Privacy Policy

1. Introduction and Scope

We are committed to protecting your privacy and handling your personal data in an open and transparent manner.

This Privacy Policy ("Policy") explains how Mindclash ("we", "us", or "our") collects, uses, processes, shares, and protects your personal data when you:

• Visit our website https://mindclash.org (the "Website");
• Subscribe to our newsletters or other marketing communications;
• Register for or attend our events;
• Interact with us in any other way (e.g., by contacting customer support).

(Collectively referred to as the "Services").

This Policy also informs you about your privacy rights and how the law protects you. We encourage you to read this Policy carefully, along with any other privacy notices we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This Policy supplements other notices and privacy policies and is not intended to override them.

2. Data Controller

The data controller responsible for your personal data is:

If you have any questions about this Privacy Policy or our privacy practices, including any requests to exercise your legal rights, please contact us using the details above.

We are not currently required to appoint a statutory Data Protection Officer (DPO) under the GDPR. However, all privacy-related inquiries can be directed to the contact details above.

3. Overview of Data Processing Activities

This section provides a summary of the types of personal data we process, the categories of individuals affected (data subjects), and the main purposes of our data processing.

3.1. Types of Data We Process:

• Identity Data: Includes first name, last name, or similar identifier.
• Contact Data: Includes email address.
• Technical Data: Includes Internet Protocol (IP) address, browser type and version, time zone setting and location (country/city level from IP), browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Website. This includes server log files.
• Usage Data: Includes information about how you use our Website and Services. This includes data collected via cookies and similar technologies (see our Cookie Policy for details).
• Marketing and Communications Data: Includes your preferences in receiving marketing from us and your communication preferences.
• Content Data: Includes any content you generate or share through our Services, such as feedback, comments, or information provided to customer support.

3.2. Categories of Data Subjects:

• Website Visitors: Individuals who browse our Website.
• Event Participants: Individuals who register for or attend our events.
• Communication Partners: Individuals who contact us or with whom we communicate.
• Newsletter Subscribers: Individuals who subscribe to our email marketing.

3.3. Purposes of Processing:

• Providing and managing our Website and events.
• Managing our relationship with you (e.g., notifications, support).
• Sending marketing communications (e.g., newsletters), where legally permitted.
• Improving our Website, services, marketing, customer relationships, and experiences (e.g., through analytics).
• Ensuring the security and integrity of our Services and IT infrastructure (e.g., server logs).
• Complying with legal obligations (e.g., tax, accounting).
• Enabling targeted advertising and measuring its effectiveness (e.g., via Google Ads, Facebook Pixel, etc. – see Cookie Policy).

4. Legal Bases for Processing Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances (as per GDPR):

• Consent (Art. 6(1)(a) GDPR): Where you have given us explicit consent to process your personal data for one or more specific purposes (e.g., for sending marketing newsletters, or for using non-essential cookies).
• Performance of a Contract (Art. 6(1)(b) GDPR): Where processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract (e.g., to provide you with event registration services).
• Legal Obligation (Art. 6(1)(c) GDPR): Where processing is necessary for compliance with a legal obligation to which we are subject (e.g., for tax purposes, financial reporting).
• Legitimate Interests (Art. 6(1)(f) GDPR): Where processing is necessary for the purposes of our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.

In addition to the GDPR, national data protection regulations in Germany, such as the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and the Digital Services Act (Digitale-Dienste-Gesetz - DDG), may apply.

Where we rely on legitimate interests, we have carried out a balancing test to ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms. You can obtain more information about this balancing test by contacting us.

5. Security Measures

We have implemented appropriate technical and organizational security measures (TOMs) to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• Encryption (SSL/TLS for data in transit).
• Access Controls.
• Regular Security Assessments.
• Data Minimization.
• Incident Response Plan.
• Secure Hosting (Hetzner, Germany).

While we strive to protect your personal data, please note that no method of transmission over the Internet or method of electronic storage is 100% secure.

6. Data Recipients and Disclosure of Personal Data

We do not sell your personal data. We may share your personal data with parties set out below for the purposes described in Sections 3 and 4:

• Service Providers (Data Processors):
  • Hetzner Online GmbH (Hosting in Germany).
  • Google LLC (Google Analytics, Google SMTP, Google Ads - with consent).
  • Eventbrite or Meetup (for event registration, if applicable).
• Professional Advisors: (lawyers, bankers, auditors, insurers).
• Legal Authorities: (if required by law).
• Business Transfers: (in case of merger, acquisition, etc.).

