Privacy Policy

MOZAIC PAYMENTS, INC – GDPR COMPLIANT PRIVACY POLICY

This GDPR Compliant Privacy Policy addresses customer data protection as it concerns the use and Processing of Customer Data in connection with the Payment Services, as well as the safeguards that are in place when international data transfers occur (this “Attachment I”). This Attachment I shall have the effective date stated in the Data Retention Policy (the “Agreement”).

This Attachment I applies to any product, service, or other offering where Mozaic Payments, Inc. (“Mozaic”) provides card and/or direct debit processing, gateway and/or fraud protection services (the “Payment Services”) to its consumers or Merchants. This Attachment I shall be considered part of the applicable Data Retention Policy (the “Agreement”) between you (“you” or “Merchant”) and Mozaic Payments, Inc. that governs Mozaic’s Payment Services to you.

In the event there is any conflict between the terms of this Attachment I and the Agreement, the terms of this Attachment I will control. Capitalized terms used but not defined in this Attachment I have the meaning set out in the Agreement.

We may amend this Attachment I from time to time. The revised version will be effective at the time we post it on https://mozaic.io/ (our “website”) unless otherwise specifically stated. If our changes reduce your rights or increase your responsibilities, we will post a notice on our website. If you do not agree with any change or amendment to this Attachment I, you may discontinue your use of the Payment Services.

Definitions

The following terms have the following meanings when used in this Attachment I:

“Controller” means an entity that determines the purposes and means of the processing of Personal Data, or, if such term (or terms addressing similar data protection and privacy roles) is defined in Data Protection Law, “Controller” shall have the meaning as defined in the applicable Data Protection Law including a “Business” as defined in the California Consumer Privacy Act (“CCPA”).

“Customer” means your consumers or customers who use the Payment Services.

“Customer Data” means the Personal Data that

  1. the Customer provides to you and which you pass on to Mozaic through your use of the Payment Services; and
  2. Mozaic may collect from the Customer’s device and browser through your use of the Payment Services.

“Data Protection Laws” means any applicable data protection laws, regulations, directives and regulatory requirements applicable to Mozaic’s provision of the Payment Services, including any amendments thereto and any associated regulations or instruments (e.g., the California Consumer Privacy Act 2018, Cal. Civ. Code § 1798.100 et seq (“CCPA”), the General Data Protection Regulation (EU) 2016/679 (GDPR), the Australian Privacy Act 1988 in the Commonwealth of Australia (Cth), the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap.486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 and the Personal Data Protection Act 2012 (Singapore)).

“Mozaic” means Mozaic Payments, Inc. and all company entities and subsidiaries which Mozaic, or its successor(s), directly or indirectly from time to time owns or controls.

“Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Process” or “Processed” or “Processing” means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.

1. Processing of Customer Data in Connection with the Payment Service

  1. The parties to this Attachment I acknowledge and agree that the Merchant and Mozaic are each independent Controllers in respect of all Customer Data Processed in connection with the Payment Services that Mozaic provides its Customers. As such, Mozaic independently determines the purpose and the means of the Processing of such Customer Data and is not a joint Controller with Merchant with respect to such Customer Data.
  2. The parties acknowledge and agree that Mozaic is permitted to use, reproduce and Process Customer Data and payment transaction data for the following limited purposes:
    1. as reasonably necessary to provide and improve the Payment Services to Merchant and its Customers, including in connection with its fraud protection tools;
    2. to monitor, prevent and detect fraudulent payment transactions and to prevent harm to Merchant, Mozaic, and to third parties;
    3. to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which Mozaic is subject, including applicable anti-money laundering and identity verification obligations;
    4. to analyze, develop and improve Mozaic’s products and services;
    5. internal usage, including but not limited to, data analytics and metrics;
    6. to compile and disclose Customer Data and payment transaction data in the aggregate where your individual or user Customer Data is not identifiable, including calculating your averages by region or industry;
    7. complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
    8. any other purpose of which it notifies Merchant, so long as such purpose is in accordance with Data Protection Laws.

