Privacy Policy

Mosaic & Me Ltd  ·  Effective date: January 2026

1. Introduction

Mosaic & Me Ltd (“we”, “us”, “our”) is committed to protecting the privacy and personal data of everyone who uses our platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Mosaic & Me platform, website at mosaicandme.com, and related services (the “Platform”).

We are the data controller for the personal data processed through the Platform. We are registered with the Information Commissioner’s Office (ICO); our registration number is pending.

Mosaic & Me Ltd is a company registered in England and Wales. Our company registration number is pending.

This Privacy Policy complies with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), the Data (Use and Access) Act 2025 (“DUAA”), and the Privacy and Electronic Communications Regulations 2003 (“PECR”).

2. Data protection officer

We have appointed a data protection contact who can be reached at:

Email: privacy@mosaicandme.com

3. What personal data we collect

3.1 Data you provide directly

Candidate accounts:

  • Full name and contact details (email address, phone number)
  • Employment history, job titles, and career timeline
  • Skills, competencies, and qualifications
  • Education, certifications, and courses
  • Working preferences (location, work arrangement, salary expectations, team size, company size)
  • Cultural preferences and working style (structure, pace, collaboration, risk, hierarchy, direction)
  • Generalist archetype assessment
  • Languages spoken
  • Projects, achievements, and contributions
  • Any other information you choose to add to your Mosaic profile

Company accounts:

  • Contact person name and email address
  • Company name, size, industry, and location
  • Role descriptions, requirements, and qualifications
  • Working style and cultural preferences for roles
  • Team size, management structure, and budget information

Interest registrations (companies without invitation):

  • Full name
  • Email address
  • Company name (optional)

3.2 Data we generate

  • Match scores between candidates and roles
  • AI-generated professional summaries and assessments
  • Seniority assessments based on title, influence, and experience
  • Skill cluster analysis
  • Cultural alignment scores
  • Career journey analysis
  • Company context and culture summaries

3.3 Technical data collected automatically

  • IP address and approximate location (derived from IP)
  • Browser type, version, and operating system
  • Device information
  • Pages visited, time spent, and navigation patterns
  • Referral source
  • Cookie and similar technology data (see section 11)

4. How we use your personal data

We process your personal data for the matching algorithm, and the user controls what is shown to the company.

Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests do not override your rights and freedoms. You may request details of these assessments by contacting us.

5. Automated decision-making and AI processing

5.1 How we use AI

The Platform uses artificial intelligence and automated processing to:

  • Analyse skills from candidate profiles to generate skill clusters
  • Generate match scores between candidates and roles
  • Create professional summaries and seniority assessments
  • Assess cultural alignment between candidates and companies
  • Identify strengths, areas to explore, and gaps in candidate-role fit

5.2 Human oversight

Match scores and AI-generated assessments are designed to assist, not replace, human decision-making. Companies make all hiring decisions. Candidates are never automatically rejected or progressed based solely on automated processing.

5.3 Your rights regarding automated processing

Under the UK GDPR (as amended by the DUAA), you have the right to:

  • Be informed that automated processing is being used.
  • Request meaningful information about the logic involved in automated decisions.
  • Request human intervention or review of any automated decision that significantly affects you.
  • Express your point of view and contest any automated decision.

To exercise these rights, contact us at hello@mosaicandme.com.

6. Who we share your data with

6.1 Candidate data shared with companies

When a candidate is matched with a company role, the company may see:

  • Your Mosaic profile (skills, experience, achievements, working preferences)
  • Match scores and alignment assessments
  • AI-generated summaries and seniority assessments
  • Career journey and education details

Companies do not see your full name or direct contact details until you have mutually expressed interest or progressed to an agreed stage.

