TryMosaic GDPR Notice

Effective Date: 8 March

Reflective MindApp Ltd | ICO Registration: ZB887508

1. Overview of GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas.

The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Key GDPR Principles

  • Lawfulness, fairness, and transparency - Processing must be lawful, fair, and transparent to the data subject.

  • Purpose limitation - Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

  • Data minimization - Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

  • Accuracy - Personal data must be accurate and, where necessary, kept up to date.

  • Storage limitation - Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed.

  • Integrity and confidentiality - Personal data must be processed in a manner that ensures appropriate security of the personal data.

  • Accountability - The controller shall be responsible for and be able to demonstrate compliance with the GDPR principles.

2. Our Commitment to GDPR

At Mosaic, we are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles.

Our preparation for GDPR compliance has included:

  • Conducting comprehensive data mapping to identify all personal data we process and the lawful basis for processing it

  • Reviewing and updating our data protection policies and procedures

  • Implementing technical and organizational measures to ensure data protection by design and by default

  • Enhancing our security measures for data protection

  • Training our staff on GDPR requirements and data protection best practices

  • Appointing a Data Protection Officer to oversee our compliance efforts

  • Establishing procedures for data subject rights requests

  • Implementing data breach detection, investigation, and reporting procedures

We continually review and enhance our compliance program to maintain the highest standards of data protection.

3. Data Processing Principles

Mosaic adheres to the principles set out in the GDPR. Here's how we apply these principles:

3.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. Our Privacy Policy clearly explains what data we collect, how we use it, and the legal basis for processing.

3.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner that is incompatible with those purposes. If we intend to use data for a new purpose, we will notify you and ensure we have a valid legal basis for the new processing.

3.3 Data Minimization

We collect only the personal data that is necessary for the specific purpose we have communicated to you. We regularly review our data collection practices to ensure we are not collecting excessive information.

3.4 Accuracy

We take reasonable steps to ensure personal data is accurate and up to date. You can update your personal information at any time through your account settings, and we encourage you to notify us of any changes to your personal data.

3.5 Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our Privacy Policy outlines our retention periods for different types of data.

3.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Our security measures include encryption, access controls, regular security assessments, and staff training.

3.7 Accountability

We maintain records of our data processing activities and are able to demonstrate our compliance with GDPR principles. We regularly review and update our policies and procedures to maintain compliance.

4. Lawful Basis for Processing

Under GDPR, we must have a valid lawful basis in order to process personal data. Mosaic relies on the following lawful bases for processing personal data:

Consent

In specific situations, we collect and process your data with your consent. For example, when you opt in to receive marketing communications or when you provide information about your neurodiversity type for personalized services.

Contractual Necessity

We process your data when it's necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. For example, when you create an account or subscribe to our services.

Legal Obligation

We process your data when it's necessary for compliance with a legal obligation to which we are subject. For example, we must keep certain records for tax purposes.

Legitimate Interests

We process your data when it's necessary for the purposes of our legitimate interests or the legitimate interests of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. For example, we may use your data to improve our services or for fraud prevention.

For each type of processing activity, we identify and document the appropriate lawful basis. You can find more information about our lawful bases for specific processing activities in our Privacy Policy.

5. Your Data Rights

Under GDPR, individuals have enhanced rights regarding their personal data. At Mosaic, we respect and facilitate these rights:

Right to Be Informed

You have the right to be informed about the collection and use of your personal data. Our Privacy Policy provides clear information about how we process your data.

Right of Access

You have the right to access your personal data and supplementary information. You can request a copy of your personal data by contacting our Data Protection Officer.

Right to Rectification

You have the right to have inaccurate personal data rectified or completed if it is incomplete. You can update most of your personal information directly in your account settings.

Right to Erasure

You have the right to request the deletion of your personal data in certain circumstances. You can delete your account and associated data by contacting our Data Protection Officer.

Right to Restrict Processing

You have the right to request the restriction or suppression of your personal data in certain circumstances. Contact our DPO to exercise this right.

Right to Data Portability

You have the right to obtain and reuse your personal data for your own purposes across different services by contacting our Data Protection Officer.

Right to Object

You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing. You can manage your communication preferences in your account settings.

Rights Related to Automated Decision Making

You have rights related to automated decision making, including profiling. Mosaic does not make solely automated decisions that have significant effects on individuals.

To exercise any of these rights, please contact our Data Protection Officer at hello@trymosaic.co. We will respond to your request within one month. There is no charge for making a request, but we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

6. Data Processing Agreement

When Mosaic processes personal data on behalf of organizations (our customers), we do so as a data processor. In these cases, we enter into a Data Processing Agreement (DPA) with the organization, which acts as the data controller.

Our standard DPA addresses the requirements of GDPR Article 28 and includes:

  • The subject matter and duration of the processing

  • The nature and purpose of the processing

  • The types of personal data and categories of data subjects

  • The obligations and rights of the data controller

  • Subprocessor management and requirements

  • Technical and organizational security measures

  • Audit rights and compliance demonstration

  • Data transfer mechanisms

  • Data breach notification procedures

If you are an organization using Mosaic for your employees and need a DPA, please contact our Data Protection Officer at hello@trymosaic.co.

7. International Data Transfers

Mosaic is based in the United Kingdom and primarily stores data within the UK and European Economic Area (EEA). However, we may transfer personal data to countries outside the UK and EEA to provide our services.

When we transfer personal data outside the UK and EEA, we ensure that appropriate safeguards are in place to protect your data, such as:

  • Adequacy decisions by the European Commission or UK Government

  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK Government

  • Binding Corporate Rules

  • Other appropriate safeguards as required by the GDPR

For more information about our data transfer mechanisms and the countries to which we transfer data, please see our Privacy Policy or contact our Data Protection Officer.

8. Data Breach Procedures

Mosaic has implemented robust procedures to detect, report, and investigate personal data breaches. In the event of a breach that may result in a risk to the rights and freedoms of individuals, we will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach

  • Notify affected individuals directly when the breach is likely to result in a high risk to their rights and freedoms

  • Document all breaches, including the facts relating to the breach, its effects, and the remedial action taken

Our notification will include:

  • A description of the nature of the breach

  • The name and contact details of our Data Protection Officer

  • The likely consequences of the breach

  • The measures taken or proposed to address the breach and mitigate its possible adverse effects

If you become aware of a potential data breach related to your personal data, please contact our Data Protection Officer immediately at dpo@trymosaic.co.

9. Data Protection Officer

Mosaic has appointed a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and implementation to ensure compliance with GDPR requirements. The DPO's responsibilities include:

  • Informing and advising Mosaic and its employees about their obligations under the GDPR and other data protection laws

  • Monitoring compliance with the GDPR and other data protection laws

  • Providing advice regarding Data Protection Impact Assessments (DPIAs)

  • Cooperating with supervisory authorities

  • Acting as the contact point for supervisory authorities on data processing issues

  • Handling data subject rights requests

Our DPO is independent and reports directly to the highest level of management at Mosaic.

10. Contact Us

If you have any questions about our GDPR compliance or wish to exercise your data rights, please contact our Data Protection Officer:

Data Protection Officer: hello@trymosaic.co

If you are not satisfied with our response or believe we are processing your personal data in a way that is not compliant with the law, you can complain to the Information Commissioner's Office (ICO) in the UK or another relevant supervisory authority in the EU.

Information Commissioner's Office (UK)