Mocca

Last updated: 11 May 2026

Privacy

Plain-English version of what data Mocca stores about you, why, and how to get rid of it.

What we store

Just the things needed to run your workspace:

  • Your email. For login and any account-related emails (magic links, billing receipts).
  • Your chat conversations. Everything you and Mocca say to each other. Stored so you can scroll back later.
  • Files you upload. Stored in your workspace's private storage bucket. Only Mocca agents in your workspace can read them.
  • API keys / OAuth tokens you connect. Encrypted at rest with AES-256-GCM. Never shown back to anyone, not even you.
  • Usage records. Per-task cost in cents, timestamps, and the run output, for billing transparency and your activity log.

What we don't do

  • We don't sell your data. Ever.
  • We don't train AI models on your data.
  • We don't read your conversations except when you ask support to look at something specific.
  • We don't share your files or credentials with third parties beyond the processors listed below.

Who processes your data

We use a small set of third-party services to make Mocca work. Each one only sees the data it strictly needs to do its job:

  • Cloudflare R2. Stores your uploaded files and generated artifacts. Files are namespaced by workspace, so cross-workspace access is impossible by construction.
  • Anthropic / Google Gemini. When Mocca or one of your agents needs to think (read your prompt, plan a task, write a script), it sends the relevant context to these LLM providers. Per their terms, neither trains on API requests.
  • E2B. Runs the code Mocca writes inside an isolated sandbox per workspace. Each sandbox has access only to that workspace's files.
  • Resend. Delivers transactional email (magic-link logins, billing notifications). Receives just your email address and the message body.
  • Fly.io. Hosts the app servers and Postgres database. Operates the underlying infrastructure.

How long we keep it

As long as your workspace exists. When you delete the workspace, every row in our database tied to it is removed (cascading deletes on every related table) and every file in R2 under that workspace prefix is purged within minutes. Backups roll off after 30 days.

Your rights

  • Export your data. Email support@mocca.run and we'll send your chat history + files within 7 days.
  • Delete your account. Settings → Delete workspace. Gone in seconds. No "confirm deletion via email" friction.
  • Correct your data. Email any chat content, file, or row you want changed.
  • Stop using your data for service operations. That means stop using Mocca — there's no way to keep the service running without processing the conversations.

Security

  • TLS everywhere — both browser-to-server and server-to-third-party.
  • Encrypted-at-rest credentials (AES-256-GCM).
  • Workspace isolation enforced at the application layer: every skill call carries a workspace_id, no cross-workspace reads possible.
  • Sandboxed code execution — generated scripts run with no network egress to systems other than what they need.

Cookies

One session cookie to keep you logged in. One CSRF token. That's it. No analytics, no advertising trackers, no third-party JavaScript on the dashboard.

Children

Mocca is for professional use. We don't knowingly collect data from anyone under 16. If you believe a child has signed up, email us and we'll delete the account.

Changes to this policy

If we materially change how we handle data, we'll email everyone with an active account at least 14 days before the change takes effect. Minor wording fixes get a "last updated" bump at the top.

Contact

Privacy questions: support@mocca.run. Reply within 48 hours during weekdays.