Your Data, Protected

Privacy Policy

We are committed to protecting your privacy and being transparent about how we handle your data. This policy explains our data practices in plain language.

Last Updated: February 6, 2026

1. Introduction

Welcome to Mosco.ai ("Company," "we," "us," or "our"). Mosco.ai operates the M.O.S. Engine platform, a Software-as-a-Service ("SaaS") solution designed for home services businesses including HVAC, plumbing, electrical, roofing, landscaping, and related trades.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (mosco.ai), use our platform, or interact with our services. By accessing or using Mosco.ai, you agree to the terms of this Privacy Policy. If you do not agree with the practices described herein, please do not use our services.

This policy applies to all users of the Mosco.ai platform, including business owners, their employees, and end customers whose data may be processed through our platform.

2. Information We Collect

2.1 Personal Information

  • Full name, email address, phone number, and mailing address
  • Account credentials (encrypted passwords and authentication tokens)
  • Billing information (credit card details processed securely via Stripe; we do not store full card numbers)
  • Profile photos and user preferences
  • Communication records including emails, call recordings, text messages, and chat transcripts processed through the platform
  • Government-issued identification (only when required for identity verification or regulatory compliance)

2.2 Business Information

  • Business name, address, and contact details
  • Business license and insurance information
  • Service areas and types of services offered
  • Customer lists, lead information, and CRM data stored within the platform
  • Appointment schedules, job histories, and service records
  • Financial data including invoices, estimates, payment records, and revenue analytics
  • Review and reputation data from connected platforms
  • Marketing campaign data and advertising performance metrics

2.3 Usage Data

  • IP addresses, browser type and version, operating system, and device identifiers
  • Pages visited, features used, clicks, scroll depth, and navigation paths
  • Session duration, timestamps, and frequency of use
  • Error logs, crash reports, and performance metrics
  • Search queries and filters applied within the platform
  • AI interaction logs (prompts submitted to and responses generated by our AI modules)
  • API usage data and integration activity logs

2.4 Cookies and Tracking Technologies

  • Essential cookies required for platform functionality and authentication
  • Analytics cookies (Google Analytics) to understand usage patterns and improve our services
  • Marketing cookies to measure advertising effectiveness and deliver relevant content
  • Session cookies to maintain your login state and preferences
  • Third-party pixels and tags from advertising partners (Facebook Pixel, Google Ads tags)
  • Local storage and session storage for application state management

3. How We Use Your Information

3.1 Service Delivery

  • Providing, operating, and maintaining the Mosco.ai platform and all its modules
  • Processing and managing your account registration and subscription
  • Facilitating communications between you and your customers via phone, SMS, email, webchat, and messaging platforms
  • Processing payments, generating invoices, and managing billing
  • Providing customer support and responding to your requests
  • Scheduling appointments and managing your business calendar

3.2 AI Processing

  • Powering the AI Employee (AI Chat) for automated customer interactions and lead qualification
  • Running the AI Lead Profiler to analyze and score inbound leads
  • Generating AI-driven estimates and proposals through the AI Estimator module
  • Operating the Speed Dialer with AI-assisted call scripts and sentiment analysis
  • Creating content via the Content Engine using AI-powered generation
  • Conducting Database Reactivation campaigns with AI-personalized outreach
  • Providing AI-powered review response suggestions through Review Guardian
  • Training and improving our AI models using anonymized and aggregated platform data

3.3 Analytics and Improvement

  • Analyzing usage patterns to improve platform features and user experience
  • Generating ROI analytics and sales performance reports for your dashboard
  • Conducting A/B testing to optimize platform interfaces and workflows
  • Monitoring platform performance, uptime, and reliability
  • Identifying and resolving bugs, errors, and technical issues
  • Developing new features, products, and services based on aggregated usage insights

3.4 Communication

  • Sending transactional emails (account confirmations, password resets, billing notifications)
  • Delivering product updates, feature announcements, and platform notifications
  • Sending marketing communications (only with your consent; you may opt out at any time)
  • Providing onboarding guidance, training materials, and best-practice recommendations
  • Conducting customer satisfaction surveys and requesting feedback

