Privacy Policy

Mosaic Singularity Inc. ("Mosaic Singularity," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect personal information that we obtain through www.mosaicsingularity.com (the "Site"). It also explains your rights and how to contact us about them.

We are accountable for the personal information under our control. This Privacy Policy applies to the Site only. Use of the Heart Beat Agents platform is governed by a separate Data Processing Addendum executed between Mosaic Singularity and a customer organization.

1. Identity of the Data Controller

The data controller responsible for personal information collected through the Site is:

Mosaic Singularity Inc.
201 King Street
London, Ontario, N6A 1C9
Canada
Federally incorporated under the Canada Business Corporations Act

2. Privacy Officer

Pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Act respecting the protection of personal information in the private sector (Law 25), we have designated a Privacy Officer who is accountable for our compliance with privacy law and this Privacy Policy. The Privacy Officer is the Chief Operating Officer of Mosaic Singularity Inc., and may be contacted at:

Email: legal@mosaicsingularity.com
Mail: Privacy Officer, Mosaic Singularity Inc., 201 King Street, London, Ontario, N6A 1C9, Canada

3. Personal Information We Collect

3.1 Information You Provide

When you submit a contact, demo, partner, or career form on the Site, we collect the information you provide, which may include your name, email address, telephone number, organization, role, country, language preference, and any message or context you choose to include.

3.2 Information Collected Automatically

When you access the Site, we and our service providers may automatically collect certain technical information, including your IP address, device and browser characteristics, referring URL, pages and content viewed, time on page, scroll depth, language, and approximate geographic region inferred from IP address. Automated collection beyond what is strictly necessary for the Site to function occurs only with your consent, as described in Section 8.

3.3 Cookies and Similar Technologies

We use cookies and similar technologies as described in our Cookie Policy.

3.4 Sensitive Personal Information

We do not knowingly collect Protected Health Information (PHI), payment card information (PCI), biometric identifiers, government-issued identifiers, or information about racial or ethnic origin, religious beliefs, genetic data, sexual orientation, or other categories regarded as sensitive under applicable law, through the Site. Please do not submit such information to us through the Site.

4. Why We Collect Personal Information

We use personal information for the following purposes:

• to respond to your inquiries, demo requests, and partnership applications;
• to operate, maintain, secure, and improve the Site;
• to measure aggregate engagement and content performance, with your consent;
• to communicate with you about Mosaic Singularity, our products, and our research, where you have opted in;
• to comply with legal, regulatory, and contractual obligations and to enforce our Terms of Use;
• to detect, investigate, and prevent fraud, abuse, security incidents, and violations of our policies.

5. Legal Bases for Processing

In jurisdictions that require a legal basis (including the European Economic Area, the United Kingdom, and Switzerland), we rely on the following bases under Article 6 of the GDPR and equivalent provisions of UK GDPR and the Swiss Federal Act on Data Protection:

• Consent for analytics, marketing, and other optional processing, including cookies and similar technologies;
• Legitimate interests in operating, securing, and improving the Site, in responding to inquiries, and in protecting our rights, where those interests are not overridden by your rights and freedoms;
• Performance of a contract or steps prior to entering a contract where you request information about our products or services;
• Compliance with a legal obligation, where applicable.

In Canada, we process personal information with your knowledge and consent, which may be express or implied depending on the sensitivity of the information and the circumstances, in accordance with PIPEDA and Quebec Law 25. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

6. How We Share Personal Information

We do not sell personal information. We share personal information in the limited circumstances described below.

6.1 Service Providers

We engage service providers (sub-processors) that perform functions on our behalf. They are bound by contract to use personal information only for the services we request and to maintain appropriate safeguards. Our current sub-processors are:

• Amazon Web Services, Inc. (cloud hosting, content delivery, and related infrastructure; processed in Canada and the United States);
• Google LLC (Google Analytics 4 and Google Tag Manager, used only with your consent for measurement; processed in the United States and other jurisdictions where Google operates).

We will update this list when we add or change material sub-processors.

6.2 Legal and Compliance

We may disclose personal information when we believe in good faith that disclosure is necessary to comply with applicable law, a lawful request from a public authority, or legal process; to enforce our Terms; to protect the rights, property, or safety of Mosaic Singularity, our users, or others; or to investigate or prevent fraud or security issues.

6.3 Business Transfers

We may disclose personal information in connection with the evaluation or consummation of a merger, acquisition, financing, restructuring, or sale of all or part of our assets, subject to confidentiality obligations and applicable law.

6.4 With Your Consent

We may share personal information for any other purpose with your consent.

7. International Data Transfers

Mosaic Singularity is based in Canada. The personal information we collect may be transferred to, stored, processed, or accessed in jurisdictions other than the one from which you provide it, including Canada, the United States, and other countries where our service providers operate. The data protection laws of those jurisdictions may differ from the laws of your jurisdiction.

Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland, we use appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the equivalent Swiss approach, together with supplementary measures where required.

