Privacy Policy
Last Updated: 10 June 2026
1. Controller
The controller responsible for the processing of your personal data is:
Weltweit – Gesellschaft zur Förderung lokaler Initiativen e.V.
Talstr. 1
65812 Bad Soden
Germany
Registered at Amtsgericht Königstein im Taunus, VR 1327
Representatives: Kajo Stelter, Frank Müller, Marie Wellenbeck
For privacy-related inquiries, please use our support contact form.
Supervisory Authority:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden
Germany
Email: [email protected]
2. Overview
This Privacy Policy explains how Weltweit – Gesellschaft zur Förderung lokaler Initiativen e.V. (“we”, “us”, “our”) collects, uses, stores, and shares your personal data when you use the Action Network platform (“Platform”, “Service”) at actionnetwork.world.
We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), and the Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TDDDG).
This Privacy Policy should be read in conjunction with our Terms of Service.
3. Legal Bases for Processing
We process your personal data only where we have a legal basis to do so under Article 6(1) GDPR:
- Article 6(1)(a) GDPR – Consent: You have given clear, affirmative consent to the processing of your personal data for one or more specific purposes (e.g., analytics, optional Google Drive integration).
- Article 6(1)(b) GDPR – Contract Performance: Processing is necessary for the performance of a contract to which you are a party (e.g., providing Platform services, managing your account, processing subscriptions and payments).
- Article 6(1)(c) GDPR – Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject (e.g., retention of invoices and accounting records under German tax and commercial law).
- Article 6(1)(f) GDPR – Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided that your interests and fundamental rights do not override those interests (e.g., error logging, security, fraud prevention).
Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4. Data We Collect
4.1 Authentication Data
When you register for an account, we collect the following data via our self-hosted Keycloak identity provider:
- Email address
- Name (first name, last name)
- Password (stored as a cryptographic hash; we never store plaintext passwords)
- Keycloak subject ID (unique identifier)
- Realm access roles (user permissions)
- Preferred username
Legal basis: Article 6(1)(b) GDPR (contract performance).
Authentication protocol: We use OAuth 2.0 with PKCE (Proof Key for Code Exchange, S256) for secure authentication. Access and refresh tokens are issued by Keycloak and validated server-side using the jose library.
4.2 Profile Data
During onboarding and when you edit your profile, we collect:
- First name, last name
- Bio / specialty (optional)
- Interests (tags, optional)
- Match tags (tags for matching purposes, optional)
- Location (latitude/longitude coordinates, optional)
- Avatar image (optional)
Legal basis: Article 6(1)(b) GDPR (contract performance).
4.3 Organization Data
If you create or join an organization, we collect:
- Organization name
- Organization alias (URL-friendly slug)
- Organization type (e.g., NGO, social enterprise)
- Organization description
- Organization logo (optional)
- Organization membership roles (admin, editor, member, viewer)
- Organization verification status and documentation (if you apply for verification)
Legal basis: Article 6(1)(b) GDPR (contract performance).
4.4 User Settings
We store your preferences and settings, including:
- Locale (language preference)
- Timezone
- Notification preferences (email digest, match alerts, connection alerts, opportunity alerts, workspace alerts)
- Privacy settings (profile visibility, show email, show location)
Legal basis: Article 6(1)(b) GDPR (contract performance).
4.5 Subscription and Payment Data (Paid Plans Only)
If you subscribe to a paid Solo or Org plan, we process the following data:
- Stripe customer ID and subscription ID (generated by Stripe)
- Subscription plan (Solo or Org), tier (including NGO discount tier), billing cycle (monthly or annual)
- Subscription status (active, trialing, past_due, canceled, etc.)
- Trial allotment (whether you have used your one trial per email address)
- Current period end date, cancel-at-period-end flag
- Billing name and address
- VAT identification number (VAT-ID, for Org customers subject to reverse charge)
- Invoice records (invoice number, amount, date, status, line items)
- Early-start consent and withdrawal acknowledgement records (for Solo consumers, per § 356 BGB)
Payment card data: Your credit or debit card number, CVV, and expiry date are collected and stored by Stripe (our payment processor), not by us. We never receive or store your full card number. Stripe processes payment card data under its own PCI-DSS certification and privacy terms.
Legal basis:
- Article 6(1)(b) GDPR (contract performance) for payment processing, subscription management, and billing.
- Article 6(1)(c) GDPR (legal obligation) for retention of invoices and accounting records under German tax law (§ 147 Abgabenordnung, 10 years) and commercial law (§ 257 Handelsgesetzbuch, 6–10 years).
Note: Free-tier users have no payment data processed. Subscription and payment data apply only to users on a paid plan or trial.
Note (subject to legal/finance review): the VAT-ID / reverse-charge processing described above is contingent on Stripe Tax, OSS registration, and VIES validation being configured in the billing system. Confirm the actual configuration before publishing, and describe only the processing that genuinely occurs.
4.6 Workspace Data
If you create or participate in workspaces, we collect:
- Workspace title, slug, and mode (task-mode or project-mode)
- Workspace member and coordinator roles
- Deliverables (tasks, documents, milestones scoped to the workspace)
- Activity logs (changes, updates, and actions within the workspace)
Legal basis: Article 6(1)(b) GDPR (contract performance).
4.7 Google Drive Integration (Optional)
If you choose to connect your Google Drive account to a workspace, we collect and store:
- Google OAuth access and refresh tokens (stored server-side; never exposed to your browser)
- Google account email address
- Selected root folder ID
- Connection capabilities (permissions granted)
- Token expiry timestamp
Files and documents remain stored on your own Google Drive account, not on our servers. The Platform acts solely as an interface to access and manage your Google Drive files.
You may disconnect your Google Drive account at any time through workspace settings, which immediately revokes the Platform’s access to your Google Drive.
Legal basis: Article 6(1)(a) GDPR (consent, given when you authorize the Google Drive connection).
4.8 API Access Tokens
If you generate personal API access tokens to grant external services (e.g., AI agents) access to your Platform data, we store:
- Token hash (the unhashed token is shown to you once and never stored)
- Token name (optional label)
- Creation timestamp
- Last-used timestamp
Legal basis: Article 6(1)(b) GDPR (contract performance).
4.9 Contact Form Data
When you submit a support inquiry via our contact form, we collect:
- First name, last name
- Email address
- Subject and message
This data is transmitted via Brevo’s transactional email API to our support team. We also implement bot protection (honeypot field and 3-second timing check) and rate limiting (5 submissions per IP address per hour, stored in-memory only).
Legal basis: Article 6(1)(f) GDPR (legitimate interest in providing customer support).
4.10 Feedback Data
When you submit feedback via our GitHub-based feedback system, we collect:
- Feedback type (bug, feature request, question, other)
- Title and description
- Email address (optional)
- Page URL, user agent, timestamp
Feedback is posted as a public GitHub issue in our repository (welt-weit/anw-portal). The same bot protection and rate limiting as for the contact form apply.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in improving the Platform).
4.11 File Uploads
When you upload images (avatar, organization logo), we:
- Process the image server-side (resize, format conversion to WebP, EXIF metadata removal)
- Sanitize SVG files (for logos) to remove potentially harmful code
- Store the processed image on our content delivery network (DigitalOcean Spaces, EU Frankfurt region)
- Make the image publicly accessible via CDN URL
Legal basis: Article 6(1)(b) GDPR (contract performance).
4.12 Error Logging Data
When an error occurs on the Platform, we may log the following data to Better Stack (Logtail) for debugging and monitoring purposes:
- Error message and stack trace
- Page URL
- User agent string
- HTTP status code
- Timestamp
- Ticket ID (unique error identifier)
We do not log passwords, authentication tokens, or other sensitive credentials.
Error logging is optional and only active if the VITE_LOGTAIL_SOURCE_TOKEN environment variable is configured.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in maintaining Platform security and reliability).
4.13 IP Addresses
We collect IP addresses only for the following limited purposes:
- Rate limiting (contact form and feedback submissions): IP addresses are stored in-memory only and purged within 1 hour. They are not persisted to disk or logs.
We do not collect or store IP addresses for analytics purposes.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in preventing abuse).
4.14 Map Data
When you use the interactive map feature (powered by Mapbox), the following data may be transmitted to Mapbox (based in the United States):
- Latitude and longitude coordinates (approximate location)
- Location search queries (if you use the location picker)
We do not send your name, email, or other personally identifiable information to Mapbox.
