Privacy Policy

Version 1.2 (revision 2026-06-22) - Effective 10 April 2026 · Version history

This Privacy Policy explains what personal data MainDeck collects, why, how it is used, and what rights you have. We are committed to protecting your privacy and handling your data responsibly. We comply with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Data controller

MainDeck is operated by EnableNext (KvK 53538633), Oder 20, 2491DC The Hague, the Netherlands. For privacy questions or to exercise your data rights, please contact us.

1. What data we collect

Account and profile data

• Name, email address (encrypted at the application level using AES-256-GCM before storage; a deterministic hash index is used for account lookup - the original address is never stored in plain text), password (stored as a secure hash using argon2id - never in plain text)
• Profile information you choose to provide: headline, bio, location, work history, education, skills, profile photo
• Consent records: which version of the Terms and Privacy Policy you accepted, and when

Professional interests

• Topics and categories you select during onboarding and in your Profile (e.g. "Cybersecurity", "Software Development")
• Used to personalise your content feed, suggest relevant communities, and recommend connections with shared interests
• You can view and modify your interests at any time in your Profile

Activity data

• Posts, articles, comments, reactions, and reposts you create
• Events you create or attend, including attendance status (going, interested)
• Connections and follow relationships you form
• Messages you send (stored encrypted at rest using AES-256-GCM; access-controlled to conversation participants only)
• Notifications and how you interact with them
• Uploaded media (profile photos, post images, message attachments, document images) - filenames are randomised before storage, file content is validated by inspecting magic bytes (not just the declared file type), and EXIF metadata (including GPS coordinates and camera identifiers) is automatically stripped from images before they are stored

Technical data

• IP address - for security logging and session management, your IP is stored as a one-way HMAC-SHA-256 hash; the original address cannot be recovered. For abuse prevention (anti-scraping), your IP may be stored in its original form when anomalous behaviour is detected; these records are deleted after 90 days
• Browser and device type (for session management and security)
• Cookies and similar technologies (see Section 8)

Optional: data received from LinkedIn (only if you use the import feature)

If you choose to import your LinkedIn data into MainDeck, we receive a copy of selected fields from LinkedIn directly, on your explicit authorisation under your right to data portability (Art. 20 GDPR). LinkedIn is an independent data controller, not our processor; no Art. 28 data-processing agreement applies and is not required for this transfer.

The fields we may receive are: profile (name, headline, bio, location), positions (work history), education, certifications, skills, and (when you use the API-based import path rather than uploading a file) the names of your LinkedIn connections. Connection names are used solely to suggest matches against existing MainDeck users; names that do not match are discarded immediately and never persisted, and only the matched MainDeck user IDs are retained. We rely on the disproportionate-effort exception (Art. 14(5)(b) GDPR) for not individually notifying your connections, on the basis that we keep no record of names that don't match. Imported data is subject to the same retention, security, and deletion rights as any other data on your MainDeck profile. See our Trust page (Data sources) and the help article on importing from LinkedIn for the operational details.

2. Why we collect it (legal basis)

Anonymous analytics: We collect anonymous aggregate usage statistics (e.g. page view counts, feature usage, link clicks) to improve the platform. This data contains no user identity, session, or IP address and cannot identify any individual. Because it is not personal data, it falls outside the scope of GDPR and does not require consent or a legal basis.

3. How long we keep your data

4. Who we share data with

We do not sell your personal data. We do not share your data with third-party advertisers for targeting purposes without your explicit consent. We may share data with:

• Service providers who help us operate the platform (hosting, email delivery) - under data processing agreements that restrict them to acting on our instructions only. All providers are EU-based or EU-headquartered entities (see Section 4a below).
• Law enforcement or regulatory authorities when required by a valid legal obligation under EU law or the law of an EU member state
• Other users - content you mark as public is visible to other members of the platform as you configure in your privacy settings

4a. Data processors

We use a limited number of third-party service providers to operate the platform. All processors are EU-based and operate on sovereign EU infrastructure. All personal data is stored and processed exclusively within the EU. No personal data is shared with companies, services, or data processors outside the EEA. When you access content on MainDeck (such as another user's public profile), that content is delivered to your browser as part of the service - this is necessary for the platform to function (Art. 49(1)(b) GDPR).

For a current list of our data processors, see our Trust & Data Protection page.

