The compliant location-data layerv0.1.0 · April 2026

Source it. Use it.
Without the liability.

Mosaic is a privacy-engineered marketplace for location data. App publishers monetize signals through an SDK that strips PII before egress. Brands and analysts consume the result — pre-aggregated, auditable, risk-free for everyone in the chain.

SUPPLIERI have an app. I want to monetize location signals — compliantly.Integrate the SDK BUYERI need movement insights. I don't want to inherit the liability.Explore the data

Res 10H3 precision · ~15m

k≥50Anonymity threshold

0PII collected

LIVE H3 AGGREGATION · RES-10

GDPR alignedCCPA compliantApple ATT compatibleNo PII processedOn-device hashing

Two sides, one privacy guarantee

Mosaic sits between the apps that generate location data and the teams that need it — and engineers the risk out of both seats.

For suppliers

Monetize location signals — without the compliance overhead.

Drop our SDK into your app. We hash identifiers on-device, aggregate inside our perimeter, and pay you on the cleared revenue. Your users keep their privacy. Your team keeps its weekends.

01One SDK, hashed at the edge — no PII ever leaves the device.
02Revenue share on cleared, anonymized aggregates.
03Drop-in opt-in flow that satisfies ATT, GDPR, and CCPA.
04Open audit logs — show users exactly what's collected.

Integrate the SDK

For buyers

Real-world measurement that survives a privacy review.

Query foot traffic, audience reach, and competitive share through one API. Every result is pre-aggregated and ships with panel composition and confidence intervals — so legal signs off and analysts trust the answer.

01Aggregated counts only. You never receive raw paths or device IDs.
02Daily refresh. Stable schemas. Versioned semver.
03REST API and SQL access to the same model.
04Documented panel + confidence intervals on every query.

Explore the data

How it works

From the app to the answer — privacy is the pipeline, not a postscript.

SUPPLIERMOSAICBUYER

Signal at the edge

The SDK collects opt-in location events inside the publisher's app. Identifiers are k-hashed on-device. No raw device IDs ever leave the phone.

Aggregation in our perimeter

Hashed events land in Mosaic. We bucket them into H3 hex cells, audience segments, and category counts before anything is queryable.

Compliance, by construction

Identifier graphs are dropped, opt-out syncs within minutes, and every aggregate carries panel composition and a confidence interval.

Counts at the API

Buyers query the result through SDK, REST, or SQL. The smallest unit they ever receive is a cell, segment, or count — never a path, never a person.

For buyers · Use cases

Three questions Mosaic answers cleanly.

Measure what walks in.

Daily visit counts, dwell time, and trade-area shape for any place or chain in the country. Refresh daily, not next quarter.

AVisits, visitors, and dwell across 8M points of interest.

BTrade area polygons sized to your panel, not a generic radius.

CComparable methodology across regions and reporting periods.

VISITS · 24H ROLLINGSAMPLE · NOT LIVE

For suppliers · The SDK

A monetization layer that won't keep your privacy team up at night.

Most location SDKs collect first, ask later. Mosaic inverts that: identifiers are hashed before they leave the device, and only aggregates are eligible for payout. You ship one library; we handle the legal posture.

~14kbSDK · gzipped, iOS / Android

~0.2%Battery overhead · typical

~5minOpt-out sync · ConsentSyncer

Net-30Payouts on cleared aggregates

Drop-in consent flow

ATT-compliant prompt, GDPR + CCPA notice, and a user-facing audit screen — themed to your app, not a generic modal.

On-device hashing

k-anonymous hashing happens before any payload is composed. No raw MAID or location string ever crosses the wire.

Transparent revenue

Per-aggregate accounting. You can reconcile your statement against the rolled-up cells we sold.

Engineering you can read

Open changelog, signed releases, and a public threat model. We document what we drop, not just what we keep.

Vs. legacy location data

A different shape of data — by design, not by addendum.

Most location feeds were built on raw device records, then patched with policy. Mosaic was built the other way around: we ship aggregates because that's all we ever held — on either side of the marketplace.

Dimension

Legacy location data

Mosaic

Underlying records

×Raw lat/long pings tied to a device ID

&check;Pre-aggregated hex cells & segment counts

Identifier handling

×MAID retained, often re-shared

&check;Hashed at edge, dropped before storage

Smallest unit shipped

×Individual ping or device path

&check;Hex cell, segment, or category count

Supplier liability

×Inherited by the publisher

&check;Engineered out by the SDK

Buyer liability

×Inherited at ingest

&check;Engineered out before egress

Refresh cadence

×Quarterly, batch CSV

&check;Daily API, stable schemas

Why Mosaic

Built for both sides of the marketplace.

For publishers integrating the SDKSUPPLIER

●Zero App Store review escalations — no IDFA, no tracking flags.
●Net-30 payouts on cleared aggregates with per-cell reconciliation.
●Drop-in consent flow handles ATT, GDPR, and CCPA out of the box.

<14kbSDK footprint · gzipped

For teams buying location dataBUYER

●No 90-day legal review — aggregated pipeline means no PII to assess.
●Daily refresh replaces quarterly batch CSV delivery.
●Panel composition and confidence intervals on every query.

0Device IDs shipped

For compliance and security teamsBOTH

●On-device hashing — identifiers never leave the phone.
●Opt-out syncs within minutes via ConsentSyncer.
●Audit logs and open changelog for full transparency.

~5minOpt-out sync time

For developers

One SDK. Every access pattern.

Suppliers integrate the SDK to capture opt-in signals. Buyers access the same data model via typed client, REST API, or direct warehouse query. Every response carries panel composition and a confidence interval — so you can show your work.

AuthBearer token, scoped per dataset.

CellsUber H3 res-7 through res-10; bring your own polygons.

SLAAudit logs included. Uptime and latency targets per contract.

SchemasStable, versioned, semver. No silent breakage.

TypeScript

// Buyer: POI visitation for an H3 cell, last 7 days
const res = await fetch(
  "https://api.mosaicsdk.com/v1/analytics/poi-visitation?" +
    new URLSearchParams({
      h3_index: "8a2a1072b59ffff",
      date_from: "2026-04-24",
      date_to: "2026-04-30",
      consent_tier: "all",
    }),
  { headers: { Authorization: "Bearer $MOSAIC_TOKEN" } }
);

const data = await res.json();
// { h3_index, visits, panel_size, ci_low, ci_high }

Trust · For both sides

The privacy posture is the product.

We can't sell what we never had. The pipeline drops identifiers on the supplier side, aggregates inside our perimeter, and ships counts to the buyer — never paths.

Read the privacy whitepaper

No PII collected, ever

We don't ingest names, emails, phone numbers, or device advertising IDs.

● Engineered

Hashed at the edge

Identifiers are k-hashed on-device before any signal leaves the SDK.

● v0.1

Aggregated before egress

Hex-cell rollups happen inside our perimeter. No raw paths leave.

● Default

GDPR + CCPA aligned

Lawful basis tracked per partner, opt-out syncs within minutes.

● Audited

Apple ATT compatible

We do not require IDFA. Coverage holds without it.

● Compatible

Get started

Pick your seat. The privacy guarantee is the same.

Tell us whether you're sourcing the data or using it. We'll route you to the right team and the smallest, cleanest version of the answer.

SUPPLIER

Integrate the SDK and monetize compliantly.

Talk to publisher relations

BUYER

Query foot traffic, audience, and share — without the liability.

Talk to our data team

Source it. Use it.Without the liability.