TryMosaic Privacy Notice

Effective Date: 8 March

Reflective MindApp Ltd | ICO Registration: ZB887508

1. Introduction

This Privacy Notice explains how Reflective MindApp Ltd (trading as TryMosaic, “we”, “us”, or “our”) collects, uses, stores, and protects personal information when you use our workplace adjustments management platform, including the website at https://trymosaic.co and any associated applications (the “Service”).

TryMosaic is a workplace adjustments management platform that enables employees to document workplace needs, managers to respond, and HR teams to maintain a compliant and auditable record of reasonable adjustments under the Equality Act 2010.

Reflective MindApp Ltd is registered in England and Wales under company number 16003951.

Registered office: 7 Chatsworth Road, Bristol, BS4 3EX

Privacy enquiries: hello@trymosaic.co

ICO registration: ZB887508

2. Who is the Data Controller?

Where your employer or organisation uses TryMosaic to manage workplace adjustments:

  • Your employer acts as the Data Controller

  • TryMosaic acts as a Data Processor on their behalf

This means your employer determines the purposes and lawful basis for processing your personal data, and TryMosaic processes that data only in accordance with their instructions.

In some cases, the customer may act as both a Data Controller and a Data Processor on behalf of their own clients. Where this applies, TryMosaic acts as a Sub-Processor. The relevant roles will be set out in the Data Processing Agreement.

3. Information We Collect

We collect the following categories of personal information depending on how you interact with the Service.

Account Information

Name, email address, job title, department, and organisation.

Workplace Adjustment Information

Information relating to disability, health conditions, neurodivergence, and associated workplace adjustment needs, including adjustment requests, manager responses, and HR actions. This may constitute special category data under UK GDPR.

Uploaded Documents

Where you choose to use our optional AI feature, you may upload occupational health reports or similar documentation. Uploading documents is entirely voluntary. We advise you to redact personally identifiable information before uploading if you prefer.

Usage Data

Information about how you access and use the Service, including login times, pages visited, and actions taken within the platform. This data supports audit logging, service security, and platform improvement.

Communications

Any correspondence you send to us, including support requests.

4. Special Category Data

TryMosaic processes special category data (health and disability information) as defined under Article 9 of the UK GDPR.

Lawful Basis

Where employees choose to input information about health, disability, or neurodivergence into the platform, this information is processed:

  • with the employee’s explicit consent within the platform interface, and

  • in support of the employer’s management of workplace adjustments.

Employees are asked to confirm explicit consent when entering or uploading special category data.

Consent may be withdrawn at any time by contacting your employer or TryMosaic. Withdrawal will not affect processing already carried out.

Data Minimisation

Employees are not required to provide more information than they are comfortable sharing. The platform is designed to collect only the information necessary to support workplace adjustments.

5. How We Use Your Information

Personal information may be used for the following purposes.

  • Providing the Service: Processing workplace adjustment requests, enabling manager responses, and maintaining HR records.

  • Maintaining Audit Trails: Recording actions taken within the platform to support employers’ compliance with workplace obligations under the Equality Act 2010.

  • Optional AI Assistance: Where you choose to upload an occupational health report, AI tools may be used to extract relevant workplace adjustment suggestions. This feature is optional and can be bypassed.

  • Administrative Reporting: Generating anonymised or aggregated reports for HR teams. Data used for reporting is stripped of identifying information before processing.

  • Service Improvement: Using anonymised or de-identified data to improve the platform and user experience. Identifiable personal data is never used to train AI models.

  • Communications: Responding to enquiries and providing service-related updates.

6. Lawful Bases for Processing

Under UK GDPR we rely on the following lawful bases.

  • Performance of a contract (Article 6(1)(b)): Processing necessary to deliver the Service under our agreement with your employer.

  • Legitimate interests (Article 6(1)(f)): Maintaining platform security, reliability, and service improvement.

