1. Who We Are
Mediterranean Model United Nations ("MEDIMUN", "we", "us", "our") is a non-profit educational programme organised by The English School, a registered educational institution located at:
The English School
0 Presidential Palace Road and Kyriacou Matsi
Strovolos 1082
Nicosia, Cyprus
MEDIMUN operates the website www.medimun.org and the management platform MediBook (accessible at www.medimun.org/medibook).
For all data protection matters, The English School acts as the Data Controller in respect of all personal data processed through MEDIMUN's platforms.
Data Protection / Privacy Contact:
📧 info@medimun.org
2. Scope of This Policy
This Privacy Policy applies to:
- All visitors to www.medimun.org
- All registered users of MediBook, including:
  - Delegates (student participants aged 15–19)
  - School Directors (supervising teachers from participating schools)
  - Secretariat members, Chairs, Members, Managers, Directors, and Senior Directors
- All persons whose data is processed in connection with any MEDIMUN conference session
This policy does not apply to third-party websites linked from our platforms. We are not responsible for the privacy practices of third parties.
3. Legal Basis
MEDIMUN operates under the laws of the Republic of Cyprus and complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Cyprus Law on the Protection of Natural Persons with Regard to the Processing of Personal Data (Law 125(I)/2018).
Our legal bases for processing personal data are:
- Creating and managing user accounts — Performance of a contract / Legitimate interests
- Conference management, committee assignments, voting — Performance of a contract / Legitimate interests
- Sending essential account notifications — Performance of a contract
- Issuing participation certificates — Performance of a contract / Legitimate interests
- Payment processing (schools only) — Performance of a contract
- Platform security and fraud prevention — Legitimate interests
- Analytics (authenticated users only) — Legitimate interests
- Storing and displaying conference photos — Legitimate interests / Consent (where applicable)
- Processing data of users under 16 — Consent obtained via school director on behalf of the institution
4. Minimum Age Requirement
You must be at least 15 years old to create a MEDIMUN account or use MediBook.
4.1 Users Aged 15 (Under the GDPR Age of Digital Consent in Cyprus)
The Republic of Cyprus has set the age of digital consent at 16 years under GDPR Article 8. Users aged 15 are therefore below this threshold.
By registering a school and submitting applications on MediBook, the School Director of each participating school expressly:
- Represents and warrants that they have obtained valid parental or guardian consent for each student from their school who is under 16 years of age and will create a MEDIMUN account;
- Accepts full legal responsibility and liability under GDPR and applicable Cypriot law for the registration and data processing of any under-16 student affiliated with their school on MediBook;
- Agrees to inform parents and guardians of all under-18 students at their school about the existence of MEDIMUN accounts and the data stored therein, as described in this Privacy Policy;
- Acknowledges that MEDIMUN does not directly collect parental consent forms and relies entirely on the School Director's compliance with this obligation.
MEDIMUN will not be held liable for any failure by a School Director to obtain or document the required parental consent.
4.2 Users Under 15
Persons under 15 years of age are strictly prohibited from creating an account or using MediBook. If we become aware that a user is under 15, we will immediately delete their account and all associated data without notice.
4.3 Parental / Guardian Rights for Under-18 Users
Parents or guardians of users under 18 may:
- Request access to their child's personal data
- Request correction of inaccurate data
- Request deletion of their child's account and all associated data
Such requests must be submitted to info@medimun.org with proof of identity and guardianship.
