Privacy Policy – MINTvernetzt Community Platform

Notice: The German version serves as the legal basis. MINTvernetzt is the service and contact point for the community of MINT stakeholders in Germany. They are supported through networking spaces, transfer offerings, and innovation impulses to create innovative and sustainable MINT educational offerings that reach even broader and more diverse target groups.

These include in particular girls and young women. MINTvernetzt is funded by the Federal Ministry of Education and Research (BMBF) and is jointly implemented by employees of the Körber-Stiftung, matrix gGmbH, the Nationales MINT Forum e.V., the Universität Regensburg, and the Stifterverband.

The platform is therefore designed as a special-interest platform, and it is therefore of essential importance that certain basic information about the respective stakeholders is publicly visible and/or visible within the platform.

The data processing carried out in this context is jointly managed by

• Körber-Stiftung, Pariser Platz 4a, 10117 Berlin,
• matrix gGmbH, Düsseldorfer Str. 16, 40699 Erkrath,
• Stifterverband für die deutsche Wissenschaft e.V., Baedekerstraße 1, 45128 Essen,
• Nationales MINT Forum e.V., Rosenstraße 2, 10178 Berlin, and
• Universität Regensburg, Universitätsstraße 31, 93053 Regensburg
• (hereinafter collectively referred to as "consortium partners")

within the meaning of Art. 26 GDPR. The essential content of the agreement concluded between the consortium partners is explained below.

The following consortium partner is responsible for the platform, communication with data subjects, and the fulfillment of your data subject rights (more information about your rights can be found at the end of this privacy notice), unless a different arrangement of responsibility is stated at the relevant point:

You can reach the Data Protection Officer of matrix gGmbH at datenschutz.matrix@uimc.de or by post at the address stated above, with the recipient suffix "Attn: Data Protection Officer".

We use cookies (hereinafter collectively referred to as "cookies") on our platform. These are small files that your browser automatically creates and that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause any damage to your end device and do not contain any viruses, trojans, or other malicious software.

Information is stored in the cookie that arises in connection with the specific end device being used. However, this does not mean that we thereby immediately obtain knowledge of your identity. Cookies transmit your IP address, the referrer URL of the visited website, the time at which the platform was viewed, the browser used, and previously set cookie information to a web server. This enables us to perform and offer the services described in this privacy policy.

The use of cookies serves, on the one hand, to technically enable the basic use of our offering for you.

We use so-called session cookies or transient cookies to recognize that you are logged in to our platform. These are automatically deleted after one year. The data processed by these cookies is necessary for the aforementioned purposes in order to safeguard our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR and technically pursuant to § 25 para. 2 no. 2 TDDDG in order to provide a service requested by you.

In addition, we use temporary cookies or persistent cookies for the purpose of optimizing user-friendliness, which are stored on your end device for a specific defined period of time. If you visit our site again to use our services, it will be automatically recognized that you have already visited us and what inputs and settings you have made. These cookies are also automatically deleted after one year. The data processed by these cookies is necessary for the aforementioned purposes in order to safeguard our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR and technically pursuant to § 25 para. 2 no. 2 TDDDG in order to provide a service requested by you.

Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer, or so that a notice always appears before a new cookie is created. Completely disabling cookies may, however, result in your being unable to use all features of our platform. You can prevent the use of cookies on our pages through appropriate tools or browser add-ons (e.g., the "AdBlock" add-on for the Firefox browser).

In connection with data processing, data may be transferred to third countries, i.e., to recipients outside the EU or the European Economic Area (EEA). Where an adequacy decision by the European Commission exists with respect to the third country (cf. Art. 45 para. 3 GDPR), no additional measures are required for the data transfer. In the event of data transfers to recipients based in the USA, these are carried out on the basis of the so-called Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided that the recipient holds a corresponding certification. A list of currently certified companies is available here. In other cases, and in the case of data transfers to other so-called non-secure third countries, a transfer of data only takes place if the conditions of Art. 46 et seq. GDPR are met. Specifically, this means that a transfer to third countries only takes place if

• the recipient provides sufficient so-called safeguards pursuant to Art. 46 GDPR for the protection of personal data,
• you have explicitly consented to the transfer pursuant to Art. 49 para. 1 lit. a GDPR after we have informed you of the risks,
• the transfer is necessary for the fulfillment of contractual obligations between you and us, or
• another exception pursuant to Art. 49 GDPR applies.

