Moonshot Pirates Foundation – Privacy Policy

Effective as of May 31, 2025

Your privacy matters to us. This Privacy Policy explains how Moonshot Pirates (“we” or “us”) collects, uses, shares, and protects personal information about you (“Personal Data”), and what choices and rights you have regarding your information. We are committed to safeguarding the privacy of our community members in accordance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws. Moonshot Pirates is a global movement empowering youth (15–24) to innovate, and we handle data with care especially given many of our participants are minors under 18 who merit specific protection. This Policy should be read in conjunction with our Terms & Conditions and our Child Safeguarding & Protection Policy. By using our websites, applications, or participating in our programs, you agree to the practices described in this Policy. If you do not agree, please do not use our Services.

1. Who We Are (Data Controller)

Moonshot Pirates Foundation is a non-profit organization registered in Austria, and is the sole owner of beapirate GmbH, a Vienna-based social enterprise​. Beapirate GmbH operates the Moonshot Pirates website and sub-sites on behalf of the Foundation​. In essence, Moonshot Pirates Foundation and beapirate GmbH work together to bring you our programs – for simplicity, this Policy refers to them collectively as “Moonshot Pirates” or “we/us.” For GDPR purposes, beapirate GmbH (Moonshot Pirates) is the primary data controller responsible for processing your Personal Data, under the oversight of the Foundation. Our contact details are provided at the end of this Policy.

We have appointed internal personnel responsible for data protection compliance. If you have any questions or concerns about data privacy, you can reach out to us at .

2. What Information We Collect

We only collect Personal Data that is relevant and necessary for the purposes of our programs and operations. The types of information we collect fall into several categories:

• Information You Provide Directly: When you interact with Moonshot Pirates, such as by registering on our website, applying for a program, filling out a contact form, or corresponding with us, you may give us information about yourself. This includes:
  • Contact Details: Your name, email address, telephone number, postal address, and other basic contact info.
  • Profile Information: Age or date of birth, gender (if you choose to provide it), country of residence, nationality, spoken languages, and possibly your photo or a bio if you upload one. We ask for your age to ensure you meet our age criteria and to determine if parental consent is needed (see Section 7: Children’s Privacy).
  • Education/Background: We may ask for information like your school/university or occupation, areas of interest or expertise (e.g. technology, sustainability), and skills or experience relevant to our innovation programs. This helps us tailor the program experience (for example, matching you with appropriate mentors or forming balanced teams).
  • Program Application Data: If you apply for specific programs, we might request additional information like motivation statements, project ideas, portfolios, or references. This information is used to evaluate your application and organize program content.
  • Event Logistics Data: For in-person events, we might collect travel details (flight times, etc.), accommodation needs, dietary requirements, emergency contact persons, and medical or allergy information but only if necessary for your safe participation. We treat health and emergency data with special care and only use it for planning and emergency preparedness.
  • Payment Information: If a program requires a fee or deposit, we (or our payment processor) will collect necessary billing details. This may include credit/debit card numbers or other payment account details, billing address, and transaction amount. Note: We typically use reputable third-party payment gateways (e.g., Stripe) and do not store full card numbers ourselves.
  • Communications: The content of any messages or inquiries you send us (emails, chat messages, survey responses, etc.) will be collected. This can include feedback, questions, or any other information you choose to provide.
