Privacy Policy

Last Revised: Sept 10, 2024.

Mosaic Forest Management Corporation, timberland manager for TimberWest Forest Corp., Island Timberlands LP, and their respective subsidiary, parent and affiliated companies (collectively, “Mosaic”, “us”, “our” or “we”) value your privacy and care about the treatment of your personal information.

I. SCOPE – How does this Privacy Policy Apply?

This Privacy Policy (“Policy”) describes the personal information we may collect, use, disclose and otherwise process about individuals, as well as our personal information handling practices and the rights individuals have regarding their personal information. This Policy applies to visitors to our main website www.MosaicForests.com, as well as our affiliate website at BigCoastForest.com and websites that provide our real estate offerings: Couverdon.com, JubileeHeights.com, and PowellRiverBenchlands.com (each a “Site,” and collectively, the “Sites”). It also applies to:

Current, former, and prospective business partners, customers, vendors and service providers;
Individuals who register for or participate in our events, surveys, research, promotions, and applicable ‎sweepstakes we conduct; ‎
Individuals who subscribe to receive news, information, and marketing communications and ‎materials from us; ‎and
Individuals who communicate or otherwise interact or engage with us through our Sites or services.

Other Notices. Depending on how you interact or engage with us, we may provide you with ‎other privacy notices with additional details about our privacy practices. These additional notices ‎will control to the extent there is a conflict with this Policy. For example, this Policy does not ‎apply to the personal information that we collect and process about job applicants and ‎candidates for employment with us, or to employees or contractors in the context of our working ‎relationship with them.‎

In addition, this Policy does not apply to any personal information that is exempt under applicable privacy laws.

Additional Information and Rights. For additional information regarding the processing of personal information, including regarding the privacy choices you have regarding your personal information, review [Section VIII. Your Personal Information Rights] below, as well as [Section XII. Additional Information for Residents in Certain Jurisdictions], which includes additional information about privacy rights for residents of certain jurisdictions, including in residents located in the United Kingdom (“UK”), European Economic Area (“EEA”), and California. If these regions are applicable to you, please ensure you read the additional information provided therein along with the main body of this Policy. If you are a California resident, please see [Section XII.B Additional Information for California Residents] below for more information pursuant to California privacy laws.

By providing your personal information to us, you understand that our processing of personal information is subject to and you acknowledge this Policy. And you authorize Mosaic, its third parties and service providers to process your personal information (to the extent local privacy laws require and/or allow) for the purposes set out in this Policy or otherwise disclosed to you.

II. COLLECTION OF PERSONAL INFORMATION - What personal information do we collect?

For the purposes of this Policy, “personal information” is information about an identifiable individual or natural person and that directly or indirectly allows that person to be identified. For the purposes of this policy, personal information does not include information normally used to contact an individual at their place of business except as required by applicable privacy and data protection law.

Personal Information Collected Directly from You. While the personal information we collect about you ‎varies depending upon your use of our Site or Services and our interactions with you, in general, we may ‎collect the following personal information directly from you:

‎Information that is reasonably required to conduct business with Mosaic or for Mosaic’s operations. Depending on the nature of your business relationship with us, this may include, but is not limited to: name, contact information (e.g. email address, phone number(s), address), preferred means of communication, photograph, employer and job title (e.g., if working on behalf of one of our service providers).
Transactions and Billing Information: We also collect personal information about you in connection with a purchase or payment you submit to us. This may include collection of your name, address, payment method, and other transaction details. We work with third party payment processors and do not collect, receive, process, or store credit card or debit card numbers. Depending upon the Services, we may receive from those vendors your name, email, payment type, product(s) or service(s) purchased, and other transaction details, and we may maintain records of your purchase history.
Information Required to Conduct Real Estate Transactions: We may also collect personal information that is required by regulators for the purpose of real estate transactions, including, but not limited to for the purpose of meeting FINTRAC requirements.
Communications and Interactions. When you email, call, chat, or otherwise communicate or ‎interact with us, including if you sign up for our mailing lists, complete forms on our Services, ‎interact with our social media pages, post a product review or testimonial, submit content ‎in any online discussion groups, or otherwise enter information into public-facing ‎comment fields, blogs, or community forums sponsored by or affiliated with Mosaic, we ‎may collect, process, and maintain records of your contact details, communications and ‎interactions with us and others, including your posts or submissions, information about the nature of your inquiry and our responses and any other information that you choose to provide.
Promotional Information. If you agree to receive marketing communications from us, we ‎may collect your name, email address, phone number, preferences, and if relevant, ‎information about your profile, including the Services, Site and features you use in order to provide you with marketing communications about products and services we think you may like. If ‎you participate in special activities, offers, programs, promotions, or sweepstakes we ‎offer, we may also collect certain contact details, your age, and any other information ‎that may be required by law. If you win a contest, promotion, or sweepstakes, we may ‎also collect certain tax information and/or waivers and releases, depending on the prize ‎and as required by applicable law.‎
Events and Registration Details. We also may collect personal information related to your ‎ participation in our events, as well as other requests that you submit to us related to our ‎Services. For example, if you register for or attend an event that we host or sponsor, we may ‎collect information related to your registration for and participation in such event. ‎
Preferences and Other Requests. We may also collect information about your ‎preferences, including communications preferences, preferences related to your use of ‎our Services, and any other preferences or requests you provide when interacting with us.‎
Business Transfer and Operations Information. To operate our business and assess and pursue potential ‎business opportunities, we may collect, receive, and otherwise process personal ‎information about current, former, and prospective business partners, and vendors and ‎service providers, including contact information, where applicable privacy law considers such contact information to be personal information.‎

