Privacy policy for the ‘Lunda’ Fundraising Form

Name of data controller: Estratos Digital GmbH

Address: Sommerhaidenweg 98, 1190 Vienna, Austria

Company registration number: FN 544761 w

Data Protection Officer: Viktor Szigetvari

Email address: privacy@lundadonate.org
 

Most of the processings of Lunda are carried out under the controllership of our respective clients. They determine the purpose and means of processing by choosing Lunda for their micro-donation webpages and by configuring which personal data on their donors should be collected on the basis of which legal basis. 
Only a few categories of processings are carried out under our own controllership. These are covered in this document.

​

Provision and administration of services to Lunda Clients (e.g. parties, causes)

For the provision of our services and the administration of the software we process the following categories of personal data regarding logged-in users of Lunda:

• Name of the organisation

• Cause(s)

• Stripe account data (in case it is registered to a natural person)

• Stripe connect status (in case it is registered to a natural person)

• User name

• Email address

• Registration date of the user

• Account confirmation status

• Audit Trail: Log-data on user activities within the application

These personal data are required to process your request in the context of the implementation of pre-contractual measures and for the fulfilment of the contract pursuant to Art 6 (1) lit b GDPR, otherwise it is not possible to conclude a contract or to process the request.
Following the expiry of the contract with a client, we will only retain the data for thirty days [30 days] after the end of the contractual relationship, unless the data is necessary to fulfil legal obligations under Austria’s Bookkeeping Law (7 years).

​

Processing of donations / payments – User/Donors data

Lunda provides clients with the ability to receive donations / payments. In this context we process the following personal data regarding those donors or other third parties in order to inform clients and donors about the payments completed on their behalf and to account for the services provided and to prevent any misuse of our services:

• Name

• Email

• Means of payment (Credit card, SEPA, Apple pay, Google pay, etc.)

• Payment data (dependent on the means of payment)

• Donation amount and Currency

• Payment ID: in case of recurring payments

• statistical data on donors and donations

• access data (e.g. IP adresses, device information, cookies)

• other personal data, dependent on the configuration decisions by the respective client

All the data contained and obtained through the Lunda forms will be retained as long as we continue providing such service to the concerned client. 

Following the expiry of the contract with a client, we will only retain the data for thirty days [30 days] after the end of the contractual relationship with the controller to allow the Client to download the data they own.

​​

Before onboarding subprocessors, Estratos Digital GmbH conducts an audit of the security and privacy practices of subprocessors to ensure subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. The subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms to fulfill the obligations under GDPR.
The following categories of processors may receive data from the processing:

​

Providers of Payment Services

• Estratos Digital GmbH uses Stripe Payments Europe Ltd. payment services (C/O A&L Goodbody, Ifsc, North Wall Quay Dublin 1., Dublin 1, Dublin; Privacy Policy: https://stripe.com/en-gb-hu/privacy) as a provider of stripe Connect services.

• Estratos Digital GmbH uses Stripe Technology Europe Ltd. (The One Building 1,Lower Grand Canal Street, Dunblin 2,Ireland); Privacy Policy: https://stripe.com/en-gb-hu/privacy) as a provider of authorised payment services. 

• Through Stripe Estratos allows our clients to enable specific payment service providers (https://stripe.com/en-es/legal/payment-terms). Specific information can be found on the respective client privacy policy. NOTE to Lunda-clients: not all Stripe payment methods are supported by Lunda. Contact Estratos's representative's for further information.

• Estratos allows clients to enable the use of Paypal (PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg) as a provider of payment services.

• Estratos allows clients to enable the use of PayU S.A (PayU Spółka Akcyjna with the registered office in ul. Grunwaldzka 186, 60-166 Poznań,) as a provider of payment services.

• Estratos allows clients to enable the use of Paytrail (Paytrail Plc, with registered office in Lutakonaukio 7, 40100 Jyväskylä, Finland) as a provider of payment services.

​

Providers of mailing and analytics services

• Estratos Digital GmbH uses Twilio Ireland Ltd. (3 Dublin Landings, North Wall Quay, Dublin 1,Ireland); Privacy Policy: https://www.twilio.com/en-us/legal/privacy) as a provider of mailing and analytics services.

• Estratos Digital GmbH uses Sendgrid (that is a service provided by Twilio Ireland Limited, a company registered in the Republic of Ireland, whose registered address is 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland. DPA: https://www.twilio.com/en-us/legal/data-protection-addendum) as a directly integrated mass email sender of Lunda for receipts and transaction related automated emails.

• Estratos Digital GmbH uses Twilio Segment (Twilio Ireland Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, Dublin, Ireland D01 C4E0 - https://segment.com/product/gdpr/ ) to provide data synchronization services.

Providers of storage services (data centres within the EU)

• Estratos Digital GmbH uses the Google Cloud Platform service to store and access personal data provided by data processor/subprocessor Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The Data Processing and Security Terms of the firms are available at: https://cloud.google.com/terms/data-processing-terms.

Estratos Digital GmbH requires subprocessors to use full disk encryption for data storage during data processing based on the Google Cloud Platform to guarantee that the data never reaches the cloud in an unencrypted state during network transmission.

 

As indicated Estratos does not act as a data controller with regards to LUNDA, we operate as data processors for our clients, this applies for cookies as well.

Data controllers (our clients) may decide to activate Facebook Pixel as part of their LUNDA forms. 

​

Facebook Pixel is operated by Facebook Inc. and is a tracking technology that allows to measure the effectiveness of the advertising campaigns and to better understand user interactions in the website. Facebook Pixel collects certain data when users interact with the website, including IP addresses, cookie data, and specific action taken in the site. This data is used to optimise the performance of ads, and create targeted audiences for future campaigns. This data may be shared with third parties for advertising and analytics purposes, subject to Facebook’s own privacy policies and terms of service.

​

Data controllers who activate Facebook pixel may decide to offer an opt out to such apps through their respective cookie banners. 

​

You will find more information in the privacy policy of the respective data controllers. 

Personal Data collected is stored and processed on computers in the European Union and we protect it by maintaining physical, electronic and procedural safeguards in compliance with applicable EU laws and regulations.
We maintain adequate administrative, technical and physical safeguards designed to protect the Personal Data you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.

When processed as part of a hosted service, the information may be processed and stored on the servers of third party providers hired to provide the hosting, and our agreements with such parties require that they not use, disclose, or share such information.

​

More information on the security of your data can be found in the security policy 
 

As a data subject you are generally entitled to the rights of information (Article 15 GDPR), correction (Article 16 GDPR), deletion (Article 17 GDPR), restriction (Article 18 GDPR), data portability (Article 20 GDPR), revocation (Article 21 GDPR) and objection (Article 7 GDPR). 
In order to exercise your rights and for any concern during the use of our software please contact us at the contact information provided above.
In addition you also have the right to lodge a complaint with the competent supervisory authority, which is the Austrian Data Protection Authority. Their contact details are to be found at www.dsb.gv.at.