4. Data Sharing and Third-Party Integrations

We do not sell your personal information. We share data with third parties only as necessary to provide our services, comply with legal obligations, or with your explicit consent. The following describes how data flows through our integrated services:

4.1 Communication Service Providers

  • Twilio: Handles voice calls, SMS messaging, and phone number provisioning. Call metadata, recordings, and message content are processed through Twilio's infrastructure. Twilio acts as a data processor under our direction.
  • WhatsApp (Meta Business API): Facilitates WhatsApp messaging with your customers. Message content and contact information are shared with Meta as required by the WhatsApp Business Platform terms.
  • Telegram Bot API: Powers Telegram-based customer communication. Message content and user identifiers are processed through Telegram's servers.

4.2 Advertising and Analytics Partners

  • Google (Google Ads, Google Analytics, Google Business Profile): We share conversion data, website analytics, and business listing information. Google may use this data in accordance with Google's Privacy Policy.
  • Facebook / Meta (Facebook Ads, Instagram): Conversion tracking data, audience information, and advertising performance metrics are shared via the Meta Pixel and Conversions API. Instagram integration enables direct messaging and content publishing.
  • Yelp: Business profile information, review data, and review response content are synchronized with your Yelp business listing.

4.3 Other Data Sharing

  • Payment processors (Stripe) for secure payment handling
  • Cloud infrastructure providers (AWS, Google Cloud) for data hosting and processing
  • Email delivery services for transactional and marketing emails
  • AI model providers for powering our natural language processing capabilities
  • Legal and regulatory authorities when required by law, subpoena, or court order
  • Business transfer parties in the event of a merger, acquisition, or sale of assets (with prior notice to users)
  • Professional advisors including attorneys, accountants, and auditors as necessary

5. Data Storage and Security

We take the protection of your data seriously and implement industry-standard security measures to safeguard your information:

5.1 Encryption

  • All data transmitted between your browser and our servers is encrypted using TLS 1.3 (Transport Layer Security)
  • Data at rest is encrypted using AES-256 encryption across all storage systems
  • Database backups are encrypted and stored in geographically separate locations
  • API communications between our platform and third-party integrations use encrypted channels
  • Sensitive credentials and tokens are stored using industry-standard secret management systems

5.2 Compliance and Certifications

  • SOC 2 Type II compliance for security, availability, and confidentiality controls
  • Regular third-party penetration testing and vulnerability assessments
  • Annual security audits conducted by independent cybersecurity firms
  • PCI DSS compliance for payment card data handling (via our payment processor Stripe)
  • TCPA compliance for all automated calling and text messaging operations

5.3 Access Controls

  • Role-based access control (RBAC) ensuring users only access data relevant to their role
  • Multi-factor authentication (MFA) available for all accounts and required for administrative access
  • Automatic session timeout after periods of inactivity
  • IP allowlisting available for Enterprise plan accounts
  • Comprehensive audit logging of all data access and administrative actions
  • Employee access to customer data is strictly limited on a need-to-know basis and subject to confidentiality agreements

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

6.1 Right of Access

  • You may request a copy of the personal data we hold about you
  • We will provide this information in a structured, commonly used, machine-readable format
  • Requests will be fulfilled within 30 days of verification of your identity

6.2 Right to Correction

  • You may request that we correct inaccurate or incomplete personal data
  • You can update most account information directly through your Mosco.ai dashboard settings
  • For data corrections that cannot be made through the platform, contact our support team

6.3 Right to Deletion

  • You may request the deletion of your personal data, subject to legal retention requirements
  • Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, financial records)
  • Aggregated and anonymized data that cannot identify you may be retained for analytical purposes

6.4 Right to Data Portability

  • You may request an export of your data in a standard format (CSV, JSON)
  • This includes your account data, customer records, communication logs, and business analytics
  • Data export requests are processed within 30 days

6.5 Right to Opt Out

  • You may opt out of marketing communications at any time via the unsubscribe link in any email or through your account settings
  • You may disable non-essential cookies through your browser settings or our cookie consent manager
  • You may opt out of AI-powered features and use manual alternatives where available
  • You may opt out of the sale or sharing of personal information (see CCPA section below)

7. CCPA Compliance (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendments under the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

Your CCPA Rights

  • Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions permitted by law.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out: You have the right to opt out of the sale or sharing of your personal information. Mosco.ai does not sell personal information in the traditional sense; however, certain data sharing activities with advertising partners (e.g., Facebook, Google) may constitute a "sale" or "sharing" under the CCPA. You may opt out by contacting us or using our "Do Not Sell or Share My Personal Information" link.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive a different level or quality of service for exercising your rights.

To exercise any of these rights, please contact us at contact@castells.media or call us. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

8. GDPR Compliance (European Economic Area Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional protections:

Legal Bases for Processing

  • Contractual Necessity: Processing your data is necessary to perform the contract between you and Mosco.ai (i.e., providing the services you have subscribed to).
  • Legitimate Interest: We process certain data for our legitimate business interests, such as improving our platform, preventing fraud, and ensuring security, provided these interests do not override your fundamental rights.
  • Consent: Where required, we obtain your explicit consent before processing personal data (e.g., for marketing communications and non-essential cookies). You may withdraw consent at any time.
  • Legal Obligation: We process data as necessary to comply with legal requirements applicable to our business.

Additional GDPR Rights

  • Right to Restrict Processing: You may request that we restrict the processing of your personal data under certain circumstances.
  • Right to Object: You may object to the processing of your personal data for direct marketing purposes or based on legitimate interests.
  • Right to Lodge a Complaint: You have the right to file a complaint with your local Data Protection Authority (DPA) if you believe your data protection rights have been violated.
  • Data Protection Officer: For GDPR-related inquiries, please contact our privacy team at contact@castells.media.

9. Children's Privacy

Mosco.ai is a business-to-business platform designed for use by adults operating home services businesses. Our services are not directed to individuals under the age of 13 (or 16 in the EEA).

We do not knowingly collect personal information from children under 13 years of age. If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete such information from our systems.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at contact@castells.media so that we can take appropriate action.

10. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following outlines our general retention periods:

Retention Schedule

  • Active account data: Retained for the duration of your active subscription plus 90 days after account closure to allow for reactivation.
  • Communication records (calls, messages, emails): Retained for 3 years from the date of creation, or longer if required by applicable telecommunications regulations.
  • Financial and billing records: Retained for 7 years as required by tax and financial reporting regulations.
  • Usage and analytics data: Retained in identifiable form for 2 years; anonymized and aggregated data may be retained indefinitely.
  • AI training data: Anonymized and aggregated data used for AI model improvement is retained indefinitely. No personally identifiable information is used in training data.
  • Marketing consent records: Retained for 5 years from the date of consent or withdrawal to demonstrate compliance.
  • Security and audit logs: Retained for 3 years for security monitoring and incident investigation purposes.
  • Deleted account data: Purged from production systems within 30 days; removed from backup systems within 90 days of deletion request.

11. International Data Transfers

Mosco.ai is headquartered in Roseville, California, United States. Your data may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For users in the EEA, UK, or Switzerland, we ensure that international data transfers are protected by appropriate safeguards, including:

Transfer Mechanisms

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to countries without an adequacy decision.
  • Data Processing Agreements (DPAs) with all sub-processors that include appropriate data protection obligations.
  • The EU-U.S. Data Privacy Framework for transfers to certified U.S. organizations where applicable.
  • Supplementary technical and organizational measures including encryption in transit and at rest, access controls, and regular security assessments.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

Notification Procedures

  • Post the updated Privacy Policy on this page with a revised "Last Updated" date.
  • Send an email notification to the address associated with your account for material changes.
  • Display a prominent notice within the Mosco.ai platform dashboard.
  • Obtain your consent before implementing changes that require consent under applicable law.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels:

Mailing Address

Mosco.ai
Roseville, California
United States

For privacy-specific requests (data access, deletion, or correction), please include "Privacy Request" in your email subject line. We aim to respond to all privacy inquiries within 10 business days. For CCPA or GDPR requests, we will acknowledge receipt within 48 hours and fulfill requests within 30 days as required by law.

This Privacy Policy is effective as of February 6, 2026.