2. Controller Assigned

  1. Mozaic shall comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the Processing of Customer Data under this Attachment I (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the Processing of Customer Data) and shall not knowingly do anything or permit anything to be done with respect to the Customer Data that likely would lead to a breach by Merchant of the Data Protection Laws. Mozaic shall only transfer Customer Data to third parties, sub-processors or members of Mozaic Payments, Inc. who shall sign written agreements which contain terms for the protection of Customer Data, which are no less protective than the terms set out in this Attachment I.

3. Notice to Customers

  1. Merchant shall use commercially reasonable efforts to (i) notify Customers in their privacy policy that Mozaic is an independent Controller for the purpose of Processing Customer Data as described in this Attachment I and (ii) include a link to the Mozaic privacy statement available at Mozaic’s website in Merchant’s privacy policy.

4. Cross Border Data Transfers and GDPR Compliance

  1. The parties to this Attachment I agree that Mozaic may transfer Customer Data Processed under this Attachment I outside the country where it was collected as necessary to provide the Payment Services. If Mozaic transfers Customer Data protected under this Attachment I to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision, Mozaic will ensure that appropriate safeguards have been implemented for the transfer of Customer Data in accordance with applicable Data Protection Laws. See below for a specific example.
    1. For purposes of compliance with the GDPR, we rely on the EU SCCs and Mozaic’s internal binding corporate rules for transfers of Customer Data within Mozaic Payments, Inc.
  2. With respect to your data transfers to Mozaic of your Customers located in the European Union, Switzerland, the European Economic Area, and/or their member states or the United Kingdom, we each agree that (i) to the extent applicable, your signing of the Agreement will be deemed to be signature and acceptance of the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR (“EU Transfer Clauses”) by Merchant, as the data exporter and in the role of controller, and will be deemed to be signature and acceptance of the standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the 2018 Data Protection Act and for the time being in force in the United Kingdom (the “UK Transfer Clauses”), as the data exporter; (ii) to the extent applicable, Mozaic’s signature of the Agreement will be deemed to be signature and acceptance of the EU Transfer Clauses by Mozaic, as the data importer and in the role of controller, and will be deemed to be signature and acceptance of the UK Transfer Clauses, as the data importer; and (iii) the parties shall be subject to the Module 1 provisions of the EU Transfer Clauses. In the event the European Commission or the UK Secretary of State (or other applicable UK authorized body) revises and thereafter publishes new EU Transfer Clauses or UK Transfer Clauses, respectively (or as otherwise required or implemented by the European Commission or the UK Secretary of State (or other applicable UK authorized body)), the parties agree that such new EU Transfer Clauses or UK Transfer Clauses, as applicable, will supersede the present EU Transfer Clauses or UK Transfer Clauses, as applicable, and that the parties agree to take all such actions required to effect the execution of the new EU Transfer Clauses or UK Transfer Clauses, as applicable.
    The EU Transfer Clauses (Module 1) and the UK Transfer Clauses will be incorporated into the Agreement by reference and will be considered duly executed between the parties upon entering into force of this Agreement subject to the following details:
    1. EU Transfer Clauses
      1. option 1 of Clause 17 (Governing law) shall apply and the laws of Luxembourg shall govern the EU Clauses;
      2. in accordance with Clause 18 (Choice of forum and jurisdiction), the courts of Luxembourg will resolve any dispute arising out of the EU Clauses; and
      3. The parties agree that the details required under the EU Transfer Clauses Appendix are as set forth in this Attachment I.
    2. UK Transfer Clauses
      1. Clause II(h)(iii) is incorporated and signature of the Agreement by Mozaic will be deemed the requisite initials from Mozaic as the data importer;
      2. The parties agree that the details required under Annex B of the UK Transfer Clauses are as set forth in this Attachment I (to the extent applicable).

Attachment I

Appendix to the EU Transfer Clauses and Annex B of the UK Transfer Clauses

*The following is applicable, to the extent required, under the EU Transfer Clauses and the UK Transfer Clauses*

Each party agrees to be bound by the terms and conditions set out in this Attachment I Appendix, in exchange for the other party also agreeing to be bound by this Attachment I Appendix. Where this Attachment I Appendix uses terms that are defined in the Approved EU Standard Contractual Clause (SCC) those terms shall have the same meaning as in the Approved EU SCC. The Standard Contractual Clause shall mean the SCC that is set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the appropriate safeguards.

If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws apply.

