Privacy Policy

Last updated April 30, 2026

1. Summary

mossyrune is an educational site for exploring and practicing languages. This page describes what we collect, why, and who it is shared with. See our Terms of Service for rules on how the Service may be used. If you have a question, email hello [at] mossyrune.com (replace “[at]” with “@” when sending) or use the Feedback button in the lower-right of the site.

2. What we collect

If you do not sign in

  • Local preferences — selected languages, target languages, quiz state, and notes are stored in your browser’s localStorage and never leave your device unless you use an AI feature or sign in.
  • Analytics — if analytics are enabled and not blocked by your browser, we use PostHog to record pageviews, page-leave, and a small number of custom events (e.g. you rated a page, you submitted feedback). An anonymous identifier is assigned.
  • Technical metadata — when your browser connects to our servers, standard request metadata is visible to Cloudflare (our hosting provider): IP address, user agent, country, and timestamps. We do not store raw IP addresses; we store a truncated one-way hash.

If you sign in

  • Account — email address, display name, authentication provider (email, Google, or GitHub) via Supabase Auth.
  • Profile — your spoken and target languages and related preferences, stored so they sync across devices.
  • Notes workspace — widgets, pages, and rows you create in the Notes section.
  • Feedback and ratings — anything you submit through the in-site feedback widget or page-rating buttons.

When you use AI features

  • Prompts and outputs — the text you submit (including voice input after speech-to-text), the AI model’s reply, token counts, and latency. These are stored alongside your user ID (or a hashed IP if you are anonymous) and the endpoint that was called.
  • Game state — for the Immerse game, scenario, NPC, and play events (conversations, mission completions, gesture triggers) are logged so we can debug and improve the game.

3. Why we collect it

  • Operating the Service — signing you in, loading your notes, showing your preferences on the right devices.
  • Improving the Service — product analytics help us see which features are used and which crash.
  • Abuse response and safety — AI prompt logs let us investigate if someone tries to misuse the Service (e.g. prompting for illegal content) and respond appropriately, including at the request of our upstream AI providers.
  • Paid provider compliance — Anthropic, OpenAI, Google, Groq, and ElevenLabs require us to be able to identify and act on policy violations; logs support that.

4. Third parties we share data with

We do not sell your data. We share specific data with specific processors strictly for the purpose of running the Service:

  • Cloudflare — hosting, static assets, Workers (edge request handling), R2 (audio cache for text-to-speech), and Turnstile (anti-abuse challenge on sign-up, password reset, feedback, and ratings). All traffic routes through Cloudflare.
  • Supabase — database and authentication. Stores your account, profile, notes, feedback, ratings, immersion logs, and AI prompt logs.
  • Anthropic (Claude) — when you use AI features like Immerse chat, Interpret, Translate, or word/phrase helpers, your prompt is forwarded to Anthropic’s API and the response is returned. Anthropic retains inputs/outputs per its own policy and does not use consumer API traffic to train its models.
  • Google Gemini — used in some alpha scenarios when selected. Same forwarding model as Anthropic.
  • Groq and OpenAI (Whisper) — speech-to-text transcription when you use voice input. Audio is sent to the transcription provider, transcribed, and the text is then processed like any other input.
  • ElevenLabs, OpenAI, Google Translate — text-to-speech for NPC voices. The text spoken is sent to the TTS provider.
  • PostHog — product analytics. Pageviews, custom events, and an anonymous identifier.

5. How long we keep data

  • Account, profile, notes — for as long as your account exists. You can delete your account at any time.
  • AI prompt and response logs — retained for 180 days, then deleted on a rolling basis. We may keep a specific log longer if it is part of an active abuse or safety investigation, or if we are required to by an upstream AI provider. Do not submit anything you would not want reviewed by a human admin or passed to an upstream AI provider during a safety investigation.
  • Immersion play logs — retained for debugging and product analysis; tied to your user ID if signed in, otherwise to an anonymous session identifier.
  • Analytics — retained by PostHog for the retention window configured in our PostHog project.

6. Your rights

If you are in Mexico, the EU, the UK, California, or another jurisdiction with data-subject rights, you can ask us to:

  • confirm what personal data we hold about you (Access);
  • provide a copy of that data;
  • correct inaccurate data (Rectification);
  • delete your account and the data tied to it (Cancellation / Erasure);
  • object to specific uses of your data (Opposition).

Mexican users: these are the ARCO rights granted by the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP).

Send requests by email to hello [at] mossyrune.com (replace “[at]” with “@” when sending; we write it this way to deter spam) with the subject “Privacy request,” or use the Feedback button in the lower-right corner of the site. We will respond within the window required by applicable law (typically 20–30 days).

7. Children

The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has submitted data to us, use the Feedback button and we will delete it.

8. Cookies and local storage

We use localStorage (not cookies) for most of our client-side state — language selectors, notes, and the AI-disclosure acknowledgment. Supabase Auth uses a secure cookie/session for signed-in users. PostHog sets cookies for analytics when enabled. You can clear localStorage and cookies through your browser at any time; clearing them signs you out and removes local preferences but does not affect account data synced to Supabase.

9. Changes

We may update this policy as the Service evolves. Material changes will be reflected by an updated “last updated” date at the top.

10. International data transfers

mossyrune is operated from Mexico. Some of our processors (Cloudflare, Supabase, Anthropic, OpenAI, Groq, Google, ElevenLabs, PostHog) operate servers outside Mexico, including in the United States and the European Union. By using the Service you understand that your data may be processed in those jurisdictions, subject to the safeguards described above.

11. Contact

For questions about this policy or to make a data request, email us at hello [at] mossyrune.com (replace “[at]” with “@” when sending; the address is written this way to deter spam). You can also use the Feedback button in the lower-right corner of the site.

enzhesfrpt