This document outlines how we process personal data in compliance with applicable data protection laws including GDPR, CCPA, and other privacy regulations.
1. Purpose and Scope
This Data Processing Agreement ("DPA") sets forth the terms and conditions under which Next Mind Project processes personal data on behalf of and at the direction of our users and subscribers. This DPA is designed to meet the requirements of:
• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Other applicable data protection and privacy laws
2. Definitions
For the purposes of this DPA:
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
"Data Controller" means the entity that determines the purposes and means of processing personal data.
"Data Processor" means the entity that processes personal data on behalf of the Data Controller.
3. Nature and Purpose of Processing
Processing Activity | Purpose | Data Categories
Account Management | User registration and authentication | Name, email, preferences
Service Delivery | Providing educational content and resources | Usage data, progress tracking
Payment Processing | Subscription management and billing | Payment information (via third parties)
Communications | Customer support and updates | Contact information, communication history
Analytics | Service improvement and optimization | Usage patterns, device information
4. Data Subject Categories
We process personal data of the following categories of data subjects:
• Website visitors and prospective customers
• Registered users and subscribers
• Customer support contacts
• Newsletter subscribers and marketing contacts
5. Legal Basis for Processing
We process personal data based on the following legal grounds:
Contract Performance: Processing necessary for the performance of our service agreement with you
Legitimate Interest: Processing for our legitimate business interests, such as improving our services and preventing fraud
Consent: Where you have given explicit consent for specific processing activities
Legal Obligation: Processing required to comply with applicable laws and regulations
6. Data Security Measures
We implement comprehensive security measures to protect personal data:
Technical Safeguards:
• End-to-end encryption for data in transit
• AES-256 encryption for data at rest
• Multi-factor authentication for admin access
• Regular security audits and penetration testing
• Automated backup and disaster recovery systems
Organizational Safeguards:
• Staff training on data protection principles
• Access controls on a need-to-know basis
• Regular review of data processing activities
• Incident response and breach notification procedures
• Confidentiality agreements with all personnel
7. Data Subject Rights
Data subjects have the following rights regarding their personal data:
Right of Access: Obtain confirmation that personal data is being processed and access to such data
Right to Rectification: Correct inaccurate or incomplete personal data
Right to Erasure: Request deletion of personal data under certain circumstances
Right to Restrict Processing: Limit how personal data is processed
Right to Data Portability: Receive personal data in a structured, machine-readable format
Right to Object: Object to processing based on legitimate interests or direct marketing
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
8. Data Retention
Data Type | Retention Period | Justification
Account Information | Duration of account + 2 years | Legal obligations, dispute resolution
Payment Records | 7 years after last transaction | Tax and financial regulations
Marketing Data | Until consent withdrawn | Consent-based processing
Support Communications | 3 years after resolution | Service improvement, quality assurance
Website Analytics | 26 months (Google Analytics) | Service optimization, legitimate interest
9. International Data Transfers
When personal data is transferred outside the country of collection, we ensure adequate protection through:
• Adequacy decisions by relevant data protection authorities
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules (BCRs) where applicable
• Certification schemes and codes of conduct
• Explicit consent from data subjects where required
10. Data Breach Procedures
In the event of a personal data breach, we will:
• Detect and assess the breach within 24 hours
• Notify relevant supervisory authorities within 72 hours (where required)
• Notify affected data subjects without undue delay (where required)
• Document the breach and our response measures
• Implement additional safeguards to prevent future breaches
11. Sub-processors
We may engage sub-processors to assist in providing our services. Current sub-processors include:
Sub-processor | Service | Location
Google Analytics | Website analytics | United States
Payment Processors | Payment processing | Various (as required)
Cloud Hosting Providers | Infrastructure and hosting | United States, EU
12. Contact and Compliance
For questions about data processing or to exercise your data subject rights, contact:
Data Protection Officer: dpo@nextmindproject.com
Legal Department: legal@nextmindproject.com
Subject Line: Data Processing Inquiry
Response Time: We will respond to requests within 30 days
13. Updates to This Agreement
We may update this Data Processing Agreement to reflect changes in our practices or applicable laws. Material changes will be communicated through our usual channels with at least 30 days' notice before taking effect.