Conference & digital policies.
MEDIMUN's code of conduct, privacy, cookies, and terms — the policies that govern participation and use of our platform.
MEDIMUN's code of conduct, privacy, cookies, and terms — the policies that govern participation and use of our platform.
Last updated: 16 June 2026 · Version 2.0
This Privacy Policy explains how MEDIMUN, a programme of The English School (Cyprus), collects, uses, stores, shares, and protects your personal data when you visit www.medimun.org or use the MediBook platform, and the rights you have under the General Data Protection Regulation. It is written to be read by students, parents, teachers, and school administrators alike. If anything here is unclear, contact us at info@medimun.org and we will explain it in plain language.
Mediterranean Model United Nations ("MEDIMUN", "we", "us", "our") is a non-profit educational programme organised by The English School, a registered educational institution located at:
The English School Presidential Palace Road and Kyriacou Matsi Strovolos 1082 Nicosia, Cyprus
MEDIMUN operates the public website www.medimun.org and the management and debate platform MediBook (accessible at www.medimun.org/medibook).
MEDIMUN is not a separate legal entity. It is a programme and activity of The English School. For all data protection matters, The English School acts as the Data Controller in respect of all personal data processed through MEDIMUN's website and platforms, and determines the purposes and means of that processing.
Because the Data Controller is established within the European Union (Republic of Cyprus), no Article 27 EU representative is required.
Data Protection / Privacy Contact 📧 info@medimun.org 🌐 www.medimun.org
You may direct any privacy question, data subject request, or complaint to this address. We treat the inbox as our data protection point of contact and route requests internally to the responsible members of MEDIMUN's senior management.
To keep this policy precise, the following terms are used:
This Privacy Policy applies to:
This policy does not apply to third-party websites, services, or platforms that we link to or integrate with, except to describe the limited data we share with our own sub-processors. We are not responsible for the independent privacy practices of third parties; please review their policies separately.
Where a separate notice, consent form, or supplementary statement is provided for a specific activity, that notice operates alongside this policy.
MEDIMUN operates under the laws of the Republic of Cyprus and complies with:
We rely on the following legal bases under Article 6(1) GDPR, and, where relevant, the conditions in Article 9 GDPR for special-category data:
Where we rely on legitimate interests, we have carried out a balancing assessment and concluded that our interests do not override your fundamental rights and freedoms, taking into account that many of our users are minors. You may object to processing based on legitimate interests at any time (see Section 11).
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
You must be at least 15 years old to create a MEDIMUN account or use MediBook.
Under Article 8 GDPR, the Republic of Cyprus has set the age of digital consent at 16 years. Users aged 15 are below this threshold. For any user under 16, the processing of personal data based on consent requires the authorisation of a person holding parental responsibility.
MEDIMUN does not accept applications from individuals; only schools may apply, through an authorised School Director. By registering a school and submitting applications on MediBook, the School Director of each participating school expressly:
MEDIMUN will not be held liable for any failure by a School Director to obtain, document, or retain the required parental consent. This allocation of responsibility is restated in our Terms of Service and is a condition of school registration.
Persons under 15 years of age are strictly prohibited from creating an account or using MediBook. If we become aware that a user is under 15, we will suspend the account, notify the relevant School Director where one exists, and delete the account and associated personal data without undue delay, except where short-term retention is required to handle the matter lawfully.
The parent or guardian of a user under 18 may, on the child's behalf:
Such requests should be submitted to info@medimun.org, together with sufficient information for us to verify the requester's identity and parental responsibility. We may decline to act on a request where we cannot reasonably verify it, or where acting on it would prejudice the rights of others.
Because a large proportion of our users are minors, we apply heightened care:
We collect only the data we need to operate the programme. The categories below describe everything we routinely process.
When a user creates a MediBook account, we collect:
Optional fields a user may choose to provide include: a display/preferred name, gender, pronouns, a short biography, a profile photograph, a profile colour, a "best time to reach" preference, and a digital signature used for certificate issuance.
For minors, and where collected, we may store limited contact details of up to two parents or guardians (name, surname, and email address) for the purpose of welfare, consent, and emergency contact. This data is provided by the user or School Director and relates to the parent/guardian as a data subject; we process it on the basis of legitimate interests and legal obligation in safeguarding minors.
School Directors register their school on MediBook, providing: the school's name and short name, location (address, city, region/state, country, postcode), school phone number and email address, the school website, and student identity references used for matching delegates to the correct school.
We collect and store, as applicable: committee and country/entity assignments; delegation preferences and applications; roll-call attendance and morning-registration records; voting records for resolutions and clauses (including how each delegate or country voted: FOR, AGAINST, or ABSTAIN); position papers; resolution drafts, preambulatory and operative clauses, amendments, and alliance/co-submission records; chair feedback; and document review history.
We store: in-platform messages between users (including replies, edits, soft-deletions, reactions, threading, and attachments); chat and group memberships; last-read timestamps and unread state; and a history of essential notifications. Messages are visible according to the access rules of the relevant chat (direct message, committee chat, department chat, or custom group), with hidden administrative oversight reserved to platform administrators for safety and moderation.
We store: participation and award certificates issued per session; recipient details, custom names, and certificate messages; the digital signature applied to a certificate; certificate verification codes; and any void status and associated notes.
Delegates do not undergo payment processing through MediBook. Conference participation fees are paid exclusively by schools. We store: invoice records (number, date, due date, line items, amount, and status); Stripe payment-intent and checkout-session identifiers and metadata; receipt URLs; and payment-status flags. We do not store full card numbers or card security codes — card data is collected and processed directly by Stripe under its own PCI-DSS-compliant environment.
Any purchases a delegate may make in a separate MEDIMUN online store operated on a different domain and platform are governed by that store's and that platform's own terms and privacy notices; MEDIMUN MediBook is not the data controller for those transactions.
We use Vercel Web Analytics, provided by Vercel Inc., to understand aggregate, anonymous usage of our website and platform (for example, which pages are visited and how features perform). This measurement:
We do not use Google Analytics, Meta Pixel, advertising trackers, or any third-party cookie-based analytics. Full detail is provided in our Cookie Policy.
Files uploaded to the platform — including profile photographs, conference documents and photo albums, drive files, message attachments, and signatures — are stored using Vercel Blob object storage on cloud infrastructure located in the European Union. We store the corresponding file references in our database. Photography and recording at the conference itself are also governed by our Code of Conduct.
We collect and store: last-login and last-activity timestamps; time-limited password-reset codes; account status (active, disabled, blacklisted); and authentication session tokens. Authentication tokens are used to keep you securely logged in and are not used to track you across other websites.
When you access our platform, standard server and security logs may record IP addresses, browser user-agent strings, request paths, and timestamps. These logs are retained for security, abuse-prevention, debugging, and operational purposes only, and are not used for marketing or behavioural profiling. We also process limited data to operate bot-protection (Google reCAPTCHA) on sign-up and public forms, as described in our Cookie Policy.
We use personal data for the following purposes:
We do not: use your data for targeted advertising; sell, rent, or trade your data; or carry out automated decision-making that produces legal or similarly significant effects on you without human involvement.
MEDIMUN does not sell, rent, or trade personal data. We share data only with a limited set of vetted sub-processors who process it strictly on our documented instructions, under data processing agreements that incorporate the GDPR Article 28 obligations. Each is engaged for a specific function and is not authorised to use personal data for its own purposes.
Our current sub-processors are:
Vercel Inc. (United States) — application hosting, serverless compute, content delivery, cookieless Web Analytics, and Vercel Blob object storage for uploaded files. Compute and blob storage are configured to operate within the European Union. Transfers to Vercel as a US-incorporated provider are covered by the EU–U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses.
Neon Inc. (United States) — the managed PostgreSQL database that holds the core personal data described in this policy. The database is hosted on Amazon Web Services in the eu-central-1 (Frankfurt, Germany) region, within the European Union. Transfers are covered by the EU Standard Contractual Clauses.
Amazon Web Services (AWS) — the underlying cloud infrastructure on which our database and certain EU-region storage and caching run. The relevant resources are provisioned in AWS European Union regions. AWS maintains EU data-residency options and recognised security certifications.
Upstash, Inc. (United States) — managed Redis used for session-validity caching, the real-time event queue, and short-lived security tokens. Provisioned in an EU region on AWS. Transfers are covered by the EU Standard Contractual Clauses.
Hetzner Online GmbH (Germany, EU) — hosts the real-time WebSocket server that powers live features (messaging, voting state, collaborative editing). This server processes data in transit to deliver real-time events; it is located within the European Union.
