Privacy Policy

Published on 7th September 2025 (Version 1.0)

Who we are

Privacy Policy for Global Aid Connection (Belgian NGO)

Introduction

Global Aid Connection (“we”, “our”, or “us”) is a Belgian non-governmental organization (NGO) dedicated to the delivery of humanitarian and development aid, operating via its website https://globalaidconnection.org/, which is built on the WordPress platform and hosted by Hostinger Netherlands. We take your privacy seriously and are committed to processing your personal data in accordance with the General Data Protection Regulation (EU Regulation 2016/679, “GDPR”), the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (“Belgian Data Protection Act”), and guidance issued by the Belgian Data Protection Authority (“Autorité de protection des données”/“Gegevensbeschermingsautoriteit”, “DPA”). This privacy policy details how we collect, use, store, share, and protect your data, including information about payment processing through Stripe and direct bank transfers, and clarifies our commitments under Data Processing Agreements (DPAs) with our service providers.

1. Data Collection

1.1 Types of Data Collected

We collect and process the following categories of personal data from website users, donors, volunteers, and newsletter subscribers:

  • Identity Data: Name, surname, date of birth (if provided), postal address.
  • Contact Data: Email address, phone number.
  • Donation and Payment Data: Credit/debit card details (processed by Stripe), IBAN or bank account details for direct transfers, donation amounts and recurrence, billing address, and transaction metadata.
  • Technical and Usage Data: IP address, browser type, device information, pages visited, dates and times of site access.
  • Communication Data: Records of your correspondence with us, including emails, contact form submissions, or feedback messages.
  • Consent Records: Documentation of your consent regarding communications or use of cookies.
  • Cookie and Tracking Data: Information stored via cookies (see Cookie Policy section).

This data may be provided directly by you (for example, by filling in donation forms, subscribing to our newsletter, emailing us, or engaging with us via forms or comments) or may be collected automatically through your interaction with our site (e.g., via cookies and analytics tools).

1.2 Special Categories of Data

Generally, we do not collect or process special categories of data (also called sensitive data) such as race, religion, health, or political opinions via our website. If we require such data in specific project contexts, you will be asked for explicit consent and informed about the purpose, legal basis, and additional safeguards.

2. Legal Basis for Processing

Our processing of personal data is grounded in one or more of the following GDPR legal bases:

  • Consent (Article 6(1)(a) GDPR): When you actively give us your agreement (e.g., opting into newsletters or accepting cookies).
  • Contractual Necessity (Article 6(1)(b) GDPR): For fulfilling contractual obligations such as processing your donation or responding to your inquiry.
  • Legal Obligation (Article 6(1)(c) GDPR): Where processing is necessary for us to comply with Belgian or EU law (e.g., financial recordkeeping, anti-fraud and anti-money laundering requirements).
  • Legitimate Interests (Article 6(1)(f) GDPR): When processing is necessary for our legitimate interests as an NGO (such as improving the site, safeguarding data, or managing supporter relationships), provided your rights and freedoms are not overridden.

For any processing that relies on consent, you have the right to withdraw consent at any time, although this does not affect prior lawful processing.

3. Data Usage

3.1 Purposes of Data Processing

We use your personal data for purposes that include, but are not limited to:

  • Processing Donations: Managing and recording your donation, facilitating payment via Stripe and direct bank transfer, issuing receipts, and fulfilling donor benefits.
  • Administration and Communication: Responding to your queries, managing event registrations, and addressing your requests and feedback.
  • Marketing and Fundraising: Sending out newsletters, fundraising campaigns, and information about our activities, only with your explicit consent.
  • Compliance and Recordkeeping: Fulfilling legal requirements for auditing, accounting, and anti-fraud/anti-money laundering (AML) checks.
  • Site Security and Integrity: Monitoring security, protecting against fraud, and preventing unauthorized access to our systems or data.
  • Website Operations: Analysing website performance, usage statistics, and troubleshooting problems to improve user experience.
  • Cookie Management and Analytics: Using cookies and similar technologies for the functionality of our website and to understand user behavior, subject to your preferences (see Cookie Policy section).

We do not sell or rent your personal data for commercial purposes.

