Privacy Policy

Effective Date: July 1, 2023

Introduction


Mosaic Biodata Inc. ("Mosaic," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our website (https://mosaicbio.io), create an account, or interact with our services.

Important: For genetic testing kit registration and genetic data processing, please refer to our separate Genetic Data Consent Notice, which governs the collection and use of your genetic information.


Incorporated by Reference: This Privacy Policy should be read together with our Terms of Service, Cookie Policy, Kit Order Terms and Conditions, and Genetic Data Consent Notice.


Scope and Applicability


This Privacy Policy applies to all users worldwide and complies with applicable data protection laws, including:

United States:

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

  • Texas Data Privacy and Protection Act (TDPPA)

  • Virginia Consumer Data Protection Act (VCDPA)

  • Colorado Privacy Act (CPA)

  • Connecticut Data Privacy Act (CTDPA)

  • Other applicable state privacy laws

  • Genetic Information Nondiscrimination Act (GINA)

International:

  • EU General Data Protection Regulation (GDPR)

  • UK GDPR and Data Protection Act 2018

  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)

  • Australia's Privacy Act 1988

  • Brazil's Lei Geral de Proteção de Dados (LGPD)

Corporate Information:

  • Incorporated: Delaware, United States

  • Principal Place of Business: Texas, United States

Key Definitions


Personal Information: Information that identifies, relates to, describes, or can reasonably be linked with you, including direct identifiers (name, email, phone number), indirect identifiers (device IDs, IP addresses), and inferred data (preferences, characteristics).


Genetic Information: Whole genome sequencing (WGS) data, including VCF files, genetic variants, and bioinformatics analysis results. Governed by our separate Genetic Data Consent Notice.


Sensitive Personal Data: Genetic and biometric data, health-related information, self-reported traits and lifestyle data, and racial or ethnic origin (where inferred from genetic data).


Processing: Any operation performed on personal data, including collection, storage, use, sharing, and deletion.


What Data We Collect


Personal Identification Information

  • Full name (or chosen pseudonym)

  • Email address (personal or anonymous email services accepted)

  • Phone number (optional)

  • Billing and shipping addresses

  • Account credentials (username, encrypted password)

  • Date of birth (for age verification only)

Payment Information

  • Credit/debit card details (processed by PCI-compliant third-party payment processors)

  • Billing address

  • Transaction history and order details

Usage and Technical Information


Automatically collected:

  • IP address and geolocation (city/region level)

  • Device identifiers and characteristics

  • Browser type, version, and language settings

  • Operating system and hardware information

  • Pages visited, time spent, and navigation patterns

  • Referral sources and search terms

Communication and Support Data

  • Customer support tickets and correspondence

  • Live chat transcripts

  • Phone call recordings (with notice and consent)

  • Feedback submissions

  • Newsletter and marketing preferences

Genetic Information


See Genetic Data Consent Notice for complete details.

Summary: If you purchase and register a genetic testing kit, we receive pseudonymized whole genome sequencing (WGS) data from CLIA-certified laboratory partners. This data is used solely to generate lifestyle reports (nutrition, fitness, sleep, hormones, athletics) as described in the Genetic Data Consent Notice.

Future Capability: We are developing the ability for users to upload VCF files obtained from other genetic testing providers. When this service launches:

  • Separate consent and terms will be required.

  • You will explicitly authorize us to process the VCF file you have uploaded.

  • Additional file format and quality requirements will apply.

  • Advance notice will be provided before launch.

How We Collect Your Data


Directly from you:

  • Account creation and profile setup

  • Kit registration and activation

  • Form submissions and surveys

  • Customer support interactions

  • Marketing communications enrollment

Automatically:

  • Cookies and similar tracking technologies (see Cookie Policy for details)

  • Web analytics tools

  • Server logs and access records

  • Security monitoring systems

From third parties:

  • CLIA-certified laboratory partners (genetic data via encrypted APIs - see Genetic Data Consent Notice)

  • Payment processors (transaction verification)

  • Identity verification services (for account security)

Legal Basis for Processing


We process your personal data based on:


Consent: Explicit agreement for genetic data processing, marketing communications, and analytics cookies.


Contract Performance: Necessary for providing services, account management, order fulfillment, and customer support.

Legitimate Interests: Website functionality, security, fraud prevention, service improvement, and business operations.


Legal Obligation: Compliance with tax laws, regulatory requirements, and valid legal requests.

For Genetic Data Specifically: Always explicit consent, never processed on any other legal basis. See Genetic Data Consent Notice.


How We Use Your Data


Service Provision

  • Generate and deliver purchased lifestyle reports.

  • Manage user accounts and subscriptions.

  • Process orders and payments.

  • Provide customer support.

  • Send service notifications and updates.