If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

Any references to legislation (or specific provisions of legislation) mean that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Attachment I Appendix has been entered into.

Annex 1. A. List of Parties

  1. Data Exporter
    1. Name and Address: The data exporter is the Merchant and the address is as provided in the Agreement
    2. Contact person’s name, position and contact details: as provided in the Agreement
    3. Activities relevant to the data transferred under the Standard Contractual Clause: as provided in the Agreement
    4. Signature and date: please see the “Cross Border Transfers” section of this Attachment I
    5. Role (controller/processor): controller
  2. Data Importer
    1. Name and Address: The data importer is Mozaic and the address is as provided in the Agreement
    2. Contact person’s name, position and contact details: as provided in the Agreement
    3. Activities relevant to the data transferred under the Standard Contractual Clause: as provided in the Agreement
    4. Signature and date: please see the “Cross Border Transfers” section of this Attachment I
    5. Role (controller/processor): controller

Annex 1. B. Description of Transfer

  1. Data subjects Whose Personal Data is Transferred
    The Personal Data transferred concern the following categories of data subjects:
    1. The data exporter’s customers, employees and other business contacts
  2. Categories of Personal Data Transferred
    1. The personal data transferred may include the following categories of data: name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status, unique customer identifier, IP address, location, and any other data received by Mozaic under the Agreement.
  3. Sensitive data (if appropriate) and Safeguards
    1. As it concerns international data transfers and the appropriate safeguard, the Approved EU SCC is the governing authority that is adhered to for the purposes of this Attachment I Appendix.
    2. The standard of protection over the personal data and of data subjects’ rights that is required by UK Data Protection Laws when making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR applies.
  4. Nature of the Processing
    As set forth in the Agreement.
  5. Purpose of the Transfer
    The transfer is made for the following purposes:
    1. Performance of the services provided by data importer to data exporter in accordance with the Agreement.
    2. To identify fraudulent activity and risk that is, or may, affect the data importer, the data exporter or other customers of the data importer.
    3. To comply with laws applicable to the data importer.
    4. As set forth in the Data Protection Laws and this Attachment I.

  6. The Period for which the Personal Data will be Retained, or, if that is not Possible, the Criteria Used to Determine that Period
    The data importer only retains the personal data for as long as is necessary with regard to the relevant purpose(s) for which it was collected (please see the purposes above). To determine the appropriate retention period for personal data, the data importer considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which the personal data is processed and whether such purposes can be achieved through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
  7. For Transfers to Sub-Processors, also Specify Subject Matter, Nature and Duration of the Processing
    The data importer may share personal data with third-party service providers that perform services and functions at the data importer’s direction and on its behalf. These third-party service providers may, for example, provide an element of the services provided under the Agreement such as customer verification, transaction processing or customer support, or provide a service to the data importer that supports the services provided under the Agreement such as storage. When determining the duration of the processing undertaken by the third-party service providers, the data importer applies the criteria provided above in this Annex 1.B.

Annex 1.C. Supervisory Authority

In accordance with Clause 13(a) of the EU Transfer Clauses, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated, shall act as the competent supervisory authority.

