Data Privacy
GDPR compliance and data subject rights.
Last updated
Mistvine implements privacy-by-design principles and supports GDPR data subject rights.
Privacy Principles
| Principle | Implementation |
|---|---|
| Data minimization | Collect only what's needed |
| Purpose limitation | Use data only for stated purposes |
| Storage limitation | Enforce retention policies |
| Integrity | Prevent unauthorized modification |
| Confidentiality | Encrypt data at rest and in transit |
Consent Management
Mistvine tracks consent preferences with full audit trail:
- Required consents (Terms of Service, Privacy Policy)
- Optional consents (marketing, analytics)
- Consent grants and revocations are logged
GDPR Data Subject Rights
Right to Rectification (Article 16)
Users can update their personal information through their profile.
Right to Erasure (Article 17)
Users can request account deletion through Settings. Deletion is subject to:
- Identity verification
- Legal hold exceptions (Article 17(3)(e))
- Ownership transfer requirements
Right to Object (Article 21)
Users can withdraw consent for optional processing through consent preferences.
Account Deletion
Process
- User requests deletion
- Identity verification
- Prerequisite check (no legal holds, no sole ownership)
- Data anonymization
- Session termination
Data Handling
| Data Type | Treatment |
|---|---|
| Profile | Anonymized |
| Personal content | Deleted |
| Feedback given | Anonymized |
| Audit logs | Retained for 7 years (compliance) |
Feedback Privacy
Access-Controlled Anonymity
Peer feedback reviewer identities are stored for audit and legal compliance purposes, but access is controlled through configurable transparency levels. Who can see reviewer identities depends on organization settings:
- Reviewees see aggregated feedback, not individual reviewer identities
- Managers may see detailed feedback based on transparency configuration
- Administrators can access full records when required for compliance
This approach enables both psychological safety for routine feedback and accountability for legal holds or abuse investigation.
Cross-Border Transfers
For EU data subjects:
- Standard Contractual Clauses (SCCs) with vendors
- Data Processing Agreements (DPAs)
- Encryption in transit and at rest
Breach Response
In the event of a data breach:
- Contain and assess within detection
- Notify supervisory authority within 72 hours (if required)
- Notify affected users without undue delay (if high risk)