  • Legal obligation (Article 6(1)(c)): Where processing is required to comply with applicable law or regulatory requirements.

  • Explicit consent (Article 9(2)(a)): For processing special category data relating to health or disability.

7. AI Features

TryMosaic includes an optional AI feature that allows users to upload occupational health reports in order to identify potential workplace adjustments.

  • Use of this feature is entirely optional

  • Users may bypass it and manually select adjustments

  • Users are encouraged to redact personally identifiable information before uploading documents

  • Documents are processed transiently to extract adjustment recommendations

  • Uploaded documents are not stored by the AI provider

  • Uploaded data is not used to train AI models

  • Where processing occurs outside the UK, appropriate safeguards are applied including Standard Contractual Clauses and/or the UK International Data Transfer Agreement.

  • We are actively working to migrate AI processing to a UK or EU hosted provider.

8. Data Storage and Security

All personal data is stored at rest in the United Kingdom.

Our primary database is hosted on Google Cloud Firestore in the europe-west2 (London) region, certified to ISO 27001 and SOC 2.

We implement appropriate technical and organisational safeguards including:

  • Encryption of data at rest and in transit (TLS)

  • Role-based access controls following the principle of least privilege

  • Two-factor authentication for administrative access

  • Security monitoring and vulnerability management

  • Audit logging of platform activity

  • An incident response process including GDPR-compliant breach notification

9. Who We Share Your Data With

Personal data may be shared with the following parties where necessary.

Your Employer: Your employer acts as the Data Controller. Authorised HR staff and managers may access relevant adjustment information within the platform.

Sub-processors: We use a limited number of third-party service providers to operate the Service. These providers process data only on our instructions and are contractually required to maintain appropriate security measures. The full list of sub-processors is available in our Data Processing Agreement.

Legal or Regulatory Authorities: Where required by law or regulatory obligation.

We do not sell personal data and do not share personal data with advertisers.

10. International Transfers

All personal data is stored at rest in the UK.

Where processing by a sub-processor occurs outside the UK, appropriate safeguards are applied including Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA).

These safeguards ensure that personal data continues to receive protection consistent with UK GDPR.

11. Data Retention

Where TryMosaic acts as a Data Processor, retention periods are determined by the employer as Data Controller.

Our standard contractual retention period is the life of the contract plus 6 years, aligned with the UK limitation period for contractual claims. Shorter retention periods may be agreed with employers where appropriate.

For trial deployments, all data is deleted at the conclusion of the trial.

Upon termination of a customer agreement, personal data will be deleted or returned within 30 days, unless retention is required by law.

Anonymised data that can no longer be linked to an individual may be retained for service improvement and research.

12. Your Rights

Under UK GDPR individuals have the following rights:

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restriction of processing

  • Right to data portability

  • Right to object

  • Right to withdraw consent

Because employers act as the Data Controller, requests should normally be directed to your employer in the first instance.

You may also contact us at hello@trymosaic.co. We will respond within one month.

13. Cookies

  • Our website and platform use strictly necessary cookies only.

  • These cookies are required for the Service to function correctly, including maintaining secure user sessions, enabling login authentication, and supporting essential platform functionality.

  • These cookies are used solely for security and authentication purposes. They do not track users for advertising, analytics, or behavioural profiling.

  • Because these cookies are strictly necessary for the operation of the Service, they do not require consent under the UK Privacy and Electronic Communications Regulations (PECR).

  • If you disable cookies in your browser, some parts of the Service may not function correctly.

14. Children

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.

15. Changes to This Privacy Notice

We may update this Privacy Notice from time to time. Where changes are significant, we will notify users via the platform or by email.

The most current version will always be available at https://trymosaic.co/privacy.

16. Complaints

If you have concerns about how we handle personal data, please contact: hello@trymosaic.co

If you are dissatisfied with our response you may lodge a complaint with the Information Commissioner’s Office (ICO).

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113

Website: https://ico.org.uk