Vathus Privacy Policy
Vathus (“we,” “our,” “us”) is an independent software studio based in the United Kingdom. This policy describes what personal data we collect when you use our software (including the desktop application Mockingbird), why we collect it, how long we keep it, and the rights you have over it.
The data controller is the natural person operating Vathus as a UK sole trader. For data-subject requests write to [email protected].
1. What data we collect and why
| Category | Purpose | Legal basis (UK GDPR Art. 6) | Retention |
|---|---|---|---|
| Account details — email address and tier selection you provide at sign-up | To identify your account, apply your subscription tier, and send service notifications (billing receipts, security alerts). | Contract necessity (Art. 6(1)(b)) | For the lifetime of your account and 90 days after deletion. |
| Billing details — payment method token + last-4 of card (held by Stripe, not us) | To charge your subscription and provide statements. | Contract necessity | As required by HMRC (6 years). |
| Anonymous usage counters (telemetry) — event counts, error codes, app version | Product health + debugging. Strictly opt-in: off by default, enable in Settings → Telemetry. | Consent (Art. 6(1)(a)) | 12 months or until you disable telemetry / request deletion, whichever is sooner. |
| Crash reports — stack traces, OS/app version (scrubbed of transcripts, document content, email addresses) | Identifying and fixing crashes. Strictly opt-in: off by default, enable in Settings → Crash reports. | Consent | 90 days. |
Data that stays on your device
The core of Mockingbird is local-first. The following categories never leave your computer unless you explicitly opt into a feature that requires a third-party cloud service (e.g. bringing your own Deepgram key for cloud transcription):
- Live audio captured from your microphone or system output
- Transcripts of your sessions
- Documents you upload (resumes, job descriptions, rubrics, STAR stories, battlecards)
- Practice Loop reviews, scores, and rewrites
- Spaced-repetition drill cards
- BYOK API keys (Anthropic, OpenAI, Deepgram) — encrypted at rest via the operating system keychain (macOS Keychain / Windows DPAPI / Linux libsecret)
2. Third parties we share data with
We use the smallest practical set of third-party processors. Each is listed explicitly below.
| Processor | What they handle | Where | Their privacy policy |
|---|---|---|---|
| Stripe, Inc. | Subscription billing (card token, address) | United States (EU SCCs) | stripe.com/privacy |
| Clerk, Inc. | Authentication (email, session token) | United States (EU SCCs) | clerk.com/legal/privacy |
| Vercel, Inc. | Hosting for vathus.ai, webhook endpoints | United States (EU SCCs) | vercel.com/legal/privacy-policy |
| Sentry (Functional Software) | Only if you enable crash reports. Stack traces, OS/app version. | United States (EU SCCs) | sentry.io/privacy |
| PostHog, Inc. | Only if you enable telemetry. Anonymous event counters. | European Union (hosted in Frankfurt) | posthog.com/privacy |
We do not sell, rent, or otherwise make your personal data available to data brokers, advertising networks, or any other third party outside of the processors listed above. We do not use analytics or advertising SDKs in the desktop app.
Bring-your-own-key (BYOK) cloud providers
If you paste a third-party API key (Anthropic, OpenAI, Deepgram) into the app's Account page, that key is used to connect your device directly to that provider. Your transcripts, prompts, and responses travel between your device and the provider using your credentials — Vathus does not act as a proxy and does not see that traffic. Each provider's privacy policy governs what happens to data you send them; we recommend reviewing them.
3. Your rights under UK GDPR
You have the following rights over your personal data. To exercise any, write to [email protected]; we'll respond within 30 days.
- Access — a machine-readable copy of every row we hold about you (Art. 15).
- Rectification — correction of inaccurate data (Art. 16).
- Erasure — deletion of your account and all associated data (Art. 17). The Mockingbird desktop app exposes a one-click “Delete all my data” button in Settings that drops every row and wipes the keychain.
- Restriction of processing (Art. 18).
- Data portability — a machine-readable gzipped JSON bundle (Art. 20). The desktop app exposes this via Settings → Export all data.
- Object to processing (Art. 21).
- Withdraw consent — you can disable telemetry and crash reports at any time in Settings.
If you believe we have mishandled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
4. International transfers
Some of our processors (listed above) are based in the United States. Where personal data leaves the UK, transfers are protected by the UK Addendum to the EU Standard Contractual Clauses, which each listed US processor has signed.
5. Cookies and similar technologies
The Mockingbird desktop app does not use cookies. The public website at vathus.ai uses only strictly-necessary first-party cookies for session continuity and does not embed advertising, analytics, or tracking cookies. No cookie banner is required for purely strictly-necessary usage, but if this ever changes we will post a banner first.
6. Changes to this policy
We'll post the new version here and update the “Last updated” date. If a change materially reduces your rights or expands how we use your data, we'll email registered users before the change takes effect.
7. Contact
For privacy enquiries: [email protected]
For general enquiries: [email protected]