Personal Information Collected and Processed Automatically. We may collect and process personal information about how you use our Services and your interactions with us and others, including information we collect automatically (e.g., using cookies and pixel tags), as well as information we derive about you and your use of the Services. Such information includes:

Activity and usage information. When you visit our Site(s) and Services and when you communicate with us, we may collect information, including personal information, about how you interact with us, such as: domain name, pages you accessed and when, date and time of your visit, the links clicked, searches, features used, items viewed, and time spent within (i) Mosaic’s Site(s) including content viewed or downloaded, features used, links clicked, etc. and (ii) social media sites you access via links or plugins on the Site(s). We may also use pixels in HTML emails to understand if you read or open the emails we send to you.
Device and browser information. Like most websites and other Internet services, we may use cookies, log files, pixel tags and other technologies to automatically collect certain technical and device information, including personal information, about you when you interact with our Services, including but not limited to. device ID, internet browser, language, computer operating system used, IP address, general location, domain name of your internet service provider, access times, referring and exiting URLs, and other and similar device and usage information.

Personal Information from Other Sources. Where permitted by applicable law, we may collect personal information about you from third party sources, such as public databases, joint marketing partners, social media platforms or other third parties.

We may receive lead and prospect information from third parties, about prospective customers that may be interested in our Services. We may also engage with third parties to enhance or update our customer information and enhance customer profiles.
If you post information about us or engage with us on third party platforms, we may collect personal information about you from that third party platform or account. These third-party platforms and services control the information they collect, share and otherwise process about you. For information about how they may use and disclose your personal information, including any information you make public, please consult their respective privacy policies.

III. PURPOSE FOR COLLECTION, USE AND DISCLOSURE – Why do we collect your personal information?

Mosaic may collect, use and disclose your personal information for the following non-limited purposes:

To administer Mosaic’s provision of, and your payment for, products or services, and real estate purchases that you request from Mosaic;
To communicate with you about your use of the Services, provide troubleshooting and technical support, respond to your inquiries and requests, customer support purposes;
To authenticate your identity;
To operate, customize and improve the quality of the Services, including our Sites, social media sites, advertisements, products and similar on and offline services;
To tailor content and ads we may send or display to you, including to offer location customization and ‎to otherwise personalize your experiences and offerings;
To monitor your compliance with any of your agreements with Mosaic;
To provide you with newsletters promotions, and other similar (electronic) commercial messages as well as information you may be interested in or request from Mosaic;
To improve our Services, for our internal purposes, and for other research and analytical purposes;
To provide information to you regarding Mosaic’s products, services and real estate offerings services or third party products and services, unless you opt-out of receiving that information;
For event planning and management, including registration, attendance, connecting you with other event attendees, and contacting you about relevant events and Services;
To assess and implement (including to negotiate) mergers, acquisitions, reorganizations, bankruptcies, and other ‎business transactions such as financings, and to operate our business and administer our ‎business, accounting, auditing, compliance, recordkeeping, and legal functions;
To conduct financial, tax and accounting audits, audits, and assessments of our ‎operations, including our privacy, security, and financial controls, as well as for risk and ‎compliance purposes. We may also use personal information to maintain appropriate ‎business records and enforce our policies and procedures;
To prevent and protect Mosaic, yourself and others from fraud and error and to safeguard Mosaic’s business interests;
To collect debts owed to Mosaic;
To obtain legal, accounting or other professional advisory advice; and
Otherwise with your consent or as required or authorized by applicable law.

For individuals residing in the UK or EEA, please see additional information on lawful bases in Section XII.A. Additional Information for UK or European Economic Area Data Subjects below.

