Privacy Policy

The data controller responsible for processing your personal data is:

Verantwortlicher gem. Art. 4 Abs. 7 DSGVO: Forest4Future, vertreten durch Johannes zu Eltz. Kontakt: info@forest4future.eu.

We collect personal data only when necessary to fulfill our nonprofit mission. Depending on how you interact with us, this may include:

2.1 Donations & Sponsorships

• Full name, email address
• Billing address (required for tax receipts and payment processing)
• Donation amount and transaction details
• Payment method (processed by PayPal; we never see your full card number)

2.2 Gift Certificates

• Purchaser name and email
• Recipient name (as entered for the certificate)
• Personal message (optional)

2.3 Contact Forms & Email

• Name, email address, message content

2.4 Automatically Collected Data

• IP address (anonymized in server logs)
• Browser type, operating system, device type
• Pages visited, date and time of access

We do not use analytics or tracking tools such as Google Analytics. We do not collect data for advertising purposes.

Under GDPR Article 6, we process your personal data based on the following legal grounds:

• Contract performance (Art. 6(1)(b)): Processing donations, issuing tax receipts, and fulfilling gift certificate orders.
• Legitimate interest (Art. 6(1)(f)): Operating our website, ensuring security, and improving our services.
• Legal obligation (Art. 6(1)(c)): Retaining financial records as required by tax law (US IRS regulations for 501(c)(3) organizations).
• Consent (Art. 6(1)(a)): Where you explicitly consent, for example when subscribing to updates. You may withdraw consent at any time.

All payments (donations, tree sponsorships, gift certificates) are processed through PayPal, Inc. (San Jose, USA). PayPal is PCI DSS Level 1 certified. When you make a payment, your payment details are handled directly by PayPal via their secure API. We never store or have access to your full payment information.

PayPal processes your data in accordance with their Privacy Statement. Data may be transferred to the United States. PayPal participates in the EU-US Data Privacy Framework.

Rechtsgrundlage: Art. 6 Abs. 1 lit. b DSGVO (Vertragserfuellung). PayPal ist PCI-DSS Level 1 zertifiziert und nimmt am EU-US Data Privacy Framework teil.

Our website and backend services are hosted on Hetzner Cloud (Hetzner Online GmbH, Gunzenhauser Str. 1, 91710 Gunzenhausen, Germany). All servers are located in Germany (EU), ensuring that your data remains within the European Union. Hetzner is ISO 27001 certified.

Server access logs containing IP addresses are retained for a maximum of 7 days for security purposes and then automatically deleted.

Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO (berechtigtes Interesse an sicherem und stabilem Betrieb der Website). Alle Server befinden sich in Deutschland.

We use SMTP-based email delivery (via Nodemailer) for transactional emails such as donation confirmations, tax receipts, and gift certificate delivery. We send emails only when necessary for completing transactions you initiate or when you have explicitly consented to receive updates.

We do not sell, rent, or share your email address with third parties for marketing purposes.

Our website uses only essential (strictly necessary) cookies. These are required for the website to function properly and cannot be switched off. They include:

• Session cookies for website functionality
• Cookie consent preference (remembering that you dismissed the cookie notice)
• PayPal payment session cookies (set by PayPal during checkout)

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. Under GDPR, essential cookies do not require explicit consent as they are necessary for the legitimate operation of the website (Art. 6(1)(f) DSGVO / ePrivacy Directive Art. 5(3)).

Wir verwenden ausschliesslich technisch notwendige Cookies. Tracking- oder Werbe-Cookies werden nicht eingesetzt.

We use the following third-party services:

We do not use Google Analytics, Facebook Pixel, or any other tracking or advertising services.

We retain your personal data only as long as necessary for the purposes described in this policy:

• Donation records: Retained for 7 years as required by US tax law (IRS regulations for 501(c)(3) organizations).
• Contact form submissions: Deleted after 12 months unless an ongoing relationship exists.
• Server logs: Automatically deleted after 7 days.
• Gift certificate data: Retained for 3 years after issuance.

If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate data.
• Right to erasure (Art. 17): Request deletion of your data, subject to legal retention requirements.
• Right to restrict processing (Art. 18): Request that we limit how we use your data.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting prior processing.

To exercise any of these rights, please contact us at info@forest4future.eu. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. If you are in Germany, this is the relevant state data protection authority (Landesdatenschutzbeauftragte).

Sie haben das Recht auf Auskunft, Berichtigung, Loeschung, Einschraenkung der Verarbeitung, Datenuebertragbarkeit und Widerspruch. Kontaktieren Sie uns unter info@forest4future.eu. Beschwerderecht bei der zustaendigen Aufsichtsbehoerde.

Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated “Last updated” date. We encourage you to review this page periodically.

For any questions regarding this Privacy Policy or your personal data, please contact us: