Privacy Policy

Last updated: 12 April 2025  ·  Effective date: 12 April 2025

1. Who We Are

MosaicEd is operated by Robarts Fox LTD, a company registered in England and Wales.

For the purposes of UK data protection law — including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 — Robarts Fox LTD is the data controller in respect of personal data we hold about you.

Company name: Robarts Fox LTD
Email: hello@mosaiced.co.uk
Data jurisdiction: United Kingdom

2. What Data We Collect

2.1 Account and Organisation Data

  • Name, email address, and job title of staff members who register for or use the platform.
  • Organisation name, type, and address provided during onboarding.
  • Authentication credentials managed securely via Clerk (we do not store passwords ourselves).

2.2 Student Data

As a platform for Alternative Provision settings, MosaicEd processes personal data about pupils on behalf of the schools, academies, or alternative provision providers that use the service (the data processors). This may include:

  • Full name, date of birth, year group, and gender.
  • Attendance records, behaviour incidents, and attainment data.
  • Safeguarding notes and welfare information (where entered by the provision).
  • Session assignments and timetable data.
  • Reward points and merit history.
  • Documents and files uploaded to the platform.

Student data is entered by authorised staff of the educational provision and is processed strictly on their instructions. MosaicEd does not use student data for any purpose other than operating the platform.

2.3 Usage and Technical Data

  • IP address, browser type, and device type.
  • Pages visited, features used, and session duration.
  • Error logs and performance data used to improve the platform.

3. How We Use Your Data

We use personal data for the following purposes, relying on the lawful bases indicated:

Purpose | Lawful Basis (UK GDPR)
Providing and operating the MosaicEd platform | Contract (Art. 6(1)(b))
Authenticating users and managing organisations | Contract (Art. 6(1)(b))
Processing student records on behalf of provisions | Legitimate interests / Contract (Art. 6(1)(f) / (b))
Sending transactional emails (e.g. password reset) | Contract (Art. 6(1)(b))
Improving and securing the platform | Legitimate interests (Art. 6(1)(f))
Complying with legal obligations | Legal obligation (Art. 6(1)(c))
Processing special category data (e.g. safeguarding) | Substantial public interest — education (Art. 9(2)(g))

4. Data Storage and Security

All personal data, including student records, is stored on servers located in the United Kingdom. We use Neon (PostgreSQL) with UK-region hosting. No personal data is transferred outside the UK or EEA without appropriate safeguards.

We implement the following security measures:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Database access is restricted by IP allowlist and role-based permissions.
  • Authentication is handled by Clerk, which is ISO 27001 certified and SOC 2 Type II compliant.
  • All platform access requires authenticated, organisation-scoped sessions.
  • Regular dependency and security audits are performed.

5. Data Retention

We retain personal data only for as long as necessary:

  • Active account data — retained for the duration of your subscription plus 90 days after cancellation to allow data export.
  • Student records — retained for the period required by the educational provision and deleted on account closure, subject to any statutory retention obligations.
  • Audit logs — retained for 12 months.
  • Billing records — retained for 7 years to comply with HMRC requirements.

Upon account termination, you may request a full export of your data within 60 days. After this period, all data is securely deleted.

6. Sharing Your Data

We do not sell, rent, or trade personal data. We share data only with the following categories of recipients:

  • Clerk — authentication and user management (UK/EEA data processing).
  • Neon — database hosting in the UK.
  • Vercel — application hosting and content delivery (UK/EEA edge nodes).
  • Resend — transactional email delivery.
  • Legal authorities — where required by law, court order, or to protect the safety of individuals.

All third-party processors are bound by data processing agreements and are required to handle data in accordance with UK GDPR.

7. Cookies

MosaicEd uses strictly necessary cookies only:

  • Authentication cookies — set by Clerk to maintain your login session. These are essential for the platform to function.
  • CSRF protection tokens — used to prevent cross-site request forgery attacks.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individuals.

8. Your Rights Under UK GDPR

As a data subject under UK law, you have the following rights:

  • Right of access — you may request a copy of all personal data we hold about you.
  • Right to rectification — you may ask us to correct inaccurate or incomplete data.
  • Right to erasure — you may ask us to delete your data where there is no compelling reason to continue processing it.
  • Right to restriction — you may ask us to restrict processing in certain circumstances.
  • Right to data portability — you may request your data in a structured, machine-readable format.
  • Right to object — you may object to processing based on legitimate interests.
  • Rights related to automated decision-making — we do not make automated decisions with legal effects about individuals.

To exercise any of these rights, contact us at hello@mosaiced.co.uk. We will respond within 30 days. There is no charge for exercising your rights.

9. Children's Data

MosaicEd is a professional tool used by educational providers to manage records about pupils in their care. Pupils themselves do not directly access the platform. Student data is entered and managed solely by authorised staff of the educational provision.

We process student data under the instruction of the educational provision, which acts as the data controller for that data. Provisions must ensure they have appropriate legal grounds (including parental consent where required) before entering pupil data into the platform.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify account holders by email and display a notice within the platform at least 14 days before the change takes effect. Continued use of MosaicEd after that date constitutes acceptance of the updated policy.

11. Complaints

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

We would appreciate the opportunity to resolve your concern directly before you contact the ICO — please email us at hello@mosaiced.co.uk first.

12. Contact Us

For any privacy-related queries, data subject requests, or concerns:

Robarts Fox LTD

Email: hello@mosaiced.co.uk