Privacy Policy

Last updated: April 1, 2026

1. Who We Are and What This Policy Covers

Mosaic Consulting LLC is a strategic advisory firm operating as a fully remote practice. We work with executive leadership teams on organizational strategy, operating model design, and transformation. We serve clients primarily in the French market and across Europe.

This Privacy Policy explains how we collect, use, retain, and protect personal information obtained through our website at consultingmosaic.com and through our professional business relationships. It applies to website visitors, individuals who contact us with inquiries, and people who become or are associated with our clients.

We take privacy seriously, not as a compliance exercise, but as a reflection of how we operate. We collect only what is necessary, use it only for the purposes described here, and do not commercialize it in any way. If you have any questions, our contact details are at the end of this policy.

2. What Information We Collect

Information you provide directly

When you contact us via the website form, by email, or through LinkedIn, you may provide your name, professional title, organization name, email address, and a description of your situation or inquiry. We collect this to respond to you and, if appropriate, to begin an engagement process.

If you subscribe to receive our publications or perspectives, we collect your email address and, optionally, your name and organization, for the sole purpose of sending you those communications.

Information collected automatically

Our website collects basic analytics information including page views, referral source, device type and browser, session duration, and approximate geographic region (country or region level). We use a privacy-respecting analytics tool. We do not use advertising-based tracking technologies, retargeting pixels, or cookies that follow users across websites.

Our web host may automatically collect standard server log information including your IP address, the time and date of your request, and the pages you accessed. This is used for security and infrastructure purposes only and is not linked to your identity.

Information received in the course of an engagement

When we work with a client organization, we may receive personal data about individuals in or connected to that organization. This includes names, titles, contact details, performance information, organizational role and responsibilities, and information shared during interviews, workshops, or diagnostic processes.

In these cases, the client organization is typically the data controller and we act as a data processor or joint controller, depending on the nature of the engagement. The handling of such information is governed by the confidentiality and data protection terms of the client agreement.

What we do not collect

We do not collect sensitive personal data (health, financial account, biometric, or criminal record information), payment card details, national identification numbers, or personal information from children under the age of 16. Our website is not directed at children and we have no reason to believe we receive information from anyone under 16.

3. How We Use Your Information

We use personal information for the following purposes only:

  • Responding to inquiries submitted through our website, by email, or through other channels.
  • Evaluating whether an engagement is appropriate and managing the early-stage relationship process.
  • Delivering advisory services under a client agreement, including all associated project communication, analysis, and deliverable production.
  • Sending publications, articles, or perspectives to individuals who have subscribed to receive them.
  • Improving our website by reviewing aggregated, anonymized analytics data.
  • Maintaining accurate business records and fulfilling legal and contractual obligations.
  • Protecting the security and integrity of our systems and communications.

We do not sell, rent, trade, or license personal data to third parties. We do not use personal information for automated decision-making, profiling, or any purpose unrelated to the above.

4. Legal Basis for Processing (EU/EEA)

For individuals located in the European Union or European Economic Area, we process personal data under the General Data Protection Regulation (GDPR) on the following legal bases:

  • Legitimate interests (Article 6(1)(f)): Responding to business inquiries, maintaining contact with prospective clients, and improving our services. We rely on this basis only where our interests are not overridden by your fundamental rights and freedoms.
  • Contractual necessity (Article 6(1)(b)): Processing necessary to perform a client engagement we have entered into, or to take steps at your request before entering into one.
  • Legal obligation (Article 6(1)(c)): Retaining records required by law, including those necessary for tax, accounting, and corporate compliance purposes.
  • Consent (Article 6(1)(a)): Where you have explicitly opted in, such as subscribing to receive our publications. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

5. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to our legal and contractual obligations. Our standard retention periods are as follows:

  • Website inquiry data (non-engagement): 24 months from the date of last contact, after which it is deleted unless a relationship is ongoing.
  • Client engagement data: 7 years from formal close of the engagement, to satisfy commercial and legal record-keeping requirements. Specific materials may be retained longer where required by applicable law or contract.
  • Publication subscriber data: Until you unsubscribe or we cease publication, plus a 90-day wind-down period.
  • Analytics data: 13 months on a rolling basis, after which it is deleted or fully anonymized.
  • Server logs: 90 days from generation, after which they are automatically deleted.

Where personal data is no longer required, we delete it securely or, where deletion is not technically possible, we anonymize it so that it can no longer be associated with you.

6. Your Rights

If you are located in the EU or EEA, you have the following rights under the GDPR. These rights are not absolute in all circumstances, but we will respond to valid requests promptly and transparently.

