This policy applies to Mosaic Finance ("we", "us"), including the web service at mosaicfinance.xyz and the Mosaic Finance Chrome Extension. It describes what data we collect, why, where it goes, and the controls available to you.
Summary
- We do not sell your data.
- The Chrome extension does not read the contents of the pages you visit. It scans page text locally for ticker patterns (like $AAPL); only matched symbols are sent to our backend to fetch quotes.
- If you sign in, we receive your Google-verified email, display name, and profile photo so we can sync your watchlist across devices.
- We use Google Analytics 4 to count installs and feature usage (anonymous client ID, never your page URLs).
- Uninstalling the extension removes all locally stored data.
1. Data We Collect
1.1 Data you provide
- Google email, name, profile photo — only if you click "Sign in with Google". Used for account identification and syncing your watchlist across devices.
- Watchlist symbols (e.g. AAPL, MSFT) — stored locally via chrome.storage.sync and transmitted to our backend to fetch quotes for them.
- Search queries — when you type in the extension omnibar, the query is sent to our search endpoint to return matching symbols.
1.2 Data collected automatically
- Detected ticker symbols from the page you are viewing — sent to our backend to render hover cards. We do not receive the page URL, title, or content.
- Anonymous client ID and session ID (random UUIDs) for Google Analytics 4 event correlation, stored locally.
- Product analytics events: extension_installed, extension_opened, tab_viewed, ticker_searched, watchlist_added, watchlist_removed, signed_in, signed_out, hover_card_shown, omnibar_opened, setting_changed.
- Basic request metadata (IP, user agent) received by our backend in standard server logs for abuse prevention and debugging.
1.3 Data we do NOT collect
- The URL, title, or content of pages you visit
- Your browsing history
- Form inputs, passwords, or keystrokes outside our omnibar
- Financial account credentials or brokerage data
2. How We Use Your Data
- Serve the product (fetch quotes, fundamentals, sparklines for detected tickers)
- Sync your watchlist across devices when signed in
- Authenticate you via Google OAuth and Firebase Identity Toolkit
- Measure aggregate product usage via Google Analytics 4
- Debug and improve reliability using server logs
We do not use your data for advertising or profiling, and we do not share it with data brokers.
3. Third Parties That Receive Data
- Google (OAuth) — your Google account email, name, and photo via chrome.identity, for sign-in.
- Google / Firebase (Identity Toolkit) — Google OAuth access token exchanged for a Firebase ID token that authenticates API calls.
- Google Analytics 4 — anonymous client ID, event names, and minimal event parameters.
- Mosaic Finance backend — detected tickers, watchlist symbols, search queries, and your Firebase ID token.
We use no other third-party processors.
4. Data Retention
- Local extension storage — removed automatically when you uninstall the extension or clear its data.
- Watchlist on our backend (if signed in) — retained until you delete the entry or your account.
- Google Analytics events — retained for 14 months per GA4 defaults.
- Server logs — retained for up to 30 days.
5. Your Rights and Controls
- Sign out at any time from the extension popup. This clears your Firebase token and local auth state.
- Remove watchlist items individually from the popup.
- Uninstall the extension to wipe all local data.
- Request account deletion by emailing support. We will remove your account and associated watchlist data within 30 days.
- Opt out of analytics by blocking requests to google-analytics.com at the browser or network level. A native opt-out toggle is on our roadmap.
Depending on where you live, you may have additional rights under GDPR (EU/UK), CCPA (California), or similar laws — including the right to access, correct, delete, or port your data. Contact us to exercise those rights.
6. Security
- All backend API traffic uses HTTPS.
- We never store Google passwords; sign-in uses Google's OAuth flow.
- Firebase ID tokens are short-lived and scoped to our API.
- Our Firebase API key is a public client credential restricted by Google to our extension ID and web origin.
No system is perfectly secure. If you believe you have found a vulnerability, email [email protected].
7. Children's Privacy
Mosaic Finance is not directed at children under 13 and we do not knowingly collect data from them.
8. Changes to This Policy
We will update the "Last updated" date above when material changes occur. For significant changes, we will also surface a notice in the extension popup on your next launch.