Lunda Software is a fundraising software that enables clients to create and publish custom made micro-donation public webpages from within the software. These webpages are meant to be used by donors, who want to donate to the cause
of the client.
Name of data controller: Estratos Digital GmbH
Address: Sommerhaidenweg 98, 1190 Vienna, Austria
Company registration number: FN 544761 w
Data Protection Officer: Viktor Szigetvari
Email address: firstname.lastname@example.org
Purposes of the processing
Most of the processings of Lunda are carried out under the controllership of our respective clients. They determine the purpose and means of processing by choosing Lunda for their micro-donation webpages and by configuring which personal data on their donors should be collected on the basis of which legal basis.
Only a few categories of processings are carried out under our own controllership. These are covered in this document.
Provision and administration of services to Lunda Clients (e.g. parties, causes)
For the provision of our services and the administration of the software we process the following categories of personal data regarding logged-in users of Lunda:
Name of the organisation
Stripe account data (in case it is registered to a natural person)
Stripe connect status (in case it is registered to a natural person)
Registration date of the user
Account confirmation status
Audit Trail: Log-data on user activities within the application
These personal data are required to process your request in the context of the implementation of pre-contractual measures and for the fulfilment of the contract pursuant to Art 6 (1) lit b GDPR, otherwise it is not possible to conclude a contract or to process the request.
Following the expiry of the contract with a client, we will only retain the data for thirty days [30 days] after the end of the contractual relationship, unless the data is necessary to fulfil legal obligations under Austria’s Bookkeeping Law (7 years).
Processing of donations / payments – User/Donors data
Lunda provides clients with the ability to receive donations / payments. In this context we process the following personal data regarding those donors or other third parties in order to inform clients and donors about the payments completed on their behalf and to account for the services provided and to prevent any misuse of our services:
Means of payment (Credit card, SEPA, Apple pay, Google pay, etc.)
Payment data (dependent on the means of payment)
Donation amount and Currency
Payment ID: in case of recurring payments
statistical data on donors and donations
access data (e.g. IP adresses, device information, cookies)
other personal data, dependent on the configuration decisions by the respective client
All the data contained and obtained through the Lunda forms will be retained as long as we continue providing such service to the concerned client.
Following the expiry of the contract with a client, we will only retain the data for thirty days [30 days] after the end of the contractual relationship with the controller to allow the Client to download the data they own.
Before onboarding subprocessors, Estratos Digital GmbH conducts an audit of the security and privacy practices of subprocessors to ensure subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. The subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms to fulfill the obligations under GDPR.
The following categories of processors may receive data from the processing:
Providers of Payment Services
Providers of mailing and analytics services
Estratos Digital GmbH uses Sendgrid (that is a service provided by Twilio Ireland Limited, a company registered in the Republic of Ireland, whose registered address is 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland. DPA: https://www.twilio.com/en-us/legal/data-protection-addendum) as a directly integrated mass email sender of Lunda for receipts and transaction related automated emails.
Estratos Digital GmbH uses Twilio Segment (Twilio Ireland Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, Dublin, Ireland D01 C4E0 - https://segment.com/product/gdpr/ ) to provide data synchronization services.
Providers of storage services (data centres within the EU)
Estratos Digital GmbH uses the Google Cloud Platform service to store and access personal data provided by data processor/subprocessor Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The Data Processing and Security Terms of the firms are available at: https://cloud.google.com/terms/data-processing-terms.
Estratos Digital GmbH requires subprocessors to use full disk encryption for data storage during data processing based on the Google Cloud Platform to guarantee that the data never reaches the cloud in an unencrypted state during network transmission.
Access to data and measures ensuring safe data handling
Personal Data collected is stored and processed on computers in the European Union and we protect it by maintaining physical, electronic and procedural safeguards in compliance with applicable EU laws and regulations.
We maintain adequate administrative, technical and physical safeguards designed to protect the Personal Data you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.
When processed as part of a hosted service, the information may be processed and stored on the servers of third party providers hired to provide the hosting, and our agreements with such parties require that they not use, disclose, or share such information.
More information on the security of your data can be found in the security policy
Data subjects rights
As a data subject you are generally entitled to the rights of information (Article 15 GDPR), correction (Article 16 GDPR), deletion (Article 17 GDPR), restriction (Article 18 GDPR), data portability (Article 20 GDPR), revocation (Article 21 GDPR) and objection (Article 7 GDPR).
In order to exercise your rights and for any concern during the use of our software please contact us at the contact information provided above.
In addition you also have the right to lodge a complaint with the competent supervisory authority, which is the Austrian Data Protection Authority. Their contact details are to be found at www.dsb.gv.at.