IV. DISCLOSURE OF PERSONAL INFORMATION - How do we share your personal information?

In order to fulfill the above purposes, Mosaic may disclose your personal information to third parties as required or permitted by law or where required by law, as consented to from time to time by you. The categories of organizations to which Mosaic may disclose personal information include, but are not limited to:

Government agencies;
Insurance companies;
Banks and other financial institutions;
Professionals advising or working on behalf of Mosaic such as lawyers, auditors and consultants;
Vendors and service providers to Mosaic, such as IT support and website hosting, product shipment and order fulfillment facilitators, marketing and ‎marketing research providers, customer support, data storage, data analytics providers: and
Affiliates and business associates of Mosaic, as reasonably required in connection with the operations of Mosaic.

We may also disclose your personal information in the following circumstances:‎

In Support of Business Transfers. If we or our affiliates are or may be acquired by, ‎merged with, or invested in by another company, or if any of our assets are or may be ‎transferred to another company, whether as part of a bankruptcy or insolvency ‎proceeding or otherwise, we may disclose or transfer the personal information we have ‎collected from you with or to the other company in accordance with applicable laws. We ‎may also disclose certain personal information as necessary prior to the completion of ‎such a transaction or other corporate transaction such as a financing or restructuring, to ‎lenders, auditors, and third-party advisors, including attorneys and consultants;
To Meet Compliance and Legal Obligations. We may also disclose personal information to third ‎parties to the extent required by applicable law and legal obligations. For example, we ‎may disclose information in response to subpoenas, court orders, and other lawful ‎requests by regulators, government entities, and law enforcement, or as otherwise required ‎by law or legal process. In addition, we may disclose the names of sweepstakes and ‎contests winners in accordance with applicable law;
Security and Protection of Rights. Where we believe doing so is necessary to protect ‎the Sites, our rights and property, or the rights, property, and safety of others. For ‎example, we may disclose personal information to (i) prevent, detect, investigate, and ‎respond to fraud, unauthorized activities and access, illegal activities, and misuse of the ‎Sites, (ii) situations involving potential threats to the health, safety, or legal rights of any ‎person or third party, or (iii) enforce, detect, investigate, and take action in response to ‎violations of our Terms of Use. We may also disclose personal information related to ‎litigation and other legal claims or proceedings in which we are involved, as well as for ‎our internal accounting, auditing, compliance, recordkeeping, and legal functions; and
Other Disclosures. We may disclose personal information in other ways not described ‎above if you direct us to do so or otherwise consented by you, or as otherwise ‎authorized or required by law.‎

LINKS TO OTHER SITES AND SERVICES

Links to Other Sites and Services. Our Services may contain links to third-party software, websites, applications or Internet resources ‎‎(“Third-Party Services”) that are provided solely for your convenience and information. When you click ‎on one of those links you are leaving our Services and your interaction with these Third-Party Services will be subject to their respective privacy policies and practices, not this Policy. We do not endorse, and cannot take any ‎responsibility or liability for, or control over, those Third-Party Services or their processing of your ‎personal information. We encourage you to read their privacy policies to learn how they process your ‎personal information. ‎

COOKIES, TRACKING AND ANALYTICS

To the extent permitted by applicable law and, where required, with your consent, Mosaic and our third-party providers may use cookies, pixels, clear GIFs/pixel tags, JavaScript, local storage, log files, and other tracking technologies (referred to herein as “cookies”) to collect browsing, activity, device and similar device and usage information within our Services. We may also combine this “usage data” with other personal information we collect about you for the purposes set furth under this Policy.

A “cookie” is a unique, alphanumeric identifier that we transferred to your computer’s hard drive through your web browser for record-keeping purposes and to customize your Mosaic website, or social media site experience. Some cookies can enhance your user experience by, for example, making it easier for you to navigate and log in to our Site(s), saving your preferences and personalizing your online experience), while other cookies are used to support the security and performance of the Services, or allow us to track aggregate and statistical information about user activity within the Services.
“Pixels” (sometimes referred to as tags, pixel tags or clear GIFs) and other technologies are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, pixels are embedded invisibly on web pages. Mosaic may use pixels (also referred to as web beacons, web bugs or pixel tags) in connection with our Services to, among other things, track the activities users of our Services, help us manage content, and compile statistics about usage of our Services. We and our service providers also use clear GIFs in HTML emails to you, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.

Mosaic also uses the information collected via cookies for the purposes of helping to improve its Sites, social media sites and Services.

Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Some of the Services may not work properly if you disable cookies. Most web browsers automatically accept cookies, but you can usually change your browser settings to prevent accepting new cookies, notify you whenever you are sent a new cookie or disable cookies altogether (see the Help portion in the toolbar of your browser). This gives you the opportunity to decide whether or not to accept new cookies or disable cookies. Although you are not required to accept all cookies when you visit our Services, you may be unable to use all of the functionality of the site if you reject certain cookies.

