
Privacy Policy

Effective Date: April 16, 2026

Last Updated: April 16, 2026

1. Who We Are

Data Controller:

We are the “data controller” under GDPR Article 4(7), meaning we determine the purposes and means of processing your personal data when you use our mentoring platform.

Service Details:

  • Primary Domain: elc.space
  • Application Domain: app.elc.space
  • Service: Premium mentoring marketplace connecting mentees with vetted mentors in engineering leadership, product management, and related disciplines

2. What Data We Collect

We collect personal data when you use our platform. Here is what we collect and how:

2.1 Information You Provide Directly

When you apply to use our mentoring platform, we collect:

  • Name and Contact Details: Full name, email address, phone number (optional)
  • Professional Information: Job title, company name, role/position
  • Professional Links: LinkedIn profile URL (optional)
  • Mentoring Intake: Motivations for seeking mentoring, specific goals you want to achieve, preferred mentoring topics (e.g., technical leadership, product strategy, organizational development), booking preferences (pay-as-you-go or packages)
  • Business Details: Company address and VAT/tax ID (only if invoicing required)
  • Manager Information: Manager name and email address (only for company-sponsored mentees)
  • Referral Source: How you learned about our platform

This information is collected through:

  • Application forms (powered by Tally)
  • Onboarding questionnaires
  • Your user profile

2.2 Session and Mentoring Data

During and after mentoring sessions, we collect and store:

  • Session Information: Dates and times of booked sessions, session duration, which mentor you worked with
  • Feedback and Ratings: Your satisfaction scores (1-10 scale), written feedback comments about each session
  • Mentor Summaries: Notes and summaries created by your mentor about session discussions, insights, and action items
  • Mentoring Journey Log (MJL): Detailed records of your mentoring progress including session notes, action items assigned to you, progress updates, and homework completion ratings
  • Homework Tracking: Assignments given during sessions and your completion ratings
  • Ownership Score: System-generated metric tracking your engagement and accountability

2.3 Communication Data

We keep records of:

  • Email Communications: Type of email sent (confirmation, reminder, feedback request, etc.), date and time sent, delivery status, whether you opened the email
  • Session Invitations: Calendar booking confirmations, pre-session reminders, post-session follow-ups

2.4 Financial and Payment Data

We collect and store:

  • Pricing and Billing: Prices quoted or charged to you, your payment status (paid, pending, unpaid), invoice numbers and references
  • Payment Provider References: Stripe transaction IDs and payment references (starting in MVP2 when payment processing is activated)

2.5 Data Collected Automatically

  • Usage Data: Pages you visit on our platform, features you use, time spent on the platform
  • Device and Browser Information: Device type, browser type, operating system (for troubleshooting and service improvement)
  • Error Logs: Technical errors that occur while you use our platform, captured through our error tracking system (Sentry)

2.6 Data We Do NOT Collect

We do not:

  • Track you across other websites or use advertising trackers
  • Collect sensitive data including health information, financial account details, biometric data, or other “special category” data
  • Use cookies for advertising or behavioral tracking
  • Collect data about children (our service is exclusively for professional adults)

3. Why We Collect Your Data (Purposes and Legal Bases)

Under GDPR Article 6, we process your personal data only for specific, legitimate purposes. Here is why we collect and use your data:

3.1 Performing Our Contract With You (Article 6(1)(b))

We process your data to deliver mentoring services:

  • Creating your user account and verifying your identity
  • Matching you with appropriate mentors based on your goals and preferences
  • Managing your session bookings and calendar invitations via Cal.com
  • Sending session confirmations, reminders, and post-session materials
  • Collecting your feedback and assessing session quality
  • Processing payments and issuing invoices (once payment processing is active)
  • Delivering mentor summaries and tracking your mentoring progress
  • Managing homework assignments and your Ownership Score

Legal Basis: This processing is necessary to perform our mentoring service agreement with you.

