This page explains what personal data the Verana Foundation (in formation), represented by 2060 OÜ, collects through veranafoundation.org, why we collect it, how long we keep it, and your rights under the EU General Data Protection Regulation (GDPR). The site is more than an informational website: it hosts member accounts, the membership application and e-signature flow, invoicing and dues payment, and a public member directory — this policy covers all of them, plus the contact form and cookies.
We do not sell data and do not run ad targeting or remarketing. We collect what you give us to operate your membership, what payment and sign-in providers necessarily share with us, and — with your consent — aggregate usage measurements.
Data controller
The Verana Foundation is in formation. Until incorporation, the data controller is 2060 OÜ, Ahtri tn 12, 10151 Tallinn, Estonia (registry 16853041), acting as the Foundation’s steward; thereafter the incorporated Foundation. For privacy matters, use the contact form with inquiry type General inquiry and begin the message with “Legal:”.
What we collect and why
Accounts and sign-in
- Identity. Your verified email address is your account key, with your name and avatar if provided by a sign-in provider. Sign-in works via Google, GitHub, or a one-time code we email you; with OAuth we receive only your basic profile and verified email — never your password.
- Session. A strictly necessary, encrypted session cookie keeps you signed in. One-time sign-in codes are stored hashed and expire after 10 minutes.
Legal basis. Performance of a contract (GDPR Art. 6(1)(b)) — operating your account.
Membership applications and e-signatures
- Member details. Legal name; for organizations: entity type, country, registered address, optional VAT number, optional billing email, optional logo; for individuals: country of residence.
- Signature record. When you e-sign the Membership Agreement we record the signer’s name and title, timestamp, agreement version and document hash, and the IP address and browser user-agent at signing — kept as evidence that the agreement was validly executed — plus the personalised signed PDF.
- Organization access lists. Org managers may add colleagues’ email addresses to grant them access; those people are notified by email and linked to the organization when they sign in.
Legal basis. Performance of the Membership Agreement (Art. 6(1)(b)) and our legitimate interest in evidencing contracts (Art. 6(1)(f)).
Billing and payments
- Invoices. We issue and retain dues invoices (member identity, amounts, VAT treatment, VAT number where applicable) as our accounting records.
- Card payments are processed by Stripe; card numbers never touch our servers. We store Stripe’s customer and payment identifiers to match payments to invoices.
- Bank transfers arrive on our Wise business account. To match a wire to an invoice we read, via Wise’s API, the transfer’s amount, date, payment reference, and sender name.
Legal basis. Performance of the Membership Agreement (Art. 6(1)(b)) and our legal obligations under Estonian accounting and tax law (Art. 6(1)(c)).
Public member directory
The /members page lists members of the Foundation. Listing is curated by Foundation administrators, and an organization’s logo appears only with the explicit consent given at upload (“We may display this logo on veranafoundation.org”). You can withdraw at any time: remove the logo from your membership card, or ask us to unlist the membership entirely. Legal basis. Consent (Art. 6(1)(a)) and legitimate interest in presenting the Foundation’s membership (Art. 6(1)(f)).
Transactional email
We send operational email tied to your membership: sign-in codes, executed-agreement copies, payment requests, reminders and receipts, renewal and expiry notices, and access notifications. These are part of operating the service, not marketing; we send no newsletters without separate consent.
Contact form
Submissions on /contact (inquiry type, name, email, message, optional organization/role/links) are stored in our self-hosted Relaticle CRM (crm.2060.io) so we can respond. IP address and user-agent are used only for rate limiting and abuse detection.
Administration and security
Administrative actions on member records (e.g. marking an invoice paid, updating an address, listing a member) are written to an audit log recording who did what and when. Hosting logs (IP, user-agent) serve security and rate limiting only.
Cookies and analytics
The only cookie required by the site is the strictly necessary session cookie for signed-in users. Analytics, if enabled, are consent-gated: a banner offers Accept all or Essential only, and any analytics tag loads only after consent; your choice is stored in localStorage. No ad networks, no cross-site trackers; IP addresses anonymized. See the cookie policy.
Processors and where data goes
- Stripe (Ireland/US) — card payments and checkout.
- Wise (Belgium/UK) — our business bank account for dues received by transfer.
- Google / GitHub — only if you choose them for sign-in.
- Our email provider — delivery of transactional email.
- Our hosting provider (EU) and our self-hosted CRM, operated by 2060 OÜ.
Cross-border transfers rely on an EC adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses as applicable. No third-party marketing platform receives your data.
How long we keep it
- Account and member records — for the life of the membership and up to 24 months after it ends, then deleted or anonymized except where retention below applies.
- Invoices, payments, and signed agreements — up to 7 years, as required by Estonian accounting law and to evidence the contract.
- Signature evidence (IP, user-agent at signing) — kept with the signed agreement.
- One-time sign-in codes — 10 minutes; spam/abuse logs — up to 30 days.
- Contact-form correspondence — up to 24 months from the last interaction.
- Analytics — minimum provider retention; aggregate reports contain no identifiers.
Your rights
Under the GDPR, you may:
- access the personal data we hold about you;
- rectify inaccurate data (organization managers can correct the registered address directly from the membership card);
- erase your data where we have no lawful basis to keep it;
- restrict or object to processing;
- receive a portable copy of the data you gave us;
- withdraw consent at any time (e.g. remove your logo or ask to be unlisted from /members) — without affecting prior processing;
- lodge a complaint with a supervisory authority — while stewarded by 2060 OÜ, the Estonian Data Protection Inspectorate.
Note that invoices, payment records, and executed agreements are retained despite erasure requests while a legal obligation or the contract-evidence interest applies. To exercise any right, use the contact form (inquiry type General, message prefixed “Legal:”). We respond within 30 days.
Changes
We update this page when our practices change. The Last updated date reflects the most recent change; prior submissions remain governed by the version in force when they were sent.