1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection laws is:
[COMPANY NAME GMBH]
[STREET]
[POSTCODE] [CITY]
Email: datenschutz@mandateiq.com
Phone: [PHONE NUMBER]
For data protection matters, please contact us directly at the email address above.
2. Principles of Data Processing
We process personal data only insofar as permitted by law or you have given your consent. Personal data is all data relating to an identified or identifiable natural person.
Legal bases for processing:
– Art. 6(1)(a) GDPR: Consent
– Art. 6(1)(b) GDPR: Performance of contract (usage agreement)
– Art. 6(1)(c) GDPR: Compliance with legal obligations
– Art. 6(1)(f) GDPR: Legitimate interests (e.g. system security, fraud prevention)
3. Registration and User Account
Registration is required to use MandateIQ. We collect the following data:
– Name
– Email address
– Password (stored encrypted, not in plaintext)
– Role (candidate or company)
– Preferred language
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
The email address is used for verification of your account (double opt-in), for communication about your matches, and for sending system notifications.
Storage period: Your account data is stored for the duration of the contractual relationship. After termination, personal data is deleted within 30 days, unless statutory retention periods apply.
4. Candidate Profile and Matching Data
Candidates can create a detailed profile comprising the following data categories:
– Professional qualifications, industry experience, language skills
– Governance and ESG knowledge
– Personality traits (questionnaire)
– Diversity data (voluntary, pursuant to Art. 9(2)(a) GDPR with separate consent)
Identity data (full name, date of birth, contact details) is stored with AES-256 encryption and is accessible only for authorised system functions (e.g. after mutual opt-in). All access to identity data is logged.
Matching results are generated based on an algorithmic scoring process. Candidates remain completely anonymous towards companies until mutual opt-in.
Legal basis: Art. 6(1)(b) GDPR and Art. 9(2)(a) GDPR (for special categories of personal data).
5. Payment Data and Billing Processing
For payment processing, we use the payment service provider Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA). Stripe acts as a data processor within the meaning of Art. 28 GDPR.
During payment transactions, Stripe directly processes your payment data (credit card number, bank account details, etc.). We do not store complete payment data; only payment status and transaction identifiers are stored by us.
Stripe is certified under the EU-US Data Privacy Framework. For more information, please refer to Stripe's privacy policy at: https://stripe.com/privacy
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
6. Server Logs and Technical Data
When visiting our platform, the web server automatically records the following data:
– IP address (anonymised after 7 days)
– Date and time of access
– URL accessed
– Browser and operating system used
– HTTP status code
– Referrer URL
This data serves system security, error resolution and defence against attacks. It is not merged with other personal data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in system security).
Storage period: 30 days, then automatically deleted.
7. Email Communication
We send you transactional emails within the scope of the contractual relationship, in particular:
– Registration confirmation and email verification
– Welcome email with GTC attachment
– Notifications about new matches and messages
– Cancellation confirmations
– System notifications (e.g. password reset)
No promotional emails are sent without explicit consent.
Emails are sent via our configured SMTP server and logged in the system for 90 days (sender, recipient, subject, status — without full content for sensitive emails).
Legal basis: Art. 6(1)(b) GDPR.
8. Processors and Third Parties
We use the following processors with whom data processing agreements pursuant to Art. 28 GDPR have been concluded:
– Stripe, Inc. (USA): Payment processing
– [HOSTING PROVIDER] ([COUNTRY]): Server hosting and data storage
– [EMAIL PROVIDER] ([COUNTRY]): Email delivery
A complete list of our processors can be provided upon request.
Personal data is only transferred to third countries where appropriate safeguards exist (e.g. EU-US Data Privacy Framework, standard contractual clauses pursuant to Art. 46 GDPR).
Your data is not passed on to third parties for advertising purposes.
9. Storage Period
We store personal data only for as long as necessary for the respective purpose or as required by statutory retention periods:
– Account data: Duration of contractual relationship + 30 days after termination
– Invoice and payment data: 10 years (§ 147 AO)
– Email logs: 90 days
– Server logs: 30 days
– Identity access logs: 90 days
– Deletion requests (documentation): 3 years
After the retention periods expire, data is deleted automatically or upon request.
10. Your Rights as a Data Subject
You have the following rights with regard to the personal data concerning you:
– Right of access (Art. 15 GDPR): You can request confirmation of whether and which personal data we process.
– Right of rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
– Right of erasure (Art. 17 GDPR): Under certain conditions, you can request the deletion of your data.
– Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you can request restriction of processing.
– Right to data portability (Art. 20 GDPR): You can request the release of your data in a machine-readable format.
– Right to object (Art. 21 GDPR): You can object to the processing of your data based on legitimate interests.
– Withdrawal of consent (Art. 7(3) GDPR): Consent given can be withdrawn at any time with effect for the future.
To exercise your rights, please use the privacy section in your account or contact us at datenschutz@mandateiq.com. We respond to requests within 30 days.
11. Right to Lodge a Complaint with the Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR (Art. 77 GDPR).
The competent supervisory authority for us:
[NAME OF COMPETENT DATA PROTECTION AUTHORITY]
[ADDRESS]
Website: [URL]
You may also contact the supervisory authority of your place of habitual residence or workplace.
12. Cookies and Tracking
Our platform uses technically necessary cookies that are required for the operation of the platform. These cookies do not store personal data beyond the session duration.
Technically necessary cookies include:
– Session cookie (authentication and CSRF protection)
– Language cookie (preferred language)
We do not use tracking, analytics or advertising cookies.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation of the platform). No consent is required for technically necessary cookies (§ 25(2) TTDSG).
13. Changes to this Privacy Policy
We reserve the right to adapt this privacy policy if the legal situation, technical processes or our data processing changes. The current version is always available on our platform.
For material changes, registered users will be notified by email. Continued use of the platform after the amended privacy policy comes into effect constitutes acknowledgement thereof.
As of: 01.01.2025 · Version 1.0
See also: Terms for Candidates