for builders

privacy policy.

Effective: 15 June 2026 · Version 3.0 · Supersedes the version dated 6 November 2025.

Your privacy matters to us. This Privacy Policy explains how Moonshot Pirates ("we" or "us") collects, uses, shares, and protects personal information about you ("Personal Data"), and what choices and rights you have regarding your information.

We are committed to safeguarding the privacy of our community in accordance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws. Moonshot Pirates is a global movement empowering young people aged 15–24 to build impact ventures, and we handle data with particular care because many of our participants are minors under 18 who merit specific protection.

This Policy should be read in conjunction with our Terms & Conditions and our Child Safeguarding & Protection Policy. By using our websites, applications, or participating in our programs, you agree to the practices described in this Policy. If you do not agree, please do not use our Services.

1. Who we are

Moonshot Pirates Foundation is a registered non-profit association under Austrian law (gemeinnütziger Verein, ZVR 1020512239), based at Co-Innovation Factory, Absberggasse 27/1/3, 1100 Vienna, Austria. The Foundation is the sole owner of beapirate GmbH (FN 530030 g), our wholly-owned social enterprise, which operates our digital platforms and commercial activities on behalf of the Foundation.

For GDPR purposes, beapirate GmbH (Moonshot Pirates) is the primary data controller responsible for processing your Personal Data, under the oversight of the Foundation. In this Policy, "Moonshot Pirates," "we," or "us" refers to both entities operating together.

Privacy contact
Marko Londa, Co-Founder & Chief Changemaker — [email protected]
Formal requests
[email protected]

At our current operational scale, Moonshot Pirates is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. Privacy oversight is handled directly by the founders, with external legal review on a periodic basis. We will appoint a formal DPO if and when we meet the thresholds requiring one.

2. What information we collect

We only collect Personal Data that is relevant and necessary for the purposes of our programs and operations.

Information you provide directly

We do not collect sensitive categories of personal data (racial origin, political opinions, biometric data, etc.) unless there is a clear and lawful reason, such as a voluntary diversity survey with explicit consent.

Information we receive from third parties

Information we collect automatically

When you visit our websites:

Mentor data

Mentors register through our platform and provide their name, contact details, professional background, profile photo, and other information relevant to their role. With consent, mentoring sessions may be recorded for safeguarding, quality assurance, and (separately) promotional purposes. Mentor data may be shared with assigned participants and partner organizations as agreed at registration.

Donor data

When you donate, we collect your name, email address, donation amount, and (optionally) community affiliation. Donors may remain anonymous. We do not sell, share, or trade donor information. Payments are processed by Stripe.

Images and recordings

We may photograph or record participants at events for documentation and promotional purposes. See our Terms & Conditions Section 7 (Media) for opt-out information. For participants under 18, additional consent rules apply as set out in our Safeguarding Policy.

3. How we use your information

We use your Personal Data only for purposes consistent with running our programs and fulfilling our mission. Specifically:

Legal bases under GDPR

4. How we share or disclose information

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

Program partners and sponsors

We may share limited participant information (typically names, project topics, age groups) with partners directly involved in delivering a program. Partners are contractually required to use this data only for the agreed purpose and to keep it confidential. They may not contact you for independent marketing without your separate consent.

Mentors, judges, and volunteers

Mentors and judges receive participant information necessary to fulfill their role (name, age, country, project summary). All mentors and judges sign a confidentiality and data handling agreement and complete safeguarding training before engaging with participants. They may not retain or use participant data beyond the program scope without your separate consent.

Service providers (data processors)

We use the following categories of service providers, each bound by a Data Processing Agreement under GDPR Article 28:

We choose providers that meet GDPR standards and limit data shared to what is necessary for the service.

Legal compliance and protection

We may disclose information when required by law, when responding to a court order or law enforcement request, or when necessary to protect the safety of participants or others. We will limit disclosure to what is required and notify affected individuals where legally permitted.

Organizational transitions

If Moonshot Pirates merges with, is acquired by, or transfers operations to another non-profit entity with a substantially similar mission, participant data may be transferred. We will notify affected individuals at least 30 days in advance where practicable and provide an opportunity to request deletion before any transfer.

With your consent

Any sharing not described above will require your explicit consent.