3.2 Our Legitimate Interests (Article 6(1)(f))

We process your data to improve our service and protect our business:

  • Quality Assurance: Analyzing feedback and ratings to ensure mentors meet our 9/10+ quality standard. If a session scores below 7/10, quality guarantees apply.
  • Platform Improvement: Understanding user behavior patterns to improve features, user experience, and onboarding
  • Fraud Prevention: Detecting unusual booking or payment patterns to prevent fraudulent activity
  • Legal Compliance: Maintaining records to meet tax and regulatory obligations in the Czech Republic
  • Performance Monitoring: Analyzing mentor performance and mentee progress to ensure accountability

Balancing Test: These interests are balanced against your privacy rights. We limit data retention, use minimal tracking, and do not share data for marketing without consent.

3.3 Your Consent (Article 6(1)(a))

We collect and use specific data only with your explicit permission:

  • Marketing Communications: Sending newsletters, product updates, or promotional content. You can opt out at any time.
  • LinkedIn Collaboration: Using your name and mentoring relationship as a testimonial or case study on LinkedIn or public channels (only if you explicitly consent during onboarding)
  • Testimonials: Sharing your success stories or feedback publicly (only with your specific written permission)
  • Manager Notifications: Sharing session summaries with your manager (only for company-sponsored mentees, with consent during onboarding)

You can withdraw consent at any time by emailing [email protected]. Withdrawing consent does not affect the legality of processing before you withdrew it.

3.4 Legal Obligations (Article 6(1)(c))

We may process your data to comply with legal requirements:

  • Tax and accounting regulations in the Czech Republic requiring us to retain financial records
  • Court orders or regulatory investigations
  • Anti-fraud and security investigations

4. How We Use Your Data

Your data is used in the following specific ways:

4.1 Mentoring Service Delivery

  • User Account Management: We create and maintain your user profile with the information you provide
  • Mentor Matching: We use your goals, preferred topics, and experience level to suggest appropriate mentors
  • Calendar and Booking: We share your email address with Cal.com so it can send calendar invitations and manage session scheduling
  • Session Execution: Your mentor receives session summaries and homework tracking to deliver personalized coaching
  • Quality Feedback: We collect your satisfaction scores and comments to rate mentor performance and ensure quality standards

4.2 Mentoring Journey Log (MJL)

Your complete mentoring progress is stored in a shared Notion workspace:

  • What is Stored: Session summaries written by your mentor, action items assigned to you, homework assignments, progress updates, and your ratings
  • Who Can Access: You and your assigned mentor have access to view and edit your MJL. Your manager can access the MJL if you are a company-sponsored mentee
  • Why: The MJL creates transparency and accountability throughout your mentoring relationship

4.3 Email Communications

  • Transactional Emails: Session confirmations, reminders, feedback requests (essential for service delivery)
  • Marketing Emails: Newsletter updates, new mentor announcements, platform feature updates (only if you opted in)
  • Administrative Emails: Alerts about quality guarantees, payment issues, or account changes

We use Resend to send all emails. Email delivery status and open rates are tracked for service quality purposes only.

4.4 Financial Processing

  • Invoicing: We create invoices with your name, email, and company details
  • Payment Tracking: We record which sessions you have paid for and invoice status
  • Stripe Records: Once payment processing is activated (MVP2), your payment information will be processed through Stripe. Stripe will receive only the minimum data required for payment processing

4.5 Quality Assurance and Continuous Improvement

  • Feedback Analysis: We analyze session ratings and comments to identify coaching quality issues
  • Automated Quality Waiver: If a session scores below 7/10, our system automatically waives your payment as part of our quality guarantee
  • Performance Tracking: We track mentor performance metrics to ensure they meet our standards
  • Platform Analytics: We analyze usage patterns to improve booking flows, email timing, and user experience
  • Error Monitoring: Technical errors are logged to Sentry (anonymized) to identify and fix bugs

5. Who We Share Your Data With (Third-Party Data Processors)

We use third-party service providers to deliver our platform. These are “data processors” under GDPR Article 28, meaning they process data only on our instructions and under contract.

