Our commitment to protecting your data under the General Data Protection Regulation
Last updated: February 2026
Mosco.ai is fully committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and ensuring the highest standards of data protection for all individuals whose personal data we process.
We recognize that data protection is a fundamental right. We have implemented comprehensive technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently; collected for specified, explicit, and legitimate purposes; kept accurate and up to date; stored only for as long as necessary; and protected against unauthorized or unlawful processing, accidental loss, destruction, or damage.
This page describes how Mosco.ai complies with the GDPR and outlines the rights available to data subjects under the regulation.
Under the GDPR, we must have a valid legal basis for each processing activity. Mosco.ai relies on the following legal bases:
Where you have given clear, affirmative consent for us to process your personal data for a specific purpose. This includes consent for marketing communications, non-essential cookies, and optional data collection. You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This includes processing your account information, providing our platform services, managing your subscription, and processing payments.
Where processing is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not overridden by your fundamental rights and freedoms. We rely on legitimate interest for product improvement and analytics, fraud prevention and security monitoring, customer support optimization, and internal research and development. We conduct Legitimate Interest Assessments (LIAs) to ensure the balance of interests is properly evaluated.
Where processing is necessary for compliance with a legal obligation to which Mosco.ai is subject, such as tax reporting, regulatory compliance, and responding to lawful government requests.
Under the GDPR, you have the following rights with respect to your personal data. Mosco.ai is committed to facilitating the exercise of these rights in a timely and transparent manner:
You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the purposes of processing, categories of data, recipients, retention periods, and your rights. We will provide a copy of your personal data free of charge within 30 days of your request.
You have the right to obtain the correction of inaccurate personal data and to have incomplete personal data completed. You can update most of your account information directly through the Mosco.ai platform settings, or contact us for assistance.
You have the right to request the deletion of your personal data when the data is no longer necessary for the purpose it was collected, you withdraw consent, the data has been unlawfully processed, or erasure is required by law. Certain data may be retained where we have a legal obligation or legitimate basis to do so.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance. This right applies to data you have provided to us and that is processed based on consent or contract performance.
You have the right to request the restriction of processing of your personal data when you contest the accuracy of the data, the processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification. When processing is restricted, we will only store the data and not further process it without your consent.
You have the right to object to the processing of your personal data at any time where processing is based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing immediately. For other objections, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Mosco.ai has appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with the GDPR. The DPO is responsible for monitoring compliance, advising on data protection impact assessments, cooperating with supervisory authorities, and serving as the point of contact for data subjects.
Data Protection Officer
Mosco.ai
Email: dpo@mosco.ai
You may contact the DPO for any questions or concerns related to data protection, to exercise your data subject rights, or to lodge a complaint regarding our handling of your personal data.
Mosco.ai maintains a comprehensive Record of Processing Activities (ROPA) as required by Article 30 of the GDPR. The following is a summary of our primary data processing activities:
| Activity | Data Categories | Legal Basis |
|---|---|---|
| Account registration & management | Name, email, company, phone | Contract |
| Platform service delivery | Usage data, communication records, lead data | Contract |
| Payment processing | Billing name, address, payment method | Contract |
| AI lead scoring & profiling | Lead behavior data, interaction history | Legitimate interest |
| Marketing communications | Name, email, preferences | Consent |
| Analytics & product improvement | Usage patterns, feature engagement, anonymized data | Legitimate interest |
| Customer support | Name, email, support tickets, communication logs | Contract |
| Security & fraud prevention | IP addresses, device data, access logs | Legitimate interest |
Mosco.ai engages the following sub-processors to assist in providing our services. Each sub-processor has been vetted for GDPR compliance and is bound by Data Processing Agreements (DPAs) that ensure appropriate safeguards for personal data:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data hosting, and computing services | US / EU (Frankfurt) |
| Google Cloud Platform | AI/ML processing, data analytics, and cloud services | US / EU (Belgium) |
| Stripe | Payment processing, billing management, and fraud detection | US / Ireland |
| Twilio | SMS, voice, and communication API services | US / Ireland |
| SendGrid (Twilio) | Transactional and marketing email delivery | US |
We will notify you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object to such changes. An up-to-date list of sub-processors is maintained and available upon request.
As some of our sub-processors are located outside the European Economic Area (EEA), personal data may be transferred internationally. Mosco.ai ensures that all international transfers of personal data are protected by appropriate safeguards as required by the GDPR:
For EU-based customers, we offer data residency options within the European Union upon request, with data hosted in AWS EU (Frankfurt) and Google Cloud EU (Belgium) regions.
Mosco.ai maintains a comprehensive Data Breach Response Plan in compliance with Articles 33 and 34 of the GDPR. Our procedure is as follows:
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Mosco.ai will notify the relevant supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
Where a data breach is likely to result in a high risk to the rights and freedoms of individuals, we will communicate the breach to the affected data subjects without undue delay. The notification will describe the nature of the breach in clear language, provide the contact details of our DPO, describe the likely consequences, and outline the measures taken to address and mitigate the breach.
Where Mosco.ai acts as a data processor on behalf of our customers, we will notify the affected customer (data controller) of any personal data breach without undue delay after becoming aware of the breach, enabling them to fulfil their own notification obligations.
Mosco.ai retains personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following outlines our standard retention periods:
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of account + 30 days | Contract performance |
| Communication records | 2 years from creation | Legitimate interest |
| Billing & financial records | 7 years | Legal obligation (tax) |
| Marketing consent records | Until consent withdrawal + 1 year | Legal obligation |
| Support tickets | 3 years from resolution | Legitimate interest |
| Security & access logs | 1 year | Legitimate interest |
| Analytics data (aggregated) | Indefinite (anonymized) | Not personal data |
| Deleted account data | 30 days (recovery period), then permanently deleted | Contract / Consent |
Upon expiration of the retention period, personal data is securely deleted or anonymized using industry-standard methods. You may request earlier deletion by exercising your Right to Erasure (see Section 3).
Mosco.ai uses artificial intelligence and machine learning technologies as part of our platform services. In accordance with Article 22 of the GDPR, we provide full transparency about our automated decision-making processes:
Our AI lead scoring system analyzes lead behavior data, interaction history, demographic information, and engagement patterns to assign a predictive score indicating the likelihood of conversion. This scoring is used to prioritize sales outreach and optimize resource allocation.
Data used: Website interactions, email engagement, form submissions, communication history, publicly available business data.
Logic involved: Machine learning models trained on historical conversion data to identify patterns correlated with successful outcomes.
Significance: Lead scores influence the order and priority of sales follow-up but do not result in automatic decisions that produce legal effects or similarly significantly affect individuals.
You have the right to request human intervention, to express your point of view, and to contest any decision made solely by automated processing that produces legal effects concerning you or similarly significantly affects you. To request a human review of any automated decision, please contact our Data Protection Officer at dpo@mosco.ai.
You can exercise any of your data subject rights by contacting us through the following methods:
When submitting a request, please provide sufficient information to verify your identity and specify the right you wish to exercise. We may request additional information to confirm your identity before processing your request.
We will respond to all legitimate requests within 30 days. In exceptional circumstances, where requests are complex or numerous, we may extend this period by an additional 60 days, in which case we will notify you of the extension and the reasons for the delay within the initial 30-day period.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data by Mosco.ai infringes the GDPR.
You may lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities and their contact details can be found on the European Data Protection Board (EDPB) website.
We encourage you to contact our Data Protection Officer first so that we can attempt to resolve any concerns directly. However, this does not affect your right to lodge a complaint with a supervisory authority at any time.
For any questions, concerns, or requests related to GDPR compliance or data protection, please contact us: