Privacy Policy

Introduction and pledge

This policy applies to all personal information Mosaic receives either via a Mosaic website (Mosaic Publicity Ltd and its brands Mosaic PR & Digital and Mosaic Media Training), or information supplied to Mosaic by an individual or client.

Mosaic PR & Digital is both a data controller (our websites) and data processor (information given to us by our clients). In all cases we are committed to protecting the privacy of personal data. This policy explains how our business, and use any information you provide and the ways in which we protect your privacy. We ask you to read it carefully.

We treat any personal information (which means data from which you can be identified, including your name, address, e-mail address) that you give us, or that we obtain from you/our clients, in accordance with the provisions of the General Data Protection Regulations . Under these regulations we have a legal duty to protect any information we collect from you.

Any amendments to this policy will continue to be in accordance with the provisions of the General Data Protection Regulations. We ask you to check it occasionally to make sure you are aware of the latest version.

Nine Data Protection Principles

Mosaic shall comply with the following 9 Data Protection Principles when processing personal data:

1 Fairness and Transparency: Mosaic will process personal data fairly and provide individuals with information about how and why their personal data is processed.

  • the purposes for which their personal data is processed;
  • the legal basis for processing;
  • any legitimate interests pursued by Mosaic or a third party, if applicable;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from Mosaic access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • the existence of the right to withdraw consent at any time, if applicable;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
    This privacy notice is included in each client engagement letter or service agreement.

Where a client provides personal data of third party data subjects to Mosaic, no notice will have to be provided to those third party data subjects by Mosaic if such information must remain confidential subject to an obligation of professional secrecy. Mosaic will never pass on this data.

2 Lawful Processing: Mosaic will only process personal data, including sensitive personal data, lawfully where it has a valid basis for the processing.

Generally, personal data must not be processed without a legal ground. In the context of Mosaic, personal data are typically processed on the basis of:

  • processing is necessary for the performance of a contract to which the data subject (e.g. the client) is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing necessary for the legitimate interests pursued by a client or Mosaic, except where such interests are overridden by the interests or fundamental rights and freedoms of the data This ground may apply to the processing of the personal data of any third party data subjects whose personal data are provided by the client;
  • a legal obligation to which Mosaic is subject and where compliance with such obligation necessitates the processing of personal data by Mosaic;
  • data subject’s consent, where such consent is procured from the client.

3 Purpose Limitation: Mosaic will only collect personal data for a specific, explicit and legitimate purpose. Any subsequent processing should be compatible with that purpose, unless Mosaic has obtained the individual’s consent or the processing is otherwise permitted by law.

Mosaic will typically process:

  • the personal data of its clients as required for the purposes of providing its professional services and the administration of its client relationships;
  • the personal data of its personnel as required for the administration of personnel;
  • the personal data of its suppliers as required for the administration of its supplier relationships, if applicable; and
  • the personal data of its clients, personnel and suppliers as is necessary in order to comply with its legal obligations.
  • Mosaic will generally not carry out any unsolicited electronic marketing, but to the extent it does, it will have to comply with the law.

4 Data Minimisation: Mosaic will only process personal data that is adequate, relevant and
limited to what is necessary for the purpose for which it was collected.

Mosaic asks that each client ensures that only the minimum necessary personal data is provided in connection with the professional services sought.

5 Data Accuracy: Mosaic takes reasonable steps to ensure personal data is accurate,
complete, and kept up-to-date.

  • Mosaic asks that each client ensures that any personal data provided in connection with the professional services sought is accurate, complete and up to date.
  • Mosaic will endeavour to keep an accurate record of personal data in relation to its clients and personnel.

6 Individual Rights: Mosaic allows individuals to exercise their rights in relation to their personal data, including their rights of access, erasure, rectification, portability and objection.

  • Mosaic will ensure that all Individual Rights Requests are correctly identified and appropriately responded to, subject to any applicable exemptions.


7 Storage Limitation: Mosaic only keeps personal data for as long as it is needed for the purpose for which it was collected or for a further permitted purpose.

  • Mosaic will keep all records as long as required by applicable law or as may be necessary having regard to custom, practice or the nature of the documents concerned.
  • Mosaic will annually clear out and dispose of personal information received from data controllers which is no longer required.
  • Save for personal data included in records which must kept for a prescribed period or preserved permanently in compliance with any legal obligations to which Mosaic is subject, personal data shall be kept for no longer than necessary for the relevant purpose. For example, all personnel records will be kept for no longer than 12 months following the termination of employment or contract, unless a longer retention is required under applicable
  • Data Security: Mosaic uses appropriate security measures to protect personal data.

