This document outlines how MindMup complies with the European Union General Data Protection Regulation, and how you can use your GDPR rights with MindMup.
A quick summary
At MindMup, we care about your privacy and data. Users are our most important stakeholders, not a product to be sold to shady information brokers. Because the optional MindMup Gold subscriptions make the service commercially sustainable for all users, even the people using MindMup for free, MindMup does not need to track users for advertising purposes.
We store the minimum information required to provide you with the service, share it only with GDPR-compliant processors when required for operational purposes, and do not let any other third party link, track or access information about our users.
MindMup is operated by a company registered in the United Kingdom, so we work under the jurisdiction of the UK Information Commissioner’s Office.
We are glad to offer the same level of privacy protection to all our users, not just those resident in the EU.
What data processors does MindMup use?
For data processing, MindMup uses Amazon Web Services (AWS), which is GDPR compliant.
For signing into the application, only when instructed by our users, we may also share personal data with Google and Microsoft. The MindMup web site does not include any widgets or analytics that would allow Google or Microsoft to track users without their knowledge.
What personally identifiable information does MindMup store and process?
If you are using MindMup without signing in (free users), we are not collecting or processing any of your personal data.
If you are signing in using a third party, such as Google or Microsoft, we will store your basic third-party profile information (such as the user account identifier and domain), along with the time of the authentication operation, in a database on AWS, for security and auditing purposes. This applies both to free and Gold users.
If you are signing in using a third party, such as Google or Microsoft, and using MindMup Cloud storage, we will also store your e-mail for the purpose of enabling other users to share documents with you. If you are not using MindMup Cloud storage, we do not store this information.
If you subscribe to MindMup Gold, we will store your administrative e-mail, chosen account name and anonymised payment information in a database on Amazon Web Services for the purpose of securing your account and authenticating you when you use MindMup. We will share the payment information, as provided by you, directly with our payment processor. In most cases, this is Stripe. In the past, we also allowed users to subscribe using PayPal. Although we do not offer this to new subscribers, if you previously subscribed to MindMup Gold with PayPal, we have also stored your basic PayPal profile information in a database on AWS.
MindMup uses Google e-mail services. When you send us e-mails, or when MindMup sends you operational information by e-mail, the contents of the messages along with the recipient information are stored and processed using Google Mail.
In case of attempted payment fraud or security violations, we store the e-mail associated with the operation and the meta-data about the incident for security purposes and to prevent fraud.
What other types of data does MindMup store and process?
If you are using MindMup Cloud storage for your mind maps, MindMup stores the contents of those maps to the AWS Simple Storage Service (S3).
If you are using MindMup for Google Drive, MindMup does not store the contents of the maps, but instead shares them with Google Drive.
Regardless of the type of storage used, MindMup also collects operational information about user actions (such as opening pages on our web site, or managing the maps) for auditing and troubleshooting purposes. We may record the type of action taken and the time when the action occurred, along with the metadata about the user’s browser. We store this information using AWS.
Which countries is the personal data stored in?
We use the us-east-1 AWS data centre, located in the US.
For information on where the payment processors and authentication processors store information, please consult their support.
How long does MindMup store personal data for?
Any account-related information is preserved for the length of the subscription, and for a period of up to six months after the subscription is stopped or expires.
Any information related to security or auditing, including information on attempted payment fraud, may be stored indefinitely.
Is MindMup collecting personal data about users from any source other than the users?
When users sign into MindMup using a third-party authentication system, such as Google or Microsoft, we collect basic third-party profile information (name, e-mail, user account identifier and domain), directly from the authentication provider.
Is MindMup making automated decisions about users (including profiling)?
We use subscription information to decide what level of service to provide to users. Apart from that, there are no other automated decisions made.
Has any personal data been disclosed inadvertently in the past, or as a result of a security or privacy breach?
We are not aware of any security or privacy breaches related to data stored by MindMup.
Does MindMup keep data backups?
We keep a copy of key subscription and account information, along with the key fraud prevention data, for seven days on an external disk outside AWS. This data is destroyed after seven days.
How to get a copy of your personal data stored by MindMup?
Please send an e-mail to email@example.com.
How to request the removal of your information from MindMup?
Please send an e-mail to firstname.lastname@example.org.