Where required by local laws, we ensure we have your consent before placing any cookies that are not essential/strictly necessary.

Cookies can be first party cookies or third party cookies.

First-party cookies are set by Mosaic. These cookies are primarily used to ensure the technical functionality and security of the website.

Third-party cookies are set by someone other than the website you are visiting, such as by our partners and service providers. We use external platforms to monitor and evaluate the use of the website, e.g. by way of Google Analytics.

There are two types of cookies which last for different lengths of time:

Session cookies are stored for the time you use the Site(s) and are deleted when you close your browser.
Persistent cookies are stored on your device for a certain period or (where earlier) until you manually remove them.

Types of cookies. The types of cookies that Mosaic uses are set out in Cookie Preference Centre. You can choose which of these to consent to other than strictly necessary cookies which are required in order for the Site(s) to operate.

Necessary. Mosaic set these types of cookies in response to actions made by you which amount to a request for services, such as setting your (privacy) preferences, remembering items in your shopping cart, logging in or completing forms.
Third Party Performance & Analytics. Mosaic may work with analytics service providers (such as Google Analytics) who use cookies, pixels, and other tracking technologies to collect usage data about our Services and provide us with reports and metrics that help us evaluate usage of our Services and enhance performance and user experiences. To learn more about Google’s privacy practices, please review the Google Privacy Policy at https://www.google.com/policies/privacy/partners/. You can also download the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.

Third-Party Advertising. Mosaic works with third-party ad networks, analytics, marketing partners, and others such as LinkedIn Advertising, Meta Business and Google Ads (“third-party ad companies”) to personalize content and display advertising within our Sites, as well as to manage our advertising on third-party sites. We and these third-party ad companies may use cookies, pixels tags, and other tools to collect browsing and activity information within our Services (as well as on third-party sites and services), as well as IP address, unique ID, cookie and advertising IDs, and other online identifiers. We and these third-party ad companies use this information to provide you more relevant ads and content within our Services and on third-party sites, and to evaluate the success of such ads and content. When you visit our Sites, our third-party ad companies may also use your personal information for their own business purposes, including for the third-party ad-company’s marketing programs.

Cross-Device Use. Mosaic and our third-party service providers may use the personal information we collect about you (whether directly from our Services, through your device(s), or from third party sources) to help us and our third-party service providers identify and associate you with other devices that you use (e.g., a mobile phone, tablet, other computer, etc.). We and our third-party service providers may also use the information we learn about you to serve targeted advertising or personalize content.. To opt-out of cross-device advertising, you may follow the instructions set forth below. Please note, if you opt-out of these targeted advertising cookies, the opt-out will be specific to the web browser, app, or device from which you accessed the opt-out. If you use multiple devices or web browsers or delete your device and/or browser settings, you will need to opt-out each browser or device that you use.

Changing your Cookie Preferences/Opt-Out of Targeted Advertising. We also make available several ways for you to ‎manage your preferences regarding cookies, targeted advertising, and other similar tracking ‎mechanisms within our Services, as set forth below. These settings are generally browser and device specific, which ‎means that you may need to set the preference for each browser and device you use to access ‎our Services. In addition, if you delete or block cookies, you may need to reapply these preferences ‎to each browser and/or device you use to visit the Services.

Cookies Preference Centre. You can use the link above to access the preference centre at any time and change your preference settings for cookies.
Browser Settings You can set your browser to block certain cookies or notify you when a new ‎cookie is set. You can also delete cookies. The “Help” portion of the toolbar on most ‎browsers will tell you how to prevent your device from accepting new cookies, how to ‎have the browser notify you when you receive a new cookie, or how to delete cookies altogether. ‎If you disable certain cookies, you will still be able to browse the Sites, but some ‎features may not function properly or be available to you.‎
Tracking and Profiling Technologies. Notwithstanding any provision to the contrary in ‎this Policy, we ‎will only collect your personal information using technology which allows ‎you to be located, profiled or ‎tracked (i) after having duly informed you of our intent to ‎use such technologies and (ii) if you choose ‎to activate such technologies.‎

V. CROSS-BORDER TRANSFERS

Mosaic may transfer your personal information outside of your jurisdiction of residence fulfill any of the above purposes, including to service providers located in the United States and other jurisdictions outside of Canada who may be subject to applicable disclosure laws in those jurisdictions in accordance with applicable law.

For data subjects residing in the UK or EEA, please see additional information on cross border transfers in Section XII.A. Additional Information for UK or European Economic Area Data Subjects below.