4. Data Sharing

4.1 Third-Party Processors and Recipients

Your personal data may be shared with trusted third-party service providers under Data Processing Agreements, who assist us in delivering our services, always in accordance with GDPR requirements. These include:

Processor / CategoryLocation/NotesPurposeDPA in Place
Hostinger NetherlandsEU (Netherlands)Website hosting and data storageYes (GDPR-compliant)
Stripe Payments Europe, Ltd.EU (Ireland)Payment processing and anti-fraudYes (GDPR-compliant)
Banking PartnersEUDirect bank transfer processingImplicit by contract
Email Marketing ProvidersEU or EEA preferred; otherwise SCCs usedNewsletter and supporter communicationYes
Website Plugins/AnalyticsVariousForm submissions, security, analyticsYes / Privacy-reviewed
Legal/Accounting AdvisorsBelgium/EUCompliance, auditing, and legal adviceConfidentiality clauses

Your data is only shared with these processors for purposes compatible with those described in this policy. Processors are contractually obligated to implement adequate safeguards and process data only on our instructions.

4.2 Data Transfers outside the EEA

We seek to keep your personal data within the European Economic Area (EEA). If there is any transfer of your data outside the EEA, such transfers will rely on one of the following:

  • An adequacy decision by the European Commission (indicating the third country ensures an adequate level of protection).
  • Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • Other appropriate safeguards as provided for by GDPR.

In all cases, we require vendors and partners outside the EEA to contractually guarantee an adequate level of protection.

5. Data Retention and Storage

5.1 Retention Periods

We retain your personal data only as long as necessary for the purposes of collection, or as required by legal or regulatory obligations. This means:

Data CategoryRetention PeriodRationale / Legal Basis
Donation Records7–10 yearsLegal & tax/accounting compliance
Communications2–5 years (unless erasure is requested)For correspondence follow-up and legal defense
Newsletter SubscribersUntil unsubscription or erasure requestConsent-based; periodic review
Website BackupsUp to 6 monthsTechnical disaster recovery
Cookie LogsSee Cookie Policy belowAs defined in Cookie Policy

Upon expiry, your data is securely deleted or anonymized as per best practices for nonprofit data retention and regulatory compliance.

5.2 Data Storage Location

Your personal data is stored on secure servers maintained by Hostinger Netherlands, within the EU, and by Stripe’s European infrastructure (Ireland/Luxembourg/Belgium, as applicable). Where other processors are used, data is stored in secure environments, subject to audit and encryption at rest and in transit.

6. Security Measures

6.1 Technical and Organizational Security

To safeguard your personal data, we implement robust technical and organizational security measures, including but not limited to:

  • SSL/TLS encryption for data in transit on our website.
  • Encrypted storage of sensitive donor data and backup databases.
  • Strong password protection and role-based authentication for staff.
  • Regular software and plugin updates, security patching, and malware scanning.
  • Firewalls, anti-virus, and intrusion detection tools on server environments.
  • Limited and audited access controls to databases and donation platforms.
  • End-to-end encryption for payment data handled by Stripe, which is PCI DSS certified.
  • Staff training and confidentiality obligations for all personnel accessing donor data.
  • Data Breach Response Plan outlining procedures in the event of a suspected breach, including notification to authorities and affected individuals as required by law.

These measures are regularly reviewed and audited to maintain effectiveness, drawing on recognized standards and the recommendations for NGOs operating in both stable and crisis settings.

7. User Rights (Data Subject Rights)

Under the GDPR and Belgian law, you have significant rights regarding your personal data held by us:

RightDescriptionHow to Exercise
AccessYou can request access to your personal data (“data subject access request”).Contact us as described below
RectificationYou may ask us to correct inaccurate or incomplete data.Contact us with details of corrections
Erasure (“Right to be Forgotten”)You may request deletion of your data, unless retention is legally required.Submit erasure request
Restriction of ProcessingYou may ask us to restrict certain processing in defined situations.Specify desired restriction
Data PortabilityYou can request to receive your data in a portable, machine-readable format.Request data export
ObjectionYou may object to certain types of processing, including direct marketing.Inform us of your objection
Withdrawal of ConsentWhere processing is based on consent, you may withdraw it anytime.Use unsubscribe links or contact us
Lodging a ComplaintYou have the right to lodge a complaint with the Belgian Data Protection Authority (DPA).See contact details below

We are required to respond to your legitimate requests promptly, and in any event, within one month (or up to three months in complex cases). We may need to confirm your identity before processing your request to safeguard your data.

