Privacy Policy - impact.online

1. Who is Responsible for Your Data?

This Privacy Policy applies to the fundraising campaigns hosted on the impact.online platform. Because we host campaigns for many different organizations, the entity responsible for your data depends on the context of processing:

The Campaign Controller: The specific non-profit organization identified in the footer of the campaign page is the Data Controller for your donor information (e.g., name, email) and donation funds. They determine the purpose of the fundraising campaign.

The Platform Controller: ceed digital innovation GmbH ("Impact Online"), located at Martinstraße 25/4, 3400 Klosterneuburg, Austria, acts as the Data Controller for the technical operation of this website, platform security, log files, and the management of cookies/consent.

Technical Facilitation: For advertising measurement, Impact Online acts as a technical service provider. We implement the tracking tools (e.g., Meta Pixel) and obtain consent via our Cookie Banner to enable the Campaign Controller to measure the effectiveness of their ads.

2. What Data Do We Collect?

A. Information You Provide (Donor Data)

When you make a donation, we collect the following acting as a Data Processor on behalf of the Campaign Controller:

Contact Information: Name, email address, physical address, Date of Birth.
Transaction Data: Donation amount, currency, timestamp, and selected campaign.
Payment Data: Your credit card details are entered directly into a secure widget provided by Stripe Payments. Impact Online does not store full credit card numbers or CVC codes.

B. Information Collected Automatically (Visitor Data)

When you visit a campaign page, we (Impact Online) automatically collect technical data:

Usage Data: Pages viewed, time spent, and links clicked.
Tracking Data (Only with Consent): Device Information (IP address, browser type, device model) and Cookie identifiers (e.g., _fbp, _ga) and hashed technical signals used for ad attribution.

3. How We Use Your Data

Purpose	Legal Basis
Processing Donations	Performance of Contract (To fulfill your donation request).
Sending Receipts	Legal Obligation (Tax compliance) & Legitimate Interest.
Platform Security	Legitimate Interest (Preventing fraud and DDOS attacks).
Ad Measurement	Consent (You clicked "Accept" on the Cookie Banner).

4. Third-Party Data Sharing

A. Hosting & Infrastructure (AWS)

Our platform and all associated data are hosted on servers provided by Amazon Web Services (AWS).

Location: We primarily use servers in Dublin, Ireland and Frankfurt, Germany to ensure data processing remains within the EU.
Data Transfer: Since AWS is a US-based company, technical access from the US cannot be completely ruled out. AWS is certified under the EU-U.S. Data Privacy Framework, guaranteeing an adequate level of data protection.
Legal Basis: Legitimate Interest (Ensuring the security, stability, and scalability of the platform).

B. Payment Processing (Stripe)

We use Stripe Payments to process financial transactions. Your payment data is transmitted directly to Stripe via an encrypted connection. Stripe acts as an independent Data Controller for financial compliance.

Stripe Privacy Policy: https://stripe.com/privacy

C. Advertising Platforms (Meta & Google)

If (and only if) you grant consent via our Cookie Banner, we transmit technical data to the Campaign Controller's advertising accounts (e.g., Meta Business Manager, Google Ads) to measure fundraising success.

Meta (Facebook/Instagram): We may send hashed conversion signals (Server-Side API) to Meta.
Google Ads: We may send conversion labels to Google.

Note: If you click "Reject Cookies," no data is sent to these platforms.

D. Product Analytics (PostHog)

We use PostHog to analyze how visitors interact with our digital interfaces (e.g., to identify technical errors or usability issues).

Data Shared: Masked IP address, device type, mouse movements, and clicks.
Purpose: To improve the stability and user experience of the platform.
Location: Data is stored on servers in Frankfurt, EU (hosted by PostHog Inc.).

E. AI Personalization (LLM Providers)

To provide a personalized experience, we may process your inputs (e.g., text you type into forms) using Large Language Models (LLMs). We utilize the "Enterprise/API" versions of these services, ensuring that your data is NOT used to train the AI models of the providers.

We may transmit data to the following providers based on availability and performance:

OpenAI (GPT Models) – USA/Ireland
Google (Gemini Models) – USA/Ireland
Anthropic (Claude Models) – USA

Safeguards: All transfers to the USA are protected by appropriate safeguards, including the EU-U.S. Data Privacy Framework (where applicable) or Standard Contractual Clauses (SCCs).

F. International Transfers

Some of our partners (Stripe, Posthog, Meta, Google) are based in the United States. We ensure that data transfers comply with GDPR, utilizing frameworks such as the EU-U.S. Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs) to ensure your data remains protected.

5. Server-Side Tracking & Your Privacy

We use "Server-Side" tracking (e.g., Meta Conversions API) to ensure accurate donation reporting. To protect your privacy, we implement a strict "Consent Gate":

Our server checks your consent status before sending any data to Meta or Google.
If you reject cookies on the website, our server automatically blocks the transmission of your data to advertising networks, even if the transaction was successful.

6. Handling of Unidentified Users (GDPR Article 11)

We may hold technical logs (e.g., Cookie IDs) that are not linked to your name or email address. Pursuant to GDPR Article 11, we are not obliged to identify you from this data solely to fulfill a deletion request.

If you wish to delete this "Visitor Data," please clear your browser cookies or reset your device's Advertising ID.
We cannot delete server logs based on a request unless you provide the specific technical identifier (Cookie ID) associated with your device.

7. Your Rights

Depending on your location (EU/UK/Switzerland), you have the right to Access, Delete, Rectify, or Withdraw Consent. You can update your cookie preferences at any time via the "Privacy Settings" link in the footer.

To exercise these rights:

For Donation Data: Please contact the Campaign Controller (details in the footer of the campaign page).
For Cookie/Technical Data: Please contact Impact Online at privacy@augedo.com.

Additionally, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. In Austria, the competent authority is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).

8. How Long Do We Keep Your Data?

Donor Data: We retain donation records for as long as required by tax and accounting laws (usually 7 years).
Technical Logs: Server logs and security records are retained for 90 days for security auditing and then deleted.
Analytics Data: User-level tracking data is deleted or anonymized after 18 months, depending on the specific tool settings.