TryMosaic GDPR Notice

Effective Date: 8 March 2025
Reflective MindApp Ltd | ICO Registration: ZB887508

1. Overview of GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Key GDPR Principles

Lawfulness, fairness, and transparency - Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation - Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data minimization - Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
Accuracy - Personal data must be accurate and, where necessary, kept up to date.
Storage limitation - Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed.
Integrity and confidentiality - Personal data must be processed in a manner that ensures appropriate security of the personal data.
Accountability - The controller shall be responsible for and be able to demonstrate compliance with the GDPR principles.

2. Our Commitment to GDPR

At TryMosaic, we are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. Our preparation for GDPR compliance has included:

- Conducting comprehensive data mapping to identify all personal data we process and the lawful basis for processing it
- Reviewing and updating our data protection policies and procedures
- Implementing technical and organizational measures to ensure data protection by design and by default
- Enhancing our security measures for data protection
- Ensuring all team members understand GDPR requirements and data protection best practices
- Establishing procedures for data subject rights requests
- Implementing data breach detection, investigation, and reporting procedures

We continually review and enhance our compliance program to maintain the highest standards of data protection.

3. Data Processing Principles

TryMosaic adheres to the principles set out in the GDPR. Here's how we apply these principles:

3.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. Our Privacy Policy clearly explains what data we collect, how we use it, and the legal basis for processing.

3.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner that is incompatible with those purposes. If we intend to use data for a new purpose, we will notify you and ensure we have a valid legal basis for the new processing.

3.3 Data Minimization

We collect only the personal data that is necessary for the specific purpose we have communicated to you. We regularly review our data collection practices to ensure we are not collecting excessive information.

3.4 Accuracy

We take reasonable steps to ensure personal data is accurate and up to date. You can update your personal information at any time through your account settings, and we encourage you to notify us of any changes to your personal data.

3.5 Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our Privacy Policy outlines our retention periods for different types of data.

3.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Our security measures include encryption, access controls, regular security assessments, and team awareness of data protection obligations.

3.7 Accountability

We maintain records of our data processing activities and are able to demonstrate our compliance with GDPR principles. We regularly review and update our policies and procedures to maintain compliance.

4. Lawful Basis for Processing

Under GDPR, we must have a valid lawful basis in order to process personal data. TryMosaic relies on the following lawful bases for processing personal data:

Consent

In specific situations, we collect and process your data with your consent. For example, when you provide information about health, disability, or neurodivergence within the platform for the purposes of identifying workplace adjustments.

Contractual Necessity

We process your data when it's necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. For example, when you create an account or when your employer subscribes to our services.

Legal Obligation

We process your data when it's necessary for compliance with a legal obligation to which we are subject. For example, we must keep certain records for tax purposes.

Legitimate Interests

We process your data when it's necessary for the purposes of our legitimate interests or the legitimate interests of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. For example, we may use your data to improve our services or to maintain platform security.

For each type of processing activity, we identify and document the appropriate lawful basis. You can find more information about our lawful bases for specific processing activities in our Privacy Policy.

5. Your Data Rights

Under GDPR, individuals have enhanced rights regarding their personal data. At TryMosaic, we respect and facilitate these rights:

Right to Be Informed

You have the right to be informed about the collection and use of your personal data. Our Privacy Policy provides clear information about how we process your data.

Right of Access

You have the right to access your personal data and supplementary information. You can request a copy of your personal data by contacting us at hello@trymosaic.co.

Right to Rectification

You have the right to have inaccurate personal data rectified or completed if it is incomplete. You can update most of your personal information directly in your account settings.

Right to Erasure

You have the right to request the deletion of your personal data in certain circumstances. You can request deletion of your account and associated data by contacting us at hello@trymosaic.co.

Right to Restrict Processing

You have the right to request the restriction or suppression of your personal data in certain circumstances. Contact us at hello@trymosaic.co to exercise this right.

Right to Data Portability

You have the right to obtain and reuse your personal data for your own purposes across different services by contacting us at hello@trymosaic.co.

Right to Object

You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing. You can manage your communication preferences in your account settings.

Rights Related to Automated Decision Making

You have rights related to automated decision making, including profiling. TryMosaic does not make solely automated decisions that have significant effects on individuals.

To exercise any of these rights, please contact us at hello@trymosaic.co. We will respond to your request within one month. There is no charge for making a request, but we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

6. Data Processing Agreement

When TryMosaic processes personal data on behalf of organisations (our customers), we do so as a Data Processor. In these cases, we enter into a Data Processing Agreement (DPA) with the organisation, which acts as the Data Controller. Our standard DPA addresses the requirements of GDPR Article 28 and includes:

- The subject matter and duration of the processing
- The nature and purpose of the processing
- The types of personal data and categories of data subjects
- The obligations and rights of the data controller
- Subprocessor management and requirements
- Technical and organizational security measures
- Audit rights and compliance demonstration
- Data transfer mechanisms
- Data breach notification procedures

Our Data Processing Agreement and current sub-processor register are available at trymosaic.co/subprocessors.

7. International Data Transfers

TryMosaic is based in the United Kingdom and stores all personal data at rest within the UK. However, we may transfer personal data to countries outside the UK and EEA to provide our services. When we transfer personal data outside the UK and EEA, we ensure that appropriate safeguards are in place to protect your data, such as:

- Adequacy decisions by the European Commission or UK Government
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK Government
- The UK International Data Transfer Agreement (IDTA)
- Other appropriate safeguards as required by the GDPR

For more information about our data transfer mechanisms and the countries to which we transfer data, please see our Privacy Policy or contact us at hello@trymosaic.co.

8. Data Breach Procedures

TryMosaic has implemented robust procedures to detect, report, and investigate personal data breaches. In the event of a breach that may result in a risk to the rights and freedoms of individuals, we will:

- Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- Notify affected individuals directly when the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including the facts relating to the breach, its effects, and the remedial action taken

Our notification will include:

- A description of the nature of the breach
- The name and contact details of our data protection lead
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its possible adverse effects

If you become aware of a potential data breach related to your personal data, please contact us immediately at hello@trymosaic.co.

9. Data Protection Lead

Ryan Hoare, Founder and CEO, acts as the designated data protection lead for TryMosaic. Responsibilities include:

- Overseeing TryMosaic's data protection strategy and ensuring compliance with UK GDPR and the Data Protection Act 2018
- Monitoring data processing activities and maintaining records of processing
- Providing guidance on Data Protection Impact Assessments (DPIAs)
- Cooperating with the ICO on data protection matters
- Handling data subject rights requests

Contact: hello@trymosaic.co

10. Contact Us

If you have any questions about our GDPR compliance or wish to exercise your data rights, please contact:

Data Protection Lead: hello@trymosaic.co

If you are not satisfied with our response or believe we are processing your personal data in a way that is not compliant with the law, you can complain to the Information Commissioner's Office (ICO).

Information Commissioner's Office (UK)