8. Data Processing Agreement (DPA) with Processors

8.1 Overview

As a data controller, Global Aid Connection ensures that all processing activities performed by our service providers (“processors”) are governed by written Data Processing Agreements (DPAs) that meet the stringent requirements of GDPR (Articles 28–36). These DPAs cover, among others, Stripe (online payment processing) and Hostinger Netherlands (website hosting). The contracts stipulate:

  • Purpose and Nature of Processing: Defined and limited to what we instruct, e.g., hosting and payment processing.
  • Duration: Only as long as necessary for service provision.
  • Type of Data & Data Subjects: As outlined in “Data Collection” above, relating to donors, subscribers, and website users.
  • Obligations of the Processor: Including data security, confidentiality, and prompt notification of data breaches.
  • Sub-processors: Processors must seek our approval before appointing sub-processors and ensure such sub-processors are contractually bound to equivalent standards.
  • Assisting the Controller: With data subject requests, compliance, and data breach management.
  • End-of-Contract Provisions: At the end of service provision, processors must return or securely destroy the data, unless law requires retention.

8.2 Specific Processors

Hostinger Netherlands (Website Hosting)

We use Hostinger Netherlands to host https://globalaidconnection.org/. Hostinger acts as a processor and confirms GDPR compliance in its DPA. Hostinger must secure our data (including backups), notify us of incidents, and restrict access to authorized technical personnel only. Detailed terms can be found in Hostinger’s Data Processing Addendum and Privacy Policy.

Stripe Payments Europe Ltd. (Payment Processing)

Stripe Ireland is our payment processor for online donations and is bound by its Data Processing Agreement. Stripe processes donor data as a “processor” (e.g., transmitting transaction details, fraud screening) and as a “controller” for its own legal obligations (fraud prevention, AML, regulatory). Stripe’s DPA details security requirements, sub-processor management, and restrictions on cross-border data transfers, with reliance on SCCs and other mechanisms as appropriate.

Direct Bank Transfers

When you transfer donations directly to our bank account, your data (such as name and IBAN) is processed by our banking partner. These data flows are subject to regulatory standards in the EU, where GDPR applies by default, and contractual frameworks between us and our bank ensure confidentiality and security.

Other Processors

Email marketing, analytics, and plugin/service providers may act as processors. We assess each processor for privacy compliance, require DPAs, and preference EEA-based operators (or those implementing standard contractual clauses and GDPR-level safeguards).

9. Cookies and Tracking Technologies

9.1 Overview

Our website uses cookies and similar tracking technologies necessary for its proper functioning, analytics, and, with your consent, marketing purposes. In accordance with GDPR, ePrivacy rules, and Belgian law, we:

  • Clearly inform users of cookie usage through a cookie notification/banner.
  • Seek user consent for non-essential cookies before setting them (e.g., analytics, marketing).
  • Provide cookie preferences management so users can withdraw or adjust their consent at any time.
  • Use only GDPR-compliant WordPress plugins and review them regularly for updates or changes.

9.2 Types of Cookies

Type of CookiePurposeLifespan
Essential/TechnicalRequired for basic website functionalitySession or up to 1 year
Analytics (e.g. Google Analytics)To understand traffic and usage patternsSession or up to 2 years
PreferenceTo remember language or region settingsSession or up to 1 year
MarketingFor targeted outreach/campaign tracking (only with consent)Variable, based on purpose

We provide a detailed Cookie Policy accessible from every page, outlining individual cookies, their purposes, and retention periods. Users can disable non-essential cookies at any time by using the provided controls or changing browser settings.

10. Children’s Privacy

We do not knowingly collect personal information from children under the age of 16, in accordance with GDPR requirements and Belgian law. If it is brought to our attention that personal information from a child has been collected without parental consent, we will take necessary measures to delete such data promptly. Parents or guardians concerned their child’s data may be held by us may contact us as described below.

