Privacy & Cookies Policy

Website Privacy Notice
Version: 1.0
Last Updated: April 2025
Controller: Nextminder

1. Data controller

The controller of your personal data collected on this website is NextMinder, a company dedicated to market research and digital product development.

Email: contact@nextminder.com (for privacy inquiries)
DPO Contact: dpo@nextminder.com

This means NextMinder determines the purposes and means of processing personal data obtained through this site. If you have any questions or requests regarding your personal data, you may contact us at the above email. Our Data Protection Officer (DPO) can be reached at the provided email address.

2. Data we collect

We may collect and process the following personal data from you through forms, cookies, and third-party services on our website.

Contact Information: If you fill out a contact form, sign up for a newsletter, or register an account, we collect personal identifiers such as your name, email address, phone number, and any information you choose to provide in the message field. For example, our "Contact Us" form asks for name, company, email, and your inquiry.

Browsing Information: When you navigate our site, we automatically collect certain technical data like your IP address, browser type, device information, and pages visited, via analytics tools and cookies (see our Cookie Policy). This may include information such as referral source (how you arrived at our site), time spent on pages, and clickstream data.

Account Data: If we offer account creation for accessing products or demos, we will collect login credentials (such as username/email and password) and any profile information you provide (like a profile name or preferences).

Survey or Product Data: If you participate in surveys or provide data through our products, we collect the information you submit. This could include responses to research survey questions, feedback, or other content. In some cases, survey data might include personal or demographic information (age, professional role, etc.), always voluntarily provided by you.

Cookies and Tracking Data: As detailed in our Cookie Policy, we use cookies that may collect personal data or unique identifiers (like a cookie ID or device ID). For instance, HubSpot tracking cookies might collect behavioral data tied to your email if you have interacted with our emails and site.

Third-Party Integrations: Our site may use third-party plugins (like a LinkedIn "Follow" button or an embedded video). These may collect data (like your interactions or viewing history). For example, if we embed a YouTube video, YouTube may collect usage data under their policies.

We do not intentionally collect any special categories of personal data (such as race, religion, health, etc.) through the site, nor do we knowingly collect personal data from children under 16 without parental consent. Our site is not directed at children.

3. Purposes of processing

We use the data collected for the following purposes:

Provide Services and Website Functionality: To deliver the features of our website and any services you request. For example, if you fill out a form to request information or a demo, we use your contact information to respond to your inquiry. If you create an account, we process your data to maintain your login and account preferences.

Respond to Inquiries and Provide Support: To reply to messages or support requests you send us. If you ask a question via chat or email, we will use your data to address your concerns and follow-up as necessary.

Marketing and Communications (with Consent): To send you newsletters, updates, or marketing communications about our services or products, but only if you have consented to such communications (or if you are an existing client and we do so under legitimate interest as allowed by law). For example, if you subscribe to our mailing list, we will use your email to send periodic news or promotional content. You can opt-out at any time.

Improve Our Website and Services: To analyze usage of our website so we can enhance user experience and content. We use analytics data (e.g., pages visited, time on site) to understand what is of interest to users and to improve navigation and site content. This helps us refine our market research offerings and website functionality.

Personalize User Experience: If you consent to marketing cookies, we may tailor content shown to you on our site or ads on other platforms based on your interactions. For instance, we might show you content relating to a service you viewed. We also use HubSpot to personalize website content or future communications (e.g., if you visited certain pages, we might send you an email related to those topics – if you have opted into emails).

Security and Fraud Prevention: To protect our website, company, and users from security threats, fraud, or other malicious activity. We log IP addresses and monitor activity to detect and block unauthorized access or attacks. If you log in, we may use your data to enforce security (like multi-factor authentication or login alerts).

Service Development: Aggregated data (that does not identify you personally) from surveys or site analytics might be used for internal research and development. For instance, learning that many users are interested in a certain product feature could guide our development priorities.

We will not use your personal data for any purpose incompatible with the original purposes without obtaining your consent or as required/permitted by law.

4. Legal bases for processing (under GDPR)

Under the GDPR, we rely on the following legal bases for processing your personal data:

Consent (Art. 6(1)(a) GDPR): We process certain data based on your consent. This includes sending marketing emails or newsletters (when you subscribe or opt-in) and setting analytics/advertising cookies on your device (per your consent via the cookie banner). Also, if you participate in a survey or provide data for research, we often do so on the basis of your informed consent.

