Privacy Policy — Bless Unity MTÜ (EN)
Effective date: 24 Oct 2025
Version: 1.0
Controller: Bless Unity MTÜ (registry code 80662560), Jõe tn 3-406, 10151 Tallinn, Harju maakond, Estonia.
Contact: info@bless-unity.org
This Privacy Policy explains how we collect, use, disclose and protect personal data in connection with our website, donation forms and related services. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.
Note: Terms governing donations (e.g., refunds) are set out in our Refund & Returns Policy and Terms of Use. This document covers only privacy.
1) What data we collect
We may process the following categories of data:
- Identity & contact data: first and last name, email, phone number, country/city (if provided), organisation (optional).
- Donation & transaction data: donation amount/currency, payment method, transaction reference/ID, status, date/time, recurring plan details.
- Communication data: messages you send us (contact forms, email), newsletter preferences, consents.
- Technical data: IP address, device and browser information, language, referral URL, pages viewed, cookies or similar technologies (see Cookies section).
- Volunteer/applicant data (if you apply): CV details, motivation, background data you provide.
We do not intentionally collect special categories of data (Art. 9 GDPR) and do not knowingly collect data of children under 13. If you believe such data was submitted, contact us to delete it.
2) Purposes and legal bases (Art. 6 GDPR)
We process personal data only where there is a lawful basis. Typical bases and purposes include:
- Consent (Art. 6(1)(a)) – e.g., subscribing to newsletters, using non-essential cookies.
- Contract/performance (Art. 6(1)(b)) – issuing donation confirmations/receipts, managing recurring donations you set up, responding to requests.
- Legal obligation (Art. 6(1)(c)) – accounting and tax record-keeping, responding to lawful requests from authorities.
- Legitimate interests (Art. 6(1)(f)) – website security and fraud prevention; maintaining donor relations; improving our services. We balance these interests against your rights and freedoms.
3) How we use data
We use personal data to:
- process donations and recurring payments; issue receipts and acknowledgements;
- communicate about our activities, impact, and fundraising (you can unsubscribe at any time);
- comply with accounting/tax/reporting duties;
- operate, secure and improve our website and donation flows;
- manage volunteers and applicants (if you apply to help or join our team).
We do not sell personal data.
4) Disclosures to third parties (processors/recipients)
We share data only where necessary and under appropriate safeguards, for example with:
- Payment service providers / acquirers: Stripe Technology Europe Ltd (IE), PayPal (Europe) S.à r.l. (LU), Wise Europe SA (BE) – to process donations and payouts.
- Hosting, email and IT providers: website hosting/CDN, email relay, form tools, cloud storage and backup providers we engage.
- Accounting and audit: professional accountants and auditors where required by law.
- Public authorities: where required to comply with law or lawful requests.
We conclude data processing agreements with our processors where required by law and share the minimum necessary data.
5) International transfers
If personal data is transferred outside the European Economic Area (EEA), we rely on lawful transfer mechanisms such as adequacy decisions (Art. 45 GDPR) or Standard Contractual Clauses (SCCs) (Art. 46). We take additional measures where appropriate to protect your data.
6) Data retention
We retain personal data only as long as necessary for the purposes above or as required by law. Typical periods:
- Donation, invoicing and accounting records: up to 7 years after the end of the financial year (to meet accounting/tax obligations).
- Support requests and general correspondence: up to 3 years after the request is closed, unless longer is needed to establish or defend legal claims.
- Marketing/newsletters: until you withdraw consent (unsubscribe) or after prolonged inactivity.
- Technical logs/security events: typically 30–180 days, unless needed for security or investigations.
7) Cookies and similar technologies
We use essential cookies to operate the site (e.g., session, security). With your consent, we may use analytics cookies (e.g., to understand aggregated traffic). You can change or withdraw your consent at any time via the cookie banner or your browser settings. Details are provided in our Cookie Notice (if present) or on request.
8) Your rights
Under the GDPR you have the right to access, rectify, erase (where applicable), restrict processing, object to processing based on legitimate interests, and data portability. Where processing is based on consent, you may withdraw consent at any time (this does not affect prior lawful processing). You also have the right to lodge a complaint with the supervisory authority.
We aim to respond to requests within one month (Art. 12(3) GDPR). We may ask to verify your identity if necessary to protect your data.
9) Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (HTTPS), access controls, least-privilege principles, and vendor due diligence. No system is perfectly secure; if we become aware of a data breach that poses a high risk to your rights, we will notify you and the supervisory authority as required by law.
10) Children’s data
Our services are not directed to children under 13. If you are under 13, please do not submit personal data. If we learn that we have collected such data, we will delete it.
11) Changes to this Policy
We may update this Policy from time to time. The latest version is published on this page with the effective date. Substantive changes will be highlighted for a reasonable period.
12) Contact
For any questions or to exercise your rights, contact: info@bless-unity.org (subject: “Privacy – Bless Unity”).
Supervisory authority:
Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate)
Tatari 39, 10134 Tallinn, Estonia
info@aki.ee · +372 627 4135 · https://www.aki.ee/en