(Stripe Payments Europe, Ltd., Ireland, with Stripe, Inc. in the United States) — payment processing for . Stripe is an independent controller of certain payment data under its own privacy policy. International transfers are covered by the EU Standard Contractual Clauses.
We may also disclose personal data where required to do so by law, by a valid order of a competent court or authority, or where necessary to protect the rights, safety, or property of MEDIMUN, our users, or the public — including the welfare of minors.
We maintain an internal list of sub-processors and review it when our infrastructure changes. We will update this policy and notify registered users of material changes to our sub-processors in accordance with Section 14.
The primary, persistent storage of personal data processed through MediBook is located within the European Union. In particular, the core database is hosted on Amazon Web Services in Frankfurt, Germany (eu-central-1) via Neon, and uploaded files and cached data are held in EU-region infrastructure via Vercel Blob and Upstash. The real-time WebSocket server is operated within the EU by Hetzner in Germany.
Some of our sub-processors are incorporated outside the EU (notably in the United States). Where personal data is transferred to, or accessible from, a country outside the European Economic Area, that transfer is protected by an appropriate safeguard under Chapter V GDPR — principally the EU Standard Contractual Clauses, the EU–U.S. Data Privacy Framework (where the recipient is certified), and supplementary technical and organisational measures such as encryption in transit. We do not transfer personal data to a third country in the absence of such a safeguard.
You may request further information about the specific safeguards applied to a given transfer by contacting info@medimun.org.
By registering a school on MediBook, every School Director:
Accepts responsibility for ensuring that all students they register or affiliate with their school account are eligible to participate (aged 15–19) and have appropriate parental/guardian consent where required;
Undertakes to inform the parents and guardians of all under-18 students from their school that:
Bears full legal liability for any breach of these obligations, including any claim arising from a failure to obtain parental consent for under-16 students;
Acknowledges that MEDIMUN is not liable for any harm, loss, or regulatory action arising from a School Director's failure to comply with this section.
School Directors have access to the personal data of students who have declared affiliation with their school on MediBook, with the exception of gender and pronouns, which are not visible to School Directors. School Directors must treat student data confidentially, use it only for legitimate delegation-management purposes, and comply with their own institution's data protection obligations.
As a data subject, you have the following rights, which you may exercise free of charge (subject to the limited exceptions the GDPR allows):
To exercise any of these rights, contact info@medimun.org. We will respond without undue delay and within one month of receipt, extendable by up to two further months for complex or numerous requests (we will tell you if an extension applies). We may ask you to verify your identity before we act, and — for requests concerning a minor — we may require evidence of parental responsibility.
You also have the right to lodge a complaint with the supervisory authority:
Office of the Commissioner for Personal Data Protection Iasonos 1, 1082 Nicosia, Cyprus 📧 commissioner@dataprotection.gov.cy 🌐 www.dataprotection.gov.cy
We would, however, appreciate the chance to address your concerns directly before you approach the Commissioner.
We retain personal data only for as long as necessary to fulfil the purposes described in this policy and to comply with our legal obligations. Our standard retention periods are:
When you request account deletion, we will delete or irreversibly anonymise your personal data within 30 days, except for data we are required to retain by law (such as financial records) or that we must keep to establish, exercise, or defend legal claims. Backups are cycled out on a rolling basis; data in backups is overwritten in the ordinary course.
We implement appropriate technical and organisational measures to protect personal data, including:
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, and affected individuals without undue delay, as required by Articles 33–34 GDPR.
We may update this Privacy Policy from time to time to reflect changes in our practices, our infrastructure, or the law. When we make material changes, we will notify registered users by email and update the "Last updated" date and version number at the top of this document. Non-material changes (such as clarifications) take effect when published. Your continued use of MediBook after the effective date of any change constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
This Privacy Policy should be read together with our:
For any privacy-related question, data subject request, or complaint:
MEDIMUN — Data Protection 📧 info@medimun.org 🌐 www.medimun.org
Data Controller The English School Presidential Palace Road and Kyriacou Matsi Strovolos 1082, Nicosia, Cyprus
Google LLC (United States) — Google reCAPTCHA bot-protection on sign-up and public forms, used to prevent automated abuse and fraudulent account creation. Transfers are covered by the EU–U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses.
Resend (United States) — delivery of transactional emails (account, security, application, invoice, and certificate notifications) from our notifications.medimun.org sending domain. Transfers are covered by the EU Standard Contractual Clauses.