1. Introduction
This Privacy Policy explains how Küberpoliitika ühing*, registered in Estonia with registration number 80659411 and registered address at Sambliku tee, (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit our website, donate, subscribe to our newsletter, or otherwise interact with us.
We are committed to safeguarding your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable national data protection laws.

2. Personal data we collect
We may collect and process the following categories of personal data:
Identification and contact details: name, email address, postal address, phone number.
Donation details: payment information (processed securely via third-party providers), donation amount, date of donation.
Communication data: information you provide when contacting us (e.g., through forms or emails).
Newsletter subscription: your email address and preferences.
Website usage data: IP address, browser type, operating system, cookies, and analytics data.
We do not intentionally collect sensitive personal data (such as health, religion, political opinions) unless explicitly required and with your consent.

3. How we use your personal data
We process your personal data for the following purposes:
To respond to inquiries and provide requested information.
To process and acknowledge donations, and to comply with legal record-keeping obligations.
To manage newsletter subscriptions and send relevant communications (with your consent).
To manage event registrations and volunteer participation.
To improve our website, campaigns, and donor experience.
To comply with legal obligations applicable to NGOs.

4. Legal bases for processing
Under GDPR, we rely on the following lawful bases:
Consent: for newsletters, cookies, and optional communications.
Contractual necessity: when processing data necessary for event participation or service delivery.
Legal obligation: to keep donation and accounting records.
Legitimate interest: for responding to inquiries and improving our services, provided your rights are not overridden.

5. Data retention
We retain personal data only as long as necessary for the purposes stated:
Donor records: 7 years (or as required by tax/accounting law).
Newsletter subscriptions: until you unsubscribe.
Contact form responses: up to 12 months.
Analytics data: typically 26 months (Google Analytics default) unless configured otherwise.
After these periods, personal data is securely deleted or anonymised.

6. Sharing of personal data
We do not sell, rent, or trade your personal data. However, we may share data with trusted third-party service providers, including:
Payment processors (to handle donations securely).
Email service providers (for newsletters and communications).
IT and website hosting providers.
Auditors or authorities, if required by law.
All third parties are contractually bound to protect your data and use it only for the agreed purpose.

7. International transfers
If we transfer your data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as EU Commission adequacy decisions or Standard Contractual Clauses (SCCs).

8. Data subject rights
You have the following rights under GDPR:
Right of access – to request a copy of your personal data.
Right to rectification – to correct inaccurate or incomplete data.
Right to erasure (“right to be forgotten”) – to request deletion of your data where legally possible.
Right to restrict processing – to limit how your data is used.
Right to data portability – to receive your data in a structured, machine-readable format.
Right to object – to processing based on legitimate interests, or to receiving marketing communications.
Right to withdraw consent – where processing is based on consent, at any time.
To exercise these rights, please contact us (see Section 11).

9. Cookies and analytics
Our website uses cookies and similar technologies to:
Ensure proper functionality of the website.
Collect analytics on usage patterns (via [Google Analytics / other provider]).
Improve performance and user experience.
You will be asked for consent before non-essential cookies are placed. You can withdraw consent or manage cookies in your browser settings.

10. Security
We implement appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration, or destruction. However, no online transmission or storage system is 100% secure.
11. Contact details
For questions or requests regarding this Privacy Policy or your personal data rights, please contact:
Data Protection Officer / Privacy Contact
Küberpoliitika ühing *
Sambliku tee, 74018, Viimsi, Estonia
 Email: info@cyberpolicygroup.net
 Phone: +372 53441127

12. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA). In Estonia, the supervisory authority is:
Data Protection Inspectorate, Estonia

13. Changes to this Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with a new “last updated” date.

*Küberpoliitika ühing means Cyber Policy Group in Estonian