Privacy Policy
February 2026
Mosaic ("we", "us" or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your personal data when you use our website (itsmosaic.app) and platform services. It has been prepared in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
Mosaic acts as the data controller in respect of personal data you provide to us directly (e.g. demo requests, contact forms, account registration).
| Company | Mosaic |
| Website | itsmosaic.app |
| Email | privacy@itsmosaic.app |
Controller vs. Processor: When our customers upload data about their own contacts, customers or employees into the Mosaic platform, Mosaic acts as a data processor and processes that data solely on the customer's behalf and under their instructions.
2. Personal Data We Collect
We may collect personal data in the following categories:
Identity and Contact Data
- Full name, job title and company name
- Business email address and phone number
Technical Data
- IP address and browser information
- Device type and operating system
- Cookies, session tokens and log files
- Page views, clicks and navigation paths
Platform Usage Data
- Customer and supplier records entered by users
- Tasks, quotes and reports created within the platform
- API access logs and integration events
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Lawful Basis (GDPR Art. 6) |
|---|---|
| Providing and delivering our services | Performance of a contract (Art. 6(1)(b)) |
| Responding to demo requests and support enquiries | Consent (Art. 6(1)(a)) |
| Security, fraud prevention and platform integrity | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and service improvement | Legitimate interests / Consent |
| Marketing communications and newsletters | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Invoicing and financial record-keeping | Legal obligation (Art. 6(1)(c)) |
4. Sharing Your Data
We may share your personal data with third parties in the following circumstances:
- Service providers: Cloud infrastructure (AWS, Vercel), email delivery and analytics tools — bound by data processing agreements and permitted only to act on our instructions
- Legal requirements: Where required by a court order, regulatory authority or applicable law
- Business transfers: In connection with a merger, acquisition or sale of assets, with prior notice to you
We do not sell your personal data to third parties.
5. International Data Transfers
Your data is primarily processed within Turkey and the European Economic Area (EEA). Where transfers to countries outside the EEA are necessary, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Article 46.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Demo and contact form submissions | 3 years from submission |
| Platform account and usage data | 90 days after account deletion |
| Contract and invoice records | 10 years (statutory requirement) |
| Web analytics data | 26 months (anonymised) |
| Marketing consent records | Until consent is withdrawn |
7. Security
We implement appropriate technical and organisational measures to protect your data:
- TLS 1.3 encryption in transit and AES-256 encryption at rest
- Role-based access control (RBAC) with least-privilege principles
- Regular security audits and penetration testing
- Automated vulnerability scanning
- Data protection training for all staff
- Breach notification procedures (72-hour GDPR notification obligation)
8. Cookies
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Session management, security | No |
| Analytics | Usage statistics (Google Analytics) | Yes |
| Preference | Theme, language settings | Yes |
You can manage or disable cookies through your browser settings. Disabling non-essential cookies may affect the functionality of certain features.
9. Your Rights
Under the GDPR, you have the following rights:
- Access: Obtain a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your data where no longer necessary
- Restriction: Ask us to restrict processing in certain circumstances
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests or for direct marketing
- Withdraw consent: Withdraw consent at any time without affecting prior processing
To exercise any of these rights, please email privacy@itsmosaic.app. We aim to respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority.
10. Contact
| Email | privacy@itsmosaic.app |
| Website | itsmosaic.app |
Changes to This Policy
We may update this policy from time to time. Material changes will be announced on our website and, where appropriate, notified to registered users by email.