5.1 Essential Service Providers

Supabase (Database Hosting)

  • What Data: Your profile information, all session data, booking records, feedback scores, payment records, email logs
  • Location: European Union data centers
  • Purpose: Secure cloud database hosting with Row Level Security
  • Legal Basis: Data Processing Agreement (DPA) in place

Cal.com (Scheduling Platform)

  • What Data: Full name, email address, session times and preferences
  • Purpose: Manage mentee-mentor calendar bookings and send calendar invitations
  • How It Works: Your email is pre-filled in booking links we send you, so you do not need to type it
  • Legal Basis: Data Processing Agreement in place

Tally (Forms and Onboarding)

  • What Data: All information submitted through application and onboarding forms (name, email, job title, mentoring goals, company details)
  • Purpose: Collect initial application and intake information
  • Legal Basis: Data Processing Agreement in place

Resend (Transactional Email Service)

  • What Data: Email address, email type (confirmation, reminder, feedback request), send/delivery status
  • Purpose: Send transactional emails (confirmations, reminders, feedback requests, summaries)
  • Retention: Email logs retained for 90 days
  • Legal Basis: Data Processing Agreement in place

Notion (Mentoring Journey Log Storage)

  • What Data: Session summaries, action items, homework assignments, progress notes, completion ratings, mentor feedback
  • Purpose: Shared workspace for you and your mentor to track progress and maintain accountability
  • Retention: Indefinite (part of your mentoring record)
  • Legal Basis: Data Processing Agreement in place

Vercel (Application Hosting)

  • What Data: Usage logs, device/browser information, anonymized error data
  • Purpose: Host and serve our web application
  • Legal Basis: Data Processing Agreement in place

5.2 Future Service Providers (Not Active in MVP1)

Stripe (Payment Processing) — MVP2

  • What Data: Payment amounts, invoice references, transaction dates (NOT full card details, which Stripe encrypts)
  • Purpose: Process payments from mentees and distribute payments to mentors
  • Status: Not yet active in MVP1. Will be activated once payment processing launches.
  • Legal Basis: Data Processing Agreement will be in place before activation

Sentry (Error Tracking)

  • What Data: Anonymized error logs and technical diagnostics (no personal data included)
  • Purpose: Monitor application errors and system health
  • Legal Basis: Anonymized data does not require DPA

5.3 Data We Share With Mentors

Your mentor receives:

  • Your name, job title, company, and mentoring goals
  • Session notes and feedback you provided
  • Your homework completion ratings
  • Your Ownership Score (engagement metric)

Your mentor does NOT receive your email address, phone, or financial data.

5.4 Data We Share With Managers (Company-Sponsored Mentees Only)

If your company sponsors your mentoring, your manager receives:

  • Session summaries (what was discussed, key insights)
  • Your Ownership Score (tracking your engagement and accountability)
  • Your progress towards stated mentoring goals

Your manager does NOT receive your session feedback scores or personal notes.

5.5 Data Sharing We Do NOT Permit

We do NOT share your data with:

  • Advertising networks or marketing partners
  • Data brokers or analytics companies
  • Competitors or unauthorized third parties
  • AI training systems (as of this policy date, February 2026)

6. International Data Transfers

Your data is stored primarily in the European Union (Supabase EU region), so transfers outside the EU are minimal.

6.1 EU Data Locations

  • Database (Supabase): EU data centers (GDPR compliant)
  • Email Service (Resend): Operates within EU legal framework
  • Application Hosting (Vercel): EU-compliant infrastructure with DPA
  • Notion: EU-compliant with standard data processing terms

6.2 Third-Country Transfers (If Any)

If your data must be transferred outside the EU (for example, if Stripe processes your data in the United States), we rely on:

  • Standard Contractual Clauses (SCC) under GDPR Article 46
  • Adequacy decisions by the European Commission
  • Your explicit consent for specific transfers

We review and update our data transfer mechanisms regularly to comply with GDPR requirements and Czech law.

7. How Long We Keep Your Data (Retention Periods)

We keep your personal data only as long as necessary for the purposes described above. Here are our retention periods:

7.1 Active Mentee Accounts

During Active Mentoring Relationship:

  • User profile information: Retained while you are actively using the platform
  • Session records, feedback, ratings: Retained for entire mentoring relationship
  • Mentor summaries and MJL: Retained indefinitely (your mentoring history)
  • Email logs: Retained for 90 days after sending
  • Technical logs and error records: Retained for 30 days

7.2 After Mentoring Ends (Paused or Terminated)

Upon Request to Close Your Account:

