Privacy Policy
1. Who We Are
Mindemy ("we", "us", "our") is an online AI learning platform operated from Romania, a member state of the European Union. We offer structured, practical courses covering a range of AI tools, accessible via a one-time Lifetime Access purchase.
Mindemy is the data controller responsible for your personal data processed through our platform at mindemy.io.
For all privacy-related enquiries, please contact us at support@mindemy.io.
2. Data We Collect
Account & Profile Data
When you register or manage your account, we collect:
- First name, last name, and username
- Email address
- Password (stored as a secure, salted hash, never in plain text)
Course & Progress Data
To deliver and track your learning experience, we collect:
- Lessons completed and completion timestamps
- Daily learning streaks
- Quiz answers and attempt records
- Achievements unlocked
- Total time spent on lessons
- Course start date
Technical & Analytics Data
Automatically collected when you use our platform:
- IP address (used for security and rate-limiting)
- Browser user agent
- HTTP referrer (the page that linked you to us)
- UTM campaign parameters (to understand how you found us)
- Pages visited and timestamps (internal funnel analytics)
- Login history (success/failure, IP, timestamp)
Payment Data
Payments are processed exclusively by Stripe. We do not store your card number, CVV, or bank account details. We receive from Stripe: a Stripe Customer ID, a Stripe Payment Intent ID, the amount charged, currency, and payment status.
Communications
If you submit a contact form or email us, we retain the content of that message along with your name and email address for up to 12 months.
3. Legal Basis for Processing
We process your personal data under the following legal bases established by the General Data Protection Regulation (GDPR), Article 6:
- Performance of a contract (Art. 6(1)(b)): Creating your account, delivering course content, processing payments, sending transactional emails (e.g. email verification, password reset, payment confirmation).
- Legitimate interests (Art. 6(1)(f)): Platform security (login audit log, rate limiting, brute-force protection), internal analytics to improve our service, attribution tracking to understand acquisition channels.
- Legal obligation (Art. 6(1)(c)): Retaining payment and invoicing records in accordance with Romanian accounting and tax law.
4. How We Use Your Data
- Account management: Creating, authenticating, and maintaining your user account.
- Course delivery: Tracking progress, unlocking lessons sequentially, awarding achievements.
- Payments: Processing your Lifetime Access purchase via Stripe, storing the transaction record for our accounts.
- Communication: Sending email verification, password reset emails, and responding to support enquiries.
- Security: Detecting and preventing fraud, brute-force login attempts, and abuse of our platform.
- Analytics: Understanding how users navigate the platform so we can improve it. We use only our own first-party, anonymised analytics, with no third-party advertising trackers.
- Attribution: Understanding which marketing channels bring users to Mindemy (UTM parameters, referrer). This data is used internally only.
- Advertising & Tracking: Using TikTok Pixel to track conversions, measure campaign effectiveness, and serve targeted advertisements based on your use of the platform.
We do not sell your personal data in the traditional sense, but we do share tracking data with advertising networks as described above.
5. Third-Party Data Processors
We use the following trusted third-party processors. Each is contractually required to process your data only on our instructions and to maintain appropriate security standards.
Stripe (Payment Processing)
Stripe processes payment card data. Stripe is PCI-DSS Level 1 certified. Your full card details never touch our servers. Stripe may process data outside the EEA; this transfer is covered by Standard Contractual Clauses (SCCs) approved by the European Commission. Stripe Privacy Policy.
Resend (Transactional Email)
Resend delivers transactional emails such as email verification and password reset messages. Only your email address and the content of the transactional email are shared. Data may be processed outside the EEA under SCCs.
Supabase (Database Hosting)
Our database is hosted on Supabase (PostgreSQL). All account, progress, and analytics data is stored here. Data is encrypted at rest and in transit. Data may be processed outside the EEA; appropriate transfer mechanisms apply.
TikTok Pixel
We use TikTok Pixel, a tool provided by TikTok (including TikTok Information Technologies UK Limited and TikTok Technology Limited in the EEA/UK), to track user behaviour and conversions on our platform. This helps us measure the effectiveness of our advertising campaigns and understand how users interact with our site after viewing our videos or ads. TikTok may use this data to provide measurement services and targeted advertising across their platforms. The data processing by TikTok operates under the TikTok Privacy Policy. You can manage your advertising preferences directly within your TikTok account settings.
6. International Data Transfers
Some of our third-party processors (Stripe, Resend, Supabase) may process or store data in countries outside the European Economic Area (EEA). Where this occurs, we ensure that adequate safeguards are in place, primarily the Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Article 46(2)(c), supplemented where appropriate by technical measures such as encryption.
You may request further information about these safeguards by contacting us at support@mindemy.io.
7. Data Retention
- Account & profile data: Retained for as long as you maintain an active account. Upon account deletion request, we will delete or anonymise your personal data within 30 days, subject to the exceptions below.
- Course progress data: Retained for the lifetime of your account.
- Login history & page analytics: Automatically purged after 90 days via our data retention process.
- Payment records: Retained for 7 years from the date of the transaction to comply with Romanian accounting and tax law (Law No. 82/1991). This data is kept even after account deletion.
- Contact form messages: Retained for up to 12 months, then securely deleted.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of them, please contact us at support@mindemy.io. We will respond within 30 days (extendable by a further two months for complex or numerous requests, with notice).
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Correct inaccurate or incomplete personal data. You can update your name and email directly in Account Settings.
- Right to erasure (Art. 17): Request deletion of your personal data where there is no overriding legal ground for us to retain it (e.g. payment records retained for tax compliance).
- Right to restriction of processing (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format, and transmit it to another controller.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right not to be subject to automated decision-making (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects about you.
Supervisory Authority
You have the right to lodge a complaint with the Romanian data protection supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro
You may also contact the supervisory authority in your country of residence if you are located in another EU member state.
10. Children
Mindemy is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, please contact us at support@mindemy.io and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email at least 14 days before the change takes effect. The updated policy will always be accessible at this URL with an updated "Last updated" date. Continued use of Mindemy after the effective date constitutes acceptance of the updated policy.
12. Contact Us
Mindemy - Privacy Enquiries
Email: support@mindemy.io
Country: Romania, European Union
Please use the subject line "Privacy Request - [type of request]" so we can direct your enquiry to the right team member promptly.