• When you provide us with Personal Data, we will only use it for the purposes described at the time of collection or in this Policy. We endeavor to keep collected Personal Data confidential and secure​. We will not collect sensitive categories of personal data (like racial origin, political opinions, biometric data, etc.) unless there is a clear reason, such as a diversity survey where you have the option to provide such data voluntarily and with consent.
• Information We Receive from Third Parties: Occasionally, we may receive information about you from other sources:
  • Partners or Referrals: For example, if a school, youth organization, another participant, or corporate partner refers you to our program, they might provide us with your name and contact info to invite you. Or if you register through a co-branded event page managed with a partner, the information might be shared with us.
  • Public Sources: We might gather basic public information to verify eligibility or enrich your profile. For instance, we could look up your LinkedIn profile to understand your background better, or check public attendee lists from related conferences to invite relevant youth. We may also use third-party databases about students or entrepreneurs to reach out to potential participants​.
  • Payment Verification: To prevent fraud, we might use third-party services to verify payment information or assess risk when offering certain payment options (e.g., verifying a credit card or using a service that checks for fraudulent transactions)​.
• We treat any Personal Data obtained from third parties with the same care as data you give us directly, and in accordance with this Policy. We will also honor any additional restrictions placed on data that comes from a third-party source (for example, if it was collected with certain consent). If we combine third-party data with data we collected, we will handle the combined data under this Policy.
• Information We Collect Automatically: When you visit our websites or use our online platform, we (or service providers acting on our behalf) automatically collect certain technical information about your device and usage of our site. This may include:
  • Device and Browsing Info: Your device’s IP address, browser type, browser language, operating system, device identifiers or advertising IDs, and region/country.
  • Usage Data: How you interact with our site or app – e.g., the pages or screens you view, the features you use, the time and date of your visits, the links or buttons you click, the amount of time spent on pages, and the page you visited before coming to our site (referrer URL)​.
  • Cookies and Similar Tech: We use cookies, pixels, and similar technologies to collect and store some of this information (see “Cookies and Tracking” in Section 6 for details).
  • Analytics Information: We may collect analytics data or use third-party analytics tools (like Google Analytics) to help us measure usage and activity trends. These tools collect information such as your interactions with our website, where visitors come from, and which content is most popular. This information helps us understand our community’s interests and improve our web services​.
  • Location Information: We do not track precise GPS location, but from your IP address we can infer an approximate geographic location (such as city or country). This helps us understand our global reach and may be used to customize some content (for example, showing an event that’s in your region).
• This automatically collected data is generally used in aggregate form (not to identify you individually) but it may be linked with your account if logged in. Collecting this information is standard practice for most websites and it enables us to maintain security (e.g., detecting unusual logins), provide proper functionality (like remembering your language preference), and analyze how our site is used.
• Special Case – Images and Recordings: As noted in our Terms, we sometimes capture photos or videos during events and may collect those as Personal Data if you are identifiable in them. When we do so, it’s with the purpose of documenting and promoting our programs (see Media section in Terms). If we plan to use a photo of you in any publication, we try to get consent when practical (especially if you are a minor). If you prefer not to be included, we honor opt-out requests (see Terms Section 7). Any recorded video sessions (for example, a webinar) that are stored will be handled as personal data as well.

