Legal
Last updated: 2 March 2026 · Effective date: 2 March 2026
This Privacy Policy describes how Mosaic ("we", "us", or "our") collects, processes, stores, and protects your personal data when you use the Mosaic web application and related services (collectively, the "Service"), accessible at mosaicapp-74sd2y96.manus.space.
The data controller responsible for your personal data is:
This Privacy Policy is issued in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG"), and the German Telecommunications-Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, "TDDDG"). Where applicable, the provisions of the German Telemedia Act (Telemediengesetz, "TMG") also apply.
We collect and process the following categories of personal data:
| Category | Data Points | Purpose |
|---|---|---|
| Account Data | Name, email address, login method, account creation date | Authentication and account management |
| Profile Data | Partner name, relationship start date, cultural backgrounds, languages | Personalisation of content and assessments |
| Assessment Data | Responses to the Cultural Identity Assessment questionnaire | Generating your Cultural DNA profile and personalised recommendations |
| Usage Data | Pages visited, modules completed, features used, session duration | Service improvement, analytics, and personalisation |
| Communication Data | Saved conversation prompts, exercise responses, notes | Providing the Conversation Toolkit feature |
| Subscription Data | Subscription plan, payment status, subscription dates | Managing access to premium features |
| Coaching Data | Booked sessions, coach preferences, session notes | Operating the Coaching Marketplace |
| Technical Data | IP address, browser type, device type, cookies | Security, fraud prevention, and service operation |
We do not collect special categories of personal data (Article 9 GDPR) such as health data, racial or ethnic origin, or religious beliefs, unless you voluntarily provide such information within the assessment or conversation tools, in which case your explicit consent is obtained.
We process your personal data only where a valid legal basis under Article 6 GDPR exists:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and authentication | Performance of a contract | Art. 6(1)(b) |
| Delivering the Service and its features | Performance of a contract | Art. 6(1)(b) |
| Processing subscription payments | Performance of a contract | Art. 6(1)(b) |
| Personalising content based on assessment | Consent | Art. 6(1)(a) |
| Analytics and service improvement | Legitimate interests | Art. 6(1)(f) |
| Security and fraud prevention | Legitimate interests | Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
| Marketing communications (opt-in only) | Consent | Art. 6(1)(a) |
We use your personal data to:
- Provide, operate, and maintain the Mosaic Service, including authentication, content delivery, assessment processing, and coaching marketplace functionality.
- Generate your personalised Cultural DNA profile and relationship recommendations using the information you provide in the Cultural Identity Assessment.
- Process subscription payments and manage your access to premium features.
- Improve the Service through aggregated, anonymised analytics.
- Communicate with you about your account, bookings, and — where you have opted in — relevant updates and content.
- Comply with our legal obligations under German and European law.
We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human review, as defined under Article 22 GDPR. Our AI-powered features (such as personalised advice) are advisory in nature and do not constitute automated decisions.
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
Service Providers: We engage trusted third-party processors to operate the Service, including cloud infrastructure providers, payment processors (Stripe, Inc., operating under a Data Processing Agreement), and authentication services. All processors are bound by contractual data processing agreements (Article 28 GDPR) and may not use your data for their own purposes.
Coaches and Therapists: When you book a coaching session, we share only the information necessary to facilitate that session (your name, contact details, and session notes you choose to share) with the relevant coach. Coaches are bound by confidentiality obligations.
Legal Requirements: We may disclose your data where required by law, court order, or to protect the rights, property, or safety of Mosaic, our users, or the public.
International Transfers: Where data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46 GDPR).
We retain your personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law. Specifically:
- Account and profile data is retained for the duration of your account and deleted within 30 days of account deletion.
- Assessment and conversation data is retained for the duration of your account.
- Subscription and payment records are retained for 10 years in accordance with German commercial and tax law (§ 257 HGB, § 147 AO).
- Technical logs and usage data are retained for a maximum of 90 days.
- Anonymised, aggregated analytics data may be retained indefinitely as it cannot be linked to an individual.
As a data subject under the GDPR, you have the following rights, which you may exercise at any time by contacting us at [email protected]:
| Right | Description | GDPR Article |
|---|---|---|
| Right of Access | Obtain a copy of the personal data we hold about you | Art. 15 |
| Right to Rectification | Correct inaccurate or incomplete personal data | Art. 16 |
| Right to Erasure | Request deletion of your personal data ('right to be forgotten') | Art. 17 |
| Right to Restriction | Restrict processing of your data in certain circumstances | Art. 18 |
| Right to Data Portability | Receive your data in a structured, machine-readable format | Art. 20 |
| Right to Object | Object to processing based on legitimate interests or for direct marketing | Art. 21 |
| Right to Withdraw Consent | Withdraw consent at any time where processing is based on consent | Art. 7(3) |
| Right to Lodge a Complaint | File a complaint with a supervisory authority | Art. 77 |
We will respond to your request within one month of receipt. In complex cases, we may extend this period by a further two months, of which we will notify you. We will not charge a fee for reasonable requests.
You have the right to lodge a complaint with the competent supervisory authority. In Germany, the relevant authority is the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI), or the data protection authority of the German federal state in which you reside.
We use strictly necessary cookies to operate the Service, including session cookies required for authentication. We do not use third-party advertising cookies or tracking pixels. Analytics data is collected in an aggregated, anonymised form.
In accordance with § 25 TDDDG (formerly § 15 TMG), we obtain your consent before placing any non-essential cookies on your device. You may withdraw consent at any time by adjusting your browser settings or contacting us directly.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include encrypted data transmission (TLS/HTTPS), secure server infrastructure, access controls and authentication, and regular security reviews.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, inform affected users without undue delay (Articles 33–34 GDPR).
The Mosaic Service is intended for adults aged 18 and over. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected data from a child under 16 without verifiable parental consent, we will delete such data promptly. If you believe we have inadvertently collected data from a minor, please contact us immediately.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting a prominent notice on the Service or by email. The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.
For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact our data controller: