data (Article 9 GDPR) unless you explicitly provide it, and we do not use automated decision-making or profiling.
6. Data Storage and Retention
6.1. Local Storage:
• All message data is stored locally on your device using SQLCipher encryption
• We do not have access to locally stored data
• You can delete all local data by uninstalling the app
6.2. Server Storage:
• We do not maintain central servers that store your messages
• Optional Bridge services may store minimal metadata (message routing information, not content)
• Server logs are retained for 90 days for security purposes, then automatically deleted
6.3. Retention Periods:
• Message content: Stored locally until you delete it or uninstall the app
• Account data: Retained while your account is active, deleted within 30 days of account closure
• Analytics data: Anonymized and retained for up to 2 years for service improvement
• Legal obligations: Some data may be retained longer if required by law
7. Data Sharing and Third Parties
7.1. No Message Content Sharing:
• We never share your message content with third parties
• Gateway operators cannot access message content
7.2. Service Providers:
• We may use third-party service providers for infrastructure (hosting, CDN)
• All service providers are GDPR-compliant and bound by data processing agreements
• Service providers are located within the EU/EEA or have adequate safeguards (Standard Contractual Clauses)
7.3. Legal Requirements:
• We may disclose data if required by law or court order
• We will notify you of such requests unless legally prohibited
• We comply with Estonian and EU legal requirements
8. Your Rights Under GDPR
As a data subject, you have the following rights:
• Right of Access (Article 15): Request a copy of your personal data
• Right to Rectification (Article 16): Correct inaccurate or incomplete data
• Right to Erasure (Article 17): Request deletion of your data ('right to be forgotten')
• Right to Restrict Processing (Article 18): Limit how we use your data
• Right to Data Portability (Article 20): Export your data in a machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Article 7): Withdraw consent for optional features at any time
• Right to Lodge a Complaint (Article 77): File a complaint with Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
To exercise these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR.
9. Data Security
We implement industry-standard security measures:
• End-to-end encryption (Ed25519, X25519, ChaCha20-Poly1305)
• Local database encryption (SQLCipher, AES-256-GCM)
• Secure key exchange protocols
• Regular security audits and penetration testing
• Access controls and authentication
• Network security measures
• Incident response procedures
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but use best practices to protect your data.
10. International Data Transfers
10.1. EU/EEA Operations:
• Our primary operations are within the EU/EEA (Estonia)
• Data processing occurs within the EU/EEA
10.2. Third-Party Transfers:
• If we transfer data outside the EU/EEA, we ensure adequate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- Binding Corporate Rules (where applicable)
10.3. Your Consent:
• We will inform you of any international transfers
• You have the right to object to such transfers
11. Children's Privacy
MOSA is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. If we become aware that we have collected data from a child under 16, we will delete such data promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
• Posting the updated policy on our website
• Sending an email notification (if you have provided an email address)
• In-app notification
The 'Last updated' date at the top indicates when this policy was last revised. Continued use of MOSA after changes constitutes acceptance of the updated policy.
14. App Store & Google Play Disclosures
14.1. Acknowledgement: This Privacy Policy is between you and MOSA, and not with Apple or Google. MOSA is solely responsible for the service and its content.
14.2. Maintenance and Support: MOSA is solely responsible for providing any maintenance and support services with respect to the app. Apple and Google have no obligation whatsoever to furnish any maintenance and support services with respect to the app.
14.3. Warranty: MOSA is solely responsible for any product warranties, whether express or implied by law. Apple and Google have no warranty obligation whatsoever with respect to the app.
14.4. Product Claims: MOSA is responsible for addressing any claims by you or any third party relating to the app or your possession and/or use of the app, including, but not limited to: (i) product liability claims; (ii) any claim that the app fails to conform to any applicable legal or regulatory requirement; and (iii) claims arising under consumer protection or similar legislation.
14.5. Intellectual Property Rights: In the event of any third-party claim that the app or your possession and use of the app infringes that third party’s intellectual property rights, MOSA, not Apple or Google, will be solely responsible for the investigation, defense, settlement, and discharge of any such intellectual property infringement claim.