• Mentors Data Collection: Moonshot Pirates collects personal data from mentors including name, contact details, professional background, profile photos, and recorded sessions. This information is used to facilitate mentoring sessions, communication within the community, program evaluation, and promotional purposes. Mentors’ information and recorded sessions may be shared with participants, our organizational partners, and publicly on our digital channels, as agreed upon registration. Mentors can manage their data and privacy preferences by contacting us at .

3. How We Use Your Information

Moonshot Pirates uses the collected Personal Data to operate effectively and to fulfill our mission of empowering youth. We limit usage to what is necessary and relevant. Specifically, we may use your information in the following ways:

• Providing Our Services and Programs: First and foremost, we use data to enable you to participate in Moonshot Pirates activities. This includes processing registrations, forming teams or mentor pairings, delivering content (emails, videos, course materials), and generally organizing events. For example, we use participant information to create event schedules, to send out links to online sessions, to produce certificates of completion, and to communicate important updates (like changes in timing or requirements). If you are selected for a program, we use your contact and background info to onboard you and ensure you have what you need.
• Improving and Developing Our Services: We continuously seek to make our programs better. Personal Data (particularly feedback you provide and usage analytics) helps us understand what is working and what isn’t. We might analyze which resources are most accessed on our platform or which topics generate the most questions, and use that insight to improve content. We may also use data for internal research or innovation challenges; for example, analyzing demographics of applicants to ensure we are reaching diverse communities (in accordance with legitimate interest in evaluating and improving our outreach)​. All such processing is done with respect for your privacy – whenever possible, we use aggregated or anonymized data for analysis.
• Communication with You: We will use your contact information to communicate with you, such as:
  • Program Communication: sending confirmations, reminders, updates, and essential information about any program or event you have signed up for. For instance, we email detailed instructions before a program, or send a text message alert if there’s a last-minute change.
  • Account-Related Communication: if you have an online account, we might send notifications about your account security (e.g., password reset, login alert), or inform you of changes to our policies or terms that affect you​. These service-related communications are necessary for us to perform our contract with you and you may not opt out of them (except by not using the service).
  • Newsletters and Marketing: with your consent, we will send you our newsletter and information about new opportunities, events, or resources that Moonshot Pirates offers. We may also, if you opt-in, send messages on behalf of our partners or sponsors that could interest you. You are free to unsubscribe from marketing emails at any time; every marketing email will include an “unsubscribe” link or you can contact us to be removed. We will only share your contact info with an external partner for their direct marketing if you have explicitly agreed to that.
  • Responding to You: If you contact us with a question or request, we will use the return contact information (email, phone, etc.) to respond. We also may keep records of correspondence to help any future inquiries.
• Facilitating Program Activities: Some uses of data are integral to how our programs run. For example, in team-based challenges, we might share participant profiles (name, age, country, interests) with other participants to facilitate networking and team formation. In mentorship programs, we provide mentors with information about their mentees (such as your bio, project idea, and goals) so they can guide you effectively. We may set up internal communication channels (like Slack/Discord groups or email lists) that include participant contact details to enable collaboration. In doing so, we take care to limit what is shared and to create a safe environment (monitored forums, etc.). All participants are expected to respect privacy of information shared within the program.
• Social Sharing Features: If you choose to engage in any social sharing or community features on our platform, we use data to enable that. For instance, if our platform allows you to create a profile visible to other community members, you control what information is included, and we display it as per your settings. If you connect your account with social media (like a “Log in with Facebook” option or sharing content to Instagram), we use data to facilitate those actions as instructed by you​.
• Operating Our Website and Technical Functions: We use data to ensure our website and online platform operate smoothly and securely. This includes using logs and identifiers to troubleshoot issues, track outages or bugs, and protect against fraud or abuse. For example, IP addresses may be used to block malicious traffic, and cookies help us remember your session so you don’t have to log in repeatedly. Monitoring usage patterns (with analytics) also helps us manage server load and improve site navigation. Ensuring the integrity and security of our Services is part of our legitimate interests and also a benefit to our users​.
• Safety and Legal Obligations: Promoting safety and child protection is a core use of data. We may process personal information to verify identities (ensuring, for example, that an adult claiming to be a mentor is who they say, or verifying parental consent forms) and to monitor for any inappropriate behavior on our platforms​. For instance, we might review communications on official forums if we have reason to suspect bullying or abuse, and we keep records of any incidents reported as per our Safeguarding Policy. If necessary, we will use data to investigate and address violations of our Terms or law – this can include cooperating with law enforcement or child protection authorities, which might involve disclosing certain information (see Section 5 on disclosure). We will also use data as needed to comply with any legal obligations (such as keeping transaction records for tax purposes, or responding to lawful requests for information)​.
• Other Purposes (with Consent): If we intend to use your data for a purpose that is not outlined in this Policy and not obviously related to the original purpose, we will seek your consent. For example, if we consider sharing participant testimonials or contact details in a published report or on a partner’s platform, we would ask for your permission. Generally, we will not do anything new with your data that you wouldn’t reasonably expect from a youth program like ours, without letting you know and getting consent.

We always strive to base our data processing on a valid legal basis under GDPR. The main legal grounds we rely on are: (a) your consent (for optional uses like marketing or certain data sharing), (b) performance of a contract (providing the services you signed up for), (c) compliance with a legal obligation, and (d) our legitimate interests in running a safe, efficient, and effective non-profit program (we balance these interests with your rights). If you have any questions about the legal basis for a particular processing activity, just ask us.

4. How We Share or Disclose Information

Moonshot Pirates is not in the business of selling your data. We consider your information to be a vital part of our relationship with you. There are, however, certain circumstances in which we may need to share your Personal Data with others, strictly for the purposes outlined above. The parties with whom we may share information include:

• Program Partners and Sponsors: We collaborate with various organizations (such as educational institutions, companies, and NGOs) to run our programs. If a third-party partner is directly involved in an event or program you join, we may share relevant participant information with them. For example, if a company co-hosts a challenge, we might share the list of participating team names and project topics, or if an event is at a partner’s venue, we could provide a list of attendee names for security. We will limit the information to what’s necessary (often just names and maybe affiliation or age group). Partners are generally given participant info only to support the program delivery or follow-up, not for their independent marketing use unless you have permitted that. Any strategic partner we work with is required to handle your data confidentially and use it only in connection with the event or purpose we agreed on. If a partner would like to contact you beyond the program (e.g., to offer an internship), they should obtain your consent directly or via us.
• Mentors, Judges, and Volunteers: As mentioned, individuals such as mentors or judges in our programs will receive certain Personal Data about participants so they can effectively perform their role. This could include your name, age, country, and summary of your project or application. These individuals are typically bound by our code of conduct and often by a confidentiality agreement or understanding that information is to be used only for mentoring/judging purposes. We also instruct them on safeguarding and privacy, especially when dealing with minors. If a mentor wants to retain your contact to keep mentoring you after the program, that’s great – but they should ask you directly for permission (and if you’re a minor, ensure your parent is aware). Moonshot Pirates does not give mentors a blank check to use participant data beyond the program scope.
• Service Providers (“Processors”): Like any organization, we rely on trusted third-party companies to help us run operations. These include:
  • Website and IT Hosting: Companies that host our website, cloud storage providers, and IT support services. They might process data that passes through our site or store backups of our database.
  • Email and Communication Tools: Platforms that manage our email newsletters or messaging systems. If you receive emails from us, your email address and name are processed by such providers.
  • Analytics and Tracking: Providers like Google Analytics​, or social media platforms where we may run analytics. These services may set their own cookies to gather usage data (see Section 6 on Cookies). They generally receive aggregated info, but Google Analytics will process your IP and device info as described.
  • Payment Processors: If you make a payment or donation, third-party processors handle the transaction data. They are responsible for storing card details securely and notifying us of success/failure. We receive only limited info (like your name, email, amount, and status) – sensitive financial info is handled by them.
  • Event Management Tools: For instance, if we use Eventbrite to handle RSVPs, or Zoom for webinars, those platforms will collect information as part of registration or usage. We choose reputable providers with their own privacy protections.
  • Marketing and Surveys: Sometimes we use survey tools to collect feedback, or marketing automation tools to segment our contacts. These tools process whatever data you input (e.g., survey answers, which could include personal info if you volunteer it).
• These service providers act under our direction and are contractually obligated to protect your data and use it only for the purposes we specify​. We sign Data Processing Agreements where required by law, ensuring they provide at least the same level of privacy protection. Some of these providers may operate in various countries – see International Transfers below for how we handle that.
• Legal Compliance and Protection: We may disclose personal information when required to do so by law or in a good-faith belief that such action is necessary to comply with a legal obligation. For example, responding to a court order or subpoena, or cooperating with a law enforcement investigation (this could include laws both within and outside your country of residence, if applicable)​. Additionally, if we believe that disclosure is necessary to protect our rights or the safety of you or others, investigate fraud, or respond to a government request, we may do so. For instance, if a participant is believed to be in danger or a danger to others, we might share information with authorities or seek help. Or if someone brings a legal claim against Moonshot Pirates, we might need to present relevant data as evidence. We will strive to limit the scope of disclosure and inform affected participants when legally permitted.
• Organizational Transitions: In the event that Moonshot Pirates undergoes a significant organizational change, such as a merger, acquisition, restructuring, or transfer of program operations to another non-profit entity, your personal information might be transferred as part of that change. If another entity were to take over running Moonshot Pirates programs, it would likely hold the participant database as part of continuity. However, your data would still be protected by equivalent safeguards and this Policy (unless you’re notified of changes and given a choice). We would inform you of any such transfer and the successor’s privacy policy. Please note, since we are a foundation, this scenario would typically involve transferring data to another charitable or educational organization with a similar mission, not a commercial sale of data.
• With Your Consent: Aside from the above, if there is any situation where we might want to share your data in a way not covered, we will ask for your consent. For example, if a media outlet wants to interview a participant and asks us for your contact, we would reach out to you to see if you’re interested and only connect you if you agree. Or if we ever consider sharing more detailed info with a sponsor for a special opportunity, we’d run it by you first. Your consent can be revoked at any time, and we will honor that going forward.

In all cases of sharing, we aim to share the minimum amount of information necessary for the purpose. We also require recipients to handle the data securely. If you have questions about third parties that may have your info, you can ask us for an up-to-date list of our main processors or partners.

5. Data Security and Storage

We take the security of your personal information seriously. Moonshot Pirates implements a variety of administrative, technical, and physical safeguards to protect the Personal Data we hold against unauthorized access, loss, theft, or alteration. These measures include:

• Technical Measures: Use of encryption (e.g., HTTPS SSL/TLS) for data in transit on our website – when you enter information, it’s transmitted securely. Important data in our databases may be encrypted at rest as well. We maintain firewalls and access controls on our servers to restrict access to authorized personnel only. Regular security updates and patches are applied to our systems and software. Where applicable, we pseudonymize or anonymize data that we don’t need to keep identifiable.
• Organizational Measures: Only staff or contractors who have a valid need (e.g., program managers, IT administrators) have access to personal information, and they are trained on confidentiality and data protection. Volunteers (like mentors) receive only necessary data as described, and they are informed of their duty to keep it confidential. We have procedures for handling data incidents and a response plan if a breach were to occur. We also review our information collection and storage practices periodically to ensure we only keep what we need.
• Payment and Sensitive Data: As noted, we do not store payment card details ourselves on our systems; those are handled by PCI-DSS compliant third parties. Any health or emergency information collected for events is accessible to a very limited set of staff and is deleted after the event (unless an incident requires us to retain a record, in which case we secure it).
• Device Security: We ensure that any devices (laptops, drives) used by our core team for processing participant data are encrypted and protected by strong authentication. Physical files (if any) are stored securely.
• Third-Party Security: When we engage service providers, we vet their security practices. Major providers like our cloud and email services have high security standards. Nonetheless, we understand that using any third-party involves some risk outside our direct control; we mitigate this with contracts and by not unnecessarily exposing data (for instance, by using unique identifiers instead of names where possible in certain tools).