Mosaic has the following security measures:

Physical security measures

  • confidential documents kept in locked cabinets;
  • reduced access privileges to only those needed;
  • access granted to only such personnel who need to have access in connection with their duties;
  • Mosaic disposes of confidential documents using a cross cut shredder;

Organisational security measures

  • Mosaic vet personnel and suppliers on a continuing basis;
    Mosaic implement non-disclosure agreements – if requested – prior to entering into formalised agreements;
    Mosaic provide training to personnel where appropriate;

Technical security measures

  • firewalls which are properly configured and using the latest software;
  • real-time protection anti-virus, anti-malware and anti-spyware software;
  • unique passwords of sufficient complexity and regular (but not too frequent) expiry;
  • encryption of all portable devices ensuring appropriate protection of the key;
    data backup;

We have implemented reasonable technical and organisational measures designed to secure your personal information from accidental loss and from unauthorised access, use, alteration or disclosure. However, the Internet is an open system and we cannot guarantee that unauthorised third parties will never be able to defeat those measures or use your personal information for improper purposes.

  • Accountability: Mosaic must take steps to comply with, and be able to demonstrate compliance, with the Data Protection Principles.

Mosaic has implemented appropriate governance processes as set out in this policy.

Personal information we collect on our websites

You do not have to give us any personal information in order to use most of the website.

However, if you wish to contact us about a product or service or employment via our enquiry form, subscribe to receive content, request more information or volunteer feedback we may collect the following personal information from you:

  • name, address, phone number and email address; and
  • employment details, employer details

When we request information from you, a statement will appear near or next to that part of the website, where the capture of data occurs, explaining what we need your data for and with a reference to this privacy statement.

In addition, we may automatically collect information about the website that you came from or are going to. We also collect information about the pages of this website that you visit, IP addresses, the type of browser you use and the times you access this website. However, this information is not used to identify you.

When someone visits our websites we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

No user-specific data is collected by either Mosaic or any third party.

We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.

We store the data you use in our contact form for marketing purposes in a digital format.

How we will use your personal information
The personal information we collect via our website allows us to:

  • respond to your enquiry;
  • provide the products and services you have ordered;
  • administer our website and provide customer services;
  • meet legal, regulatory and compliance requirements;
  • gather management information to form statistical and trend analysis;
  • communicate with you;
  • contact you about our products and services which we think might be of interest to you (where we have the appropriate permissions to do so);
  • contact you regarding employment opportunities.

Marketing communications

Where you have given us the appropriate permissions during the registration process to the website/website services (as applicable), we may from time to time contact you by email or telephone or post about our products and services that may be of interest to you.

If at any point, you would like to opt-out of receiving marketing communications from us please email us, stating your preferences, at If requested all your personal data stored will be deleted entirely from our system.

Where your personal data is held

Any information obtained via our website, is held electronically at Mosaic Publicity, Suite 6, Oyster House, Severalls Lane, Colchester, CO4 9PD and via a third party which provides a secure and fully encrypted CRM solution. If requested, all the personal data we hold can be disclosed to you.

Should we discover that our data has been breached you will be notified within 72 hours.

Third parties

We do not sell, trade or rent your information to other parties.

We may employ the services of third party service providers to help us in certain areas, such as website hosting, maintenance and print. In some cases, the third party may receive your information. However, at all times, we will control and be responsible for the use of your information.

We may disclose your information if required to do so by law for information such as a court order, witness summons, or complaint from governmental authorities

Cookie use

Cookies are pieces of data that are often created when you visit a website and are stored in the cookie directory of your computer either temporarily or permanently. We only use cookies to measure how you interact with our site; this does not include any personal information and remains anonymous.

Data Processing Assurance

Mosaic will ensure, by way of training or otherwise, that staff carry out their tasks in a way that will ensure compliance with data protection laws (including GDPR). Each member of staff shall have access to this policy and shall have an obligation to comply with it.

Mosaic will comply with data protection obligations in accordance with its service agreement including, where appropriate, a data processing agreement.

Mosaic shall periodically review this Policy and other policies to ensure that they continue to comply with the relevant legal requirements.


Our website may contain links to other websites. We are not responsible for privacy policies or practices of other websites to which you choose to link from this site. We encourage you to review the privacy policies of those other websites so you can understand how they collect, use and share your personal information.

How to contact us

If you have any questions about this policy or your personal information, please contact us at



Controller A party which determines the purposes and means of the data processing.
Data Any information which is recorded electronically or, where recorded in a manual format (e.g. on paper), is organised by reference to an individual.
Data subject The individual to whom the personal data relates.
Individual Rights Request A request from a data subject in respect of their personal data, e.g. to access, erase, or rectify their personal data, or object to its processing.
Personal data Any data relating to an identified or identifiable natural person. This can include (but is not limited to) names, addresses, email addresses, positions held, photographs, job applications, personnel files and correspondence to and from an individual.
Personnel All employees of Mosaic at all levels.
Processing Any operation performed on personal data, such as collection, recording, storage, retrieval, use, combining it with other data, transmission, disclosure or deletion.
Processor A party processing personal data on behalf of a controller, under the controller’s instructions.
Supplier Any external vendor, supplier, consultant or similar third party engaged to provide services to Mosaic.