Annex II. Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

  1. Mozaic’s policies ensure compliance with this principle and require the use of technical controls to prevent the risk of disclosure of personal data. Mozaic employs encryption in transit and at rest for all personal data. Mozaic has comprehensive policies that provide key obligations and processes to protect data when it is transferred within the enterprise and externally with third parties.
  2. Mozaic’s change management process protects the ongoing availability and resiliency of data and systems throughout their lifecycle by ensuring that changes are planned, approved, executed, and reviewed appropriately. The Company’s business continuity management process provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders.
  3. Mozaic regularly tests, plans, executes and reports on the results of the testing program to assess and evaluate the effectiveness of its technological and organizational measures. The program is managed through our enterprise risk and compliance team who work with relevant stakeholders to obtain and evaluate information required for testing, reporting and remediating as necessary.
  4. Mozaic’s internal security policies take into account the global safety requirements necessary to facilitate sound safety and security processes, including physical security, in accordance with applicable laws and requirements. Special emphasis is placed on security systems and safeguards when constructing special or sensitive areas such as mail rooms, equipment storage, shipping and receiving areas, computer/server rooms, communications vaults or classified document/information storage areas in accordance with Mozaic’s information security handling standard.
  5. Mozaic has outlined and defined event logging and monitoring types and attributes. Mozaic’s policies and supporting processes set forth a system configuration that must be implemented across all systems.
  6. Our policies require, through technical controls, that data elements collected and generated are those which are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Mozaic’s privacy impact assessment processes ensure compliance with these policies.
  7. Mozaic’s access and quality policy ensures that all personal data is correct, complete, and up to date, enabling individual users to access the system to correct and modify their particulars (e.g., address, contact details etc.), and, where a request for correction is received from a data subject, to provide a service which delivers their right to correction. Our data governance program monitors data quality, issues and remediations, as necessary. We require that all data be classified according to its business value with assigned retention periods, which is based upon Mozaic’s legal, regulatory, and business recordkeeping requirements. Upon expiration of the retention period, data and information is disposed, deleted, or destroyed.
  8. Mozaic has developed a set of information security, technology, data governance, third party management and privacy policies and principles that are aligned to industry standards and designed to engage stakeholder collaboration and partnership in awareness and compliance with such policies and controls across the organization to ensure participation and accountability from the top down across the organization. Each program defines accountabilities for cross-functional data related decisions, processes and controls.
  9. Mozaic has programs in place to ensure data subject rights are fulfilled, including access, correction and erasure. Data erasure requests are fulfilled unless Mozaic has a legal or regulatory obligation or other legitimate business reason to retain the data. Mozaic’s policies ensure that erasure occurs throughout the customer lifecycle.
  10. The parties do not need the consent of any third party to make changes to this Attachment I Appendix, but any changes must be made in accordance with its terms.

Registering for an account is an optional service provided in order to receive access to the platform services provided by Mozaic. Some of the Personal Information we will ask you to provide is required in order to create your account.

This is the Personal Information that is provided by you or collected by us to enable you to login and/or access your account and our platform services. This includes your name, phone number, and email address and may include your employer and occupation.

How We Use Information

  • To provide, maintain, personalize, and improve our Services.
  • To respond to your questions and requests.
  • To create, maintain, and personalize your account with us.
  • To provide customer support.
  • To notify you about changes to our Services.
  • To allow you to participate in interactive features of our Services.
  • To contact you with newsletters, marketing or promotional materials and other information that may be of interest to you.

This is the Personal Information provided by you to enable you to request a demo, access, or other information on your own behalf or on behalf of your employer concerning certain services provided by Mozaic. In order to request a demo, this Personal Information includes your name, email address, and company name. In order to request access to certain services, this Personal Information may include your name, email address, job title, your distributor’s name, average earnings per month from your distributor, Spotify artist profile link or similar streaming platform links, and social media platform links.

How We Use Information

  • To respond to your questions and requests.
  • To provide customer support.
  • To provide our Services.
  • To contact you with promotional information that may be of interest to you.

We may collect Personal Information if you elect to set up receipt of payments through our Services. The exact Personal Information will vary depending on the payment method and the country in which you are located but may include information such as:

  • Name
  • Bank account number and/or credit or debit card type, expiration date, and your card number
  • Last 4 digits of your social security number
  • Date of birth
  • Billing address
  • Postal code
  • Phone number

We may also collect information concerning the services purchased or considered, or other purchasing or consuming histories or tendencies.

How We Use Information

  • To process payments and provide you with the products and services purchased.
  • To respond to your questions and requests.
  • To provide customer support.

This includes any information that you choose to provide, whether by phone, email, or web form, to our sales representatives or customer service representatives. Our general contact web form requires your name, company name, job title, email address, and any information you provide in the message box.

How We Use Information

  • To provide, maintain, personalize, and improve our Services.
  • To respond to your questions and requests.
  • To provide customer support.
  • To allow you to participate in interactive features of our Services when you choose to do so.

We may collect such Personal Information when you provide feedback or post on a Forum through our Services, including if you leave a comment on articles posted on the Services.

  • Date of birth
  • Gender
  • State/Region
  • Preferences

How We Use Information

  • To provide, maintain, personalize, and improve our Services.
  • To provide customer support.
  • To monitor the usage of our Services.
  • To gather analysis and assess trends and interests.

