Privacy Policy

KUPATE BG – Roma Public Council Foundation Website (“Terms of Use”)

1. Introduction

KUPATE BG – Roma Public Council Foundation (“the Foundation”, “we”, “us”, or “our”) is committed to protecting the privacy and personal data of all individuals who interact with us. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our website, communicate with us, make a donation, participate in our programmes, or otherwise engage with our activities.

We recognise the importance of transparency, accountability, and trust, particularly given the public interest nature of our work and our cooperation with donors, institutions, and vulnerable communities. This Privacy Policy is designed to comply with the highest standards of data protection under European Union law and recognised international best practices.

This policy applies to all personal data processed by the Foundation through its website, digital platforms, communications, projects, and administrative operations.


2. Data Controller

For the purposes of applicable data protection legislation, including Regulation (EU) 2016/679 (the General Data Protection Regulation – “GDPR”), the data controller is:

KUPATE BG – Roma Public Council Foundation
Registered in the Republic of Bulgaria
Registered non-profit organisation/foundation
Contact email: kupate.bg2021@gmail.com
Registered address: BULGARIA, Sofia (1517), Slatina district, 31 514th Street


3. Legal Framework

This Privacy Policy is governed by and complies with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)

  • Bulgarian Personal Data Protection Act

  • Relevant EU and international data protection standards

  • Applicable contractual and regulatory obligations with donors and institutions

Where users are located outside the European Union, we endeavour to apply equivalent levels of data protection.


4. Definitions

For the purposes of this Privacy Policy:

  • Personal Data means any information relating to an identified or identifiable natural person.

  • Processing means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

  • Data Subject means the individual whose personal data is processed.

  • Controller means the organisation that determines the purposes and means of processing personal data.

  • Processor means a third party that processes personal data on behalf of the controller.


5. Principles of Data Processing

We process personal data in accordance with the following GDPR principles:

  1. Lawfulness, fairness, and transparency

  2. Purpose limitation

  3. Data minimisation

  4. Accuracy

  5. Storage limitation

  6. Integrity and confidentiality

  7. Accountability


6. Categories of Personal Data We Collect

Depending on how you interact with the Foundation, we may collect the following categories of personal data:

6.1 Identification and Contact Data

  • Full name

  • Email address

  • Telephone number

  • Postal address

  • Organisation or institution (if applicable)

6.2 Donation and Financial Data

  • Donation amount

  • Donation frequency

  • Payment method (processed securely by third-party providers)

  • Transaction reference numbers

  • Tax-related information where required by law

Note: The Foundation does not store full credit or debit card details.

6.3 Communication Data

  • Correspondence sent to us via email, contact forms, or post

  • Enquiries, complaints, or feedback

  • Records of meetings or calls (where applicable)

6.4 Website Usage Data

  • IP address

  • Browser type and version

  • Device information

  • Pages visited

  • Date and time of access

This data is typically anonymised or pseudonymised.

6.5 Programme and Project Data

  • Information relating to participation in Foundation projects

  • Monitoring and evaluation data

  • Reports and documentation (including photographs or video where consent has been obtained)


7. Special Categories of Personal Data

In limited circumstances, the Foundation may process special categories of personal data, such as data relating to health, ethnicity, or social vulnerability, particularly in the context of humanitarian and social programmes.

Such data is processed only:

  • Where strictly necessary

  • With appropriate safeguards

  • On a lawful basis, including explicit consent or substantial public interest grounds permitted under GDPR


8. Lawful Bases for Processing

We process personal data only where at least one lawful basis applies, including:

  • Consent – where you have given clear permission

  • Contractual necessity – where processing is required to fulfil an agreement

  • Legal obligation – where required by law or regulation

  • Legitimate interests – where processing is necessary for the Foundation’s legitimate activities and does not override individual rights

  • Public interest – where processing supports recognised social and humanitarian objectives


9. Purposes of Processing

We process personal data for the following purposes:

  • Responding to enquiries and correspondence

  • Managing donations and donor relations

  • Delivering social, housing, educational, and environmental programmes

  • Monitoring, evaluation, and reporting

  • Compliance with legal, regulatory, and financial obligations

  • Improving website functionality and user experience

  • Preventing fraud and misuse of resources

  • Ensuring transparency and accountability


10. Cookies and Online Tracking

Our website uses cookies and similar technologies to ensure functionality and improve user experience.

Cookies may be:

  • Strictly necessary

  • Analytical (anonymised)

  • Functional

Users can manage cookie preferences through browser settings. Full details are provided in our Cookie Policy.


11. Data Sharing and Disclosure

We do not sell or rent personal data.

Personal data may be shared only with:

  • Trusted service providers (e.g. IT, payment processors)

  • Public authorities where legally required

  • Donors or partners in anonymised or aggregated form

  • Auditors and regulators

All third parties are required to comply with data protection obligations.


12. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards, including:

  • Adequacy decisions

  • Standard Contractual Clauses

  • Equivalent legal protections


13. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including legal and accounting requirements.

Retention periods vary depending on the type of data and applicable obligations.


14. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Secure servers

  • Access controls

  • Encryption where appropriate

  • Staff training and confidentiality obligations

Despite these measures, no system can be completely secure, and users acknowledge inherent risks.


15. Rights of Data Subjects

Under GDPR, you have the right to:

  • Access your personal data

  • Rectify inaccurate data

  • Request erasure (“right to be forgotten”)

  • Restrict processing

  • Object to processing

  • Request data portability

  • Withdraw consent at any time

  • Lodge a complaint with a supervisory authority

Requests can be submitted in writing to the Foundation.


16. Children’s Data

The Foundation does not knowingly collect personal data from children without appropriate consent and safeguards. Where children participate in projects, data is processed responsibly and lawfully.


17. Third-Party Websites

Our website may contain links to third-party websites. We are not responsible for their privacy practices and encourage users to review their policies.


18. Changes to This Policy

We reserve the right to update this Privacy Policy to reflect legal, operational, or regulatory changes. Updates will be published on our website with the effective date.


19. Contact Information

For questions, concerns, or data protection requests, please contact:

KUPATE BG – Roma Public Council Foundation
Email: kupate.bg2021@gmail.com
Address: BULGARIA, Sofia (1517), Slatina district, 31 514th Street


20. Governing Law

This Privacy Policy is governed by the laws of the Republic of Bulgaria. Any disputes shall fall under the exclusive jurisdiction of the Bulgarian courts.