Contractual Necessity (Art. 6(1)(b) GDPR): If you request a service or enter into an agreement through our site (e.g., sign up for an account, or register for an event), we process your data to fulfill that contract or to take steps at your request prior to entering into a contract. For example, using your email to send you a report you requested, or using your details to set up an account is contractually necessary.

Legitimate Interests (Art. 6(1)(f) GDPR): We process certain data for the legitimate interests of operating and improving our business, provided these are not overridden by your privacy rights. This includes improving our website's performance and content (we have a legitimate interest in understanding usage patterns to improve our service); ensuring IT security and fraud prevention; sending business-to-business marketing to existing clients about similar products/services (within what is allowed by law), from which you can opt out at any time; and basic analytics via first-party data where consent is not strictly required by ePrivacy rules (in practice we usually obtain consent for analytics anyway). We always balance our interests against your rights; for example, for analytics we anonymize data where possible to lessen the impact on your privacy.

Legal Obligation (Art. 6(1)(c) GDPR): If we are subject to any legal requirements to retain or disclose personal data, we will process data as needed to comply. For instance, we may need to keep web transaction records for tax or accounting if the site offers paid services or disclose data if required by a court order or regulator.

If we rely on consent, you have the right to withdraw that consent at any time (with effect for the future). If we rely on legitimate interests, you have the right to object to such processing (see Section 6 on your rights).

5. International data transfers

Some of the personal data we collect may be transferred to and processed by recipients outside the European Economic Area (EEA). In particular:

Our company uses cloud services and platforms based in the United States and other countries (e.g., AWS data centers, HubSpot, OpenAI, Alchemer, Microsoft). This means personal data (like contact info or survey responses) might be stored on servers in the US or accessed by our US-based service providers.

We have team members and contractors outside the EEA who might access data remotely (for example, a developer in Latin America accessing a database for maintenance).

When we transfer personal data internationally, we ensure appropriate safeguards as required by GDPR. Typically, we rely on:

Standard Contractual Clauses (SCCs): All our major vendors (AWS, Microsoft, HubSpot, etc.) have signed Standard Contractual Clauses committing to EU-level data protection. We have also put SCCs in place for any internal transfers to Iota Impact affiliates or contractors outside the EEA.

Transfer Impact Assessments: We evaluate the legal environment of the destination country and, if needed, apply additional measures (such as encryption) to ensure data protection (as detailed in our International Transfer Policy).

Other Measures: Where applicable, some providers may be certified under schemes such as the EU-US Data Privacy Framework, which is covered by a European Commission adequacy decision. We monitor such frameworks and rely on them only while they remain in effect and deemed adequate.

You can request more information about international transfers and obtain a copy of the relevant safeguards (e.g., SCCs) by contacting us at the email above. Despite the data being transferred, we uphold your rights and protections. Our U.S. providers are contractually obligated to protect your data, and we contractually require them to assist with GDPR obligations.

6. Your rights as a data subject

Under the GDPR (and equivalent UK or other privacy laws where applicable), you have various rights regarding your personal data.

Right of Access: You have the right to request confirmation of whether we process your personal data, and if so, to obtain a copy of that data along with supplemental information (purposes, categories of data, recipients, retention periods, etc.). You can request, for example, "a copy of all personal data you have about me," and we will provide the data we hold, such as form submissions, account info, and browsing data linked to you.

Right to Rectification: If any of your personal data that we have is inaccurate or incomplete, you have the right to have it corrected. For instance, if you notice we have misspelled your name or you changed your email address, you can ask us to update it, and we will do so promptly.

Right to Erasure: You may request that we delete your personal data (the "right to be forgotten"). We will honor this right and erase your data without undue delay if one of the GDPR grounds applies – for example, if the data is no longer necessary for the purposes for which it was collected, if you withdraw consent and no other legal basis exists, or if you object to processing and we have no overriding interest. Note that we may need to retain certain data if required by law or if an exemption applies (we will inform you if so).

Right to Restrict Processing: You can ask us to restrict (pause) the processing of your data under certain circumstances. This can apply if you contest the accuracy of your data (for a period enabling us to verify it), or if you want us to preserve data you need for a legal claim while other data gets erased, or if you have objected to processing and await our verification of overriding grounds. When processing is restricted, we will store your data but not otherwise process it until the issue is resolved.