VI. RETENTION

Mosaic generally retains your personal information for the period of time required to meet the purposes for which it was collected, as identified in this Policy, except as otherwise required or authorized by applicable law, after which time your personal information will be destroyed.

For data subjects residing in the UK or EEA, please see additional information on retention timeframes in Section XII.A. Additional Information for UK or European Economic Area Data Subjects below.

VII. SECURITY

We have implemented reasonable precautions aimed to protect the information we collect from ‎loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware ‎that despite our best efforts, no data security measures can guarantee security.‎

Personal information is retained and destroyed by Mosaic in accordance with the applicable laws and its document and data retention practices.

VIII. YOUR PERSONAL INFORMATION RIGHTS

ACCURACY

We strive to maintain your personal information in as accurate as manner as possible. Please contact our privacy officer with any updates.

CONSENT

You have the right to withdraw consent to collect your personal information at any time, subject to limits in applicable law. Withdrawal of consent will not affect the validity or legality of the collection, use or disclosure of your personal information up to the date that you withdraw your consent.

REQUESTS FOR ACCESS OR CORRECTION

You may have a right to access to or request correction of your personal information ‎held by us. ‎These rights are not absolute but subject to limits in applicable law.‎ If you request a correction to your personal information and Mosaic is satisfied on reasonable grounds that there is an error or omission in your personal information, Mosaic will correct the personal information as soon as reasonably possible send the corrected personal information to each third party to whom the personal information was disclosed, all in accordance with applicable law. If we do not correct the information, we will annotate it to show that a correction request was made.

Where a request to access your personal information is refused, we will notify you in writing, ‎document the reasons for refusal ‎and outline further steps which are available to you.‎

Quebec ‎residents also have the ‎right ‎‎to: ‎

Request, in certain circumstances, that we cease disseminating your personal ‎information or to de-‎index any hyperlink that allows access to that personal ‎information by technological means, if ‎such dissemination contravenes applicable ‎law or a court; and ‎
Request that a copy of your personal information that we hold be communicated to ‎you in a ‎structured, commonly used ‎‎technological format, and that this information ‎be communicated ‎to any person or organization authorized by law to collect such ‎information.‎

For data subjects residing in the UK or EEA, please see additional information on data subject rights in Section XII.A. Additional Information for UK or European Economic Area Data Subjects below.

MARKETING COMMUNICATIONS

You may opt-out of marketing communications at any time by following the instructions provided to you in the communication. If you opt-out of marketing communications we may still send you transactional communications.

For data subjects residing in the UK or EEA, please see additional information on Marketing in Section XII.A. Additional Information for UK or European Economic Area Data Subjects below.

IX. CHILDREN

Our Sites are not designed for, or directed at, children under the age of 13 and we do not knowingly collect personal information from individuals in this age group. If you believe we have inadvertently collected personal information about a child, please contact us and we will take steps to delete this data.

X. CHANGES TO THIS POLICY

This Policy is current as of the Last Revised data above and subject to updates from time to time. We will post any changes to this Policy on our Sites, so please check back regularly to review any updates. If we make any changes to this Policy that materially affect how we process the personal information we have previously collected from you, we will endeavor to provide you with advanced notice for example by highlighting the changes on our Sites or notifying you electronically.

XI. CONTACT OUR PRIVACY OFFICER

If you have questions or concerns regarding the application of this Policy you may contact our Privacy Officer via email at privacy@mosaicforests.com, or via mail at Mosaic Forest Management, Suite 2000, 1055 West Hastings Street, Vancouver, BC V6E 2E9.

XII. ADDITIONAL INFORMATION FOR RESIDENTS IN CERTAIN JURISDICTIONS

Additional Information for UK or EEA Data Subjects

The following information is provided to cover processing activities undertaken under the requirements of the General Data Protection Regulation (“GDPR”) and/or UK version of the GDPR (“UK GDPR”) as applicable. If the contents of this Section XII.A. conflict with other sections of the Policy, then the content of this Section XII.A. shall apply.

Personal information for the purposes of the GDPR and/or UK GDPR as applicable includes business contact information. The Controller of your personal information is Mosaic and can be contacted using the contact details set out in the Policy.