Despite all efforts, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of information. However, if we discover any incident affecting your Personal Data that poses a risk to you (such as a data breach), we will notify you and the relevant authorities as required by law. We appreciate your own efforts to maintain security too – for example, using a strong password for our platform and not sharing it, and being cautious about what info you share in any public forums we provide.

6. Cookies and Tracking Technologies

Our websites use cookies and similar tracking technologies to distinguish you from other users and to improve your experience. This section explains what these technologies are and your choices regarding them.

• What Are Cookies: Cookies are small text files that websites place on your device (computer, smartphone, etc.) when you visit. They often include an identifier that allows the site to recognize your device. Cookies can be “session cookies” (which expire when you close your browser) or “persistent cookies” (which remain until they expire or you delete them). Similar technologies include pixels (small images that track a visit) or local storage in your browser.
• How We Use Cookies: Moonshot Pirates and our service providers use cookies for several purposes:
  • Necessary Cookies: These are essential for the operation of our website and platform. For example, they enable you to log in, navigate to secure areas, or submit forms. Without these cookies, certain services you ask for (like remembering your event registration details in a session) cannot be provided.
  • Preferences Cookies: These allow our site to remember choices you make (such as your language or region, or if you’ve dismissed a popup already) to provide a more personalized experience. They may also be used to provide services you’ve requested, like watching a video (which might set a cookie from the video host).
  • Analytics Cookies: These cookies collect information about how visitors use our site, which pages are most visited, or if any errors occurred. We use this information to improve our website over time. For example, we use Google Analytics, which sets cookies to anonymously track things like how long users stay on a page, how they got to our site, and what pages they visit​. The data from these cookies is aggregated and not used to identify individuals. It helps us see usage trends and measure the effectiveness of outreach.
  • Advertising and Social Media Cookies: We do not host third-party ads on our site in the way commercial sites do, but we do use some social media and tracking pixels. For example, a Facebook or Instagram pixel may track that you visited our site, which helps us either measure our social media campaigns or show you Moonshot Pirates content on those platforms later. Similarly, if we embed a YouTube video, YouTube/Google may set cookies to track your play of the video​. These cookies can log that you performed certain actions on our site and may connect to broader tracking by those third parties. We only use these to promote our non-profit cause and not to bombard you with irrelevant ads.
• Third-Party Cookies: As indicated, some cookies on our site are set by external services we use. Notable examples: Google Analytics (Google), YouTube plugin (Google), possibly social share buttons (Facebook, LinkedIn, etc.) if present. Each of these parties has its own privacy policy. For instance, Google’s policies explain how Analytics data might be used and how you can opt out (see below). We do not have control over third-party cookies, but we ensure that we only integrate third-party services that are reputable and privacy-compliant.
• Your Choices: When you first visit our website, you may see a banner or notice about cookies, especially if required by local law. You can choose to accept or reject certain categories of cookies (except the strictly necessary ones). Moreover, most web browsers allow you to control cookies through their settings:
  • You can usually set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it.
  • You can also block all cookies or delete cookies, but note that if you do so, some parts of our site might not work properly (for example, you might be unable to log in or your preferences may not be saved).
  • To learn more about cookies and how to manage or disable them, you can visit resources like aboutcookies.org.
• Google Analytics Opt-Out: Google provides a Browser Add-on that allows you to prevent your data from being used by Google Analytics​. You can download and install it for your browser (available at tools.google.com/dlpage/gaoptout). This opt-out is specific to Google Analytics and does not affect other cookies or tracking. We also respect any “Do Not Track” signals your browser may send, and our Analytics will not track users who have DNT enabled.
• Do Not Track Signals: Our website currently does not respond to every DNT signal automatically, due to the lack of a common industry standard on how to interpret them. However, as noted, you have the above options to control cookies and tracking. We continue to monitor developments around DNT and may adjust our practices if a clear standard emerges.
• Note: Disabling cookies does not mean you will stop seeing any communications from us. You may still receive contextual announcements (e.g., a popup on our site about a new program, which might not rely on cookies) or emails if you subscribed. Cookies mainly affect the web tracking and personalization aspect.

For more detailed information on the cookies and trackers in use, you can refer to our detailed Cookie Notice (if available on our site) or contact us with specific questions.

7. Children’s Privacy and Parental Consent

Moonshot Pirates focuses on youth aged 15 and up. We recognize that some of our participants are minors (under 18) and we take special care to protect their privacy and safety online, in line with GDPR Recital 38 which emphasizes that children merit specific protection of their personal data.