5. Data security and storage

We implement administrative, technical, and physical safeguards to protect your data:

No method of transmission or storage is 100% secure. In the event of a data breach posing risk to you, we will notify you and the relevant Data Protection Authority as required by GDPR Article 33.

6. Cookies and tracking

Our website uses Cloudflare Web Analytics, which is cookieless. No tracking cookies, advertising pixels, or third-party trackers are set on our website by us.

The only cookies that may be set are:

Because we do not use non-essential cookies, no cookie consent banner is displayed on our website. If our cookie practices change in the future, we will update this Policy and implement an active consent mechanism as required by law. For our existing program platform at app.moonshotpirates.com (Bubble), separate cookie practices apply and are disclosed within that platform.

7. Children's privacy and parental consent

Moonshot Pirates programs are open to participants aged 15 and above. We do not knowingly collect Personal Data from children under 13 from any jurisdiction. We acknowledge that the age of digital consent under GDPR Article 8 varies across EU member states (between 13 and 16), and that the age of majority in most jurisdictions is 18.

Minimum age

Our minimum participation age is 15. If we learn that a child under 13 has provided us with Personal Data, we will delete it promptly.

Participants aged 15–17

For participants between 15 and 17, we require active parental or guardian consent to register for our programs and to process their Personal Data beyond what is strictly necessary for participation. We collect this consent through a digital consent form during signup, and the parent/guardian receives confirmation by email. The signed consent form is retained alongside the participant's record.

COPPA compliance (US under-13)

We do not offer services to children under 13 in the United States or any other jurisdiction. The US Children's Online Privacy Protection Act (COPPA) requires verifiable parental consent for processing data of US children under 13; we comply by simply not collecting such data.

Parental rights

Parents and guardians of participants under 18 may review the Personal Data we hold about their child, request corrections or updates, request deletion (subject to legal retention exceptions), and withdraw consent at any time. Contact [email protected] to exercise these rights. We will verify your identity and relationship to the child before releasing any data.

Use of minor data

We use minor Personal Data only for program operation and participant well-being. We do not profile minors for marketing or share their data with third parties for commercial purposes. Where we feature minor participants publicly (e.g., spotlighting a project winner), we typically use first name only and a country, never full name and identifying details, unless the minor and their guardian explicitly consent otherwise.

Safeguarding

Our Child Safeguarding & Protection Policy contains additional protections for minors, including communication channel restrictions, mentor verification requirements, and reporting procedures. The Safeguarding Policy is incorporated into this Privacy Policy by reference.

8. Data retention

We retain Personal Data only for as long as necessary:

You may request earlier deletion at any time via [email protected].

9. International data transfers

Moonshot Pirates operates from Austria, but we work with service providers based in the EU, the United States, and other jurisdictions. Where we transfer Personal Data outside the EU/EEA, we rely on:

We transfer only the data necessary for the service. We monitor legal developments (such as Schrems II rulings and updates to SCCs) and adjust our practices accordingly. If a particular transfer cannot be adequately safeguarded, we will ask for your explicit consent.

10. Your rights

Under GDPR and applicable laws, you have the right to:

To exercise these rights, contact [email protected]. We will verify your identity and respond within 30 days, with one possible extension of up to 60 days for complex requests. We do not charge for these requests, except in cases of manifestly unfounded or excessive demands.

Lead authority
Österreichische Datenschutzbehörde (Austrian Data Protection Authority), Barichgasse 40-42, 1030 Vienna, Austria — [email protected] · dsb.gv.at

You may also contact the Data Protection Authority in your country of residence.

11. Updates to this policy

We may revise this Policy from time to time. For material changes, we will update the effective date and version number at the top, notify registered users by email at least 30 days before the changes take effect, and where required, request renewed consent.

Non-material changes (clarifications, wording adjustments) take effect upon posting. Continued use of our Services after the effective date constitutes acceptance of non-material changes only. Material changes require active acceptance. Prior versions are available on request.

12. Contact

Privacy
[email protected]
Privacy contact
Marko Londa — [email protected]
Safeguarding
[email protected]
General
[email protected]
Post
Co-Innovation Factory, Absberggasse 27/1/3, 1100 Vienna, Austria
Phone
+43 670 507 9815