LAWFUL BASIS FOR PROCESSING OF PERSONAL INFORMATION

We collect your data and use it for the following purposes on the legal basis set out in the table below:

Purpose for processing	Legal basis
To administer Mosaic’s provision of, and your payment for, products or services, including but not limited to real estate purchases that you request from Mosaic; To monitor your compliance with any of your agreements with Mosaic;	The processing is necessary for the performance of our contracts with you.
To authenticate your identity.	Our legitimate interest in ensuring any correspondence we have is with the correct individual.
To operate, customize and improve the quality of the Sites, social media sites, advertisements, products and service; To tailor content we may send or display on the Sites, including to offer location customization and ‎to otherwise personalize your experiences and offerings.	Our legitimate interest in improving our services and the customer experience and interactions with Mosaic.
To provide newsletters, electronic messages and information you request from Mosaic; To provide other information to you regarding Mosaic’s products and services or third party products and services, unless you opt-out of receiving that information;	Our legitimate interest in sending marketing communications to you.
To assess and implement mergers, acquisitions, reorganizations, bankruptcies, and other ‎business transactions such as financings, and to operate our business and administer our ‎business, accounting, auditing, compliance, recordkeeping, and legal functions; To protect Mosaic, yourself and others from fraud and error and to safeguard Mosaic’s business interests; To collect debts owed to Mosaic; To obtain legal, accounting or other professional advisory advice.	Our legitimate interest in assessing commercial business decisions, obtaining advice and conducting our business in a lawful manner.
To conduct financial, tax and accounting audits, audits, and assessments of our ‎operations, including our privacy, security, and financial controls, as well as for risk and ‎compliance purposes, including in respect of real estate transactions. We may also use personal information to maintain appropriate ‎business records and enforce our policies and procedures.‎	To fulfil our legal obligations.
Otherwise with your consent or as required or authorized by applicable law.	On your consent.

CROSS-BORDER TRANSFERS

Whenever Mosaic transfers your data internationally, we implement appropriate safeguards in accordance with applicable data protection laws including:

The EU Standard Contractual Clauses and additional measures to supplement such clauses as may be required in line with transfer impact assessments we carry out, to prevent interference by public authorities of third countries; and/or
The UK addendum to the EU Standard Contractual Clauses; and/or
By sending to countries that have an adequacy decision by the European Commission under the GDPR and/or the UK’s Information Commissioner Office under the UK GDPR.

You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the EEA or UK as applicable. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.

DATA SUBJECT RIGHTS UNDER THE GDPR AND UK GDPR

In addition to the rights set out in Section VIII. Your Personal Information Rights, where the GDPR and/or UK GDPR is applicable to the processing of personal information, you also have the following additional rights.

You are not required to pay any charge for exercising your rights, although we may charge a reasonable fee if your request is unfounded, repetitive or excessive. We have one month to respond to you (unless you have made a number of requests or your request is complex, in which case we may take up to an extra two months to respond).

Please note that, where we ask you for proof of identification, the one-month time limit does not begin until we have received this. If we require any clarification and/or further information on the scope of the request, the one-month deadline is paused until we receive that information.

REQUEST FOR ERASURE

You can ask us to erase your personal information but only where:

it is no longer needed for the purposes for which it was collected; or
you have withdrawn your consent (where the data processing was based on consent); or
following a successful right to object (see “Restricting or objecting to processing” below); or
it has been processed unlawfully; or
to comply with a legal obligation to which we are subject.

We are not required to comply with your request to erase your personal information if the processing of your personal information is necessary:

for compliance with a legal obligation; or
for the establishment, exercise or defence of legal claims.

There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.

RESTRICTING OR OBJECTING TO PROCESSING

You can ask us to restrict (i.e. keep but not use) your personal information, but only where:

its accuracy is contested (see “Requests for access or correction” above), to allow us to verify its accuracy; or
the processing is unlawful, but you do not want it erased; or
it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where:

we have your consent; or
to establish, exercise or defend legal claims; or
to protect the rights of another natural or legal person.

You can object to any processing of your personal information which has our ‘legitimate interests’ as its legal basis if you believe your fundamental rights and freedoms outweigh our legitimate interests.

Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

DATA PORTABILITY

You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format or you can ask to have it ‘ported’ directly to another data controller, but in each case only where:

the processing is based on your consent or on the performance of a contract with you; an
the processing is carried out by automated means.

COMPLAINTS

You have a right to lodge a complaint with your local supervisory authority about our processing of your personal information. In the UK, the supervisory authority for data protection is the ICO (https://ico.org.uk/). In the EEA, each member state has a regulatory authority to contact. We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.

RETENTION

We maintain and apply a retention schedule with applicable retention timeframes to the personal information we hold. This incorporates required retention timeframes under applicable laws as well as other timeframes which Mosaic has deemed appropriate and proportionate to the processing activity taking place.

Where your personal information is no longer required, we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.

MARKETING COMMUNICATIONS

Where you are a consumer under UK or EEA marketing laws, we require your consent to send you marketing via email or phone about our service and products, other than where communications relate to products or services similar to those you have previously purchased or entered negotiations to purchase. You may opt-out of marketing communications at any time by following the instructions provided to you in the communication. If you opt-out of marketing communications, we may still send you communications about your products and services that you have received from us.