Right to Data Portability: For data you provided to us and which we process by automated means on the basis of consent or contract, you have the right to obtain it in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible. For example, if you provided us with a lot of content or profile data and you want to move to another service, we can export your data in a CSV or JSON format for reuse.

Right to Object: You have the right to object to certain processing: You can object to processing of your personal data based on our legitimate interests, on grounds relating to your particular situation. We will then cease processing unless we have compelling legitimate grounds that override your interests or the processing is needed for legal claims. For instance, you can object to our analytics processing, and we will stop that processing for you or, at minimum, further anonymize your data. You also have an absolute right to object to use of your data for direct marketing purposes. If you object, we will stop using your data for marketing immediately. (You can also always use the "unsubscribe" link in our marketing emails to opt out of future emails.)

Right not to be subject to automated decisions: We do not make any solely automated decisions (including profiling) that produce legal or similarly significant effects on you via the website. In the event we ever do, you would have the right to human intervention and to contest the decision. (This is more relevant for things like credit approvals, which we do not do on our site).

To exercise any of these rights, please contact us at contact@nextminder.com. Specify which right you wish to exercise and provide enough information for us to verify your identity (we may ask you to confirm some details we have on file to ensure we are dealing with the correct person). There is no fee for exercising your rights, except in exceptional cases of manifestly unfounded or excessive requests, in which case we may charge a reasonable fee or decline.

We will respond to your request as soon as possible, and in any event within one month of receipt. If your request is complex or we have received numerous requests, we may extend this period by up to two further months, but we will inform you within the first month if an extension is needed and why.

If you believe we have not handled your request or your data in accordance with the law, you also have the right to lodge a complaint with a supervisory authority (see Section 11).

7. Data retention

We only keep your personal data for as long as necessary to fulfill the purposes for which it was collected, unless longer retention is required or permitted by law. In practice:

Website Contact Data: If you contact us or request information, we keep your data for as long as needed to process your inquiry and follow-up. If it leads to a business relationship, it may be retained under client records. If not, we typically delete inquiry data after 2 years at most, to ensure we can reference recent correspondence if you contact us again, but not indefinitely.

Account Data: If you create an account on our site, we retain your account info as long as your account is active. If you delete your account or it's inactive for an extended period, we will remove or anonymize the personal data associated with it after a reasonable time (usually within 6-12 months of account deletion/inactivity, unless legal obligations require longer retention).

Mailing List: If you subscribed to our newsletter, we retain your email until you unsubscribe. Once you unsubscribe, we will remove you from the mailing list immediately, and only keep whatever info is needed to honor your decision to opt-out (e.g., your email on a suppression list to ensure we don't email you again by accident).

Survey Data: Personal data collected for research studies (via Nextminder or surveys) is retained as per our Data Retention Policy. Typically, identifiable survey data is kept for the duration of the research project and then either deleted or anonymized. For instance, raw survey responses with personal identifiers might be deleted or anonymized within 2 years after study completion. Summary or aggregate results without personal identifiers may be kept longer for research purposes.

Analytics Logs: Web server logs are generally retained for 24 months or less. Analytics records are retained for the period configured in our analytics tools (Google Analytics user-level data retention is set to 26 months, after which the data is automatically deleted by Google). We use aggregated analytics reports for business insights but do not maintain identifiable analytics data beyond those periods.

Legal Compliance: If certain data needs to be kept longer to comply with legal obligations or to protect our legal rights, we will do so. For example, records of consents or communications may be kept for up to 5 years to defend against any legal claims (which is in line with typical statutes of limitations). Also, if an issue is under dispute or investigation, we retain relevant data until it is resolved.

After the retention period, we will either securely delete your personal data or anonymize it so it can no longer be associated with you. For example, we might delete user account details from our database but keep an aggregate count of how many users we had. If data is archived in backups, we have processes to delete or segregate personal data from backups once the retention period is over (with a potential short additional delay due to backup cycles).

You can request deletion at any time (as noted in your rights above), and we will delete data as long as we have no ongoing legitimate reason to keep it. For more details, see our internal Data Retention Policy which outlines specific timeframes per data category.