5. Data We Collect
5.1 Account Registration Data
When a user creates a MediBook account, we collect:
- Full legal name (first name and surname)
- Email address
- Date of birth
- Nationality
- School affiliation (the school the user declares membership of)
- Phone number (required for delegates and school directors)
- Password (stored as a cryptographic hash using bcrypt; we never store plain-text passwords)
Optional fields include:
- Display name / preferred name
- Gender and pronouns
- Biography
- Profile picture (photo)
- Digital signature (for certificate issuance)
5.2 School Data
School Directors register their school on MediBook, providing:
- School name, location (address, city, state/province, country, postcode)
- School phone number and email address
- School website
- Student ID references (for identity matching)
5.3 Conference Participation Data
We collect and store:
- Committee and country assignments
- Delegation preferences and applications
- Roll call attendance records
- Voting records (for resolutions and clauses), including how each delegate / country voted (FOR, AGAINST, ABSTAIN)
- Morning attendance codes and presence records
- Position papers, resolution drafts, preambles, operative clauses, and amendment records
- Chair feedback and document review history
5.4 Communication and Messaging Data
We store:
- In-platform messages between users (including replies, reactions, and threading)
- Group memberships and last-read timestamps
- Notification history
5.5 Certificate and Achievement Data
We store:
- Participation certificates issued per session
- Certificate recipient details, custom names, and messages
- Digital signatures attached to certificates
- Void status and associated notes
5.6 Financial Data (Schools Only)
Delegates do not undergo payment processing through MediBook. Payments are made exclusively by schools. We store:
- Invoice records (number, date, due date, items, amount, payment status)
- Stripe Payment Intent IDs and Stripe Checkout session metadata
- Receipt URLs
- Payment status flags
Delegates who make purchases do so through a separate Shopify service on a different domain. MEDIMUN is not the data controller for Shopify transactions.
5.7 Technical and Authentication Data
We collect and store:
- Last login timestamp
- Last session activity timestamp
- Password reset request codes (time-limited UUIDs)
- Account status (active, disabled, blacklisted)
- Session tokens (used for authentication only, not for tracking)
5.8 Analytics Data (Authenticated Users Only)
We use a self-hosted instance of Umami Analytics, which is deployed on MEDIMUN's EU-based infrastructure. Analytics data is:
- Collected only for authenticated (logged-in) users
- Not collected for unauthenticated website visitors — no tracking cookies are set before login
- Anonymised and aggregated at the platform level
- Never linked to third-party advertising networks
No analytics data is transferred to third parties.
5.9 Photos and Media
Conference photo albums are stored via Google Drive (managed by MEDIMUN). We store Google Drive folder and file identifiers in our database. Users' profile pictures are stored on MEDIMUN's own server infrastructure.
5.10 Automatically Collected Data
When accessing our platform, standard server logs may record IP addresses, browser user-agent strings, and request timestamps. These are retained for security and operational purposes only and are not used for profiling or marketing.
6. How We Use Your Data
We use personal data for the following purposes:
- Account creation and management — enabling you to log in, manage your profile, and access your session data
- Conference administration — assigning delegates to committees, tracking attendance, managing voting, issuing certificates
- Communication — sending essential notifications about your account, application status, conference updates, and password resets
- School management — enabling School Directors to manage their delegations and view data for students affiliated with their school
- Payment processing — generating and managing invoices for school fees
- Platform security — detecting fraud, abuse, and unauthorised access
- Analytics — understanding platform usage to improve MediBook (authenticated users only)
- Legal compliance — complying with our obligations under GDPR and applicable law
We do not use your data for:
- Targeted advertising
- Sale or rental to third parties
- Automated decision-making with legal or significant effects on individuals
7. Data Sharing and Third-Party Processors
MEDIMUN does not sell, rent, or trade personal data with any third party.
We use a limited number of trusted data processors who process data strictly on our instructions:
- Hetzner Online GmbH — Hosting and infrastructure (servers, database, file storage) — EU (Germany / Finland)
- Stripe, Inc. — Payment processing (school invoices only) — EU / USA (Standard Contractual Clauses apply)
- Google LLC (Google Drive) — Storage of conference documents and photo albums — EU / USA (Standard Contractual Clauses apply)
- Self-hosted Umami — Analytics (authenticated users only, cookieless) — EU (MEDIMUN-controlled server)
- Email service (Nodemailer / SMTP) — Transactional email delivery — EU
All processors are bound by data processing agreements. We do not authorise any processor to use personal data for their own purposes.