REQUIREMENT TO PROVIDE PERSONAL INFORMATION

Where we require you to provide certain personal information and you do not provide this information to us, we may not be able to fulfil your request and/or provide you with products/services.

AUTOMATED DECISION MAKING

We do not engage in automated decisions about you, but we will notify you if this changes.

B. Additional Information for California Residents

In this Section XII.B., we provide additional information to California residents about the categories of personal information we collect about you and your privacy rights under applicable California privacy laws, as required under California privacy laws including the California Consumer Privacy Act (“CCPA”). This Section does not address or apply to our collection and processing of data that is exempt from CCPA (including publicly available information lawfully made available by state or federal government records or other personal information that is exempt under the CCPA), or information about our employees, personnel, applicants and candidates.

For the purposes of this Section XII.B of the Policy, “personal information” is information that relates to, describes, or is reasonably associated or linked or likable to a specific individual, or identifies an individual.

Categories of Personal Information under the CCPA. While our collection, use and disclosure of personal information varies based upon our relationship and interactions with you, in this Section we describe, generally, how we have collected and disclosed personal information about California residents in the prior 12 months (from the Last Reviewed date above).

The table below identifies, generally, the categories of personal information (as defined by the CCPA) that we may collect about California residents, as well as the categories of third parties to whom we may disclose this information for a business or commercial purpose. In addition to the categories of third parties set forth below, we may disclose personal information to our vendors and services providers and others where required by applicable law.

Categories of Personal Information Collected	Categories of Third Party Disclosures
Identifiers: Such as your name; business or personal address, email address, phone number and other contact information; account name/user ID; IP address and online identifiers; and other unique identifiers.	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries Advertising networks Data analytics providers Internet service providers Operating systems and platforms
In limited circumstances, we may also collect Social Security number, driver’s license number, passport number, tax ID and other government identifiers (such as where necessary to verify identity or comply with our legal obligations).	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries
B. Categories of personal information described in Cal. Civ. Code § 1798.80: Other Personal Information as part of your Customer Record, such as your telephone number, and bank account information, credit card number; account or user name, contact information, and financial or payment information; other information that individuals provide us in order to purchase or obtain our products and services.	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries
C. Characteristics of classifications protected by California and federal law: Such as your age, race, color, national origin, citizenship, religion, physical or mental disability, sex, gender, and sexual orientation.	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries
D. Internet or network activity information: Such as your browsing history, information on your interaction with a website, application, or advertisement, including clickstream data, search history, and information regarding interactions with our Sites, Services or advertisements, and other usage and activity data related to your use of any of our Sites or Services.	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries Advertising networks Data analytics providers Internet service providers Operating systems and platforms
E. Commercial information: Such as records of products or services purchased or consuming histories or tendencies.	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries Advertising networks Data analytics providers Internet service providers Operating systems and platforms
F. Geolocation data: Such as your physical location or movements.	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries Advertising networks Data analytics providers Internet service providers Operating systems and platforms
G. Audio, visual and other electronic data: Such as audio, electronic, visual, thermal, olfactory, or similar information, such as CCTV footage (e.g., collected from visitors to our [stores/offices/premises], photographs and images (e.g., that you provide us or post within the Services) and call recordings (e.g., of customer support calls).	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries Advertising networks Data analytics providers Internet service providers Operating systems and platforms
H. Inferences: Such as inferences drawn from other personal information that we collect to create a profile based on your activities, that reflect your preferences, characteristics, behavior, attitude, and abilities related to the Services.	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries Advertising networks Data analytics providers Internet service providers Operating systems and platforms
I. Sensitive Personal Information: Such as government-issued identifying numbers (e.g. driver’s license, passport, or SSN); [financial account details that allow access to an account, such as credit card number or access code, precise geolocation,]	Advisors and agents Government entities and law enforcement Affiliates and subsidiaries Operating systems and platforms

Sales and Sharing of Personal Information. Under the CCPA, a ‘sale’ is defined broadly to include disclosing or making available personal information to a third party in exchange for monetary compensation or other benefits or value, and ‘share’ broadly includes disclosing or making available personal information to a third party for purposes of cross-context behavioral advertising. As such, while we do not disclose personal information to third parties in exchange for monetary compensation, we may, pursuant to the CCPA, sell or share Identifiers, Customer records, Commercial information, and Internet or network activity information with advertising networks and third-party ad companies, data analytics providers and social networks in order to analyze use of the Services, optimize and develop our products and services, improve and measure our ad campaigns, and reach you with more relevant and personalized ads and content. However, we do not knowingly sell or share personal information about California residents who are younger than 16.