  • Your email address: Retained for 2 years (for tax compliance and to prevent duplicate accounts)
  • Session history and MJL: Retained indefinitely (part of your mentoring record and our track record)
  • Feedback and ratings: Anonymized and retained for quality assurance
  • Payment records: Retained for 7 years (Czech tax law requirement)

If You Do Not Respond to Engagement:

  • Inactive accounts are reviewed after 12 months
  • We will email you asking if you wish to continue
  • If no response within 30 days, your account may be archived but data is retained (not deleted)

7.3 Special Cases

Marketing Emails:

  • Retained until you unsubscribe
  • If you opt out, we add you to a suppression list retained for 3 years (to avoid sending unwanted emails)

Quality Guarantees and Disputes:

  • Session data relevant to quality claims retained for 2 years after the session

Legal Obligations:

  • Tax and accounting records: 7 years (Czech law requirement)
  • Court orders or regulatory investigations: As required by law

8. Your Rights Under GDPR

You have the following rights regarding your personal data. To exercise any right, email [email protected] with your request.

8.1 Right to Access (Article 15)

You have the right to request a copy of all personal data we hold about you, including:

  • Your complete user profile
  • All session records, feedback, and ratings
  • Communication logs
  • Any data we have shared with third parties

How to Exercise: Email [email protected] requesting “access to my personal data under GDPR Article 15.” We will provide your data within 30 days (extendable to 60 days for complex requests). Data will be provided in a commonly used digital format (e.g., PDF or CSV).

8.2 Right to Rectification (Article 16)

You have the right to correct inaccurate personal data about you.

If your job title, company name, contact information, or other profile details are incorrect, you can:

  • Update your profile yourself in the app
  • Email [email protected] requesting specific corrections

We will correct the data within 30 days.

8.3 Right to Erasure / “Right to be Forgotten” (Article 17)

You have the right to request deletion of your personal data in certain circumstances:

We WILL delete your data if:

  • You ask us to delete it and there is no legal reason to keep it
  • You withdraw consent and we have no other legal basis to process the data
  • Your data is no longer necessary for the purpose it was collected
  • You object to processing based on our legitimate interest

We WILL NOT delete your data if:

  • You are still actively using the mentoring service (deletion would prevent service delivery)
  • We are legally required to keep it (tax records, 7 years)
  • You have an outstanding invoice or payment dispute

How to Exercise: Email [email protected] requesting “erasure of my personal data under GDPR Article 17.” Specify which data you want deleted. We will respond within 30 days explaining whether we can delete it and why.

8.4 Right to Restrict Processing (Article 18)

You can ask us to limit how we use your data. For example:

  • You dispute the accuracy of your data (we can keep it but cannot use it until the dispute is resolved)
  • You object to our processing based on legitimate interest (we can keep it but stop using it for that purpose)
  • We no longer need the data but you want us to keep it rather than delete it

How to Exercise: Email [email protected] requesting “restriction of processing under GDPR Article 18” and explain why.

8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV or JSON) and to transmit it to another service. This applies to data you provided or data generated through our service.

Portable Data Includes:

  • Your profile information
  • Session records and dates
  • The feedback and ratings you submitted
  • Mentor summaries and action items

How to Exercise: Email [email protected] requesting “my personal data in portable format under GDPR Article 20.” We will provide it within 30 days in CSV or JSON format.

What We Cannot Provide: We cannot provide mentor feedback about you (which is their intellectual property) or mentor ratings (which belong to the mentor, not to you).

8.6 Right to Object (Article 21)

You have the right to object to our processing of your data based on our “legitimate interest” legal basis. This includes:

  • Objecting to quality assurance analysis of your feedback
  • Objecting to platform improvement analytics
  • Objecting to marketing emails (you can also unsubscribe directly)

How to Exercise: Email [email protected] requesting to “object to processing under GDPR Article 21” and specify which processing you object to.

If you object to processing necessary for service delivery, we may not be able to provide the mentoring service.

8.7 Right to Withdraw Consent (Article 7)

For any processing we do based on your consent (marketing emails, LinkedIn testimonials, manager notifications), you can withdraw consent at any time without penalty.