• Minimum Age: We do not knowingly collect personal information from children under 15 years of age. Our programs and Services are not directed to children below that age. If you are under 15, please do not attempt to register or send any personal data about yourself to us. If we learn that we have inadvertently collected information from a child under 15, we will delete that information as quickly as possible. Parents or guardians who believe we might have any information from or about a child under 15 should contact us immediately so we can take appropriate action.
• Participants Aged 15-17: For individuals who are between 15 and 17 (inclusive), we require consent from a parent or legal guardian to participate in certain Moonshot Pirates activities (particularly any offline events or intensive programs)​. Even for general use of our online platform, we ask that minors have their parent/guardian’s permission. We may verify this by requesting a signed parental consent form, informing the parent via email or similar documentation when you register​. By providing personal data to us (for example, filling out a profile or application), a minor participant is representing that they have obtained such consent. We reserve the right to contact a parent/guardian to confirm consent or to provide notifications regarding a minor’s participation.
• Parental Rights: If you are a parent or guardian of a participant under 18, you have the right to review what personal information we have collected about your child, to correct or update it, or to request deletion of your child’s personal data (subject to some exceptions if we must keep certain data for legal reasons or to protect the child or others). If at any time you wish to exercise these rights, please contact us at . We may need to verify your identity and relationship (we only release data to the verified parent/guardian). Note that we generally will not require more data from a minor than an adult for the same process; we try to minimize data collection overall for youths.
• Use of Data for Minors: Any personal information about minor participants is used strictly for the purposes of their involvement in our programs and ensuring their well-being. We do not profile or target children for marketing. We may send program-related communications directly to minors (since much of our program interaction is with the youth themselves), but any marketing-type communications (like newsletters about unrelated events) will be sent only if the minor (if above the age of consent for such communications in their jurisdiction, often 16) has opted in, or if a parent has. We avoid collecting sensitive personal data from minors unless necessary (for example, health info for an event with parental consent). We do not share minors’ data with third parties for any reason outside of program operation, safety, or legal compliance. For instance, we would never sell a list of teen participants or allow outside advertising to target them.
• Social Media and Minors: If we feature participants (e.g., spotlighting a project winner) on our website or social media, we typically only include their first name, age, and country – or we may use no last name or a pseudonym – especially if they are under 18, to protect identity. We encourage minors to be cautious about what they share in our public forums or social media groups. Our moderators monitor our youth community spaces to prevent any exploitation or inappropriate contact.
• Educational Exception (COPPA, etc.): Although our focus is not on under-13, should any educational context arise (for example, a special program with schools involving 13-14 year olds with parental consent), we would adhere to the U.S. Children’s Online Privacy Protection Act (COPPA) and any similar laws. This would involve obtaining verifiable parental consent before collecting personal data from children under 13, and clearly disclosing the data use. As of now, we do not offer services to that age group directly.

In summary, we strive to create a safe environment for all our young participants. If at any point a participant or parent has concerns about privacy or safety, we urge you to contact us. We also direct you to our Child Safeguarding & Protection Policy, which outlines additional measures we take to protect minors in our programs.

8. Data Retention

We keep personal data only for as long as necessary to fulfill the purposes outlined in this Policy, or as required by law, whichever is longer​. How long we retain data can vary depending on the type of information and the context:

• Active Program Data: For participants in an ongoing program, we retain your data throughout the duration of the program (which could be days, weeks, or months). This includes your contact info, application details, work submitted, and any communications. We need this to manage the program effectively.
• User Accounts: If you create an account on our platform, your profile data is retained until you delete your account or it’s deemed inactive. Inactivity: if you have not logged in or interacted for a long period (e.g., 2 years), we may reach out to ask if you wish to retain your account. If not, we may delete or anonymize it.
• Alumni Data: After a program ends, we generally keep basic participant info (name, contact, program attended, year) as part of our alumni records. This can be used for issuing certificates, verifying past participation if you request it, inviting you to alumni opportunities, and measuring our impact over time (e.g., tracking how many people we’ve engaged). We consider this a legitimate interest, but we also respect requests to remove data. So if an alum no longer wants us to keep any info, they can let us know (except we may still need to keep minimal records to note that we shouldn’t contact them).
• Communication History: Emails or messages you send us might be stored for a certain period depending on our email system backups and archive policies (commonly 2-5 years), unless you request deletion sooner and we have no overriding need to keep them.
• Analytics Data: Web analytics data (from cookies etc.) is usually retained for a shorter period in identifiable form. For instance, Google Analytics retains user-level data for 14 months by default, after which it is deleted or anonymized. We don’t keep raw logs longer than necessary, typically not more than a few months unless investigating security issues. Aggregated analytics (with no personal identifiers) might be kept longer for historical comparison.
• Legal and Financial Records: We retain certain information to comply with legal obligations and financial regulations. For example, records of any payments or donations are kept for the duration required under Austrian accounting/tax law (often 7 years) and any applicable reporting obligations for grants. Similarly, if we obtained parental consent forms or liability waivers for an event, we might keep those on file for a number of years as a protective measure.
• Incident Records: If a safeguarding incident or disciplinary issue occurred, we may retain the investigation records and related personal data as long as deemed necessary to protect the well-being of participants and the organization (this could be several years, often at least until the minor involved reaches adulthood or longer if needed for potential legal follow-up). These are kept highly confidential.
• Deleted Data: When you request deletion of your data or close your account, we will erase personal information from our active systems and further use, except for logs or archives where it may inadvertently persist for a short time until those are cycled out, or any data we must retain (as noted above). We may keep a note of your deletion request (to ensure we don’t accidentally recreate your profile, for instance). Backups: our systems may have routine backups; deleting data from active database will ensure it’s not used, and backups will eventually expire or be destroyed per our schedule.