We require all third parties to respect the security of your personal data and treat it lawfully. We enter into data processing agreements (DPAs) with processors as required.

7. International Data Transfers

Your personal data is primarily processed and stored in Germany (Hetzner). However, some third-party providers (e.g., Google, Eventbrite/Meetup) may be based outside the EU/EEA or process data internationally. For such transfers, we ensure protection through mechanisms like Adequacy Decisions, Standard Contractual Clauses (SCCs), or the EU-U.S. Data Privacy Framework (DPF) where applicable and providers are certified. Contact us for more details.

8. Data Retention and Deletion

We retain personal data only as long as necessary for the purposes it was collected, including legal, tax, or reporting requirements. General guidelines:

• Mailing List Data: As long as subscribed/consented + e.g., 3 years for proof. Opt-out lists kept indefinitely to respect unsubscribe requests.
• Server Log Files: Short periods (e.g., 7 days), then anonymized/deleted.
• Inquiries: Until resolved + legal retention requirements.

Data is securely deleted or anonymized thereafter.

9. Your Legal Rights as a Data Subject (GDPR)

Under the GDPR, you have the following rights:

• Right to be Informed (Art. 13, 14).
• Right of Access (Art. 15).
• Right to Rectification (Art. 16).
• Right to Erasure ('Right to be Forgotten') (Art. 17).
• Right to Restrict Processing (Art. 18).
• Right to Data Portability (Art. 20).
• Right to Object (Art. 21) (especially to direct marketing).
• Right to Withdraw Consent (Art. 7(3)).
• Rights related to Automated Decision-Making including Profiling (Art. 22). (We do not currently engage in such).
• Right to Lodge a Complaint (Art. 77) with a supervisory authority. For Germany, you can find authorities via the BfDI website (https://www.bfdi.bund.de/). The authority for Dmitry Dugarev if based in Hesse, Germany would be the Hessian Commissioner for Data Protection and Freedom of Information.

To exercise rights, contact us at privacy@mindclash.org. We may request identity verification. We aim to respond within one month.

10. Specific Data Processing Activities in Detail

10.1. Provision of Our Website and Web Hosting (Hetzner)

• Data: Technical Data (IP, logs).
• Purpose: Deliver, secure, optimize Website.
• Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
• Recipients: Hetzner GmbH.
• Retention: Short log retention.

10.2. Use of Cookies and Similar Technologies

• Data: Usage, Technical, Profile Data.
• Purpose: Functionality, analytics, personalization, ads.
• Legal Basis: Consent (Art. 6(1)(a) GDPR) for non-essential; Legitimate interest/necessity for essential.
• Details: See our Cookie Policy (managed via the cookie banner).

10.3. Contact and Communication Management

• Data: Identity, Contact, Content Data.
• Purpose: Respond to inquiries, support.
• Legal Basis: Contract/pre-contractual (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
• Recipients: Internally, Google SMTP.
• Retention: Until resolved + legal requirements.

10.4. Email Marketing and Newsletters

• Data: Identity, Contact, Marketing/Communications Data.
• Purpose: Send marketing, measure effectiveness (with consent).
• Legal Basis: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR) for existing customers where permitted (with opt-out).
• Recipients: Internal systems, Google SMTP.
• International Transfer (Google SMTP): Yes (USA).
• Opt-out: Via unsubscribe link or contact us.

10.5. Web Analytics and Optimization (Google Analytics with consent)

• Data: Technical, Usage, Profile Data.
• Purpose: Improve services, user experience.
• Legal Basis: Consent (Art. 6(1)(a) GDPR).
• Recipients: Google LLC.
• International Transfer: Yes (USA).
• Details: See Cookie Policy.

10.6. Online Marketing and Advertising (Google Ads, Facebook Pixel, LinkedIn Tag, X Pixel)

• Data: Technical, Usage, Profile Data via cookies/pixels.
• Purpose: Targeted ads, measure campaign effectiveness, remarketing.
• Legal Basis: Consent (Art. 6(1)(a) GDPR).
• Recipients: Google, Meta, LinkedIn, X Corp.
• International Transfer: Yes (mostly USA).
• Details: See Cookie Policy.

11. Children's Privacy

Our Services are not intended for children under 16 (or applicable local age). We do not knowingly collect data from children under this age. If you believe we have, please contact us to delete it.

12. Changes to This Privacy Policy

We may update this Policy. Changes will be posted here with an updated "Last Updated" date. Material changes will be communicated as required by law. Please review periodically.

13. Contact Information

For questions, concerns, complaints, or to exercise your rights, please contact us: