GDPR & Data Subject Rights
1. Overview
Mindemy is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 – and the applicable Romanian data protection legislation.
Mindemy acts as the data controller for personal data processed through the Platform. This page explains in detail what rights you have under the GDPR, what personal data we process, on what legal bases, and how you can exercise your rights.
This page should be read alongside our Privacy Policy, which provides the full detail of our data processing practices.
2. Your Rights Under GDPR
The GDPR grants EU/EEA residents the following rights in relation to their personal data. These rights apply subject to certain exceptions provided for in the GDPR and applicable national law.
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process personal data concerning you, and if so, to receive a copy of that data together with supplementary information (purposes, categories of data, recipients, retention period, your rights, etc.).
Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected without undue delay. You can update your name and email address yourself in Account Settings. For other corrections, please contact us.
Right to Erasure – "Right to Be Forgotten" (Article 17)
You may request deletion of your personal data where:
- The data is no longer necessary for the purposes for which it was collected.
- You withdraw consent and there is no other legal ground for processing.
- You object to processing and there are no overriding legitimate grounds.
- The data has been unlawfully processed.
- Erasure is required to comply with a legal obligation.
Please note that this right is not absolute. We are required to retain certain data (e.g. payment records) to comply with legal obligations under Romanian and EU law, even after account deletion.
Right to Restriction of Processing (Article 18)
You may request that we restrict processing of your data in specific circumstances, for example while the accuracy of data is being contested, or where processing is unlawful but you prefer restriction over erasure.
Right to Data Portability (Article 20)
Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller. This right applies to data you have directly provided to us (e.g. account profile, course progress).
Right to Object (Article 21)
You have the right to object at any time to processing of your personal data based on our legitimate interests (Article 6(1)(f)). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where the processing is for the establishment, exercise, or defence of legal claims.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing – including profiling – that produces legal effects or similarly significantly affects you. Mindemy does not engage in such automated decision-making. Lesson unlocking is a deterministic, rule-based system (not profiling) based on your own completion records.
Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
3. How to Exercise Your Rights
To submit a data subject rights request, please email us at support@mindemy.io using the subject line:
"GDPR Request – [Right Type] – [Your Name]"
For example: "GDPR Request – Right of Access – Jane Smith"
Identity Verification
To protect your privacy, we will verify your identity before processing any request. We may ask you to confirm information we already hold on file (e.g. your registered email address). We will not process a request unless we can verify the identity of the requester to a reasonable standard.
Response Timescales
- We will acknowledge receipt within 5 business days.
- We will respond substantively within 30 days of receiving a verifiable request.
- For complex or numerous requests, we may extend this period by a further two months. If we exercise this extension, we will notify you within the first 30 days and explain the reason for the delay.
Responses to data subject rights requests are provided free of charge. However, for manifestly unfounded or excessive requests (in particular, repetitive requests), we may charge a reasonable administrative fee or refuse to act on the request, and we will inform you of this decision.
4. Data We Hold About You
The following categories of personal data may be held about registered users:
Account & Identity Data
- First name, last name, username, email address, hashed password
- Account creation date, email verification status
- Subscription status and Stripe customer ID
Course Progress Data
- List of completed lessons with timestamps
- Daily streak count and course start date
- Quiz answers and attempt records (including whether answers were correct)
- Achievements unlocked (e.g. "First Step", "Week Warrior")
- Time spent on each lesson (lesson session records)
Technical & Security Data
- IP address at registration
- Browser user agent at registration
- Login history: IP address, user agent, timestamp, and success/failure status – retained for 90 days, then automatically deleted
- Page view analytics (path visited, IP, user agent, referrer, session ID) – retained for 90 days, then automatically deleted
Attribution & Marketing Data
- HTTP referrer from your first visit (which website linked you to Mindemy)
- UTM parameters captured at signup (source, medium, campaign)
Payment Data
- Stripe Customer ID, Stripe Payment Intent ID
- Amount paid, currency, payment date, and payment status
- We do not store card numbers, CVV, or bank account details. These are held exclusively by Stripe.
Communications Data
- Contact form submissions (name, email, subject, message) – retained for up to 12 months
5. Legal Bases for Processing
We process personal data under the following legal bases (GDPR Article 6):
- Contract performance (Art. 6(1)(b)): Providing your account, delivering course content, processing payments, and sending necessary transactional communications (verification emails, password resets, payment receipts).
- Legitimate interests (Art. 6(1)(f)): Platform security (login audit, rate limiting, fraud prevention), internal analytics (page views, completion rates) to improve the product, and attribution tracking to understand acquisition channels. We have assessed that these interests are not overridden by your fundamental rights and freedoms.
- Legal obligation (Art. 6(1)(c)): Retaining payment and financial records for the period required by Romanian accounting law (Law No. 82/1991) – typically 7 years.
We do not rely on consent as a legal basis for any ongoing processing. Where we obtain consent (e.g. cookie consent banner), you may withdraw it at any time without affecting the lawfulness of prior processing.
6. International Data Transfers
Some of the third-party data processors we use may transfer or store personal data in countries outside the European Economic Area (EEA). Specifically:
- Stripe – headquartered in the United States. Stripe participates in cross-border data transfer mechanisms under Standard Contractual Clauses (SCCs) approved by the European Commission.
- Resend – email delivery service. Data may be processed outside the EEA under SCCs.
- Supabase – database hosting. Data may be processed outside the EEA; Supabase implements appropriate transfer safeguards.
We rely on the Standard Contractual Clauses (Commission Decision of 4 June 2021) as the primary transfer mechanism for any data flows outside the EEA. You may request a copy of the relevant SCCs by contacting us at support@mindemy.io.
8. Contact Us
Mindemy – Data Protection Enquiries
Email: support@mindemy.io
Country: Romania, European Union
For data subject rights requests, use subject: "GDPR Request – [Right Type] – [Your Name]"