Last updated ·
Miles Mosaic, currently run by Daan Zwets pending incorporation as Miles Mosaic Pte. Ltd. in Singapore (“Miles Mosaic”, “we”, “us”) operates the website at milesmosaic.com and the products available through it. This Privacy Policy describes what personal data we collect when you visit the site or use the product, how we use it, who we share it with, and what rights you have over it under applicable law, in particular the Singapore Personal Data Protection Act (PDPA), the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) as amended by the CPRA.
We’ve done our best to write this in plain English. If anything is unclear, write to [email protected] and we will explain it.
1. Who this applies to
This policy applies to anyone who visits milesmosaic.com or registers a Miles Mosaic account, whether on the free Explorer tier or the paid Pro tier. The data controller for the processing described here is Miles Mosaic, operated by Daan Zwets and pending incorporation as Miles Mosaic Pte. Ltd. in Singapore. On incorporation, this policy will be updated with the ACRA UEN and registered office address. You can reach our privacy team, including our Data Protection Officer, at [email protected] (see section 16).
EU representative (GDPR Article 27). Engaged via a specialist EU representative service (paperwork in progress as of 15 May 2026). Once finalised, the named individual or organisation, full EU postal address, and dedicated email will appear here. EU and EEA residents may, once published, contact our EU representative directly on any matter relating to the processing of their personal data. In the meantime, please write to [email protected].
UK representative (UK GDPR Article 27). Engaged via a specialist UK representative service (paperwork in progress as of 15 May 2026). Once finalised, the named individual or organisation, full UK postal address, and dedicated email will appear here. UK residents may, once published, contact our UK representative directly. In the meantime, please write to [email protected].
2. Data we collect
We collect only the personal data we genuinely need to run the product, send you alerts, bill you (if you’re on Pro), and defend the service against abuse. We split it into four categories.
Account data
When you create an account we ask for an email address and a password. If you sign in through a third-party identity provider (for example Google) we receive your name and email address from that provider and we use them only to set up your account; we do not receive your password from them. You can also optionally provide a display name.
Programme data you enter
The tracker is built on data you type in yourself: the loyalty programmes you hold (for example AAdvantage, Flying Blue, Bonvoy), the current balance you choose to record, the elite tier you currently hold, the goal tier you’re tracking towards, the expiry dates of certificates, and any free-text notes you decide to attach. This is the core data the product is built around; without it the tracker has nothing to show you.
Subscription and billing data
If you subscribe to Pro we collect your billing address (for VAT/tax purposes), the last four digits of your payment card and its expiry month, the country your card was issued in, and the transactional records of your subscription (signup date, cancellation date, renewal events). We do not collect or store your full payment card number; that goes directly to our payment processor under their PCI DSS compliance.
Technical data
When you load a page or make an API request, our servers automatically log a small set of technical fields: the IP address the request came from, the user-agent string of your browser, the URL you requested, the HTTP response status, and the timestamp. These access logs are retained for up to 90 days and are used to investigate security incidents, identify automated abuse, and diagnose bugs.
3. Data we deliberately do not collect
The clearest way to describe Miles Mosaic’s privacy posture is to be specific about what we don’t do:
- We do not ask for, accept, or store your loyalty programme passwords. The tracker is built around balances you type in yourself or paste from your airline app. We do not log into airline accounts on your behalf.
- We do not connect to loyalty programmes by API or by scraping. If a programme launches an official public API we may evaluate it; we will not deploy any integration that requires storing programme credentials.
- We do not sell or rent personal data to marketing brokers, data brokers, list resellers, or advertisers. We do not maintain any ‘audience segment’ product for sale to third parties.
- We do not run cross-site tracking beacons for the purpose of building behavioural profiles outside our own site. The tags we do load (Google Analytics, AdSense) are described in their own sections below and are gated by consent.
4. Cookies and similar technologies
We use cookies and similar storage (local storage, session storage) for four purposes. Full details, including cookie names and lifespans, are in our Cookie Policy.
- Strictly necessary cookies: the session cookie that keeps you logged in, and the cookie that records your consent choices. These cannot be turned off because without them the site does not work.
- Analytics cookies: used by Google Analytics 4 to measure page views and aggregate behaviour. Set only after you grant analytics consent.
- Advertising cookies: used by Google AdSense on the Explorer tier to serve and measure ads. Set only after you grant advertising consent. Pro accounts are ad-free and we do not load AdSense for them.
- Preferences cookies: remember small choices like your preferred theme or locale.
5. Analytics
We use Google Analytics 4, loaded via Google Tag Manager, to understand at an aggregate level which pages are read, which articles convert to signups, and where the product is performing badly. We operate Google Analytics in Consent Mode v2: if you have not granted analytics consent, the tag still loads but no identifiers and no client ID are transmitted, and Google has agreed under that mode to use the hits only for aggregate modelled measurement.
We do not allow Google to use the data collected through Analytics for personalised advertising, and we do not link Google Analytics with Google AdSense impressions on a per-user basis. We have configured IP anonymisation and we do not store raw IP addresses in our analytics property.