  • Right of access (Article 15): You may request confirmation that we hold personal data about you and, if so, a copy of that data along with information about how it is used.
  • Right to rectification (Article 16): You may ask us to correct inaccurate or incomplete personal data we hold about you.
  • Right to erasure (Article 17): You may ask us to delete personal data in certain circumstances, including where it is no longer necessary for the purpose it was collected or where you withdraw consent.
  • Right to restriction of processing (Article 18): You may ask us to limit how we use your data while a dispute about its accuracy or our right to use it is resolved.
  • Right to data portability (Article 20): Where we process your data by automated means on the basis of consent or contract, you may request a machine-readable copy of that data.
  • Right to object (Article 21): You may object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your rights.
  • Rights related to automated decision-making: We do not make decisions about individuals through automated means. This right therefore has limited practical application to our processing.

To exercise any right, contact us at contact@consultingmosaic.com. We will respond within 30 days. We may ask you to verify your identity before acting on a request.

If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with your national supervisory authority. For individuals in France, the relevant authority is the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr. For individuals in other EU member states, the relevant authority is your national data protection regulator.

7. International Data Transfers

Mosaic Consulting LLC is registered in the United States. When we receive personal data from individuals in the EU or EEA, that information may be processed or stored in the United States, a jurisdiction that the European Commission has not recognized as providing an equivalent level of protection to EU data protection law.

Where required, we implement appropriate safeguards for such transfers. For data shared in the context of a client engagement, the client agreement includes data transfer provisions and, where applicable, references or incorporates the Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46 GDPR.

For website inquiry data, transfers are based on our legitimate interests in operating a globally accessible practice and on the practical necessity of handling inquiries centrally. If you would like more information about the specific safeguards applied to your personal data, please contact us.

8. Third-Party Service Providers

We use a small number of carefully selected third-party providers to operate our website and manage our communications. These providers act as data processors on our behalf and are bound by data processing agreements that restrict use of personal data to the services they provide.

The categories of providers we currently use include: website hosting and infrastructure, email communication services, and privacy-respecting analytics. We do not use third-party advertising platforms, social media tracking pixels, customer relationship management systems with external data sharing, or any service that monetizes personal data.

We review our third-party service providers periodically and take reasonable steps to ensure that only those necessary for our operations receive access to personal data.

9. Cookies and Tracking Technologies

Our website uses a minimal set of cookies. We do not use advertising cookies, cross-site tracking cookies, or social media cookies of any kind.

  • Strictly necessary cookies: A small number of session cookies required for the website to function correctly. These are deleted when you close your browser and cannot be disabled without affecting your ability to use the site.
  • Analytics cookies: We use privacy-respecting analytics that may set a first-party cookie to distinguish sessions. This cookie does not contain personal identifiers and is not shared with advertising networks. It is used solely to understand aggregate usage patterns.

Because we use only functional and non-advertising analytics cookies, we do not currently present a cookie consent banner. If our cookie usage changes materially, we will update this policy and introduce appropriate consent mechanisms in line with applicable guidance.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, destruction, or disclosure. These measures include encrypted communication channels (HTTPS), access controls limiting who can view personal data, regular security reviews of our systems and third-party providers, and secure deletion practices for data that is no longer required.

Given the sensitive nature of the strategic engagements we undertake, we treat the security of all client-related information with particular care. Our engagement confidentiality practices go beyond what data protection law strictly requires.

No information system is completely immune to security incidents. In the event of a breach that creates a real risk to your rights and freedoms, we will notify relevant supervisory authorities within 72 hours and, where legally required, inform affected individuals without undue delay.

11. Confidentiality of Client Information

Separate from our data protection obligations, we maintain strict professional confidentiality over all information received in the context of a client engagement. This applies to organizational information, strategic plans, personnel matters, financial information, and any other material shared with us in confidence.

We do not discuss client identities, engagement details, or findings with third parties. We do not use client information as reference material in other engagements without explicit written consent. Our confidentiality obligations persist beyond the conclusion of any engagement and are not subject to a time limit unless a specific exception is agreed in writing.

12. Children's Privacy

Our website and services are directed exclusively at business professionals and organizations. We do not knowingly collect personal information from anyone under the age of 16. If we become aware that we have received personal data from a child under 16, we will delete it promptly. If you believe we may have such information, please contact us immediately.

13. Changes to This Policy

We may revise this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we update the "Last updated" date above. For material changes, we will take reasonable steps to notify affected individuals, such as by placing a notice on our website. We encourage you to review this policy periodically. Your continued use of the website after a policy update constitutes acceptance of the revised terms.

14. Contact and Data Controller Details

Mosaic Consulting LLC is the data controller for personal data collected through this website and in the context of our business relationships. For questions about this policy, to exercise a data right, or to raise a concern, contact us at:

Email: contact@consultingmosaic.com
We will acknowledge your request within 5 business days and respond fully within 30 days.