Privacy Policy
Last updated: June 2025
LateralDeck is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains who we are, what data we collect, why we collect it, how we use it, how long we keep it, and what rights you have under the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Portuguese data protection law.
Please read this policy carefully. If you have any questions, contact us at info@neurodisruptors.com.
Section 1: Who we are (Data Controller)
LateralDeck is a product operated by Kuma Partners, registered in Portugal. Kuma Partners acts as the data controller for all personal data processed through LateralDeck.
Company website: www.kuma.partners
Contact email: info@neurodisruptors.com
Data Protection contact: Sven Mulfinger — info@neurodisruptors.com
As data controller, Kuma Partners determines the purposes and means of processing your personal data and is responsible for ensuring that processing complies with applicable data protection law.
Section 2: What data we collect and why
We collect only the minimum personal data necessary to provide the LateralDeck service. Below is a complete list of every category of data we may collect, the legal basis for processing it, and why we need it.
2.1 Session participation data
Data collected:
- Your first name (entered when joining or hosting a session)
- The room code of the session you joined
- The card you were dealt, your assigned thinking colour or hat (depending on mode)
- The time you joined the session
Legal basis: Legitimate interest (Article 6(1)(f) GDPR) — necessary to provide the core session functionality you have requested by joining a session.
Why we need it: To identify participants within a session, display their name to other participants during the reveal, and assign thinking cards correctly.
2.2 Host data
Data collected:
- Host first name and company name (entered when creating a session)
- Session creation date and time
- Problem statement entered by the host
Legal basis: Legitimate interest (Article 6(1)(f) GDPR) — necessary to create and manage the session.
Why we need it: To display session context to participants, personalise the session experience, and attribute the session to its host.
2.3 Email address (optional)
Data collected:
- Your email address, if you voluntarily provide it when joining a session
- Your marketing opt-in preference (whether you checked the box to receive follow-up information)
Legal basis: Consent (Article 6(1)(a) GDPR) — you provide your email address voluntarily and explicitly opt in to receive follow-up communication. Providing an email address is not required to use LateralDeck.
Why we need it: If you have opted in, we send a single follow-up email after the session ends with information about how to run your own LateralDeck session. We do not send newsletters, promotional emails, or any other unsolicited communication.
You may withdraw your consent at any time by contacting us at info@neurodisruptors.com. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
2.4 Technical data
Data collected:
- Session metadata (room code, mode selected, thinking time set)
- Timestamps of session events
Legal basis: Legitimate interest (Article 6(1)(f) GDPR) — necessary for the technical operation of the service.
Why we need it: To ensure sessions function correctly in real time and to maintain service integrity.
We do not collect:
- IP addresses stored beyond the immediate session request
- Device identifiers or fingerprints
- Cookies beyond those strictly necessary for session function
- Location data
- Any special categories of personal data (Article 9 GDPR)
Section 3: How we use your data
We use your personal data solely for the following purposes:
- To operate the LateralDeck session you have requested
- To display your name and card to other participants in your session as part of the exercise
- To send you a single follow-up email if you have explicitly opted in
- To maintain the technical integrity and security of the service
We do not use your data for:
- Behavioural advertising or tracking
- Profiling or automated decision-making with legal or significant effects
- Sale or transfer to third parties for their own purposes
- Any purpose incompatible with the original purpose for which it was collected
Section 4: Data retention
We apply strict data minimisation and retention principles:
Session data (participant names, cards, session content): automatically and permanently deleted 24 hours after the session is created. No manual intervention is required — deletion is automated.
Email addresses and opt-in preferences: retained for a maximum of 90 days from the date of collection, after which they are permanently deleted. If you opt in and we send the follow-up email, your email address is deleted immediately after the email is sent successfully.
Host data (name, company, problem statement): deleted with the session, 24 hours after creation.
Billing and payment data (when paid plans are introduced): retained for the period required by Portuguese tax law (currently 10 years from the date of the transaction), after which it is permanently deleted.