Which of the aforementioned legal bases applies in each individual case will be indicated to you in the context of the respective processing activity.

Data transfers to recipients based in the USA who do not hold a DPF certification and for whom an adequate level of data protection cannot be established through safeguards within the meaning of Art. 46 GDPR are carried out exclusively with your consent within the meaning of Art. 49 para. 1 lit. a GDPR. We hereby point out that, for recipients based in the USA without DPF certification, an adequate level of data protection comparable to that within the EU cannot be guaranteed. Such a transfer of personal data therefore entails the following risks: There is a risk that US authorities may gain access to personal data on the basis of surveillance programs supported by Section 702 of the FISA (Foreign Intelligence Surveillance Act), namely PRISM and UPSTREAM, as well as on the basis of Executive Order 12333 or Presidential Policy Directive 28. EU citizens do not have effective legal remedies against such access either in the USA or in the EU.

Further information as well as a copy of or reference to the respective adequate safeguards can be found in the description of the respective service.

Below you will be informed about the processing activities carried out on our platform.

In order to ensure the secure and reliable provision of our platform, we automatically collect technical access data each time the platform is accessed, which is necessary for the operation and security of the web servers. This data enables us to detect potential threats at an early stage, ensure the stability of the platform, and guarantee the smooth operation of the services. The data processed includes, for example:

• IP address of the accessing end device
• Date and time of access
• Time zone difference from Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status / HTTP status code
• Amount of data transferred in each case
• Website from which the request originates
• Browser, operating system and its interface, as well as language and version of the browser software.

The processing of this data is essential to ensure the functionality and security of our platform. It enables us to identify and resolve potential technical issues, fend off unauthorized access or attacks, and ensure the continuous operation of our systems.

The data processing is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, in order to ensure the security, stability, and efficiency of our web presence.

The recipient of the data is DigitalOcean, 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA, as our hosting service provider. We also use the service Sentry for error management, which is offered by Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. Furthermore, we use Supabase as a Backend-as-a-Service (BaaS) solution (Supabase, Inc., a Delaware corporation with offices located at 970 Toa Payoh North #07-04, Singapore 318992). We also use GitHub, a cloud-based platform on which we store and share our code. GitHub is offered by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

It cannot be ruled out that, for example, your IP address may be transferred to servers in the USA when using the services Sentry, DigitalOcean, and Supabase. However, these companies are certified under the EU-US Data Privacy Framework (DPF), so that an adequate level of data protection is guaranteed.

The data is generally retained for a maximum period of 30 days and subsequently deleted, provided no security-relevant incidents are identified.

You can create a profile for yourself or your organization on our platform. Using the profile, you can create projects and events, as well as connect with other users.

Creating a profile on our platform requires prior registration. Users must provide the following data for this purpose:

• First name
• Last name
• Email address
• Password
• MINT ID, if applicable

After entering your details, you will receive an email to confirm your registration (so-called double opt-in), in order to validate the process once more on your end and to prevent abusive profile creation by third parties.

When editing the profile, additional data may be voluntarily provided, such as:

• Title
• Profile picture
• Position
• MINT focus areas
• Funding institution
• Address, email, phone number
• Brief personal description
• Areas of activity
• Region, competencies, interests
• Links to own social media profiles and websites
• Details on "I offer" and "I am looking for"

You can edit and change your profile data at any time.

Once a profile has been created, we use the data stored therein to suggest users to one another for networking purposes.