8. Security measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the personal data we process. In accordance with GDPR Article 32, we have measures in place to protect data against unauthorized access, alteration, disclosure or destruction. These include:

Encryption: Our website is secured with HTTPS, meaning data entered is encrypted in transit using TLS. Sensitive personal data (if any) is also encrypted at rest on our servers or those of our cloud providers. For instance, any database storing personal information is encrypted (using mechanisms like AWS RDS encryption or Azure storage encryption). Portable devices used by our team (laptops) are full-disk encrypted to protect data in case of loss.

Access Control: We employ role-based access controls (RBAC) and the principle of least privilege. Only authorized personnel who need to process your data have access to it. For example, only our marketing team and DPO can access the mailing list; only IT admins can access server logs. Administrative accounts are protected with multi-factor authentication (MFA) and strong password policies. We also regularly review and revoke access that is no longer needed.

Data Minimization: We try to collect the minimum data needed and keep it only as long as necessary (as described in retention). By minimizing what we store, we reduce security risk. For example, if you unregister or opt-out, we remove your data rather than keep it indefinitely.

Network and Application Security: We utilize firewalls, intrusion detection systems, and anti-malware solutions on our systems. Our website and backend systems are routinely updated with security patches to address vulnerabilities. We conduct periodic security audits and penetration testing on our website and apps to identify and fix weaknesses. Our development practices include code reviews with an eye on security (e.g., preventing SQL injection, XSS).

Monitoring and Logging: Our systems log key activities (logins, data access) and we have monitoring in place to alert on suspicious activities. For instance, if multiple failed login attempts occur or an unusual data download is detected, our security team investigates. This helps us detect and respond to potential incidents swiftly.

Third-Party Assurance: We vet our processors for strong security. We choose reputable providers (like AWS, Microsoft) that have robust security certifications (ISO 27001, SOC 2, etc.). We include data protection clauses in contracts ensuring they implement appropriate security. We also monitor their compliance. If a provider experiences a breach, they are obligated to inform us quickly so we can take action.

While we strive to protect your data, no system can be 100% secure. However, we have incident response plans to handle any suspected breach effectively (see our Security Incident Response Policy). In the unlikely event of a data breach affecting your data, we will notify the relevant supervisory authority and, where required, you, as required by law (under the GDPR, the authority within 72 hours of becoming aware of the breach where feasible, and you without undue delay where the breach is likely to result in a high risk to your rights and freedoms).

Please note that you also play a role in security. Ensure that any account credentials you create are strong and kept confidential. If you suspect any unauthorized access to your account or personal data, please notify us immediately.

9. Cookies and tracking

Our website uses cookies and similar tracking technologies to provide and improve our services. For detailed information on the cookies we use and how to manage your preferences, please refer to our Cookie Policy. In summary:

We use necessary cookies to enable basic site functionality (which do not require consent). We use analytics cookies (like Google Analytics) to understand how the site is used, only with your consent. These help us improve content and usability. We use marketing cookies (such as LinkedIn Insight, HubSpot) to measure marketing effectiveness and possibly tailor advertising, again only with your consent.

When you first visit, you will see a cookie consent banner. You can choose which categories of cookies to accept. Your choices will be remembered, but you can change them anytime via the cookie settings link on our site.

Certain personal data can be collected through cookies/tracking (like IP address, device ID, browsing behavior). We handle any such personal data in accordance with this Privacy Notice and only use it for the purposes stated (analytics to improve site, etc.).

If you disable or reject cookies, parts of the site may not function optimally (see Cookie Policy's guidance on this).

10. Changes to this privacy policy

We may update this Website Privacy Notice from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify users by posting a prominent notice on our website or by other means (e.g., email if appropriate). The "Last Updated" date at the top indicates when the latest changes were made.

For example, if we start collecting new data or use data in a new way, we will revise this notice accordingly and obtain new consent if required. We encourage you to review this page periodically to stay informed about how we are protecting your information.

Historic versions of this policy can be obtained by contacting us.

11. Contact and complaints

If you have any questions, concerns, or requests regarding this Privacy Notice or how we handle your personal data, please contact our Data Protection Officer at dpo@nextminder.com.

If you feel that we have not addressed your data protection concerns satisfactorily, you have the right to lodge a complaint with your local Supervisory Authority. For example, if you are in the EU, this could be the Data Protection Authority in your country of residence or where the issue occurred. In the UK, it is the Information Commissioner's Office (ICO).

We would, however, appreciate the chance to deal with your concerns before you approach the authority, so please consider reaching out to us first.