Legal basis: Article 6(1)(b) GDPR (contract performance – providing map functionality).
5. Cookies and Local Storage
We use cookies and browser storage (localStorage, sessionStorage) to provide and improve the Platform. You can control your cookie preferences via our cookie consent banner, managed by vanilla-cookieconsent.
5.1 Cookies
| Cookie Name | Purpose | Duration | httpOnly | Category |
|---|---|---|---|---|
| access_token | JWT access token for authentication | 24 hours | Yes | Necessary |
| refresh_token | JWT refresh token for session renewal | 30 days | Yes | Necessary |
| cc_cookie | Cookie consent preferences (vanilla-cookieconsent) | 365 days | No | Necessary |
All cookies use Secure and SameSite=Lax attributes for security.
5.2 Browser Storage
| Key | Storage Type | Purpose | Duration | Category |
|---|---|---|---|---|
| anw:analytics:sid | sessionStorage | Analytics session ID (first-party only) | Browser session | Analytics |
| anw:analytics:utm | sessionStorage | UTM campaign parameters | Browser session | Analytics |
| anw:oid | localStorage | Active organization ID | Until changed | Necessary |
| anw:signup_intent | sessionStorage | User’s stated intent during signup (org vs. network) | Browser session | Necessary |
| build_id | localStorage | Deployed version tracking for update notifications | Until cleared | Necessary |
5.3 Analytics
We use first-party analytics only. We do not use Google Analytics or any third-party tracking services.
Our analytics collect:
- Page views
- Referrer (internal navigation only, not external URLs)
- Session ID (generated client-side, stored in sessionStorage)
- UTM campaign parameters (if present in URL)
- Feature usage events (e.g., button clicks, form submissions)
We do not collect IP addresses for analytics purposes.
Legal basis: Article 6(1)(a) GDPR (consent via opt-out model under § 25(2) TDDDG). You can opt out by declining analytics cookies in the cookie consent banner.
6. Third-Party Service Providers
We engage the following third-party processors to provide Platform services. Each processor is bound by a data processing agreement (DPA) or contractual terms that ensure GDPR compliance.
| Provider | Purpose | Data Processed | Location | Transfer Basis |
|---|---|---|---|---|
| Keycloak (self-hosted) | Authentication, identity management | Email, name, password hash, subject ID, roles | EU (self-hosted) | N/A (EU-hosted) |
| DigitalOcean | Hosting, storage (Spaces CDN) | All Platform data, uploaded images | EU (Frankfurt) | N/A (EU-hosted) |
| Stripe Payments Europe, Ltd. | Payment processing (paid plans only) | Billing name/address, VAT-ID (Org), email, card data (stored by Stripe), subscription & invoice records | EU (Ireland) + USA sub-processing | EU-US Data Privacy Framework + SCCs (Art. 46(2)(c) GDPR) |
| Brevo (Sendinblue) | Transactional email (contact form, notifications) | Name, email, message content | EU | N/A (EU-hosted) |
| Better Stack (Logtail) | Error logging and monitoring | Error messages, stack traces, page URL, user agent, timestamp | EU | N/A (EU-hosted) |
| GitHub (Microsoft) | Feedback system (issue tracking) | Feedback text, email (optional), page URL, user agent, timestamp | USA | EU-US Data Privacy Framework + SCCs (Art. 46(2)(c) GDPR) |
| Mapbox | Interactive map | Coordinates (lat/lng), location search queries | USA | EU-US Data Privacy Framework + SCCs (Art. 46(2)(c) GDPR) |
| Google | Drive integration (optional) | OAuth tokens, account email, folder IDs, file metadata | USA | EU-US Data Privacy Framework + SCCs (Art. 46(2)(c) GDPR) |
Data transfers to the USA: Where a processor is based in the United States or uses USA-based sub-processors, data transfers are covered by:
- The EU-US Data Privacy Framework (adequacy decision under Article 45 GDPR), and/or
- Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR.
You may request copies of the applicable SCCs by contacting us via our support contact form.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal obligations.
