As developers, we do not have perfect legal knowledge about GDPR, like lawyers do. Because of this, from our end we cannot guarantee, that just by following these advices you will have full GDPR compliance for your website! If compliance is a critical requirement for your project, we recommend consulting a qualified expert in this matter.
From our end what we provide is, that if you see some GDPR compliancy issue on your website, and something in our codes could be done to avoid that, get in touch with us and we will try to help!
Connection between you and us (Nextendweb)
Tracking User Data
When you first launch Mosaic, and later in Global Settings, you can enable or disable the “Allow tracking usage data” option.
If enabled, the following usage-related (non-personal) data is collected:
- Which themes are imported
- Which items are inserted from the Component Library
- Whether a Component Library item was inserted through the wizard or the Assets modal
- The associated Mosaic theme ID/name where applicable
- A unique ID generated for your website by Mosaic
This data helps us improve the product experience and better understand how features are used.
License Validation
To ensure proper licensing, Mosaic verifies whether a website’s license is valid during license activation, and later when license-protected features are used. Mosaic checks whether the stored license token is still valid, and if it has expired or is close to expiring, it refreshes it through Nextendweb’s licensing server.
This may happen when:
- Opening Theme Library or Component Library admin screens
- Importing themes from the library
- Importing items from the Component Library
- Downloading Mosaic updates
The check is not sent continuously in the background; it is triggered only when Mosaic needs to access license-protected resources or verify the current license state.
During this process, only license-related data (such as the license key and domain) is used. No sensitive personal data is collected.
Connection between you and your website visitors
Google fonts
By default, Google Fonts collect user-related data when loaded from Google’s servers.
To avoid this, you can enable the Save fonts locally option in Global Settings.
This will:
- Store Google Fonts on your own server
- Prevent requests to Google’s servers
YouTube videos
YouTube videos collect user data and set cookies. Mosaic provides a “Privacy” option in the YouTube element, that makes videos load from youtube-nocookie.com. That reduces tracking, however, please note that even in privacy mode, some cookies may still be set by YouTube!
If you want to avoid any third-party tracking entirely, then do not use YouTube videos, but rather Video elements with a self-hosted MP4 video files.
Forms
Mosaic forms collect information directly from your visitors, so they deserve their own look at GDPR: what is stored, how long it stays, and where a third party might be involved.
Form submissions
When a visitor submits a Mosaic form, their answers are saved as a submission in your WordPress admin, so submissions can hold personal data such as names, email addresses, and messages, along with the visitor’s IP address and browser.
Submissions are stored indefinitely. Mosaic never deletes them automatically, so you decide what to keep: review them from time to time and delete what you no longer need. Deleting a submission is also how you handle a data-removal request, and it removes any files uploaded with it at the same time.
To store less in the first place, every field has a Data logging option: choose Mask to keep a value but hide it in the admin view, or Exclude to not store it at all. See Form submissions for how to review and delete them.
Uploaded files
Files sent through a File upload field are stored securely in a private folder that the web server does not deliver, so they cannot be reached by guessing a web address. They are kept with their submission and removed when you delete it, with no automatic expiry, and any secure download link Mosaic places in an email stops working after 30 days.
The exception is a field with Add to Media Library turned on: each uploaded file then also becomes a public, permanent part of your site, reachable by its web address and not removed when you delete the submission. Turn it on only for files you are comfortable making public and keeping, and be mindful of any personal data they may contain.
Spam protection
Mosaic’s built-in honeypot works automatically to filter spam. It stores no visitor data and makes no third-party requests.
The two optional CAPTCHA elements do involve a third party. Cloudflare Turnstile loads scripts from Cloudflare and is subject to Cloudflare’s privacy terms; it is designed to be privacy-preserving, and Mosaic stores no additional visitor data. Google reCAPTCHA loads scripts from Google and is subject to Google’s privacy terms, and Google asks that its badge or attribution text stays visible on any page that uses it. If you would rather make no third-party requests, use the honeypot on its own. See Spam protection.