Users can view the profile and make contact with one another via the displayed email address. Participation in events and membership in projects and organizations is displayed on the profile.

The data processing is carried out to provide the platform functionalities and to facilitate the networking of users.

The processing of the data required for registration and profile creation is justified pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR, as this is the only way our offering via the platform can be used. Voluntarily provided data beyond this is processed on the basis of Art. 6 para. 1 lit. f GDPR, as we have a legitimate interest in giving users the opportunity to design their profile individually.

Personal data is stored for as long as the profile is active. Once the profile is deleted, the data is generally also deleted.

Users can partly determine themselves which voluntary details are to be publicly visible. Further information on these settings can be found in your profile settings.

The processing of personal data is carried out for the organization and conduct of events, including the provision of the technical infrastructure, such as video conferencing via Zoom or the interaction capabilities via Mural, in order to enable as interactive a participation as possible even online.

The processing of data is carried out pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, as we have a legitimate interest in facilitating events. Where these are our own events, we base the data processing on Art. 6 para. 1 sentence 1 lit. b GDPR, insofar as the processing is necessary for the performance of the contract.

Recipients of personal data are Zoom Video Communications, Inc., 55 Almaden Blvd, 6th Floor, San Jose, CA 95113, USA, for the provision of video conferencing services at online or hybrid events, and Tactivos, Inc. (Mural), 655 Montgomery St, San Francisco, CA 94111, USA, for the provision of interaction capabilities during events.

Where we offer events jointly with another organization, we process the data arising in this context under joint controllership pursuant to Art. 26 GDPR. We are responsible for fulfilling the information obligations and data subject rights. You can assert your rights at any time against the organizations and against us.

It is possible that personal data may be transferred to the USA when the services of Zoom are used. Both companies are certified under the EU-US Data Privacy Framework (DPF), so that an adequate level of data protection is guaranteed.

Personal data is generally deleted upon deletion of the profile on the platform. Transmissions or interactions via Zoom are deleted upon conclusion of the event, unless a statutory retention obligation exists or longer storage is required for contractual reasons.

We enable the embedding of YouTube videos on our platform. Should these be videos from our YouTube channel, we provide information about the data processing taking place there in this privacy notice.

For the embedding of videos, we use the so-called "Privacy-Enhanced Mode" of YouTube. In this mode, a cookie is only stored on your device when you play the video. According to YouTube, however, no personal cookie information is stored for the playback of videos in Privacy-Enhanced Mode. You can find further information on Privacy-Enhanced Mode on YouTube here. By playing the video, data is sent to YouTube over which we have no influence.

The embedding of videos serves to illustrate content.

We process your data on the basis of your consent upon activation pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR (for data processing) and § 25 para. 1 TDDDG (for technical provision). You can withdraw your consent at any time with effect for the future.

The parent company of Google Ireland is Google LLC, based in the USA. The information generated by YouTube is transferred to servers of Google LLC in the USA and processed there. On 10 July 2023, the EU Commission adopted an adequacy decision for the Data Privacy Framework, which confirms an adequate level of data protection for certified recipients such as Google LLC.

Your data will be deleted as soon as the purpose of the processing no longer applies.

You can set up notifications to be sent to you by email about news on the platform.

The processing of your data is carried out for the purpose of sending email notifications and information that may be relevant to you.

The processing of your data is based on your explicit consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future by using the unsubscribe link contained in every email, by unchecking the box in your profile settings, or by contacting us directly.

Your data will be stored for as long as you have consented to email notifications. After withdrawal of your consent, your data will be deleted promptly, provided no statutory retention obligations exist.

You can contact our support via email. To do so, you can either click the "Contact Support" button and your email program will open automatically, or you can write to us directly at support@mint-vernetzt.de.

We process your data in order to handle and respond to your inquiry.

The processing of your data is carried out either on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR, if your inquiry is related to a contract. If this is not the case, we process your data on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR, as we have a legitimate interest in responding to inquiries directed at us.