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Account and profile data | Until account deletion | Contract performance |
| Authentication tokens (access/refresh) | 24 hours (access), 30 days (refresh), or until logout | Contract performance |
| Subscription metadata (status, plan, period) | Until account deletion | Contract performance |
| Invoices and accounting records | 10 years (German tax law, § 147 AO) | Legal obligation (Art. 6(1)(c) GDPR) |
| API access tokens | Until manually revoked or account deletion | Contract performance |
| Google Drive connection data | Until manually disconnected or account deletion | Consent |
| Contact form / feedback submissions | As long as necessary to respond + 1 year (archive) | Legitimate interest |
| Error logs (Logtail) | 90 days (Better Stack retention policy) | Legitimate interest |
| IP addresses (rate limiting) | In-memory only; purged within 1 hour | Legitimate interest |
| Analytics data (first-party) | 12 months | Consent |
Account deletion: When you delete your account, we delete all personal data except for:
- Invoices and accounting records (retained for 10 years as required by German tax and commercial law).
- Data required to comply with legal obligations or to establish, exercise, or defend legal claims.
8. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
8.1 Right of Access (Article 15 GDPR)
You have the right to obtain confirmation as to whether or not we process your personal data, and, where that is the case, access to the personal data and information about the processing.
8.2 Right to Rectification (Article 16 GDPR)
You have the right to obtain the rectification of inaccurate personal data concerning you. You can update most of your data directly via your account settings.
8.3 Right to Erasure (“Right to be Forgotten”) (Article 17 GDPR)
You have the right to request the erasure of your personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
You can delete your account at any time via account settings. Note that invoices and accounting records will be retained for 10 years as required by law.
8.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to request restriction of processing under certain conditions, such as when you contest the accuracy of the data or object to processing.
8.5 Right to Data Portability (Article 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON), and to transmit that data to another controller.
8.6 Right to Object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, to processing of your personal data which is based on Article 6(1)(f) GDPR (legitimate interests). We will cease processing unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
You have an absolute right to object to processing for direct marketing purposes at any time.
8.7 Right to Withdraw Consent (Article 7(3) GDPR)
Where processing is based on your consent (e.g., analytics, Google Drive integration), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
8.8 Right to Lodge a Complaint (Article 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
Our supervisory authority is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden
Germany
Email: [email protected]
8.9 Exercising Your Rights
To exercise any of these rights, please contact us via our support contact form. We will respond to your request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- Encryption: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). Passwords are hashed using industry-standard algorithms (bcrypt/Argon2). API access tokens are hashed before storage.
- Authentication: OAuth 2.0 with PKCE (S256) for secure user authentication. JWT tokens are validated server-side using the jose library.
- Access control: Role-based access control (RBAC) for Platform features. Database access restricted to authorized personnel only.
- Secure cookies: Authentication tokens stored in httpOnly, Secure, SameSite=Lax cookies to prevent client-side access and CSRF attacks.
- EXIF stripping: Image uploads processed to remove EXIF metadata (which may contain geolocation or device information).
- SVG sanitization: SVG files sanitized to remove potentially harmful code (XSS attacks).
- Rate limiting: Contact form and feedback submissions rate-limited to prevent abuse.
- Bot protection: Honeypot fields and timing checks on form submissions.
- Regular security updates: We keep our software dependencies and infrastructure up to date with the latest security patches.
Despite these measures, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.
10. Automated Decision-Making and Profiling
We use a tag-based matching system to suggest potential connections and opportunities based on the tags in your profile (interests, match tags) and the tags in other users’ profiles and organization opportunities.
This matching is fully automated but does not constitute automated decision-making with legal or similarly significant effects under Article 22 GDPR. The matching system provides suggestions only and does not make binding decisions about you. You remain in full control of whether to act on any suggestion.
We do not engage in profiling for marketing, behavioral analysis, or other purposes beyond the tag-based matching described above.
11. Children’s Data
The Platform is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that data as soon as possible.
If you believe we have collected data from a child under 16, please contact us via our support contact form.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.
We will notify you of any material changes by posting a notice on the Platform or by sending you an email. The “Last Updated” date at the top of this Privacy Policy indicates when it was last revised.
Your continued use of the Platform after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised Privacy Policy, you must stop using the Platform and delete your account.
13. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Weltweit – Gesellschaft zur Förderung lokaler Initiativen e.V.
Talstr. 1
65812 Bad Soden
Germany
Support contact form: /support
Supervisory Authority:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden
Germany
Email: [email protected]