Privacy Notice

Last updated: October 2025

This Privacy Notice explains how MTÜ Sankofa Living & Learning ("we", "us", "our") collects, uses, and protects your personal data when you visit our websites, participate in our community programs, or join the Camp Calma Giveaway 2025.

1. Data Controller

MTÜ Sankofa Living & Learning

Registration No. 80653331

Registered Address: [Estonian Registration Address – as in official records]

Operational Office: Palanque, 6000-740 Tinalhas, Castelo Branco, Portugal

📧 Email: privacy@sankofa-ngo.org

We are responsible for all personal data collected and processed through our online platforms, including sankofa-ngo.org and its subdomains (e.g., ticket.sankofa-ngo.org).

2. What Data We Collect

We collect only the information necessary for participation, membership, communication, and transparency. This may include:

  • Contact information: name, email address
  • Account data: login credentials, membership status
  • Donation and payment data (via Stripe)
  • Giveaway participation data (tickets, prizes, timestamps)
  • IP address and activity logs (via Supabase)
  • Analytics data (via Google Analytics)
  • Communication preferences and consent status
  • Photos of prize winners (with consent)

We do not collect sensitive personal data unless explicitly provided by you (e.g., for testimonials or educational projects).

3. How We Use Your Data

We process personal data for the following purposes:

Purpose – Legal Basis (GDPR Art. 6)

  • Account creation and participation in the giveaway – Contractual necessity (Art. 6(1)(b))
  • Managing free and full membership – Contractual necessity (Art. 6(1)(b))
  • Communication about tickets, prizes, and similar NGO programs – Consent (Art. 6(1)(a))
  • Processing donations and payments – Contractual necessity / Legal obligation (Art. 6(1)(b), (c))
  • Transparency and reporting for non-profit activities – Legitimate interest (Art. 6(1)(f))
  • Preventing fraud or misuse – Legitimate interest (Art. 6(1)(f))
  • Legal and tax compliance – Legal obligation (Art. 6(1)(c))

We never sell personal data or use it for commercial advertising.

4. Data Retention

We retain personal data as long as necessary for the purposes stated, and at least for the duration required by applicable accounting and non-profit laws.

  • Giveaway and membership data: retained until 31 December 2026
  • Donation and financial data: retained for up to 7 years to comply with Estonian and EU accounting requirements
  • Logs and technical data: stored for up to 12 months for security and auditing

Data will be deleted or anonymized after the retention period expires.

5. Data Hosting and Processing

Your data is securely hosted and processed within the European Union, using trusted service providers that comply with the GDPR:

  • Supabase (EU region) – database and authentication
  • Vercel (EU region) – website hosting and deployment
  • Stripe – donation and payment processing
  • Google Workspace – email, storage, and document management
  • Make.com (Integromat) – workflow automation
  • Monday.com – internal project management
  • Google Analytics – website usage statistics

All providers are bound by data processing agreements (DPAs) ensuring GDPR compliance.

6. Recipients and Data Transfers

We do not sell or share personal data externally.

Access is limited to authorized internal staff and systems necessary for operational or legal compliance.

No data is transferred outside the EEA, except where an equivalent level of protection is guaranteed (e.g., via EU Standard Contractual Clauses).

7. Cookies and Analytics

We use essential cookies for authentication and security, and Google Analytics for anonymous statistical analysis.

You can adjust cookie preferences in your browser settings.

Analytics data is anonymized and not combined with identifiable information.

8. Your Rights

Under the EU General Data Protection Regulation (GDPR), you have the following rights:

  • Access – request a copy of your data
  • Rectification – correct inaccurate data
  • Erasure ("Right to be Forgotten") – request deletion of your data
  • Restriction – limit processing in certain cases
  • Portability – receive your data in a structured format
  • Objection – object to processing based on legitimate interests
  • Withdrawal of consent – at any time, where processing is based on consent

You may exercise your rights by emailing privacy@sankofa-ngo.org.

9. Supervisory Authorities

You may also file a complaint with your national authority. For our organization, the competent authorities are:

  • Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) – www.aki.ee
  • Comissão Nacional de Proteção de Dados (CNPD, Portugal) – www.cnpd.pt

10. Updates

We may update this Privacy Notice to reflect operational, legal, or technological changes.

The latest version will always be available at https://www.sankofa-ngo.org/privacy.

Contact

MTÜ Sankofa Living & Learning

📧 privacy@sankofa-ngo.org

🌍 www.sankofa-ngo.org