Privacy Policy

Last updated: 10 April 2026

Global Human Impact Foundation (the "Foundation") collects and processes personal data in connection with its website, donor management, training programs, volunteering and communications. This policy describes precisely what we collect, why, how long we keep it, who can access it, and the rights you can exercise at any time. It applies to all visitors, account holders, donors, volunteers, beneficiaries and partners.

1 Data Controller

Global Human Impact Foundation is a non-profit humanitarian organization headquartered in Benin. Editorial contact and DPO: dsi@ghimpactfoundation.org, phone: 248-275-6613. Full publisher details are available in the Legal Notice.

2 Data We Collect

We only collect data that is strictly necessary for the purpose pursued. By category:

  • Identity data: first name, last name, date of birth, nationality, profile picture (optional).
  • Contact data: email address, postal address, phone number.
  • Anonymous interaction data (blog comments/reports without account): chosen pseudonym (publicly displayed), e-mail address (never published, only readable by the moderation staff with the "comments:read" permission for review and follow-up), and an irreversible hash of the IP address (used only for spam/abuse prevention).
  • Account data: password (stored only as a hash, never in clear text), email verification status, last login date.
  • Donation and transaction data: amount, currency, donation type (one-off / recurring), payment method, tax receipt status, payment provider transaction ID. Bank card numbers are NEVER stored on our servers — they are handled directly by our PCI-DSS certified payment partners (Stripe, PayPal).
  • Volunteering / registration data: motivation, experience, availability, current organization, comments provided in the form.
  • Communications data: messages sent via the contact form, newsletter subscriptions, testimonials submitted.
  • Technical and navigation data: IP address (anonymised for analytics), browser and OS user agent, pages viewed, referrer, session duration, device language.
  • Consent data: cookie preferences, date and version of consent given, opt-in / opt-out history.

3 Purposes of Processing and Legal Basis

Each processing activity is based on a clearly identified legal ground:

  • Manage your account and authenticate you (contract performance).
  • Process your donations, issue tax receipts and meet anti-money-laundering obligations (legal obligation and contract).
  • Process volunteering / training registrations and manage participation (contract performance and consent).
  • Reply to your messages sent via the contact form (legitimate interest of replying to a request).
  • Send the newsletter and impact updates (consent — you can unsubscribe in one click).
  • Measure audience and improve the website (consent for non-essential analytics cookies — see Cookie Policy).
  • Ensure security, fraud prevention, logging and incident response (legitimate interest in protecting the platform and its users).
  • Comply with legal, accounting and tax obligations applicable to the Foundation (legal obligation).

4 Retention Periods

Data is kept only for the time strictly necessary for each purpose, then archived or deleted. Indicative durations applied by the Foundation:

  • Active user account: for the duration of the relationship plus 3 years after the last activity, then deletion or full anonymisation.
  • Donation and tax receipt records: 10 years from the financial year (accounting obligation).
  • Tax receipts issued: 6 years (tax obligation).
  • Volunteering / training applications — accepted candidates: duration of the program plus 3 years.
  • Volunteering applications — not selected: 2 years from rejection, then deletion.
  • Contact form messages: 3 years from the last exchange.
  • Newsletter subscribers: until unsubscribe (one-click link in every email), then deletion within 30 days.
  • Authentication and security logs (login, IP, JTI): 12 months.
  • Analytics cookies and derived data: maximum 13 months (CNIL recommendation), then deletion or aggregation.
  • Encrypted backups: 30 days rolling window after primary deletion.

5 Recipients and Sub-processors

Your data is accessed only by authorised Foundation staff (operations, donor relations, IT/DPO) and by carefully selected sub-processors bound by a data processing agreement:

  • Hostinger International Limited (Cyprus) — website hosting.
  • Stripe Payments Europe Ltd (Ireland) — donation processing by bank card. Subject to Stripe's privacy policy.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) — donation processing via PayPal account or card.
  • Google Ireland Limited — Google Analytics 4 audience measurement, activated ONLY after explicit consent, with Consent Mode v2 and IP anonymisation.
  • Transactional email service — to send verification emails, donation receipts and password resets.

6 International Transfers

Some sub-processors may process data outside the EU, in particular in the United States (Stripe, PayPal, Google). These transfers are governed by the European Commission's Standard Contractual Clauses (SCC) and/or by the EU-US Data Privacy Framework adequacy decision. We never sell your data and never transfer it to third parties for commercial purposes.

7 Security Measures

The Foundation applies technical and organisational measures appropriate to the risk:

  • TLS 1.2+ encryption of all data in transit (HTTPS).
  • Encryption at rest of sensitive fields.
  • Passwords stored using a strong cryptographic hash.
  • Audit logs, session expiration and token revocation.
  • Regular backups, monitoring and incident response procedure.
  • No payment card storage on our infrastructure.

8 Your Rights

In accordance with applicable data protection regulations (Benin Personal Data Protection Act, GDPR where it applies extraterritorially), you have the following rights, which you may exercise free of charge by contacting our DPO at dsi@ghimpactfoundation.org:

  • Right of access: obtain a copy of the data we hold about you.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): obtain deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing.
  • Right to data portability: receive your data in a structured, commonly used and machine-readable format.
  • Right to object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent at any time, for processing based on consent (cookies, newsletter).
  • Right to define directives for the fate of your data after your death.
  • Right to lodge a complaint with the competent supervisory authority — in Benin: the Authority for the Protection of Personal Data (APDP); in the European Union: the supervisory authority of your country of residence.
  • Self-service portal: visit /gdpr to request a data export or deletion. We send a confirmation link to your e-mail address (valid for 24 hours). Anonymous comments and reports are deleted; donation records are anonymised but retained for 10 years for accounting compliance.

9 Cookies and Similar Technologies

The website uses essential cookies (always active, strictly necessary for operation), and optional cookies (analytics, preferences, marketing) deposited ONLY after your explicit consent collected via the banner. You can change your choices at any time on the Cookie Policy page. The complete list of cookies, their purpose and their lifetime is provided there.

10 Minors

The website is not intended for unaccompanied minors under 15. We do not knowingly collect data from a child without verified parental authorisation. If you believe a minor has provided us with data without authorisation, contact the DPO for immediate deletion.

11 Automated Decision-making

The Foundation does not take any fully automated decision producing legal effects on the user (no profiling-driven decisions on donations, selections or eligibility).

12 Policy Updates

This policy may be updated to reflect legal, technical or organisational changes. The revision date at the top of the page indicates the version currently in force. In case of substantial change, we will inform you by email and/or via a banner on the website at least 15 days before entry into force.

Contact - Data Protection (DPO)

For any request regarding your rights (access, correction, deletion, objection, restriction, portability, withdrawal of consent), contact our Data Protection Officer. We reply within 30 days of receipt of a duly identified request:
dsi@ghimpactfoundation.org - 248-275-6613