RateMind

Privacy Policy

Last updated: May 2026

1. Data Controller

SKAJ Ventures GmbH
Sonnenlandstraße 4, 14471 Potsdam, Germany
Email: support@ratemind.net
Data protection contact: Stefan Köhn, support@ratemind.net

2. Data We Collect

2.1 Account Data

When you register, we collect your name, email address, and a hashed password. Your email is stored in plaintext for authentication; your password is stored only as a bcrypt hash.

2.2 Survey and Feedback Data

When customers respond to surveys, we collect their ratings, text answers, and (if provided via email invitations) their email addresses. Customer email addresses are encrypted with AES-256-GCM before storage. Only the account that created the survey can decrypt them.

2.3 Payment Data

Billing is handled by Stripe. We store your Stripe customer ID and subscription ID. We never store credit card numbers or bank details on our servers. Stripe's privacy policy applies to payment processing.

2.4 Technical Data

We use session cookies only, strictly necessary for authentication. We do not use tracking cookies, analytics cookies, or any third-party trackers. No IP addresses or user agents are stored.

3. How We Use Your Data

3.1 Contract Performance (Art. 6(1)(b) GDPR)

We process your account data, survey data, and feedback data to provide the RateMind service as described in our Terms of Service. This includes sending survey invitations and reminders via email.

3.2 Legitimate Interest (Art. 6(1)(f) GDPR)

We process anonymized, aggregated analytics (topic extraction, rating averages) to improve service quality. We apply rate limiting and bot protection to secure the service against abuse. Our legitimate interest is operating a secure and functional platform.

4. Sub-processors

Service | Purpose | Location
Vercel Inc. | Application hosting and edge delivery | United States
Neon Inc. | PostgreSQL database hosting | United States
Stripe Inc. | Payment processing | United States

Email sending is handled by our self-hosted SMTP infrastructure. No third-party email service is used.

Data transfers to the US are covered by the EU-US Data Privacy Framework where applicable, or by Standard Contractual Clauses (SCCs).

5. Data Subject Rights

Under the GDPR, you have the following rights:

  • Access (Art. 15): Request a copy of the personal data we hold about you.
  • Rectification (Art. 16): Request correction of inaccurate data via your account settings.
  • Erasure (Art. 17): Request deletion of your account and all associated data.
  • Restriction (Art. 18): Request that we limit processing of your data.
  • Portability (Art. 20): Request your data in a machine-readable format (CSV/JSON).
  • Objection (Art. 21): Object to processing based on legitimate interest.

To exercise these rights, contact us at support@ratemind.net.

6. Data Retention

  • Email events (delivery tracking): 12 months (default), then automatically deleted.
  • Invite data: 24 months, then automatically deleted.
  • Feedback data: retained indefinitely for analytics purposes.
  • Billing records: retained for 10 years per German tax law (§147 AO).

Business plan subscribers can configure custom retention periods. Account deletion triggers immediate removal of all personal data (crypto-shredding).

7. Cookies

RateMind uses only session cookies, strictly necessary for authentication and security. These cookies are:

  • HttpOnly (not accessible to JavaScript)
  • Secure (transmitted over HTTPS only)
  • SameSite=Lax (cross-site request protection)

We do not use tracking cookies, analytics cookies, or any third-party cookies. No cookie consent banner is needed because we rely solely on the ePrivacy Directive exemption for strictly necessary cookies.

8. Security

We implement the following security measures:

  • AES-256-GCM encryption for all customer PII (email addresses in surveys).
  • TLS encryption for all data in transit.
  • Pseudonymization via encrypted data tokens, so a database breach alone cannot link records to individual users.
  • Passwords hashed with bcrypt (cost factor 12).
  • Rate limiting on authentication endpoints.

9. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. The competent authority for our company is:
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77, 14532 Kleinmachnow
https://www.lda.brandenburg.de

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify registered users of material changes via email. The "last updated" date at the top of this page indicates the most recent revision.

© 2026 RateMind. All rights reserved.