01Controller & contact
The data controller responsible for personal data processed in connection with ICCA-Stroke is cme4u GmbH, organiser of the CSI Congress and host of ICCA-Stroke. cme4u GmbH determines the purposes and means of processing within the meaning of Article 4(7) GDPR.
- Controller
- cme4u GmbH
- Privacy
- info@iccaonline.org
- Postal
- Registered at the address shown in the site imprint.
For any question relating to your personal data — including the rights described in section 13 — please contact us at the address above. We aim to respond to written enquiries within one month, as required by Article 12(3) GDPR.
02Scope of this policy
This policy applies to the public ICCA-Stroke website, the online registration flow, all related transactional emails, and any direct communication you send to the organiser. It does not apply to third-party websites we link to; those operators publish their own privacy notices, which we recommend you read.
03Server logs & transport security
Every time a browser requests a page from this site, our hosting infrastructure writes a short, technical log entry. Typical fields are:
- The IP address making the request, in truncated form where feasible.
- The date and time of the request.
- The path that was requested and the HTTP response code returned.
- The referring page, the browser user-agent string and the operating system.
These logs allow us to operate the site, defend against abuse and diagnose faults. They are processed under the legitimate-interest legal basis (Article 6(1)(f) GDPR) and are not combined with other data sources for marketing purposes.
All connections between your browser and our servers are protected with industry-standard TLS encryption. A padlock icon in the browser address bar indicates that the connection is secure.
04Event registration data
When you register for the congress we ask for the information needed to confirm your place, issue an invoice, prepare your badge, and — where applicable — apply for CME accreditation on your behalf. The data collected typically includes:
- Title, first name, family name.
- Institution, department, professional specialty and country of practice.
- Postal billing address and VAT or tax identifier where required.
- Email address and telephone number.
- Dietary or accessibility requirements you voluntarily share with us.
- Payment data — handled directly by our payment provider; we never see your card number.
The legal basis for this processing is the performance of the registration contract you enter into with us (Article 6(1)(b) GDPR) and, for tax and accounting fields, compliance with German legal obligations (Article 6(1)(c) GDPR).
05Processors & sub-processors
We operate the registration platform together with Summitware BV, our long-standing technology partner, acting as a processor under a written data-processing agreement (Article 28 GDPR). Summitware in turn engages a small number of carefully selected sub-processors to deliver the service:
- Amazon Web Services — application hosting and storage in EU data-centres.
- MongoDB Atlas — managed database, with the cluster pinned to an EU region.
- Stripe — card payment processing; PCI-DSS Level 1 certified.
- SendGrid / Mailgun — delivery of transactional registration emails.
- Meta Pixel — only loaded after you give analytics/marketing consent; see section 9.
Where a sub-processor transfers data outside the EEA, the transfer relies on the European Commission's Standard Contractual Clauses together with supplementary measures consistent with the Schrems II ruling. A current list of sub-processors is available on request.
06Hotel & accommodation bookings
We do not operate a hotel booking service ourselves. When you click through to a hotel partner or to a booking platform such as HotelMap, you leave the ICCA-Stroke domain and any data you enter there is collected by that third party as an independent controller. We receive only aggregate, non-identifying information about the volume of bookings made through the partner link.
09Analytics & tag management
Subject to your consent, we use Google Analytics 4 to understand how visitors interact with the site so that we can improve the programme and registration journey. IP addresses are anonymised on collection and event data is retained for the shortest period GA4 allows. Tags are deployed through Google Tag Manager, which does not itself collect personal data but loads only those scripts whose category you have accepted.
We have a data-processing agreement in place with Google. Transfers of personal data to the United States rely on the EU–US Data Privacy Framework and the Standard Contractual Clauses.
10Embedded media & maps
Some pages embed content from third parties — for example, a YouTube recording from a previous edition or a Google Maps snippet showing the venue. These embeds are loaded in privacy-enhanced mode where the provider supports it, and the provider may still set cookies and receive technical request data once you interact with the embed. If you have declined marketing/statistics cookies, these embeds will not load automatically.
11Web fonts & reCAPTCHA
The site uses self-hosted web fonts wherever possible so that browsing the public pages does not cause requests to external font CDNs. The registration and contact forms are protected from automated abuse by Google reCAPTCHA, which receives a fingerprint of your interaction with the form for the sole purpose of distinguishing humans from bots. Use of reCAPTCHA is necessary for the legitimate interest of preventing fraud and spam (Article 6(1)(f) GDPR).
13Your rights under the GDPR
You have the following rights in respect of your personal data:
- Access (Art. 15) — confirmation of whether we process your data, and a copy of it.
- Rectification (Art. 16) — correction of inaccurate or incomplete data.
- Erasure (Art. 17) — deletion where the data is no longer needed or you withdraw consent.
- Restriction (Art. 18) — temporary suspension of processing while a dispute is resolved.
- Portability (Art. 20) — receipt of your data in a structured, machine-readable format.
- Objection (Art. 21) — including objection to any direct marketing.
- Withdrawal of consent (Art. 7(3)) — at any time, with effect for the future.
- Complaint to a supervisory authority (Art. 77) — typically the regulator in your country of residence.
To exercise any of these rights, write to info@iccaonline.org. We will respond within one month and may ask for proportionate identification to make sure data is not disclosed to the wrong person.
14Storage duration
Personal data is kept only for as long as the purpose for which it was collected requires, and then deleted or anonymised:
- Registration records — for the duration of the congress year plus the German statutory accounting retention period (typically up to ten years for invoice-bearing data).
- Newsletter subscriptions — until you unsubscribe, after which we keep only a hashed record of the unsubscribed address to honour your choice.
- Server logs — short-lived, typically seven to fourteen days, beyond which entries are deleted or fully anonymised.
- Analytics events — retained for the minimum period configurable in GA4 (currently two months for event data and fourteen months for user-association data).
15Updates to this policy
We review this policy at least annually and whenever we materially change the way we process personal data — for example, when introducing a new sub-processor or a new analytics tool. The "last reviewed" date at the top of the page reflects the most recent revision. Where changes affect data we collected with your consent, we will ask for fresh consent before the new processing begins.
Questions about how we handle your data? Write to info@iccaonline.org.
12Social plugins
Where the site links to our presence on LinkedIn or other social platforms, the link is a plain hyperlink: no data is exchanged with the network until you click through. We do not run "share" or "like" plugins that contact social networks on page load.