How to Exercise:

  • For marketing emails: Click the unsubscribe link in any email
  • For other consent-based processing: Email [email protected] requesting to “withdraw consent” and specify what you are withdrawing consent for

Withdrawing consent only affects future processing, not past processing done with consent.

8.8 Right to Lodge a Complaint (Article 77)

If you believe we have mishandled your personal data or violated your rights, you have the right to lodge a complaint with the Czech Data Protection Authority:

Czech Data Protection Authority (UOOU):

You can also lodge a complaint with the data protection authority in your country of residence.

9. Automated Decision Making and Profiling

9.1 Quality Guarantee Automation

We use an automated decision system for our quality guarantee:

The Decision: If a session receives a feedback score below 7/10, our system automatically waives the mentee’s payment (refund or credit).

Your Rights:

  • You have the right to know how this decision is made
  • You have the right to human review if you disagree with the decision
  • You can request manual review by emailing [email protected]

No Significant Adverse Effect: This automated decision is not used to make inferences about you or to target you for other decisions. It is purely a transactional quality guarantee.

9.2 No Profiling or Algorithmic Decision Making

We do NOT use profiling, machine learning, or algorithmic decision-making to:

  • Determine your eligibility for mentoring
  • Match you with mentors (matching is manual)
  • Assess your job performance or suitability for roles
  • Make predictions about your future behavior

10. Cookies and Tracking

10.1 What Are Cookies?

Cookies are small files stored on your device that track your activity. We use cookies minimally and only for essential functionality.

10.2 Cookies We Use

Essential Cookies (Required for Service):

  • Session cookies: Keep you logged in while using the app
  • Security cookies: Prevent unauthorized access
  • Preference cookies: Remember your language and timezone settings

No Tracking Cookies:

  • We do NOT use advertising cookies
  • We do NOT use behavioral tracking cookies
  • We do NOT use analytics cookies that track you across sites
  • We do NOT sell cookie data to third parties

10.3 Cookie Consent

Essential cookies are necessary for the service to work, so they are placed automatically. You cannot disable essential cookies without breaking the app functionality.

We do not place non-essential cookies, so no cookie consent banner is required.

10.4 Your Cookie Controls

You can control cookies in your browser settings:

  • Clear cookies at any time
  • Block all cookies (though this will break app functionality)
  • Set browser preferences to limit cookie duration

11. Data Security

11.1 Security Measures We Use

We implement technical and organizational security measures to protect your data from unauthorized access, loss, or misuse:

Technical Controls:

  • Encrypted data transmission (HTTPS/TLS for all web traffic)
  • Encrypted data storage (at rest in Supabase)
  • Row Level Security (RLS) in our database to isolate user data
  • Regular automated backups with encryption
  • Access controls limiting who can view your data

Organizational Controls:

  • Employees are trained on data protection and privacy
  • Data access is limited to staff who need it to provide services
  • Third-party vendors are required to meet GDPR and security standards
  • Regular security audits and vulnerability assessments

Signed Token Authentication:

  • Email action links (feedback buttons, homework ratings) use HMAC-signed tokens
  • Tokens expire after 7 days
  • Tokens are single-use (cannot be reused)

11.2 What We Cannot Guarantee

No security system is 100% secure. While we invest significantly in security, we cannot guarantee:

  • Complete protection against unauthorized hacking or breaches
  • Protection against insider threats or employee misconduct
  • Protection if you share your email password with others

If a security breach occurs:

  • We will notify you within 72 hours (as required by GDPR Article 33)
  • We will notify the Czech Data Protection Authority (UOOU) if the breach poses a risk to your rights
  • We will provide guidance on steps you can take to protect yourself

11.3 Your Security Responsibilities

You are responsible for:

  • Keeping your email account secure (email is your identity in our system)
  • Not sharing your session links or tokens with unauthorized people
  • Logging out if using a shared device
  • Reporting suspicious activity to [email protected]

12. Children and Minors

Our mentoring service is exclusively for professional adults. We do not knowingly collect data from anyone under 18 years old.

Our Policy:

  • We target professionals (engineers, product managers, leadership roles)
  • Onboarding requires professional email and job title
  • We do not market to children
  • If we learn a user is under 18, we will delete their account and data

If you believe a child has created an account, please contact [email protected] immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy as our service evolves, legal requirements change, or we add new features.