Where we transfer personal information from Quebec to a jurisdiction outside Quebec, we conduct privacy impact assessments and apply contractual and technical safeguards as required under Quebec Law 25.

8. Cookies, Consent, and Choice

We use cookies and similar technologies as described in the Cookie Policy. Optional cookies, including analytics cookies, are not loaded until you grant consent through our cookie banner. You can change your choice at any time using the controls described in the Cookie Policy.

We honor recognized opt-out signals, including the Global Privacy Control (GPC) signal where required by applicable law.

9. Retention

We retain personal information only as long as necessary for the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements. Indicative retention periods are:

• Inquiry and contact submissions: up to 24 months from your last interaction, unless a longer period is required for legal or contractual purposes;
• Analytics records: up to 26 months as configured in Google Analytics 4;
• Consent records: up to 5 years from collection, to demonstrate lawful basis where applicable;
• Security and audit logs: up to 12 months, longer where required to investigate or document an incident.

When personal information is no longer needed, we securely destroy, erase, or anonymize it in accordance with our records-retention schedule.

10. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, disclosure, copying, use, or modification. Measures include encryption of personal information in transit, restricted and audited access to systems, separation of production and non-production environments, principle of least privilege, vendor due diligence, and ongoing security monitoring. While we work toward and benchmark against recognized frameworks such as SOC 2, we do not represent that we hold a current certification unless expressly stated. No system is perfectly secure, and we cannot guarantee absolute security.

11. Your Rights

Depending on the jurisdiction in which you are located, you have one or more of the following rights with respect to your personal information. To exercise any right, contact our Privacy Officer at legal@mosaicsingularity.com. We will respond within the time periods required by applicable law and may need to verify your identity before acting on your request.

11.1 Universal Rights

• Right to access the personal information we hold about you;
• Right to correct or rectify inaccurate or incomplete information;
• Right to request deletion or erasure of personal information, subject to legal exceptions;
• Right to withdraw consent where processing is based on consent;
• Right to file a complaint with the relevant regulator.

11.2 Canada (PIPEDA and Quebec Law 25)

You may request access to and correction of your personal information. You may also request information about our policies and practices and the names of any third parties to whom personal information has been disclosed. Quebec residents may also request that we cease the dissemination of personal information or de-index a link providing access to personal information where dissemination causes serious harm. You may file a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) or, for Quebec residents, the Commission d'accès à l'information du Québec (www.cai.gouv.qc.ca).

11.3 European Economic Area, United Kingdom, and Switzerland

You have the rights of access, rectification, erasure, restriction of processing, data portability, and objection, including objection to processing based on legitimate interests. You also have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you. You may lodge a complaint with the supervisory authority of the EU Member State, the United Kingdom, or Switzerland in which you reside, work, or believe a violation occurred.

11.4 California (CCPA / CPRA)

California residents have the right to know what personal information we collect, use, disclose, and (where applicable) sell or share; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; the right to limit the use and disclosure of sensitive personal information; and the right not to be discriminated against for exercising these rights.

We do not sell or share personal information as those terms are defined under the CCPA/CPRA. To exercise California rights, contact our Privacy Officer using the details above. You may also designate an authorized agent to make a request on your behalf, subject to verification.

11.5 Other United States Jurisdictions

Residents of jurisdictions with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others as enacted) have rights of access, correction, deletion, portability, and opt-out from targeted advertising, sale, and certain profiling activities. Contact our Privacy Officer to exercise these rights.

12. Automated Decision-Making

We do not use the personal information collected through the Site to make decisions based solely on automated processing that produce legal or similarly significant effects on you. Automated processing of customer data on the Heart Beat Agents platform, where applicable, is described in the Data Processing Addendum executed with the customer organization.

13. Children's Privacy

The Site is intended for users 18 years of age and older and is not directed to children. We do not knowingly collect personal information from children. If you believe we may have collected personal information from a child, please contact the Privacy Officer and we will delete it.

14. Breach Notification

We maintain incident-response procedures and will notify affected individuals and the relevant regulators of breaches involving personal information in accordance with applicable law, including PIPEDA, Quebec Law 25, the GDPR, the UK GDPR, and applicable U.S. state laws.

15. Third-Party Links

The Site may contain links to third-party websites and services that we do not operate. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy notices before providing them with personal information.

16. Updates to this Privacy Policy

We may update this Privacy Policy from time to time. The Effective Date at the top of this document indicates when the policy was last revised. Material changes will be communicated through a banner on the Site or other prominent notice, and where consent is required, we will obtain renewed consent before applying the changes to optional processing.

17. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal information, contact our Privacy Officer:

Privacy Officer (Chief Operating Officer)
Mosaic Singularity Inc.
201 King Street
London, Ontario, N6A 1C9
Canada
Email: legal@mosaicsingularity.com

18. Language

The parties have requested that this Privacy Policy be drawn up in the English language. Les parties ont demandé que la présente politique soit rédigée en langue anglaise.