GDPR Privacy Notice
February 2026
This notice is provided pursuant to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) by Mosaic ("we", "us" or "Company"), acting as data controller in respect of your personal data.
1. Data Controller
| Company | Mosaic |
| Website | itsmosaic.app |
| privacy@itsmosaic.app |
2. Purposes and Legal Bases of Processing
We process your personal data for the following purposes and on the following legal bases under GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Providing our platform services and managing your account | Contract — Art. 6(1)(b) |
| Responding to demo requests, enquiries and support | Consent — Art. 6(1)(a) |
| Platform security and fraud prevention | Legitimate interests — Art. 6(1)(f) |
| Product analytics and service improvement | Legitimate interests / Consent |
| Sending marketing communications | Consent — Art. 6(1)(a) |
| Compliance with legal obligations (tax, accounting) | Legal obligation — Art. 6(1)(c) |
3. Categories of Personal Data Processed
| Category | Examples |
|---|---|
| Identity and contact data | Name, email address, phone number, job title, company |
| Technical data | IP address, browser, device type, cookies, session logs |
| Platform usage data | Records, tasks and reports created within the platform |
| Financial data | Invoice details and payment records |
4. Recipients and International Data Transfers
| Recipient Category | Transfer Mechanism |
|---|---|
| Cloud infrastructure providers (AWS, Vercel) | Standard Contractual Clauses (SCCs) |
| Email delivery services | SCCs / Adequacy decision |
| Analytics tools (Google Analytics) | SCCs / Consent |
| Competent public authorities | Legal obligation |
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (EU Commission Decision 2021/914) under GDPR Article 46, or another appropriate safeguard.
5. Retention Periods
| Data Type | Retention Period |
|---|---|
| Demo and contact form submissions | 3 years from date of submission |
| Platform account and usage data | 90 days after account deletion |
| Contract and invoice records | 10 years (statutory obligation) |
| Web analytics data | 26 months (anonymised after that) |
| Marketing consent records | Until withdrawn |
6. Your Data Subject Rights (Articles 15–22 GDPR)
Under the GDPR you have the following rights:
- Right of access (Art. 15): Obtain a copy of your personal data and information about how it is processed
- Right to rectification (Art. 16): Have inaccurate or incomplete data corrected
- Right to erasure (Art. 17): Request deletion of your data where no longer necessary or where consent is withdrawn
- Right to restriction (Art. 18): Ask us to restrict processing in certain circumstances
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing
- Right not to be subject to automated decisions (Art. 22): Not be subject to decisions based solely on automated processing that produce significant effects
7. How to Exercise Your Rights
To exercise any of your rights, please contact us at privacy@itsmosaic.app, including the following information:
- Your full name and email address associated with your account
- The specific right you wish to exercise
- Any additional information to help us identify and respond to your request
We aim to respond to all requests within 30 days. Where your request is particularly complex, we may extend this by a further two months and will notify you accordingly.
8. Right to Lodge a Complaint
If you are unhappy with how we handle your personal data or a rights request, you have the right to lodge a complaint with your national data protection supervisory authority. For EU residents, a list of national supervisory authorities is available at edpb.europa.eu.
9. Contact
| privacy@itsmosaic.app | |
| Website | itsmosaic.app |