Privacy policy

How moss handles your data

Effective 15 May 2026.

Controller: Overporten AS, Kongens gate 6, 0153 Oslo, Norway. Organisation number 925 000 000.

This policy explains what data moss collects, why, and what we do with it. The short version: we collect the minimum needed to run the product, we do not sell data, we do not run advertising on moss, and you can request a copy of your data or its deletion at any time by emailing privacy@mossfold.com.

1. Who we are

moss is operated by Overporten AS, a private limited company registered in Norway at Kongens gate 6, 0153 Oslo, organisation number 925 000 000. For the purposes of GDPR and UK GDPR, Overporten AS is the controller of the personal data held in moss accounts.

When you use moss as part of a workspace owned by your employer, that employer is the controller of the workspace data, and Overporten AS is the processor acting on their instructions. We sign a Data Processing Addendum on request.

Reach our data protection contact at privacy@mossfold.com. We aim to reply within two working days.

2. What data we collect

We collect the minimum needed to run your account. The categories are:

  • Account data. Your email address, the display name you choose, and an optional avatar image.
  • Authentication data. Login is passwordless. We send a 6-digit one-time code to your email. The code is stored hashed, expires 10 minutes after it is issued, and is invalidated on first use. We do not store passwords because moss does not use them.
  • Workspace data. The tools, people, processes, work maps, and finance records you enter, along with their relationships. Work Maps are drawn with tldraw and stored as document snapshots in our database.
  • Session data. A signed session cookie, the IP address and user agent of the request that created the session, and the time of last activity. Sessions are stored server-side and can be revoked.
  • Technical data. Errors caught by Sentry, which can include the URL path, the browser type, and a stack trace. We do not attach the contents of forms or workspace records to error reports.
  • Email logs. The fact that we sent you a login code or an account notice, the recipient address, the timestamp, and the delivery result. We do not log the code itself.

The only cookies the product sets are the session cookie and a small theme preference cookie (light or dark). Neither is used for tracking.

3. What we do not collect

Stated affirmatively, so there is no ambiguity:

  • No advertising identifiers. moss does not run advertising and is not part of an ad network.
  • No cross-site tracking. We do not place pixels, beacons, or third-party cookies on the product.
  • No third-party analytics SDKs. No Google Analytics, no Mixpanel, no Segment, no equivalent.
  • No purchased data. We do not buy data about you from data brokers.
  • No enrichment. We do not enrich your account with data from people-search, contact-enrichment, or social-graph services.

4. Why we collect it

Our lawful bases under Article 6 of GDPR are as follows.

  • Contract (Article 6(1)(b)). Running the account you signed up for: authenticating you, storing your workspace, sending the emails the product needs to function.
  • Legitimate interest (Article 6(1)(f)). Keeping the service secure, detecting fraud and abuse, and measuring basic service health (uptime, error rates, slow endpoints). We have weighed this against your rights and limited the scope to what the operation of the service requires.
  • Consent (Article 6(1)(a)). Anything optional that needs your permission, such as a future feature that requires access to a third-party calendar or storage account. We will ask explicitly and you can withdraw at any time.
  • Legal obligation (Article 6(1)(c)). Retaining invoices and tax records as required by Norwegian bookkeeping law once paid plans exist.

5. Who we share it with

We use a small set of trusted subprocessors to run moss. Each has a data processing agreement with us and processes data only on our instructions.

Provider  What it handles                                     Region
Vercel    Application hosting and edge delivery               EU and US regions
Neon      Postgres database and backups                       EU region (Frankfurt)
Resend    Transactional email (login codes, account notices)  EU and US regions
Sentry    Error tracking and crash reporting                  EU region

We do not sell personal data, we do not share it with advertisers, and we do not transfer it to partners for their own marketing. If we add or change a subprocessor, we update this page and email account owners in advance.

6. Where data is stored and for how long

The primary database is hosted in the EU. Backups are encrypted at rest and retained for 30 days. Specific retention windows:

  • Account and workspace data. Kept while your account is active, and for 30 days after deletion. After 30 days we purge the data from primary stores. Encrypted backups are rotated out within a further 90 days.
  • Session data. Sessions expire after a fixed period of inactivity. Expired session rows are removed within 24 hours.
  • Error logs in Sentry. Retained for 30 days, then deleted.
  • Email send logs in Resend. Retained for 90 days, then deleted. Login code values are never written to these logs.
  • Invoices and tax records. Once paid plans exist, retained for the period required by Norwegian bookkeeping law (currently five years).

7. Your rights under GDPR

Under GDPR and UK GDPR you have the right to:

  • Access the personal data we hold about you, and receive a copy of it.
  • Rectify data that is inaccurate or incomplete.
  • Erase your data (the right to be forgotten), subject to legal retention duties.
  • Restrict processing while a dispute is being resolved.
  • Receive your data in a portable, machine-readable format, and have it sent to another controller where technically feasible.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time, where consent is the basis of processing.

To exercise any of these rights, email privacy@mossfold.com. We respond within 30 days, the period set by GDPR. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or with the supervisory authority of the country you live in.

8. International transfers

Primary storage of your data is in the EU. Some processing happens outside the EEA, for example when a Vercel edge function serves a request from a US region, or when Resend routes a transactional email through US infrastructure.

Where data leaves the EEA, we rely on the European Commission's Standard Contractual Clauses, and on the EU-US Data Privacy Framework where the recipient is certified under it. Each subprocessor agreement names the applicable safeguard.

9. Security

  • All traffic is encrypted in transit with TLS 1.2 or above.
  • Data is encrypted at rest at the database layer.
  • Login is passwordless. There is no password store to breach.
  • Session cookies are HttpOnly, Secure, and SameSite=Lax.
  • Sessions expire after a fixed period of inactivity and can be revoked from the account screen at any time.
  • Access to production data is restricted to a small set of named engineers, governed by least-privilege roles, with auditable access.
  • We patch dependencies on a regular cadence and run static analysis on every pull request.

10. Children

moss is built for adult professional use. We do not knowingly collect data from anyone under the age of 16. If you believe a child has created an account, email privacy@mossfold.com and we will remove the account and any related data.

11. Changes to this policy

We update this policy when the product changes, when a subprocessor is added or replaced, or when a law that applies to us changes. Material changes are announced in-product and by email to account owners at least 14 days before they take effect. Minor edits (typos, clearer wording) take effect when the effective date at the top of this page is updated.

12. Contact

Privacy questions, data requests, and DPA requests: privacy@mossfold.com.

Postal address: Overporten AS, Kongens gate 6, 0153 Oslo, Norway.

This page is not a substitute for legal advice. If you operate moss on behalf of a company that processes personal data in the product, sign a Data Processing Addendum with us before going live by emailing privacy@mossfold.com.