11. Automated Decision-Making and Profiling

Global Aid Connection does not use your personal data for automated decision-making or profiling that would produce legal effects or similarly significant impacts on you. Any changes to this policy or future uses of your data for such purposes will only occur with clear notice and, where required, your explicit consent.

12. Changes to this Privacy Policy

This Privacy Policy is reviewed regularly and updated when necessary to reflect changes in our practices, technology, legal obligations, or regulatory guidance. When materially revised, we will announce updates prominently on our website; significant changes will be communicated directly to users or donors where reasonably practical.

The version details below will help you track changes:

  • Version: 1.0
  • Last updated: 7 September 2025

13. Contact Information

Data Controller

Global Aid Connection
Nonprofit (NGO) registered in Belgium
Registered address: Rue Gustave Gilson 139, 1090 Jette
Website: https://globalaidconnection.org/
Email: info@globalaidconnection.org

Data Protection Officer (DPO)/Privacy Lead

You can contact our nominated privacy lead (and, where appointed, Data Protection Officer) at ino@globalaidconnection.org or write to us at the above postal address, noting “Data Protection” on the envelope.

Supervisory Authority

If you are unsatisfied with our response or believe your personal data rights have been infringed, you may contact the Belgian Data Protection Authority:

Belgian Data Protection Authority (Autorité de Protection des Données / Gegevensbeschermingsautoriteit)
Rue de la Presse 35, 1000 Brussels, Belgium
Email: contact@apd-gba.be
Web: https://www.dataprotectionauthority.be/citizen/homepage

14. Policy Highlights Table

SectionKey Points
Data CollectionPersonal information, donation/payment data, technical and tracking info.
Data UsageProcess donations, respond to requests, marketing (with consent), improve website.
Data SharingWith processors under DPA: Hostinger (hosting), Stripe (payments), banks, others.
Security MeasuresSSL/TLS, encryption, access control, breach response, compliant processors.
User RightsAccess, rectification, erasure, restriction, portability, objection, complaint.
DPA & ProcessorsHostinger and Stripe bound by strong DPA terms; EU data residency prioritized.
Cookie PolicyCookie consent required for analytics/marketing; user controls available.
Contact InformationDetailed contact info for privacy questions, DPO, and Belgian DPA provided.

These highlights are for quick reference; the complete policy offers further detail and specificity where required by the GDPR and Belgian law.

15. Additional Notices and Recommendations

Transparency and Fairness:
We strive to provide clear, accessible, and accurate information on the collection and use of personal data at the point of collection (e.g., on donation forms, newsletter sign-ups, cookie banners), consistent with GDPR Article 13 obligations.

Accountability:
We maintain written records of processing activities, regularly review our policies and processing partners, and conduct Data Protection Impact Assessments (DPIAs) where higher risk processing is identified (e.g., for new systems handling significant volumes or special categories of data).

International Data Transfers:
Where any data is transferred outside the EU/EEA (e.g., if a provider has a data center abroad), we use European Commission’s Standard Contractual Clauses (SCCs) and additional technical safeguards, as outlined in our DPAs and as required by law and current regulatory practice.

Policy Accessibility:
This policy is available via the website footer and in all relevant interfaces (donation forms, registration, emails), in line with best practice for nonprofit privacy policies. An accessible and plain-language summary is also linked for broad user understanding.

Legal Advice Disclaimer:
This privacy policy is not legal advice and should be reviewed periodically by our legal counsel to ensure continued compliance with evolving data protection law, particularly as we expand our activities, use novel technologies, or engage in high-risk processing.

16. Further References and Resources

Our privacy practices have been informed by, and are designed for conformance with:

  • EU General Data Protection Regulation (GDPR) (EU 2016/679)
  • Belgian Data Protection Act of 30 July 2018
  • Guidance from the Belgian Data Protection Authority (APD/GBA)
  • Sector guidance for NGOs and nonprofit data privacy
  • Best practice privacy policy templates for the non-profit sector

If you have questions about our data processing or policies, please contact us as outlined above.

End of Privacy Policy

This policy has been drafted based on the most stringent data protection requirements applicable to Belgian NGOs, integrating authoritative references and current best practices across the EU and sector. It is recommended that organizations routinely review their policy for compliance as legislation, technology, and organizational activities evolve.