In summary, we try not to keep personal data longer than we truly need it. When data is no longer required, we delete it or anonymize it (removing identifying details so it can be used for statistical purposes without identifying you). If you have specific questions about retention for certain data, feel free to ask.

9. International Data Transfers

Moonshot Pirates operates out of Austria (in the European Union), but our community is global, and we use digital services that may be located in various countries. Therefore, your Personal Data may be transferred to, stored, or processed in a country different from your home country. In particular:

• Many of our core systems (website hosting, cloud storage, email communications) are based in the European Economic Area (EEA), so if you are outside the EEA, your data will be transferred to our servers in the EEA.
• We also use service providers in the United States and other countries outside the EEA. For example, Google (Analytics, cloud) and other tools (Zoom, Slack, etc.) may process data in the U.S. or globally.
• Additionally, if you interact with mentors or participants in other countries, there is a practical aspect of data flow (e.g., an email from you in Germany to a mentor in Japan, or your profile being viewed by someone in another country).

Data protection laws vary by country. Countries in the EEA are all governed by GDPR or equivalent laws, which are robust. Some other countries may not have the same standard of data protection as the EEA. When we transfer personal data out of the EEA (or UK, or other regions with data transfer restrictions), we take steps to ensure it remains protected:

• We primarily rely on Standard Contractual Clauses (SCCs) approved by the European Commission​. These are legal clauses we include in contracts with our service providers to commit them to GDPR-level protection of your data regardless of where it’s processed. For example, our contract with an email provider in the US would have SCCs.
• We also consider whether the receiving country has an “adequacy” decision by the EU (meaning the EU deems its privacy laws sufficient). For instance, transfers to countries like Canada, Japan, or the UK are covered by adequacy decisions (if applicable in our context).
• For intra-organization transfers (between the Foundation and beapirate GmbH and potentially any affiliated chapters in other countries) we also ensure compliance with GDPR standards through internal agreements and policies.
• In all cases, we only transfer data to the minimum extent necessary – e.g., if a database is in EU but accessed by a staff member traveling abroad, that’s a transfer but under our control and policies.
• If none of the above safeguards are available for a particular transfer, we would ask for your explicit consent before transferring personal data to a risky jurisdiction, and you would have the right to refuse.

By using our Services or participating in our programs, you understand that your personal data may be transferred internationally as described. We understand our responsibility in these transfers and continuously monitor legal developments (like updates to SCCs or new rulings like Schrems II) to remain compliant. If you have questions about cross-border data handling (for example, “Will my data go to the US and how is it protected?”), we’re happy to provide more specific info.

10. Your Rights and Choices

We want you to have control over your personal information. Under GDPR and other privacy laws, individuals have certain rights with respect to their personal data. We have outlined many of these in Section 6 (Privacy Choices) of the Terms and earlier in this Policy, but to recap and add context:

