Privacy Policy
Version 1.1 — Effective 17 March 2026
This Privacy Policy explains what personal data MainDeck collects, why, how it is used, and what rights you have. We are committed to protecting your privacy and handling your data responsibly. Where applicable, we comply with the General Data Protection Regulation (GDPR) and other applicable EU privacy laws.
1. What data we collect
Account and profile data
- Name, email address, password (stored as a secure hash using argon2id — never in plain text)
- Profile information you choose to provide: headline, bio, location, work history, education, skills, profile photo
- Consent records: which version of the Terms and Privacy Policy you accepted, and when
Activity data
- Posts, articles, comments, reactions, and reposts you create
- Connections and follow relationships you form
- Messages you send (stored encrypted at rest using AES-256-GCM; access-controlled to conversation participants only)
- Notifications and how you interact with them
Technical data
- IP address (used for security and abuse prevention — stored as a one-way HMAC-SHA-256 hash; the original IP address cannot be recovered)
- Browser and device type (for session management and security)
- Pages visited and timestamps (for platform analytics and abuse prevention)
- Cookies and similar technologies (see Section 7)
2. Why we collect it (legal basis)
| Purpose | Legal basis |
|---|---|
| Providing the platform and your account | Performance of contract (Art. 6(1)(b) GDPR) |
| Security, fraud prevention, and abuse detection | Performance of contract (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR — NIS2 Directive, Art. 32 GDPR) |
| Sending account-related emails (verification, password reset) | Performance of contract (Art. 6(1)(b) GDPR) |
| Platform analytics (aggregate, anonymous) | Consent (Art. 6(1)(a) GDPR — opt-in only) |
| Marketing and newsletters | Consent (Art. 6(1)(a) GDPR — opt-in only) |
| Legal compliance and responding to lawful requests | Legal obligation (Art. 6(1)(c) GDPR) |
3. How long we keep your data
| Data type | Retention period |
|---|---|
| Active account data | While your account is active |
| Paused account data | While the account remains paused (you can reactivate or delete at any time) |
| Deleted account data | Permanently deleted after a 14-day grace period |
| Security logs (login events) | 90 days |
| Profile view records | 365 days |
| Notification records | 180 days |
| Raw analytics events | 90 days (aggregated stats kept for 24 months) |
| Payment records (if applicable) | 7 years (required by tax law) |
4. Who we share data with
We do not sell your personal data. We do not share your data with third-party advertisers for targeting purposes without your explicit consent. We may share data with:
- Service providers who help us operate the platform (hosting, email delivery) — under data processing agreements that restrict them to acting on our instructions only. All providers are EU-based or EU-headquartered entities (see Section 4a below).
- Law enforcement or regulatory authorities when required by a valid legal obligation under EU law or the law of an EU member state
- Other users — content you mark as public is visible to other members of the platform, to the extent you allow in your privacy settings
4a. Data processors (sub-processors)
| Processor | Country | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany 🇩🇪 | Server infrastructure and hosting |
| OVHcloud SAS | France 🇫🇷 | Backup infrastructure |
| Brevo SAS (Sendinblue) | France 🇫🇷 | Transactional email delivery |
We run our infrastructure exclusively on servers located in the European Union. We do not use US-based cloud providers, CDNs, or SaaS services that would be subject to the US CLOUD Act or similar extra-territorial data access laws. We do not transfer your personal data outside the European Economic Area.
5. Your rights
As a data subject under GDPR, you have the following rights:
- Access (Art. 15) — request a copy of all data we hold about you (Settings → Privacy → Download my data)
- Correction (Art. 16) — update inaccurate data directly in your profile or by contacting us
- Deletion (Art. 17) — permanently delete your account and associated data (Settings → Account → Delete account)
- Portability (Art. 20) — export your data in a machine-readable format (JSON/CSV)
- Restriction (Art. 18) — ask us to pause processing of your data while a dispute is resolved
- Withdraw consent (Art. 7(3)) — withdraw any consent you have given at any time, without affecting the lawfulness of prior processing. You can do this in Settings → Privacy.
To exercise any of these rights, go to your account settings or contact us at privacy@maindeck.eu. We will respond within 30 days.
6. Children
MainDeck is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a minor, please contact us and we will delete it promptly.
7. Cookies
We use the following categories of cookies:
- Strictly necessary: session and authentication cookies required for the platform to function. These cannot be disabled. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
- Functional: remember your preferences (language, theme, feed mode). Require consent. Legal basis: Art. 6(1)(a) GDPR.
- Analytics: anonymised page view counts to help us understand how the platform is used. Require consent. We use self-hosted analytics — no data is sent to any third-party analytics service. Legal basis: Art. 6(1)(a) GDPR.
- Advertising: used for contextual ad targeting. Require explicit opt-in. Legal basis: Art. 6(1)(a) GDPR.
You can manage your cookie preferences at any time via the “Cookie settings” link at the bottom of any page.
8. Security
We apply industry-standard technical and organisational measures to protect your data, including AES-256-GCM encryption for messages at rest, argon2id password hashing, HMAC-SHA-256 IP address hashing, TLS 1.3 in transit, strict access controls, and regular security reviews. No system is perfectly secure; in the event of a data breach that affects your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.
9. Changes to this Policy
We may update this Privacy Policy from time to time. We will notify you by email at least 30 days before material changes take effect. The version number and effective date at the top of this page always reflect the current version.
10. Contact and complaints
For privacy questions or to exercise your rights, contact us at privacy@maindeck.eu.
If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority (supervisory authority) in your country of residence. In Germany this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI); a full list of EU supervisory authorities is available at edpb.europa.eu.