The data will be deleted after your inquiry has been fully processed, provided no statutory retention obligations exist.

We use the web analytics service Matomo on our platform. In doing so, information about your usage behavior on our platform is collected via cookies and similar technologies. The collected data includes, for example:

• IP address (in anonymized form)
• Time of access
• Pages visited
• The referrer URL (the previously visited website)
• Information about the operating system and browser used

The IP address is anonymized immediately after collection, so that no inferences about your person are possible.

The use of Matomo serves to analyze visitor behavior on our platform, in order to optimize the platform and make it more user-friendly.

The processing is based on your consent to data processing pursuant to Art. 6 para. 1 lit. a GDPR and the technical use pursuant to § 25 para. 1 TDDDG. You can withdraw your consent at any time with effect for the future.

The data collected by Matomo is processed exclusively on our own servers and is not passed on to third parties.

No third-country data transfer takes place, as the data is stored exclusively on servers within the European Union.

The raw data collected is anonymized and stored for a maximum of 30 days. Thereafter, anonymized, aggregated reports are generated from it and stored permanently.

You are entitled to certain rights under the GDPR. You can assert these rights against all consortium partners. You can also contact the following company directly:

Your rights are as follows:

Pursuant to Art. 15 GDPR, you have the right at any time to request information from us about all data we store about you. This includes in particular information about

• the purposes for which we process your data,
• the categories of data we process about you,
• the specific recipients or, if these are not known, the categories of recipients to whom we transmit your data,
• the duration for which we store your data or, if this cannot be determined, the criteria under which we store your data, and
• where applicable, the origin of the data, if we have not collected it directly from you.

Should the data processed by us about you be inaccurate or incomplete, you may at any time request the rectification or completion of this data from us pursuant to Art. 16 GDPR.

Should the original legal basis for data processing no longer apply, or should you have withdrawn your consent, objected to the processing, or should we be prohibited from further processing your data for any other reason stated in Art. 17 para. 1 GDPR, you may request the erasure of your personal data from us pursuant to Art. 17 GDPR.

This right does not apply if the processing is necessary for the exercise of the right to freedom of expression and information, for safeguarding public interests, if a corresponding legal obligation exists, or if it is necessary for the establishment, exercise, or defense of legal claims.

Pursuant to Art. 18 GDPR, you may also request the restriction of processing. This right applies if you contest the accuracy of the data, the processing is unlawful, we no longer need the data for the stated purposes, or you have objected to the processing and in the latter two cases we are not permitted to continue processing the data on another lawful basis.

Furthermore, you may request from us pursuant to Art. 20 GDPR the transfer of your data in a structured, commonly used, and machine-readable format to yourself or to another controller.

If you have provided your consent as the legal basis for the processing of your data by us, for example pursuant to Art. 6 para. 1 sentence 1 lit. a or Art. 9 para. 2 lit. a GDPR, you may withdraw this consent at any time pursuant to Art. 7 para. 3 GDPR. If you do so, we will cease the processing of your data; however, the lawfulness of processing carried out prior to the withdrawal shall remain unaffected.

Pursuant to Art. 77 GDPR, you may also lodge a complaint with a supervisory authority. As a rule, this should be the supervisory authority of your usual place of residence or workplace; alternatively, you may direct your complaint to the supervisory authority of the registered office of the controller.

PURSUANT TO ART. 21 GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA IF WE PROCESS YOUR PERSONAL DATA SOLELY ON THE BASIS OF OUR LEGITIMATE INTERESTS AND THERE ARE GROUNDS ARISING FROM YOUR PARTICULAR SITUATION THAT SPEAK AGAINST SUCH PROCESSING. IF YOUR OBJECTION IS DIRECTED AGAINST DIRECT MARKETING, YOU HAVE A GENERAL RIGHT TO OBJECT WITHOUT STATING ANY SPECIFIC GROUNDS. YOU MAY DECLARE YOUR OBJECTION BY EMAIL TO info@matrix-ggmbh.de.