Marketing and Communications

With your consent:

  • Send newsletters and educational content.

  • Provide health and wellness tips.

  • Announce new features and services.

  • Share relevant scientific discoveries.

You can withdraw consent and unsubscribe at any time.

Analytics and Improvement

  • Analyze website usage patterns

  • Identify technical issues and optimize performance

  • Develop new features

  • Conduct A/B testing

  • Measure customer satisfaction

Legal and Security

  • Comply with tax and regulatory obligations.

  • Respond to valid legal requests.

  • Prevent fraud and unauthorized access.

  • Maintain data security and system integrity.

  • Conduct internal audits.

Data Storage, Security, and Retention


Security Measures

  • Encryption: AES-256 for data at rest, TLS 1.3 for data in transit

  • Access Controls: Multi-factor authentication, role-based access, principle of least privilege

  • Infrastructure: SOC 2 Type II certified cloud providers

  • Monitoring: 24/7 security monitoring, intrusion detection, DDoS protection

  • Audits: Regular third-party security assessments and penetration testing

Data Residency

Data Storage Location:

  • All Data: Stored in United States data centers (SOC 2 Type II certified)

  • GDPR Compliance: International transfers protected by Standard Contractual Clauses (SCCs)

  • Encryption: AES-256 at rest, TLS 1.3 in transit

  • Access Restriction: No access permitted by foreign adversary entities

Retention Periods

Personal Information:

  • Active accounts: Retained while the account is active

  • Inactive accounts: Deleted after 3 years of inactivity (with prior notice)

  • Financial records: 7 years for tax and compliance purposes

  • Marketing data: Deleted immediately upon opt-out

Genetic Information:

  • Minimum 6 years to support ongoing services and additional reports

  • See Genetic Data Consent Notice for complete retention details.

  • Deleted within 30 days of verified deletion request

Secure Deletion

Upon deletion request:

  • Multi-pass overwriting of storage media

  • Cryptographic key destruction for encrypted data

  • Physical destruction of decommissioned hardware

  • Written confirmation of deletion

Data Sharing and International Transfers


When We Share Data

Service Providers (with Data Processing Agreements):

  • CLIA-certified laboratory partners for genetic analysis

  • Cloud storage providers

  • Payment processors (PCI DSS compliant)

  • Customer support platforms

  • Email and communication services

We Never Share With (without explicit consent or legal requirement):

  • Employers or prospective employers

  • Insurance companies or brokers

  • Marketing companies or data brokers

  • Government agencies (except under valid legal compulsion)

International Data Transfers

For International Users:

Your data is transferred to and stored in the United States. We implement appropriate safeguards for international data protection compliance:

EU/UK Residents (GDPR):

  • Standard Contractual Clauses (SCCs) with cloud infrastructure providers

  • Right to detailed information about safeguards (contact support@mosaicbio.io)

  • Right to object to international transfers

  • Right to lodge a complaint with your supervisory authority

  • Right to delete data at any time

Other Jurisdictions:

  • Compliance with PIPEDA (Canada), LGPD (Brazil), and applicable local laws

  • Appropriate legal mechanisms for data transfers

  • Enhanced security measures for cross-border data protection

Prohibited Transfers:

  • No bulk genetic data transfers to countries designated as "countries of concern"

  • Enhanced review for transfers to countries with inadequate data protection laws

  • In alignment with U.S. government policies regarding bulk-sensitive data transfers

Third-Party Applications

If you choose to share your data with third-party applications:

  • We share only the data you explicitly authorize

  • Third-party apps have independent privacy policies

  • We cannot control how third parties use your data once shared

  • Review third-party terms carefully before sharing

Your Privacy Rights


Universal Rights

All users have the right to:

  • Access: Request a copy of your personal data

  • Rectification: Correct inaccurate or incomplete data

  • Deletion: Request removal of your data ("right to be forgotten")

  • Portability: Receive your data in a structured, machine-readable format

  • Objection: Object to certain types of data processing

  • Restriction: Limit how we process your data

  • Withdraw Consent: Revoke consent at any time

How to Exercise Your Rights

Self-Service Options (available 24/7 through your account):

  • Download your data.

  • Update personal information and preferences.

  • Manage marketing and communication preferences.

  • View data processing history.

  • Request account deletion.

Contact Methods:

  • Email: support@mosaicbio.io with subject "Privacy Rights Request"

  • Mail: Privacy Officer, 919 Congress Ave, Suite 525, Austin, TX 78701, USA

Response Timeline: We respond within 30 days (may extend to 60 days for complex requests under GDPR).

State-Specific Rights (U.S.)