This includes both Personal Information and non-personally identifiable data from our affiliates, customers, partners or vendors, data brokers or public sources.

How We Use Information

  • To provide, maintain, personalize, and improve our Services.
  • To monitor the usage of our Services.
  • To gather analysis and assess trends and interests.
  • To provide you with advertising content in which we think you will be interested. As part of this customization, we may observe your behaviors on the Services or on other websites.

If you choose to access, visit, and/or use any of our pages on social media platforms such as Instagram, Facebook, Twitter, or LinkedIn (“Social Media Platforms”), we may receive aggregate information and analysis about visitors’ usage of our pages on such Social Media Platforms. You may choose to provide Personal Information through Social Media Platforms, including without limitation your name, phone number, or address when you communicate with us on the Social Media Platforms, post suggestions or comments for us, or through other such interactions on the Social Media Platforms.

How We Use Information

  • To respond to your questions and requests.
  • To provide customer support.
  • To gather analysis and assess trends and interests.

This can be Personal Information and non-Personal Information that is collected about you when you are using our Services, and this may include:

  • Information about your interactions with our Services, which includes the date and time of any information you enter into our Services and your interactions with other users of our Services and what content or features you interacted with.
  • User content you post to our Services including messages you send through our web forms or Forums and your interactions with our customer service team and other users.
  • Technical data which may include URL information, cookie data, web beacons, pixels, and other tracking technology information, your IP address, the types of devices you are using to access or connect to our Services, unique device IDs, device attributes, network connection type (e.g., WiFi, 3G, LTE, Bluetooth) and provider, network and device performance, browser type, language, and operating system. Further details about the technical data that is processed by us can be found below.

Our Services use cookies, unique identifiers and similar technologies to collect information over time and across different websites when you use or visit our Services. We or our third-party partners use common tracking tools to collect information about the pages you view, the Services functions that you access, and the buttons and icons you click, to remember your login information and Services settings to make it easier and more efficient for you to use our Services, and to provide advertising content that we think may be of interest to you.

Cookies

Cookies are small data files that are downloaded onto your computer or mobile device when you use our Services, which are unique to your device or account. Cookies make it easier for you to use our Services by saving your preferences so that we can use these to improve your next and subsequent visits to our Services. Cookies help us learn which areas of our Services are useful and which areas need improvement.

Cookies may be either persistent or temporary (or session) cookies. A persistent cookie retains user preferences for a particular website, app or service, allowing those preferences to be used in future use sessions and remains valid until its set expiry date (unless deleted by the user before the expiry date). A temporary cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

You can choose whether to accept cookies by changing the settings on your browser or device. For more information regarding your choices with respect to cookies and other tracking technologies, please see “Your Rights and Choices Regarding Your Information” below. However, if you choose to disable this function, your experience with our Services may be impaired and some features may not work as they were intended. When we use cookies or other similar technologies, we may set the cookies ourselves or ask third parties to do so to help us.

Pixels, Web Beacons

We or our third-party partners may use invisible pixels or beacons on our Services to count how many users access or use certain pages, features or content. This information is collected and reported in the aggregate. We may use this information to improve our current Services offerings, develop new products or services, and target information to you that may be helpful and useful to you based upon your use of our Services.

How We Use Information

  • To administer our Services and system.
  • To create, maintain, and personalize your account with us.
  • To provide, maintain, personalize, and improve our Services.
  • To provide customer support.
  • To monitor the usage of our Services.
  • To gather analysis and assess trends and interests.
  • To allow you to participate in interactive features and Forums of our Services.
  • To detect, prevent, and address technical issues and provide customer support.
  • To provide you with advertising content in which we think you will be interested. As part of this customization, we may observe your behaviors on the Services or on other websites.
  • To help monitor the security of our Services.

We use anonymized and aggregated information that may be created or derived from your Personal Information or usage of our Services for purposes that include data analysis, improving our Services, advertising, and developing new features and functionality within our Services.

How We Use Information

  • To provide, maintain, personalize, and improve our Services.
  • To monitor the usage of our Services.
  • To gather analysis and assess trends and interests.
  • To detect, prevent, and address technical issues.
  • To help maintain the safety, security, and integrity of our Services and technology assets.