No personal data is retained beyond these periods. We do not archive session data or use it for historical analysis.
Section 5: Who we share your data with
We do not sell your personal data. We do not share your personal data with third parties for their own purposes.
We use the following data processors who act strictly on our instructions:
Supabase (database infrastructure)
- Purpose: storing session and participant data in real time
- Data transferred: session data, participant names, cards, opt-in preferences
- Supabase processes data in accordance with GDPR. For transfers outside the EEA, Supabase relies on Standard Contractual Clauses (SCCs) approved by the European Commission.
- Supabase privacy policy: https://supabase.com/privacy
Resend (email delivery)
- Purpose: delivering the optional post-session follow-up email to participants who have opted in
- Data transferred: participant first name and email address only
- Resend processes data in accordance with GDPR and relies on SCCs for any transfers outside the EEA.
- Resend privacy policy: https://resend.com/legal/privacy-policy
No other third parties have access to your personal data.
Section 6: International data transfers
Kuma Partners is registered in Portugal and operates within the European Economic Area (EEA). Where our data processors transfer data outside the EEA, such transfers are conducted under appropriate safeguards as required by Chapter V of the GDPR, specifically Standard Contractual Clauses (SCCs) as approved by the European Commission under Decision 2021/914.
You may request a copy of the relevant safeguards by contacting us at info@neurodisruptors.com.
Section 7: Cookies and tracking
LateralDeck uses only strictly necessary cookies required for the technical operation of the service (for example, maintaining your session connection). We do not use:
- Analytics cookies
- Advertising or tracking cookies
- Third-party social media cookies
- Any form of cross-site tracking
Because we use only strictly necessary cookies, we are not required to obtain cookie consent under the ePrivacy Directive. No cookie banner is shown.
Section 8: Your rights under GDPR
As a data subject under GDPR, you have the following rights. You may exercise any of these rights by contacting us at info@neurodisruptors.com. We will respond within 30 days.
Right of access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
Right to rectification (Article 16): You have the right to have inaccurate personal data corrected without undue delay.
Right to erasure (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, or where processing is unlawful. Note that most session data is deleted automatically within 24 hours.
Right to restriction of processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances.
Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
Right to object (Article 21): You have the right to object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent (Article 7(3)): Where processing is based on consent (email opt-in), you may withdraw consent at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint: You have the right to lodge a complaint with the Portuguese supervisory authority:
Comissão Nacional de Proteção de Dados (CNPD)
Website: www.cnpd.pt
Address: Rua de São Bento, 148, 3º, 1200-821 Lisboa, Portugal
You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
Section 9: Automated decision-making and profiling
LateralDeck does not carry out automated decision-making or profiling within the meaning of Article 22 GDPR. The assignment of thinking cards, colours, and hats is a random distribution mechanism with no legal or similarly significant effect on any individual.
Section 10: Data security
Kuma Partners implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:
- Encrypted data transmission (HTTPS/TLS) for all data in transit
- Database access controls limiting access to authorised systems only
- Automatic data deletion after 24 hours, eliminating long-term exposure risk
- Use of reputable, GDPR-compliant infrastructure providers
No method of transmission over the internet is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours as required by Article 33 GDPR, and where required, notify affected individuals without undue delay.
Section 11: Children's data
LateralDeck is intended for professional use only and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@neurodisruptors.com and we will delete it promptly.
Section 12: Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify users of material changes by displaying a prominent notice within the app. The date at the top of this page indicates when the policy was last updated.
Continued use of LateralDeck after changes are posted constitutes acceptance of the revised policy. If you do not agree with the revised policy, you should stop using the service.
Section 13: Contact and data subject requests
For any questions about this Privacy Policy, to exercise your data subject rights, or to raise a concern:
Kuma Partners
Email: info@neurodisruptors.com
Website: www.kuma.partners
Data Protection contact: Sven Mulfinger
We aim to respond to all requests within 30 days. For complex requests, we may extend this by a further two months, in which case we will inform you within the initial 30-day period.