Privacy Policy

Last updated: September 2022

We are Mosaic Health, a company limited by shares (company number 12748409) based at 85 Great Portland St, London, W1W 7LT.

We manage a healthcare membership fund, with the purpose of providing our members frictionless access to the supplemental healthcare that they need.

This Privacy Notice outlines how we use, share, and store personal data relating to our customers and the users of our website. We decide on the means and purposes for processing this data and this makes us the data controller.

How we collect personal information about you?

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • To enter into a contract for our services
  • To manage our delivery of services to you and your employees
  • To enquire or provide feedback about our services

We may also collect personal information indirectly as follows:

  • We may collect your name, job title and contact details from publicly available sources (eg: LinkedIn), where you have been identified as a potential customer
  • We collect analytics information about your use of our website, where you actively consent to this

The type of personal information we collect

We currently collect and process the following information:

  • Current and prospective customer contact names, job titles and contact details
  • Content of (current and prospective) customer communications including content provided via forms on our website
  • Analytics information on the use of our website, this may include your IP address and device identifiers

How we use personal information and our legal basis for processing

Legitimate Interest – we process information under the legitimate interest legal basis in order to:

  • Provide our services to the company you represent, including to:
    • Manage our arrangement with you and invoice for our services
    • Engage sub-processors to deliver our services to you
    • Address enquiries and feedback about our services
  • Secure future business, by
    • Engaging prospective customers
    • Promoting our services
    • Onboarding customers using our website onboarding form
    • Conducting customer market research
  • Pay our Supplier invoices
  • Provide an effective and responsive service, this includes responding to enquiries and feedback submitted via our website ‘contact us’ form or ‘live chat’
  • Establish, exercise or defend legal claims

Where we rely on legitimate interest as grounds for processing your personal information, we carry out a ‘Legitimate Interest Assessment’ to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests.

Consent – we rely on the consent legal basis to:

  • Use analytics information to understand how our website is being used, this is so we can ensure it continues to meet our customers’ needs

Who has access to your personal information?

We will never sell your personal information or share it for marketing purposes. Your personal information is available to the members of our staff who are involved in distribution – access is limited to those with a genuine business ‘need to know’.

We may share your information with cloud services we use to manage elements of our business, and with sub-processors we engage to deliver our services to you.

Where we do share your information, this is done under strict contract terms that protect your rights and the security of your data. We may otherwise disclose your personal information:

  • If we are under a legal or regulatory obligation to disclose
  • To enforce, apply, or to investigate potential breaches of, our Terms and other agreements
  • To protect the rights, property or safety of Mosaic Health, our customers, or others
  • Where disclosure is required due to a transfer of company ownership

International transfers

  • We may use cloud providers who are based overseas, where this is the case, we undertake a transfer impact assessment and implement appropriate safeguards to protect your data.

How we store and dispose of your personal information

Your information is securely stored on secure Amazon Web Services servers on UK locations.

Where we have a contract with you, we will generally keep your contact information and correspondence for a period of 10 years following contract end. Other data is held for shorter timeframes, for example, website contact us forms are held for 12 months, and prospective customer details are held for 2 years.

When establishing and/or reviewing retention periods, the following is considered:

  • The objectives and requirements of the company
  • The type of personal data in question
  • The purpose(s) for which the data in question is collected, held, and processed
  • The company’s legal basis for collecting, holding, and processing that data
  • The category or categories of data subject to whom the data relates

When the retention period has expired and we no longer need your data, we will dispose of it by securely deleting it from electronic sources and shredding any hardcopy.

Where we engage a sub-processor to support us in delivering your contracted services, they are bound by our retention limits and by strict contract terms to keep your data safe and secure.

What about third-party sites?

Our website may contain links to other independent third-party websites or mobile applications.

These Third-party Sites are not under our control and will provide their own distinct privacy notices. You will need to make your own independent judgement regarding your interaction with any Third-party Sites, including the purchase and use of any services or products accessible through them.

What about third-party tracking?

Mosaic Health uses third party tracking analytics software in order to better understand how users use our product:

  • Hotjar to understand how user are navigating on our site
  • Segment to understand how features are used

What rights do you have?

Under data protection law, you have a number of rights including:

Access - You have the right to ask us for copies of your personal information.

Rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Erasure - You have the right to ask us to erase your personal information in certain circumstances.

Restrict processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Object to processing - You have the the right to object to the processing of your personal information in certain circumstances.

Data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Withdraw consent - You have the right to withdraw your consent where we are relying on this for processing, this will not affect anything that has previously been done under this consent.

You also have rights in relation to automated decision making (including profiling), however Mosaic Health does not undertake any of this type of processing.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact our Data Protection Officer at [email protected] if you wish to make a rights request or query our use of your data.

You also have the right to complain to the Information Commissioner’s Office if you are unhappy with our use of your data or are unsatisfied with our response to a related complaint; see Make a complaint | ICO for more details.

Changes to the privacy notice

This Privacy Notice is reviewed regularly to ensure that it accurately reflects how we use your information. When minor changes are made, we will post the updated Privacy Notice on our website; we will notify existing customers of any substantive changes by email or post.