6. Advertising
Explorer is an ad-supported tier. We use Google AdSense to serve advertising on the editorial articles and on certain non-policy marketing pages. Where AdSense placements appear they are clearly labelled ‘Advertisement’ in a neutral grey strip above the slot, they sit in containers that are visually distinct from editorial, and we follow Google’s policies on ad density and placement.
When advertising consent has been granted, Google may use cookies (and similar identifiers) to serve ads based on your previous visits to this site and other sites. Google’s use of advertising cookies enables it and its partners to serve ads based on your visit to milesmosaic.com and/or other sites on the Internet. You can opt out of personalised advertising by visiting Google Ads Settings, or, more comprehensively, the Digital Advertising Alliance’s opt-out page.
Pro accounts are ad-free. When you are authenticated to a Pro account we do not load Google AdSense tags on any surface. We also do not load AdSense on the following pages regardless of tier, because they are not appropriate ad surfaces: signup, login, account settings, all auth flows, the contact page, the privacy / terms / cookies policies, the 404 and 500 error pages, and the dashboard itself.
7. Email and communications
We send two kinds of email.
Transactional email is sent to operate the product: account confirmation, password reset, expiry alerts on your tracked programmes, billing receipts (for Pro), security notifications about your account, and direct replies to support requests. We send these on the legal basis of performing the contract you have with us; you cannot opt out of them while you hold an active Miles Mosaic account. You can disable individual expiry-alert emails inside the dashboard.
The editorial newsletter is sent only to people who have opted in, either through the signup form or the newsletter form in the footer. We send the newsletter on the legal basis of consent. Every newsletter includes a single-click unsubscribe link in the footer; we honour unsubscribes within 24 hours.
8. Legal bases for processing
For users in the EEA and the UK, our legal bases under GDPR are:
- Performance of a contract for account and billing data, programme tracking data, transactional email.
- Consent for analytics cookies, advertising cookies, the editorial newsletter, and any other non-essential cookies. Consent can be withdrawn at any time without affecting the lawfulness of processing already carried out.
- Legitimate interests for the limited security logging described in section 2 (Technical data) and for defending the service from abuse and fraud. We have balanced these interests against your rights and concluded that they do not override them given how narrow the data is.
- Compliance with legal obligations where we are required to retain certain records for tax, accounting, or statutory purposes.
9. Your rights under GDPR (EU / UK)
If you are in the European Economic Area or the United Kingdom, you have the following rights over your personal data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: ask us to correct inaccurate data. You can do most of this yourself through the account settings.
- Right to erasure (‘right to be forgotten’): ask us to delete your personal data. You can delete your account from the settings, which removes your tracker data and most of your account record within 30 days. Some records (billing records, security logs) may be retained for the periods described in section 13.
- Right to data portability: receive your data in a machine-readable format. You can export your tracker as CSV from the dashboard at any time.
- Right to restriction of processing: in certain circumstances ask us to pause processing.
- Right to object: object to any processing carried out on the basis of legitimate interests.
- Right to withdraw consent: withdraw any consent you have given (for example, the analytics or advertising cookies, or the newsletter).
- Right to lodge a complaint with your national supervisory authority:
  - Singapore: Personal Data Protection Commission (PDPC).
  - EU and EEA: your local Data Protection Authority. A directory of EU/EEA DPAs is published by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en.
  - United Kingdom: Information Commissioner’s Office (ICO).
  - California: California Privacy Protection Agency (CPPA); you may also write to the California Attorney General.
  - Other US states: your state attorney general. The National Association of Attorneys General publishes a directory at naag.org/find-my-ag/.
To exercise any of these rights, write to [email protected]. We will respond within 30 days and typically much faster.
Likely consequences of withdrawing consent
Under the Singapore PDPA Notification Obligation (and as good practice for EU/UK users), we tell you up front what will change if you withdraw a consent you have given us:
- Withdrawing consent to marketing emails (the newsletter): you will stop receiving editorial newsletter emails within 24 hours. Your account remains active and you will continue to receive transactional emails (security notifications, billing receipts, expiry alerts) because we send those on the basis of performing your contract with us.
- Withdrawing consent to analytics cookies: Google Analytics will stop tracking your sessions on this device. Your account, tracker data, and access to the product are unaffected.
- Withdrawing consent to advertising cookies (Explorer): we cannot serve personalised advertising to you. Non-personalised contextual ads may still appear; if you would prefer no ads at all, upgrade to Pro (Pro accounts are ad-free).
- Withdrawing consent to data processing for the Pro subscription: we will treat this as a request to cancel your Pro subscription. Your Pro subscription will end at the next renewal date, you will drop back to Explorer, and any settings tied specifically to Pro features will be deleted within 30 days. Your account and tracker data otherwise remain intact unless you also ask us to delete the account.
- Strictly necessary cookies cannot be withdrawn because they are required for the site to work. If you block them in your browser you will not be able to sign in.
10. Your rights under CCPA / CPRA (California)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights:
- Right to know what categories of personal information we have collected about you and how we have used it.
- Right to delete personal information we have collected about you, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the “sale” or “sharing” of personal information. We do not sell personal data. We may ‘share’ personal data in the CCPA sense of cross-context behavioural advertising for non-logged-in visitors of our editorial pages where they have granted advertising consent through our cookie banner. You can opt out at any time using either of the following:
  - The ‘Do Not Sell or Share My Personal Information’ link in our website footer.
  - A browser Global Privacy Control (GPC) signal. We honour the Global Privacy Control as a valid request to opt out of the ‘sale’ or ‘sharing’ of personal information under the CCPA. If your browser sends a Sec-GPC: 1 header, we treat that as an opt-out for the current session and any future visits from that browser, and we display a confirmation that your signal has been received as required by CPPA Regulations §7025 (effective 1 January 2026).
- Right to limit use of sensitive personal information. Among the categories CCPA defines as ‘sensitive personal information’ (Civil Code §1798.140(ae)), we collect only your account log-in credentials: your email plus a hashed password, or your linked Google identity, together with the session token that keeps you logged in. We use these solely to authenticate you and to maintain your session. We do not use this category of information for advertising, for profiling, or for any purpose beyond providing the Service. You may exercise your right under Civ. Code §1798.121 to direct us to limit our use of this information to those authentication and security purposes by writing to [email protected]; we already operate under that limit by default.
- Right to non-discrimination for exercising any of the above.
To submit a CCPA request, write to [email protected] or use the ‘Do Not Sell or Share My Personal Information’ link in the footer.
11. Children’s privacy
Miles Mosaic is not directed at children under the age of 13 (or under 16 where local law sets a higher threshold). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, write to [email protected] and we will delete the account and any associated data without delay.
12. International transfers
Miles Mosaic is operated from Singapore and our primary data centres are in the European Union. Where personal data is transferred out of Singapore or out of the EEA/UK, we comply with the Singapore PDPA Transfer Limitation Obligation and with Chapter V of the GDPR / UK GDPR.
Recipient countries and transfer mechanisms per processor. The table below names the specific transfer mechanism we rely on for each material recipient:
- Stripe (United States): payment processing. Mechanism: EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, together with Stripe’s data-protection addendum. Stripe is also self-certified under the EU–US Data Privacy Framework, so we additionally rely on the European Commission’s adequacy decision of 10 July 2023 for transfers to Stripe.
- Google Analytics 4 (United States): measurement infrastructure. Mechanism: EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, with IP anonymisation enabled at the tag level so raw IP addresses are not stored. Google LLC is self-certified to the EU–US Data Privacy Framework.
- Google AdSense (United States): ad serving on Explorer for visitors who have granted advertising consent. Mechanism: EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, plus Google’s Data Privacy Framework self-certification.
- OAuth identity providers (United States or country of the provider): the country and mechanism vary per provider (currently Google). We rely on the consent you give at the moment of the OAuth handshake as the transfer basis, together with the provider’s own SCCs and (for Google) the EU–US Data Privacy Framework.
- Hosting and transactional-email providers: primary hosting is in the European Union (Ireland). Transactional email may transit through a US-headquartered provider; the SCCs apply.
A current list of sub-processors with category, role, and country is available on request from [email protected]; we respond within five working days.
13. Data retention
We retain personal data only as long as we need it.
- Account and tracker data: for as long as you have an active account, plus 30 days after deletion to allow for accidental-deletion recovery.
- Billing records: for 7 years after the date of the relevant invoice, as required by Singapore tax law (IRAS).
- Security logs (access logs): up to 90 days.
- Editorial newsletter subscription: for as long as you remain subscribed, plus a short suppression record after you unsubscribe so we don’t accidentally email you again.
14. Security measures
We hold personal data on infrastructure that uses encryption in transit (TLS 1.2+) and encryption at rest on the underlying storage. Database access is restricted to a small number of named administrators, all of whom use hardware-key MFA. Account passwords are stored hashed using a modern, work-factor-tuned algorithm (bcrypt); they are not recoverable in plaintext. We run periodic restore tests on our backups.
No system is perfectly secure. If we ever experience a data breach that involves personal data and meets the GDPR notification threshold, we will notify the Singapore Personal Data Protection Authority within 72 hours and, where required, notify affected users directly without undue delay.
15. Updates to this policy
We may update this Privacy Policy from time to time. When we do, we will update the ‘Last updated’ stamp at the top of the page. For material changes (changes that meaningfully expand what we collect, who we share with, or how long we retain) we will additionally notify registered users by email at least 14 days before the change takes effect, and we’ll keep the previous version available on request for at least 12 months.
16. Contact us
For any privacy question, request, or complaint, write to our privacy team or our Data Protection Officer. We answer in plain English; you do not need to cite the GDPR article number.
Data Protection Officer
Data Protection Officer: Daan Zwets (founder, acting DPO pending Miles Mosaic Pte. Ltd. incorporation), designated under section 11(3) of the Singapore Personal Data Protection Act.
Email: [email protected]
Reachable: Monday to Friday, 09:00–18:00 SGT, excluding Singapore public holidays. We respond within 30 days of receipt, usually much sooner.
Post: Postal address pending incorporation. Please use email.
Privacy enquiries (general)
Email: [email protected]
You can also use our contact form to reach out to us.