Privacy Statement
At OpenCharities we handle your personal data with care. Below we explain what data we collect, why, how long we keep it, and what rights you have. This statement applies to opencharities.com and the donation platform on it. For questions, email info@opencharities.com.
Cookies
Necessary cookies are required for the website to work, for example to remember your language preference; we always place these. Analytics cookies help us understand how the website is used and improve it; we place these only with your consent. On your first visit you set your preferences in the cookie banner, which you can change at any time via the cookie settings.
Who is responsible
Two organisations are joint controllers (Article 26 GDPR) for the processing of personal data via OpenCharities: • OpenCharities B.V. (Chamber of Commerce 96761253, based in Zaandam) is responsible for the management and operation of the platform on opencharities.com, and for technical and user data. • Stichting OpenCharities Foundation (Chamber of Commerce 42069457, based in Zaandam) is responsible for donation data and donor administration. The arrangements between the two organisations are recorded in an internal agreement. It makes no difference to you which organisation you contact: you can always reach us at info@opencharities.com.
What data we collect
We process the following categories of personal data: • Donation data: name, email address, IBAN and payment method (iDEAL or SEPA direct debit), donation amount and chosen initiative. For a recurring donation, also the details of your SEPA mandate, including the date of signing. • Contact data (if you provide it): address. • Newsletter and waitlist data: your email address, if you sign up. • Technical and usage data: IP address, browser type, device information, and browsing and click behaviour. We do not process credit or debit card data: payments run solely via iDEAL and SEPA direct debit. The platform stores only the last four digits of your account number. The platform is intended for people aged 18 and over; we do not knowingly process minors' data.
How we use your data
We process your data for the following purposes: • Processing your donation: receiving, administering and disbursing it to the chosen initiative or the wider portfolio. • Communicating about your donation: confirmation, management of your recurring donation, and updates on spending. • Newsletter: only if you have signed up for it; you can unsubscribe at any time. • Transparency about donations: we may show your name alongside your donation on the platform, unless you choose to give anonymously (opt out). • Managing, securing and improving the platform: technical operation, fraud and abuse prevention (including limiting the number of requests per IP address), error tracking and usage analysis. • Legal obligations: such as the statutory retention requirement. Legal bases: performance of the donation agreement (Art. 6(1)(b) GDPR), legitimate interest (Art. 6(1)(f), for security, platform management, analysis and public attribution of donations), legal obligation (Art. 6(1)(c)), and consent (Art. 6(1)(a), for analytics cookies and the newsletter, which you can always withdraw).
Who we share your data with
To operate the platform we engage external processors, grouped into the categories below. A Data Processing Agreement applies with each (usually part of their terms); they process your data solely on our instructions.
| Category | Purpose | Location & safeguard |
|---|---|---|
| Payment providers | Processing your donation via iDEAL and SEPA direct debit: Globadyme (payment service provider, with sub-processor MultiSafepay), Monerium (receipt and conversion of donations into the Foundation's account) and Monflo (disbursement to the selected initiatives). | EU / EEA |
| Hosting and storage | Hosting of the website and storage of donation and administration data. | EU and USA (with appropriate safeguards) |
| Delivery of transactional emails and the newsletter you have signed up for. | USA (with appropriate safeguards) | |
| Security, logging and analytics | Protection against abuse (per-IP rate limiting), error monitoring, technical logging, cookie-consent management and product analytics of the website. | EU and USA (with appropriate safeguards) |
Some of these parties are based in or use infrastructure outside the European Economic Area (EEA), in particular the United States. For such transfers we rely on the applicable EU safeguards, such as the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs).
A complete, current list of all our processors is available on request via info@opencharities.com.
How long we keep your data
We do not keep your data longer than necessary: • Donation data: 7 years, based on the statutory retention requirement. • Contact data: for as long as you have an active relationship with OpenCharities, plus 2 years thereafter. • Technical and usage data: a maximum of 12 months. Security and error-tracking logs are kept for shorter periods, in line with the settings of the relevant service. After the retention period expires, data is deleted or anonymised.
Security, data breaches and automated decision-making
We protect your data with appropriate technical and organisational measures: encryption of data in transit (HTTPS), access on a least-privilege basis, and data minimisation (we store only the last four digits of your account number). If a data breach occurs that poses a risk to your rights and freedoms, we report it to the Dutch Data Protection Authority within 72 hours and inform you where the law requires. We do not make decisions about you based solely on automated processing, and we do not profile donors (Art. 22 GDPR).
Your rights
Under the GDPR you have the following rights: • Access: request what data we process about you. • Rectification: have inaccurate data corrected. • Erasure: have your data deleted, insofar as we are not legally required to keep it. • Restriction: have the processing restricted in certain cases. • Portability: receive your data in a common format or have it transferred. • Objection: object to processing based on legitimate interest. • Withdrawal of consent: where a processing activity is based on your consent, such as analytics cookies or the newsletter. Send your request to info@opencharities.com. We respond within 30 days.
Changes to this privacy statement
We may update this privacy statement from time to time. The most current version is always available on opencharities.com. For material changes we will inform you actively, for example by email.
Contact and complaints
OpenCharities Zaandam, the Netherlands info@opencharities.com If you have a complaint about how we process your personal data, you can file a complaint with the Dutch Data Protection Authority at autoriteitpersoonsgegevens.nl.
Last updated: 2 June 2026. Governed by Dutch law.