GDPR compliance
MindWeaveBoard is built and operated for European customers. We are a data processor for customer content and a data controller only for the limited account data we need to provide the service. This page covers the formal posture; for the day-to-day data practices see Data hosting and privacy.
Roles under the GDPR
- Your organisation is the data controller for board content, member records, and anything else uploaded by you or your members.
- Socintel FlexKapG (the legal entity behind MindWeaveBoard) is the data processor for that customer data, acting on your instructions.
- Socintel FlexKapG is the data controller for the limited subset of data we need directly: your billing contact, organisation administrator name and email, and login telemetry.
The split matters for data-subject requests: requests about your employees' usage of your board come to you; requests about MindWeaveBoard accounts come to us.
Lawful basis for processing
We rely on:
- Contract — to deliver the service you've subscribed to.
- Legitimate interest — for security, fraud prevention, and product improvement based on aggregate metadata only.
- Consent — for marketing communications (you can opt in or out at any time from Settings → Communications).
We do not rely on consent for the core service — it would be invalid to claim "consent" as the basis for processing data that's required to run the product you're paying for.
Data subject rights
Members of your organisation have the standard GDPR rights:
- Access — request a copy of their data. Available from Settings → Account → Export my data, which produces a JSON archive.
- Rectification — correct inaccurate personal data. Most fields are editable directly in Settings → Profile.
- Erasure — request deletion of their account. Available from Settings → Account → Delete account; the deletion completes within 30 days.
- Restriction — limit processing. Effected by setting their role to Viewer or by suspending the account.
- Portability — receive their data in a machine-readable format. The Export my data feature provides JSON.
- Objection — object to specific processing. Contact privacy@mindweaveboard.com; we respond within 30 days.
For requests routed via your organisation (where you are the controller), provide the request to us via the contact form — we'll fulfil our processor obligations within 5 business days.
Data Processing Agreement (DPA)
A signed DPA is part of your Enterprise contract by default. Starter and Advanced customers can request a DPA at any time — it's the same template, just signed when needed rather than at onboarding.
The DPA covers:
- Subject matter, duration, nature, and purpose of processing.
- Categories of data and data subjects.
- Subprocessors (list maintained in the DPA appendix and on the security page).
- Security measures (Article 32).
- Sub-processing obligations (Article 28).
- International transfers (currently: none — all processing is in the EU).
Subprocessors
We use a small number of subprocessors for specific operations:
- Hosting (infrastructure provider) — EU-resident, ISO 27001 certified.
- Payment processing (Stripe Payments Europe Ltd) — Ireland.
- Transactional email (Resend) — EU-resident processing.
- AI inference (per service) — processing for the specific request only, never used for training.
The current subprocessor list is in the DPA appendix; we notify customers at least 30 days before adding or changing a subprocessor.
International transfers
By default there are no international transfers of customer data — everything stays in the EU. If your contract negotiates an alternative region, transfers are covered by Standard Contractual Clauses (SCCs) plus our internal transfer impact assessment.
Breach notification
We notify affected customers within 72 hours of becoming aware of a personal-data breach affecting their data, as required by Article 33. Notification includes the nature of the breach, categories of data affected, expected consequences, and the measures taken.
Contact
- Privacy / DPO matters — privacy@mindweaveboard.com.
- DPA requests — your account contact, or the same email.
- Data subject rights — privacy@mindweaveboard.com for requests where we are the controller.
Related
- Data hosting and privacy — practical detail.
- Enterprise security — SSO, audit, custom controls.
- Two-factor authentication — account protection.