California (CCPA/CPRA):

  • Right to know what personal information is collected

  • Right to delete personal information

  • Right to correct inaccurate information

  • Right to opt out of sale or sharing of personal information (we do not sell data)

  • Right to limit use of sensitive personal information

  • Right to non-discrimination

Texas, Virginia, Colorado, Connecticut, and Other States:

  • Similar rights to access, delete, and correct data

  • Right to opt out of targeted advertising

  • Right to data portability

  • Appeal process for denied requests

EU/UK Rights (GDPR)

Additional Rights:

  • Right to lodge a complaint with the supervisory authority.

  • Right to object to automated decision-making.

  • Enhanced protections for genetic data (Article 9 special category data).

Supervisory Authorities:

  • EU: Irish Data Protection Commission (for EU operations)

  • UK: Information Commissioner's Office

Data Protection Officer: support@mosaicbio.io

International Rights

Canada (PIPEDA):

  • Right to access personal information

  • Right to correct information

  • Right to withdraw consent

  • Complaint process: Office of the Privacy Commissioner of Canada

Australia:

  • Australian Privacy Principles (APP) rights

  • Complaint process: Office of the Australian Information Commissioner

Brazil (LGPD):

  • Comprehensive data subject rights

  • Right to information about data sharing

  • National Data Protection Authority (ANPD) oversight

Cookies and Tracking Technologies


We use cookies and similar technologies for:

  • Essential website functionality

  • Analytics (with consent)

  • Marketing (with explicit consent)

For complete details on cookie types, purposes, and management options, see our Cookie Policy.


Genetic Data Special Protections


Enhanced Protections:

  • Always requires explicit consent

  • Treated as special category personal data under GDPR Article 9

  • Additional security layers and access restrictions

  • Separate consent process distinct from general terms

For complete details, see our Genetic Data Consent Notice, which governs all processing of genetic information.

Non-Discrimination Protections:

  • Compliance with Genetic Information Nondiscrimination Act (GINA)

  • GINA covers employment and health insurance discrimination

  • Note: GINA does not cover life insurance, disability insurance, or long-term care insurance

Risks and Important Considerations


Data Security Risks:

  • No system is perfectly secure; breaches are always possible.

  • Genetic data, even pseudonymized, carries re-identification risks.

  • Data sharing with third parties increases privacy exposure

For complete information about risks related to genetic data, see our Genetic Data Consent Notice.

Our Mitigation Efforts:

  • Industry-leading security measures

  • Data minimization practices

  • Transparent communication about risks

  • User control over data sharing

Children's Privacy


Age Requirements:

  • Services are intended for users 18 years and older

  • We do not knowingly collect data from children under 18

  • Users under 18 must have parent or guardian consent

If We Discover Child Data:

  • Immediate deletion within 30 days

  • Parent notification when feasible

  • Account suspension until proper consent is obtained

Business Transfers


In the event of a merger, acquisition, or asset sale:

  • Privacy protections continue under new ownership.

  • 30-day advance notice to all users via email.

  • You may delete your data before transfer.

  • New owners must honor existing privacy commitments.

  • Per applicable law, genetic data cannot be transferred to foreign adversaries in bankruptcy proceedings.

Law Enforcement and Legal Compliance


Our Policy:

  • Respond only to valid legal demands.

  • Provide the minimum data legally required.

  • Notify users unless legally prohibited.

  • May challenge overly broad or invalid requests.

Annual Transparency Report:

  • Number and types of data requests received

  • Responses to government and legal requests

  • Data breach incidents and responses

Data Breach Notification


Our Response:

  • Immediate assessment and containment (within 24 hours)

  • Investigation and risk evaluation (within 72 hours)

  • User notification when required by law

  • Regulatory reporting as required (GDPR: 72 hours to the supervisory authority)

User Notification Methods:

  • Email to registered address

  • Account dashboard notification

  • Website banner for widespread incidents

  • Postal mail for serious incidents (where addresses are available)

Changes to This Policy


Notification Procedures:

For Material Changes:

  • 60-day advance notice via email

  • Prominent website notice

  • Explanation of changes and their impact

  • Opportunity to delete the account before changes take effect

For Non-Material Changes:

  • Updated policy posted with new "Last Updated" date

  • Brief account dashboard notification

Your Options:

  • Accept changes by continuing to use services

  • Request information about specific changes

  • Modify privacy settings

  • Delete the account and export the data

Contact Information


Privacy Inquiries:

  • Email: support@mosaicbio.io

  • Subject Line: Use "Privacy Policy Inquiry" for faster processing

  • Response Time: Within five business days

Mailing Address:

Mosaic Biodata Inc.
Privacy Officer
919 Congress Ave, Suite 525
Austin, TX 78701
United States

Data Protection Officer (for GDPR inquiries): support@mosaicbio.io

Business Hours: Monday-Friday, 9:00 AM - 6:00 PM Central Time