Notice · Volume I

Privacy notice.

How we look after your data — written plainly.

Effective 15 May 2026 · Belgium · GDPR-aligned

— Sanctuary
In this digital space, data breathes with mindful care,
a quiet pact between you and the grid,
nurturing connection while honouring the being.

A sanctuary where presence is felt,
and freedom remains intact.
— A note before the notice

Who we are

Mindful Smart Cities is operated by Dr Shima Beigi as an independent sole operator based in Brussels, Belgium. The site publishes editorial writing on the future of cities, offers a paid SaaS platform for urban-readiness assessment, and provides advisory services to public and private institutions. For the purposes of the General Data Protection Regulation (GDPR), the data controller is Dr Shima Beigi.

You can reach us at contact@mindfulsmartcities.com. For privacy-specific requests, please put the word privacy in the subject line so we can route it correctly.

What we collect, and why

We try to collect as little as possible, and only what we genuinely need to run the service.

If you subscribe to our newsletter

Your email address, the moment you subscribed, and where on the site you subscribed from. That’s it. We use this only to send you the Mindful Smart Cities Letters and to know how the audience is growing.

If you create an account on the platform

Your email, a hashed password (we never see your real password), and any workspace details you fill in (your name, organisation, role — all optional). If you subscribe to a paid plan, we also keep a record of which plan you are on and your billing status.

If you pay us — kiosk or subscription

Payments are handled entirely by Stripe. We never see or store your card number, CVV, or expiry. Stripe sends us a confirmation when payment succeeds, along with your email and the plan you bought.

If you use the Mindful Kiosk

The city, scenario, and any text you provide are processed by our AI partner (Anthropic) to produce your roadmap report. Inputs are not stored in our database after the report is generated — only the resulting report is kept, linked to your account so you can revisit it. If you ran the kiosk without an account (one-time €99.99 purchase), the report is sent to your email and we keep only the email and payment record for tax and audit purposes.

Server logs

Our hosting provider (Vercel) records standard server logs — IP address, user agent, requested URL, timestamps — for at most 30 days, used only to debug issues and protect against abuse.

The legal basis for processing

Under Article 6 of the GDPR, every piece of data we hold has a clear legal basis:

  • Newsletter: your consent (Art. 6(1)(a)), given when you submit the form. You can withdraw it any time by clicking unsubscribe — every email we send carries that link.
  • Paid services: performance of a contract (Art. 6(1)(b)) — we need your data to actually deliver the service you paid for.
  • Security & fraud prevention: our legitimate interest (Art. 6(1)(f)) in keeping the service running and abuse-free. You can object to this at any time.
  • Tax & accounting records: a legal obligation (Art. 6(1)(c)) — Belgian tax law requires us to keep payment records for seven years.

Who else sees your data

We use a small number of carefully chosen third parties to run the service. Each of them is a “data processor” under the GDPR, bound by a data processing agreement and obliged to handle your data only on our instructions.

  • Supabase — database and authentication provider for accounts, newsletter records, and assessment data (EU region).
  • Stripe — payments and subscription billing provider. Card and payment data are processed by Stripe under their PCI-DSS-certified infrastructure; we never see or store full card details.
  • Resend — transactional email and newsletter delivery provider.
  • Anthropic — AI processing provider used to generate kiosk roadmap reports. Data submitted through the API is processed under Anthropic’s enterprise/API privacy terms.
  • Vercel — hosting, infrastructure, and content delivery provider.

We do not sell your data. We do not share it with advertisers. We do not allow our processors to use it for their own purposes.

Transfers outside the EEA

Some of our processors (notably Stripe, Anthropic, and Vercel) are headquartered in the United States. Where data leaves the European Economic Area, the transfer is covered by the European Commission’s Standard Contractual Clauses (2021/914) and, where applicable, the EU–US Data Privacy Framework. We’ve picked providers that have committed publicly to GDPR-grade protections and that offer EU-region processing wherever that’s a choice.

How long we keep your data

  • Newsletter: until you unsubscribe, plus 30 days for audit trail, then deleted.
  • Account data: for the life of your account. If you delete your account, we erase your data within 30 days (except where law requires longer — see payment records below).
  • Kiosk reports: while your account is active. If you bought a one-time kiosk run without an account, we keep the report and email for 12 months and then delete it.
  • Payment & invoice records: 7 years, as required by Belgian accounting and tax law (Code Civil, Code de Commerce).
  • Server logs: 30 days, then automatically deleted by Vercel.

Your rights

The GDPR gives you significant rights over your personal data:

  • Access — you can ask for a copy of everything we hold about you (Art. 15).
  • Rectification — you can ask us to correct anything that’s wrong (Art. 16).
  • Erasure — the “right to be forgotten” — you can ask us to delete your data, subject to the retention rules above (Art. 17).
  • Restriction — you can ask us to stop processing for a while if you’re contesting accuracy or the lawful basis (Art. 18).
  • Portability — you can ask for your data in a structured, machine-readable format (Art. 20).
  • Objection — you can object to any processing based on legitimate interest (Art. 21).
  • Withdraw consent — at any time, with no cost or penalty, wherever processing was based on your consent (Art. 7(3)).

To exercise any of these, email us at contact@mindfulsmartcities.com with “privacy” in the subject line. As required by Article 12(3) of the GDPR, we will respond within one month of receiving your request — usually much sooner. Where the request is complex, we may extend by a further two months and will tell you so within the first month.

Objecting to direct marketing

You have an absolute right — under Article 21(2) of the GDPR — to object to the processing of your personal data for direct marketing purposes at any time, free of charge, and without giving any reason.

For our newsletter, the simplest way to exercise this right is to click the unsubscribe link at the bottom of any email we send you. The moment you do, we stop sending. You can also email us at contact@mindfulsmartcities.com with the word “unsubscribe” in the subject line, and we’ll handle it manually.

When we have to share data with authorities

In rare cases, we may be legally required to disclose personal data to public authorities — for example, in response to a court order, a tax investigation, or a request from law enforcement acting under proper legal authority. We comply with such requests only when they are valid under Belgian and European law, and where the law permits, we will inform the affected user.

Cookies

We try to keep cookies minimal. The site uses a small number of strictly necessary cookies for authentication (so that when you sign in, the next page remembers you). We do not currently use analytics cookies, advertising cookies, or any third-party tracking. If that changes in the future, we’ll add a cookie banner and ask for your consent before setting non-essential cookies.

Children

Mindful Smart Cities is intended for adult readers and professional users. We do not knowingly collect data from anyone under 16. If you believe a child has submitted data to us, please let us know and we’ll erase it.

Complaints

If you’re not satisfied with how we’ve handled your data, you have the right to complain to the Belgian Data Protection Authority:

Autorité de Protection des Données / Gegevensbeschermingsautoriteit
Rue de la Presse 35, 1000 Bruxelles
autoriteprotectiondonnees.be

We’d much rather hear from you first, though — if something feels wrong, email us and we’ll try to make it right.

Changes to this notice

If we materially change how we handle your data, we’ll let you know — by email to newsletter subscribers, by in-app notice to account holders, and by updating the effective date at the top of this page. Minor wording changes won’t trigger a notification.

Mindful Smart Cities · Brussels · 2026