6.2 Company data shared with candidates

Candidates may see:

  • Company name, industry, size, and location
  • Role descriptions, requirements, and working arrangements
  • Cultural alignment comparisons
  • Match scores

6.3 Third-party service providers

We may share personal data with trusted third-party service providers who assist us in operating the Platform, including:

  • Cloud hosting and infrastructure providers
  • Email and communication service providers
  • Analytics and performance monitoring tools
  • Payment processors (for company subscriptions)
  • Customer support tools

All service providers are bound by data processing agreements that require them to process personal data only on our instructions and in compliance with UK data protection law.

6.4 Legal and regulatory disclosures

We may disclose personal data where required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of Mosaic & Me Ltd, our users, or others.

6.5 Business transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.

7. International data transfers

We primarily store and process personal data within the United Kingdom. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including:

  • UK adequacy regulations (transfers to countries deemed adequate by the Secretary of State)
  • UK International Data Transfer Agreements (UK IDTAs) or UK Addendum to EU Standard Contractual Clauses
  • Other lawful transfer mechanisms recognised under UK data protection law

You may request details of the safeguards applied to any international transfer by contacting us.

8. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

When personal data is no longer required, it is securely deleted or anonymised so that it can no longer be linked to you.

9. Your rights

Under UK data protection law, you have the following rights:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request that we correct inaccurate or incomplete personal data.
  • Right to erasure: You may request that we delete your personal data, subject to legal retention requirements.
  • Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format.
  • Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Right not to be subject to solely automated decisions: You may request human intervention in respect of automated decisions that produce legal or similarly significant effects.
  • Right to complain: Under the DUAA, you have the right to complain directly to us about our handling of your personal data. We will acknowledge your complaint within 30 days.

To exercise any of these rights, contact us at hello@mosaicandme.com. We will respond to your request within one calendar month. In complex cases, we may extend this by a further two months, but we will inform you of any extension within the first month.

There is no fee for exercising your rights unless a request is manifestly unfounded or excessive.

10. Data security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls and authentication requirements
  • Regular security assessments and vulnerability testing
  • Staff training on data protection and security
  • Incident response procedures
  • Secure data backup and disaster recovery

No method of transmission or storage is completely secure. If you become aware of a security vulnerability or breach, please notify us immediately at hello@mosaicandme.com.

11. Cookies and tracking technologies

11.1 What cookies we use

We use cookies and similar technologies to operate the Platform, remember your preferences, and understand how you use our services.

  • Strictly necessary cookies: Required for the Platform to function. These do not require consent.
  • Analytics cookies: Used to understand how visitors use the Platform, helping us improve performance and user experience. Under the DUAA amendments to PECR, analytics cookies that pose a low risk to privacy and are used solely for statistical purposes may be placed without consent, provided we give you clear information and a prominent opt-out mechanism.
  • Functional cookies: Used to remember your preferences and enhance your experience. Under the DUAA, functional cookies that enhance website appearance or user experience may be placed without consent, provided we inform you and offer an opt-out.
  • Marketing cookies: We do not currently use marketing or advertising cookies. If this changes, we will update this policy and obtain your consent.

11.2 Managing cookies

You can manage cookie preferences through our cookie settings or through your browser settings. Disabling strictly necessary cookies may affect the functionality of the Platform.

11.3 Third-party cookies

Some third-party services integrated with the Platform may set their own cookies. We are not responsible for third-party cookies. Please refer to the respective third-party privacy policies.

12. Children’s data

The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it as soon as possible.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the Platform. Material changes will be notified to you via email or through the Platform at least 14 days before they take effect. We encourage you to review this policy periodically.

The “Last updated” date at the top of this policy indicates when it was most recently revised.

14. Complaints

If you are not satisfied with how we handle your personal data, you have the right to:

  • Complain directly to us at hello@mosaicandme.com. We will acknowledge your complaint within 30 days and provide a substantive response without undue delay.
  • Lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk · Telephone: 0303 123 1113 · Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to contact us first so we can try to resolve your concern directly.

15. Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at:

Mosaic & Me Ltd

Data Protection Contact: hello@mosaicandme.com