Sources of Personal Information. In general, we may collect the categories of personal information identified in the table above directly from you, automatically, and the following categories of third party sources:

Data analytics providers;
Social networks;
Internet service providers;
Operating systems and platforms;
Government entities;
Third-party and publicly available data sources; and
Business customers

Purposes for Collecting and Disclosing. As described in more detail in Section III [Purpose for Collection, Use and Disclosure], in general, we collect, use, disclose and otherwise process your personal information as set forth in the table above as directed or consent by you and for the following business or commercial purposes:

Provide and administer Services and support;
Communications;
Identity authentication;
Improve our Services, research and analytics;
Customization and personalization;
Monitor compliance;
Marketing and advertising;
Planning and managing events;
Assess, Implement and negotiate business transfers;
Legal proceedings and obligations;
Detection and prevention of fraud;
Security and protection of rights; and
General business and operational support, including financial, tax and accounting audits, legal support, compliance and other audits and assessments of our ‎business operations

Retention. We retain the personal information we collect only as reasonably necessary for which it was collected, such as the purposes described above and under Section IV or otherwise disclosed to you at the time of collection. For example, we will retain transactional data for as long as necessary to comply with our tax, accounting and recordkeeping obligations, as well as an additional period of time as necessary to protect, defend or establish our rights, defend against potential claims, comply with legal obligations and as may otherwise be required by law.

Browser Signals. To the extent required by applicable law, if our Services detect that your ‎browser is transmitting an opt-out preference signal, such as a “global privacy control” (or ‎GPC) signal, we will apply that signal to opt that particular browser on your device out of ‎targeting cookies on our Services. If you come to our Site from a different device or from a ‎different browser on the same device, you will need to apply GPC for that browser and/or ‎device as well.‎

California Residents’ Privacy Rights. In general, California residents have the following rights with respect to their personal information:

Do not sell or share (opt-out). To opt-out of our sale and sharing of their personal information by us, by using our Cookies Preference Centre.
Right to limit use of sensitive personal information. The right to limit the use or disclosure of sensitive personal information to those uses authorized by the CCPA.
Right to deletion. To request deletion of their personal information that we have collected about them and to have such personal information deleted (without charge), subject to certain exceptions.
Right to correct. To request correction of inaccurate personal information that we maintain about them.
Right to know/access. With respect to the personal information we have collected about them in the prior 12 months, to require that we disclose the following to them (up to twice per year and subject to certain exemptions):
- categories of personal information collected;
- categories of sources of personal information;
- categories of personal information about them we have disclosed for a business purpose or sold;
- categories of third parties to whom we have sold or disclosed for a business purpose their personal information;
- the business or commercial purposes for collecting or selling their personal information; and
- a copy of the specific pieces of personal information we have collected about them.

Right to non-discrimination. The right not to be subject to discriminatory treatment for exercising their rights under the CCPA.

Submitting Requests to Know, Correct and Delete. California residents may submit requests to know, correct and delete their personal information through:

Via email to: [privacy@mosaicforests.com]

When you submit a request to know, correct, or delete, we will need to verify your identity before processing your request, which may require us to request additional personal information from you or require you to log in to your account, if you have one. In certain circumstances, we may decline or limit your request, particularly where we are unable to verify your identity or locate your information in our systems, or as permitted by law. Authorized agents may initiate a request on behalf of another individual by contacting us at [privacy@mosaicforests.com]; authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verifies their identity and the authority of the authorized agent.

Requests to Opt-Out of Sales and Sharing. California residents may submit a request to opt out of sales or sharing by us, by:

Using our Cookies Preference Manager. The Preference Centre can be accessed by clicking the “Do Not Sell or Share My Personal Information” or “Cookie Preferences” link in the footer of each of our Sites.
Turning on the Global Privacy Control—or “GPC”—signal through your browser. If our Site(s) detect that your browser is transmitting a GPC signal, we will process that as a request to opt you out of sales and sharing for that browser and device. Please note that if you come back to our Site(s) from a different device or use a different browser on the same device, you will need to opt out (or set GPC for) that browser and device as well.

Rights under California’s Shine-the-Light Law. If you are a California resident and you believe your personally identifiable information has been shared by us with third parties for their own direct marketing purposes or you have general questions about how your information may have been shared for such purposes, you may contact us by requesting a list of the third parties to which we have disclosed personally identifiable information about you for their own direct marketing purposes. You may make one request per year. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. You may request this information in writing by contacting us via the contact details set out in Section XI Contact our Privacy Officer.