All primary data storage is located within the European Union, on servers operated by Hetzner Online GmbH.
8. School Directors' Obligations and Liability
By registering a school on MediBook, every School Director:
- Accepts responsibility for ensuring that all students they register or affiliate with their school account are eligible to participate (aged 15–19) and have appropriate parental/guardian consent where required.
- Undertakes to inform parents and guardians of all under-18 students from their school that:
  - The student will have a MediBook account
  - The account stores personal data including name, email, date of birth, nationality, phone number, profile photo, voting records, and academic/committee activity
  - Data is stored in the European Union
  - The student or their parent/guardian can request deletion of the account and all data by contacting info@medimun.org
- Bears full legal liability for any breach of this obligation, including any claim arising from failure to obtain parental consent for under-16 students.
- Acknowledges that MEDIMUN is not liable for any harm, loss, or regulatory action arising from a School Director's failure to comply with their obligations under this section.
School Directors have access to the personal data of students who have declared affiliation with their school on MediBook, with the exception of gender and pronouns, which are not visible to school directors.
9. Data Retention
We retain personal data for as long as necessary to fulfil the purposes described in this policy, and in accordance with applicable legal requirements.
- Active user accounts — Until account deletion request or inactivity for 5+ years
- Conference session records — Indefinite (for historical record-keeping purposes)
- Payment/invoice records — 7 years (Cypriot tax and accounting law)
- Password reset codes — 24 hours from issuance
- Server access logs — 90 days
- Analytics data — Rolling 24 months
When a user requests account deletion, we will delete all personal data within 30 days, except where retention is required by law (e.g., financial records).
10. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Article 15) — request a copy of all personal data we hold about you
- Right to rectification (Article 16) — request correction of inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Article 17) — request deletion of your account and personal data
- Right to restriction of processing (Article 18) — request that we limit how we use your data
- Right to data portability (Article 20) — request your data in a machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at info@medimun.org. We will respond within 30 days. We may request proof of identity before fulfilling a request.
You also have the right to lodge a complaint with the Commissioner for Personal Data Protection of Cyprus:
Office of the Commissioner for Personal Data Protection
Iasonos 1, 1082 Nicosia, Cyprus
📧 commissioner@dataprotection.gov.cy
🌐 www.dataprotection.gov.cy
11. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Passwords hashed using bcrypt with a cost factor of 12
- HTTPS encryption for all data in transit
- Role-based access controls limiting data access to authorised personnel only
- Infrastructure hosted on ISO 27001-certified Hetzner data centres in the EU
- Regular security reviews of platform code and dependencies
Despite these measures, no system is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33–34.
12. Cookies
Please refer to our separate Cookie Policy for full details.
In summary:
- No tracking or advertising cookies are set for unauthenticated visitors to www.medimun.org
- Session cookies are set when you log in to MediBook (essential for authentication)
- No third-party analytics cookies are used at any time
13. Children's Data — Additional Safeguards
Given that many of our users are minors, we apply heightened care:
- Delegate profiles are not publicly indexed or searchable on the open internet
- Voting records and personal data are visible only to the user themselves, relevant MEDIMUN management, and the affiliated School Director (except gender and pronouns)
- Minor users' data is never used for any form of advertising or profiling
- School Directors are contractually obligated to inform parents/guardians of their students' accounts (see Section 8)
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and by updating the "Last updated" date at the top of this document. Continued use of MediBook after the effective date of any changes constitutes acceptance of the updated policy.
15. Contact Us
For any privacy-related questions, data requests, or complaints:
MEDIMUN — Data Protection
📧 info@medimun.org
🌐 www.medimun.org
Data Controller:
The English School
0 Presidential Palace Road and Kyriacou Matsi
Strovolos 1082, Nicosia, Cyprus