13.1 How We Notify You

Minor Updates (clarifications, formatting, non-material changes):

  • Published on our website
  • No notification required

Material Changes (new data collection, new third parties, changes to your rights):

  • We will email you at least 30 days before the change takes effect
  • Material changes require your explicit consent if they expand data collection or change the purpose of processing

13.2 Your Rights If We Change the Policy

If we make material changes you do not agree with:

  • You can request deletion of your account (subject to legal retention requirements)
  • You can stop using the service
  • You maintain all GDPR rights including the right to lodge a complaint

14. Third-Party Links and Services

Our platform includes links to external services:

  • Cal.com (calendar booking)
  • Notion (mentoring progress tracking)
  • LinkedIn (optional profile links)
  • Google Meet (video calling)

When you visit these services, their privacy policies apply. We are not responsible for their data practices. Review their privacy policies before providing your information.

15. How to Contact Us

15.1 Privacy Questions and Requests

For any privacy-related questions or to exercise your GDPR rights:

Email: [email protected]

In Your Email, Please:

  • State the subject clearly (e.g., “Data Access Request Under GDPR Article 15”)
  • Provide enough detail so we can identify you
  • Explain what you are requesting

Response Time: We aim to respond within 5 business days. Complex requests may take up to 30 days.

15.2 Reporting Data Misuse

If you believe we have mishandled your data, please:

  1. Email [email protected] with details
  2. Lodge a complaint with the Czech Data Protection Authority (UOOU): https://www.uoou.cz/

15.3 Legal Complaints and Disputes

For legal disputes regarding data privacy (not GDPR rights):

  • Address: Engineering Leaders Community s.r.o., Czech Republic
  • Jurisdiction: Czech courts

16. Additional Information for Specific Users

16.1 For Company-Sponsored Mentees

If your company sponsors your mentoring:

  • Your company may have a separate data processing agreement with us
  • Your manager may receive limited data (session summaries, Ownership Score)
  • You should contact your HR or Data Protection Officer with privacy concerns
  • You retain all GDPR rights independently of your company

16.2 For Mentors

If you are a mentor using our platform:

  • This policy applies to your data as well
  • You have separate terms governing mentor terms, commission, and confidentiality
  • Contact [email protected] regarding mentor-specific privacy questions

16.3 For EU Residents Outside Czech Republic

This Privacy Policy complies with GDPR and applies to all EU residents. You have the right to lodge complaints with your local data protection authority:

17. Definitions

  • Data Controller: The entity that decides what data to collect and why (Engineering Leaders Community s.r.o.)
  • Data Processor: A third party that processes data on the controller’s behalf under contract (Supabase, Cal.com, Resend, etc.)
  • Personal Data: Any information that identifies you or can be linked to you (name, email, IP address, etc.)
  • Processing: Any action on personal data (collection, storage, use, sharing, deletion, etc.)
  • Legitimate Interest: A lawful reason to process data, balanced against your privacy rights
  • GDPR: General Data Protection Regulation (EU Regulation 2016/679)
  • Mentoring Journey Log (MJL): Your personal mentoring progress record stored in Notion
  • Ownership Score: Our engagement metric tracking your accountability and homework completion
  • Quality Guarantee: Our promise that if a session scores below 7/10, you do not pay

Summary: Your Key Rights at a Glance

Right | What It Means | How to Exercise
Access | Get a copy of all your data | Email [email protected]
Rectification | Fix incorrect data | Update in app or email request
Erasure | Delete your data (when possible) | Email [email protected]
Restrict | Limit how your data is used | Email [email protected]
Portability | Get your data in portable format | Email [email protected]
Object | Opt out of certain processing | Email [email protected] or unsubscribe
Withdraw Consent | Stop consented processing | Email [email protected] or unsubscribe
Lodge Complaint | Report to data protection authority | Contact Czech UOOU or your local DPA

Document Version: 1.0

Last Reviewed: April 16, 2026

Next Review Date: April 16, 2027

For the most current version of this policy, visit: mentoringhub.io/privacy

This Privacy Policy is provided in English. If there is any inconsistency between the English version and a translated version, the English version prevails.