Regional Privacy Addendum

For data processed in connection with the MindWiki Service, the data controller is MindWiki, a US-based operation. Privacy requests, complaints, and DPA queries: dpo@mindwiki.io.

MindWiki does not maintain a separately-incorporated EU or UK entity at this time. For users in the EU, UK, Brazil, or other regions with extraterritorial scope, MindWiki acts as the controller; correspondence in English to dpo@mindwiki.io is the primary contact channel.

Lawful bases

• Performance of a contract — to deliver the Service you signed up for: account creation, sync, billing, support.
• Legitimate interests— security monitoring, fraud prevention, abuse detection, product analytics in aggregated form, defending against legal claims, communicating service updates. We've assessed these against your fundamental rights; you may object at any time.
• Consent — optional features (marketing emails, optional AI features beyond the baseline, microphone / camera / photos access). Withdrawable at any time without affecting prior processing.
• Legal obligation — responding to law-enforcement requests, tax / accounting record retention, CSAM reporting.

International transfers

Data is transferred to the United States and other countries where our subprocessors operate. We rely on:

• EU Standard Contractual Clauses (Module 2 or Module 3 as applicable).
• The UK International Data Transfer Addendum (IDTA) to the EU SCCs for UK data.
• The Swiss FDPIC's recognition of SCCs (revised version).
• Subprocessor certifications under the EU–US Data Privacy Framework where the provider participates.

Your rights

• Access, rectification, erasure.
• Restriction and objection to processing.
• Data portability.
• Withdrawal of consent.
• Not to be subject to solely automated decisions with legal or similarly significant effects.
• To lodge a complaint with your national supervisory authority. A list of EU national authorities is at edpb.europa.eu. UK users can contact the Information Commissioner's Office at ico.org.uk. Swiss users can contact the FDPIC at edoeb.admin.ch.

EU Representative

We will appoint and publish an EU GDPR Article 27 representative once required by the volume of EU users. Until then, contact us directly at dpo@mindwiki.io.

US state privacy laws (CCPA/CPRA in California, VCDPA in Virginia, CPA in Colorado, CTDPA in Connecticut, UCPA in Utah, TDPSA in Texas, FDBR in Florida, and the increasing number of similar laws in other states) grant residents of those states a similar set of rights:

• Right to know what personal information is collected, used, disclosed, and (in some jurisdictions) sold or shared.
• Right to access and portability — receive a copy.
• Right to delete.
• Right to correct inaccuracies.
• Right to opt outof the "sale" or "sharing" of personal information (where the law defines those terms). MindWiki does not sell personal information for money and does not share personal information for cross-context behavioral advertising. Our position is that no opt-out is triggered, but we honor signals like the Global Privacy Control as opt-outs out of an abundance of caution.
• Right to limit use of sensitive personal information — California-specific. We use sensitive PI only for the disclosed purposes (operating the Service, security, fraud prevention) and not for profiling.
• Right to non-discrimination for exercising any of the above.
• Right to appeal a denied request — appeals to appeals@mindwiki.io.

Authorized agents may submit requests on a resident's behalf with valid documentation (signed power of attorney; verified identity of the underlying consumer).

California Shine the Light: we do not share personal information with third parties for their direct marketing purposes.

California Civil Code §1798.83 contact: dpo@mindwiki.io.

• Lawful bases mirror GDPR (consent, contract, legitimate interests, legal obligation, protection of life, exercise of rights, public interest).
• Rights include access, correction, anonymization / blocking / deletion, portability, information about entities with whom data has been shared, revocation of consent, and opposition to processing.
• The data protection authority is the Autoridade Nacional de Proteção de Dados (ANPD); complaints at gov.br/anpd.
• We will appoint a Brazilian DPO if required by the volume of Brazilian users. Contact dpo@mindwiki.io in the meantime.

• Rights to access, correction, and withdrawal of consent.
• We provide information about international transfers and the safeguards that protect data when it leaves Canada.
• Quebec residents have additional rights including data portability and the right to refuse automated decision-making.
• Complaints: the Office of the Privacy Commissioner of Canada at priv.gc.ca and the relevant provincial commissioner.

• Rights to access and correction.
• We disclose international transfers consistent with APP 8 and rely on contractual safeguards with our subprocessors.
• Complaints: the Office of the Australian Information Commissioner at oaic.gov.au.

• Rights to access, correction, deletion, suspension of processing.
• Sensitive personal information is processed only with separate consent where required.
• Complaints: the Personal Information Protection Commission at pipc.go.kr.

• Rights to disclosure, correction, suspension of use, deletion, and disclosure to third parties.
• International transfers disclosed; we provide information about the receiving country's data protection laws on request.
• Complaints: the Personal Information Protection Commission (PPC) at ppc.go.jp.

For users in jurisdictions not specifically named above, we apply privacy principles consistent with GDPR as a baseline. If your jurisdiction grants stronger rights than what we describe in the Privacy Policy, those rights apply.

For specific local requirements (Switzerland nFADP, Argentina PDPL, South Africa POPIA, India DPDP, etc.) contact dpo@mindwiki.io and we will confirm how the right is exercised in our system.

• Privacy Policy
• Privacy Choices & Data Rights
• Subprocessors
• AI Processing Policy