
Privacy Policy

What we collect when you buy a ticket or visit theaiminds.ro, why we keep it, who else touches it, and how to make us delete it. Plain language, no dark patterns.

Last updated: 05.05.2026 · GDPR (Reg. EU 2016/679) · Romanian Law 190/2018

01 · Section

Data controller

CYBERSKILL SRL ("we", "the organizer") is the data controller for personal data processed in connection with AI Minds 2026.

CUI / VAT: RO33007390
Reg. com.: J2021005758239

We are not required by law to appoint a Data Protection Officer (DPO), but we operate as if we had one — every GDPR request is handled with the same care a DPO would apply.

02 · Section

Data we collect

What you give us directly

  • Name, email, phone, country — to issue your ticket and stay in touch about the event.
  • Job title, company, industry — to personalise your badge and produce aggregated, non-personal event statistics.
  • Billing details (company name, CUI/VAT, country, registered address) — only when you tick "I'm a legal entity" at checkout.
  • Newsletter consent — only if you explicitly opt in.
  • Per-attendee data for multi-ticket orders (name, email, optional company per invitee).

What we collect automatically when you buy

  • IP address, user agent (browser/OS), HTTP referrer, browser language.
  • Approximate IP geolocation: country, region, city, postcode, timezone, latitude/longitude (city-level), ISP/org, AS number — used for fraud screening.
  • Timestamps for every checkout attempt and successful purchase.

What we generate at the event

  • Ticket scan logs: scan timestamp, scanner identity (admin or volunteer), scanner IP / user agent, result (valid / already used / void / invalid), check-in location.

Payment data

Card details are entered directly on Stripe Checkout and are never seen, processed or stored by us. We retain only the Stripe identifiers Stripe sends back (session ID, payment intent ID, last 4 digits, card brand). PCI-DSS scope sits with Stripe.

03 · Section

Why we use it (legal bases)

Performance of contract — Art. 6(1)(b)

Issuing & validating your ticket, sending order confirmations, processing refunds, attendee assignment.

Legitimate interest — Art. 6(1)(f)

Fraud prevention, security logs, IP geolocation enrichment for abuse detection, scan audit trail to prevent ticket reuse.

Legal obligation — Art. 6(1)(c)

Bookkeeping, fiscal invoices, tax records — Romanian Accounting Law 82/1991, Fiscal Code (227/2015).

Consent — Art. 6(1)(a)

Newsletter, marketing emails, optional sponsor sharing. You can withdraw consent any time without affecting prior lawful processing.

04 · Section

Sub-processors

The third parties below process your data on our behalf under a Data Processing Agreement (DPA). Each operates inside the EEA or under EU Standard Contractual Clauses.

Sub-processor | Purpose | Data shared | Region
Stripe Payments Europe Ltd | Card payment processing | Card token, billing email, amount, country | EEA · DPA
Oblio Software SRL | Fiscal invoicing & ANAF e-Factura | Buyer name, CUI, address, line items | Romania
Google Ireland Ltd (Workspace SMTP) | Outbound email (orders, check-in, newsletter) | Recipient email, subject, body | EEA · DPA
SendSMS.ro (TR Networks SRL) | Admin 2FA SMS codes only | Admin phone & one-time code | Romania
Hosting provider (cyberskill / shared) | Server infrastructure & database | All application data | Romania
ip-api.com | IP geolocation lookup (anti-fraud) | Visitor IP only | EU · Privacy
Accountants & legal counsel of CYBERSKILL SRL | Bookkeeping, fiscal & legal advice | Invoices & orders | Romania · NDA

Sponsors and partners do not receive your contact data unless you explicitly opt in at the event (e.g., scanning a partner badge or dropping a business card).

05 · Section

Retention

We keep data only as long as needed for the original purpose, plus the minimum legal retention. Sample timelines:

Category | Retention | Reason
Orders, tickets, invoices | 10 years | Romanian Accounting Law 82/1991
Stripe payment metadata | 10 years | Aligned with accounting
Ticket scan logs | 12 months after event | Then deleted
IP / geolocation enrichment | 12 months | Then anonymised
Newsletter subscribers (confirmed) | Until you unsubscribe | Pending tokens auto-delete >14 days
Admin authentication & audit log | 12 months | Auto-pruned by scheduled job
DB backups | 30 days | Off-public, encrypted at rest

06 · Section

Your rights under GDPR

Under Regulation (EU) 2016/679 you have the right to:

  • Access a copy of your data (Art. 15)
  • Rectify inaccurate or incomplete data (Art. 16)
  • Erasure when no longer needed (Art. 17)
  • Restrict processing in specific cases (Art. 18)
  • Portability in a machine-readable format (Art. 20)
  • Object to processing on legitimate interest (Art. 21)
  • Withdraw consent at any time (Art. 7)
  • Lodge a complaint with ANSPDCP

Write to contact@theaiminds.ro with subject "GDPR — <your right>". We respond within 30 calendar days. We may ask for proof of identity to prevent unauthorised disclosure.

07 · Section

International transfers

Where any sub-processor operates outside the EEA, transfers rely on EU Standard Contractual Clauses (SCCs) and the supplementary measures recommended by the EDPB (Recommendations 01/2020). No transfers to countries without an adequacy decision are made without these safeguards.

08 · Section

Cookies & local storage

We set only the strict minimum cookies needed for the site to work:

  • Session — Laravel session, expires at logout / 2h.
  • XSRF-TOKEN — anti-CSRF protection, expires with the session.
  • locale (when you change language) — UX preference.

No third-party tracking, advertising, or analytics cookies are set. If we add analytics in the future, we will display a consent banner first and respect your choice.

09 · Section

Security

  • All traffic over HTTPS (TLS 1.2+).
  • Database access restricted to a minimum set of authorised personnel.
  • Secret keys (Stripe, OBLIO, SMTP) encrypted at rest.
  • Tickets validated against a single-use check-in flag — no QR can be scanned twice.
  • Admin authentication: bcrypt password hashing, session-bound CSRF tokens, login rate limiting (5 attempts / 15 minutes), SMS-based 2FA.
  • Audit log of every destructive admin action (refund, void ticket, settings change).
  • Daily DB backups, retained 30 days, stored outside the public webroot.
  • Vulnerability disclosure policy at /legal/security with safe harbour for security researchers.

10 · Section

Automated decision-making

We do not make any automated decision that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22. Stripe runs internal anti-fraud scoring on cards — that decision is Stripe's, not ours, and is subject to Stripe's own privacy policy.

11 · Section

Children

The conference is intended for an adult professional audience. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided data, contact us and we will delete the records.

12 · Section

Changes to this policy

We may update this policy from time to time. Material changes are communicated by email to ticket holders and newsletter subscribers, and the "last updated" date at the top of this page is bumped. Trivial fixes (typos, link updates) are made without notice.

13 · Section

Contact

CYBERSKILL SRL · CUI RO33007390 · J2021005758239

Email: contact@theaiminds.ro · Press: adriana@theaiminds.ro · Phone: +40 751 887 719

Romanian Data Protection Authority: www.dataprotection.ro