5. Profile views

• When you view a profile - by default we do not record personal data identifying you as the viewer. If you turn on Introduce yourself in your account settings, we record your name and profile link and show it to the profile you visited. Lawful basis: consent (Art. 6(1)(a) GDPR). You can withdraw at any time by switching the setting off, and you can delete past introductions from your account settings (right to erasure, Art. 17).
• When your profile is viewed- you may see anonymous aggregate counts, named introductions from viewers who opted in, and, if a recruiter viewed you, that recruiter's company name. Lawful basis: legitimate interest (Art. 6(1)(f) GDPR) for the aggregate counts; consent for named introductions.
• Retention windows are listed in Section 3. Your broader rights, including how to exercise them, are in Section 6.

6. Your rights

As a data subject under GDPR, you have the following rights:

• Access (Art. 15)- request a copy of all data we hold about you (Settings → Privacy → Download my data)
• Correction (Art. 16) - update inaccurate data directly in your profile or by contacting us
• Deletion (Art. 17)- permanently delete your account and associated data (Settings → Account → Delete account)
• Portability (Art. 20) - export your data in a machine-readable format (JSON/CSV)
• Restriction (Art. 18) - ask us to pause processing of your data while a dispute is resolved. Contact us to request this.
• Withdraw consent (Art. 7(3))- withdraw any consent you have given at any time, without affecting the lawfulness of prior processing. Marketing email preferences can be changed in Settings → Notifications. For other consent, contact us.

To exercise any of these rights, go to your account settings or contact us. We will respond within 30 days.

7. Children

MainDeck is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a minor, please contact us and we will delete it without undue delay.

8. Cookies

We use the following categories of cookies:

• Strictly necessary: session and authentication cookies required for the platform to function. These cannot be disabled. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
• Functional: remember your preferences (language, theme, feed mode). Require consent. Legal basis: Art. 6(1)(a) GDPR.
• Advertising: MainDeck advertising is contextual by default (based on page content, not your behaviour) and uses no cookies. Behavioural ad personalisation is available only with your explicit opt-in and uses first-party cookies only - never shared with third parties. Legal basis: Art. 6(1)(a) GDPR for behavioural; no legal basis required for cookieless contextual ads.

Since we only use strictly necessary and functional cookies (no analytics or advertising cookies), no cookie consent banner is required under the ePrivacy Directive.

9. Security

We apply industry-standard technical and organisational measures to protect your data, including AES-256-GCM encryption for email addresses and private messages at rest, argon2id password hashing, HMAC-SHA-256 IP address hashing, TLS 1.3 in transit, strict access controls, multi-factor authentication (TOTP) available for all accounts, file upload content inspection (magic byte validation to prevent disguised files), automatic EXIF/GPS metadata stripping from uploaded images, and regular security reviews. No system is perfectly secure; in the event of a data breach that affects your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33-34 GDPR.

10. Changes to this Policy

We may update this Privacy Policy from time to time. The version number and effective date at the top of this page always reflect the current published version, and a dated history of every change is maintained at the bottom of this page so you can see exactly what was changed and when.

How we communicate changes depends on the nature of the change:

• Material changes (for example, a new category of data we collect, a new processing purpose, a new recipient that affects how your data is used, or any change that adds a third-country transfer) are announced by email at least 30 days before they take effect. The advance notice is intended to give you time to review the change and, if you disagree, to export your data and delete your account before the new version applies. Material changes increase the major version number (e.g. 1.2 to 2.0) at the top of this page.
• Minor revisions (clarifications, additions describing new optional features such as the LinkedIn import, or transparency improvements that do not change how we process data you have already entrusted to us) are published with a dated entry in the version history below. They do not require fresh acceptance, do not trigger an in-product modal, and are not announced by email. Minor revisions increase the minor version number (e.g. 1.2 to 1.3) at the top of this page.

The Privacy Policy is a transparency disclosure under Art. 13 and 14 GDPR, not a contract. Your use of MainDeck remains subject to the separately versioned Terms of Service, which IS a contract and which you may be asked to re-accept when materially changed.

11. Contact and complaints

For privacy questions or to exercise your rights, contact us.

If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority (supervisory authority) in your country of residence. In Germany this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI); a full list of EU supervisory authorities is available at edpb.europa.eu.

Version history

Every change to this Privacy Policy is recorded below. Material changes (major version bumps) are also announced by email 30 days in advance; minor revisions are listed here without a separate notice.