• Right to Access: You can request confirmation whether we are processing your personal data, and if so, request a copy of the data we hold about you​. This is commonly known as a Subject Access Request. We will provide you with all information required by law – typically this includes the categories of data, purposes of processing, recipients (or categories) who have seen the data, storage period, and the data itself in an understandable format.
• Right to Rectification: If you believe any personal data we have is inaccurate or incomplete, you have the right to request correction​. For example, you can ask us to update your contact number or fix a misspelled name. If we have shared incorrect data with others, we will (where possible) inform them of the correction.
• Right to Erasure: Also known as the “right to be forgotten,” this allows you to request deletion of your personal data in certain circumstances. You can request erasure if: the data is no longer necessary for the purposes collected, or you withdraw consent (and we have no other lawful basis), or you object to processing (and we have no overriding grounds), or we processed it unlawfully, or we must erase it to comply with law. If your case meets these criteria, we will erase the data and also notify any processors to do the same. Keep in mind this right is not absolute – if an exemption applies (like we need to keep data for legal claims or freedom of expression or legal obligation), we will let you know.
• Right to Restrict Processing: You can ask us to limit the processing of your data under certain scenarios, for instance: if you contest the data’s accuracy (we’ll restrict while verifying), or the processing is unlawful but you prefer restriction over deletion, or we no longer need the data but you need it for a legal claim, or you have objected (pending our assessment of override). When restricted, such data will only be processed with your consent or for specific reasons like legal claims. We will inform you before lifting a restriction.
• Right to Object: You have the right to object to certain processing activities. You can object to direct marketing at any time – we will stop sending you marketing communications (this is often managed by the unsubscribe link). You can also object to processing based on our legitimate interests or public interest tasks; in such cases, we will evaluate your objection and will stop processing unless we demonstrate compelling legitimate grounds that override your interests, or if it’s needed for legal claims. Notably, you can object if we were to do any profiling (we currently do not profile individuals in a way that produces legal effects).
• Right to Data Portability: For data you provided to us and which we process by automated means based on consent or contract, you can request to receive it in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller (or ask us to, where technically feasible). This mostly applies to typical scenarios like transferring your account info to another service. In our context, if you wanted your core registration/profile data exported, we can provide it likely as a CSV or JSON file.
• Right to Withdraw Consent: If we rely on consent for any processing, you can withdraw that consent at any time. This will not affect the lawfulness of processing done before withdrawal. For example, if you gave consent for us to share your email with a partner for a one-time event, you can later withdraw – and while we can’t undo what was already done, we will cease any further sharing. Withdrawing consent may mean we can’t provide certain services (like sending newsletters or certain opportunities to you), but of course we will respect your decision.
• Right to Lodge a Complaint: If you believe your rights were violated or that we are not complying with our data protection obligations, you have the right to file a complaint with a Data Protection Authority. As we are based in Austria, our lead authority is: Österreichische Datenschutzbehörde (Austrian Data Protection Authority) at Barichgasse 40-42, 1030 Vienna, Austria, . However, you can typically choose to contact the authority in your country of residence, work, or where the issue occurred. We would appreciate the chance to address your concerns directly first, so we encourage you to reach out to us with any complaint, and we will do our best to resolve it amicably.

To exercise any of your rights, you can contact us via email at . Please clearly state what right you wish to exercise and provide necessary information to verify your identity (we need to ensure we’re giving data to the right person). We may ask for additional info to confirm identity, especially for sensitive requests. We will respond within one month of receiving a request, or inform you if we need more time (we can extend by two further months for complex requests, but we’ll let you know why). Generally, we will not charge a fee for handling a request. If a request is manifestly unfounded or excessive (like repetitive requests), we may charge a reasonable fee or refuse to act on it​, but we will provide our reasoning in such case.

Finally, we want you to know that you are not required to provide personal information to us. But if you choose not to provide certain data, we may not be able to offer you some services (for example, we can’t register you for a program without a name and email). We will always indicate which information is optional. And if at any time you’re uncomfortable or unsure about something we’re asking for, just ask us why we need it and we’ll gladly clarify.

11. Updates to This Privacy Policy

We may revise this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we update the Policy, we will post the new version with an updated effective date at the top. For any significant changes, we will provide a more prominent notice – for example, we might email you or show a notice on our website (especially if you are an account holder)​. Significant changes could include any new purposes for data processing, change in data sharing practices, or changes in rights. Non-material changes (clarifications, wording changes) will take effect immediately upon posting of the updated Policy​.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information. If you continue to use our Services after changes to the Privacy Policy are in effect, it means you have accepted the revised terms. Should you not agree with the changes, you have the choice to discontinue use and request deletion of your data.

For historical reference, previous versions of our Privacy Policy are available upon request. We maintain an archive of changes to ensure transparency about how our practices evolve.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or any aspect of your privacy when dealing with Moonshot Pirates, please contact us:

Moonshot Pirates – Privacy Inquiry
Co-Innovation Factory, Absberggasse 27/1/3,
1100 Vienna, Austria
Email:
Phone: +43 670 507 9815 (ask for the Data Protection Officer/Privacy Team)

We are here to help and will gladly assist you with any questions about your personal data or our privacy practices. Your trust is crucial to us, and we will do everything we can to uphold it.

Thank you for taking the time to read our Privacy Policy. We value your participation in the Moonshot Pirates community and are dedicated to protecting your personal information as you shoot for the moon!