Data Protection and Privacy Policy

This notice summarises how the current website build handles personal data for visitors, applicants, newsletter subscribers, donors, and certificate checks.

Last updated: March 26, 2026. This text documents the present technical setup and should be reviewed by the controller and legal counsel before publication as final legal wording.

1. Controller

Rolfes SDG Academy
Albert-Schweitzer-Str. 22
32602 Vlotho, Germany
Email: info@rolfessdgacademy.org

2. Data processed through the website

  • Contact details and message content when you use the contact, partnership, magazine, or application forms.
  • Email address and related submission metadata when you request newsletter updates.
  • Donation-related information if you choose to use the hosted Donorbox flow or embedded donation form.
  • Certificate verification inputs, hashed IP address, user-agent string, and result status if the certificate backend is deployed.
  • Necessary consent records used to store your privacy choices.

3. Why the data is processed

  • To respond to enquiries and partnership requests.
  • To administer programme applications and communicate with applicants.
  • To review newsletter requests and send updates when you actively subscribe.
  • To process donations if you choose to use the external donation provider.
  • To verify certificates, prevent abuse, and secure the certificate system if that backend is activated.
  • To remember your privacy choices and block optional tools until consent is given.

4. Legal bases typically relied on

  • Article 6(1)(a) GDPR: consent for newsletter signup, optional cookies, analytics, marketing embeds, and other opt-in tools.
  • Article 6(1)(b) GDPR: steps taken at your request before entering a programme or partnership relationship, and delivery of requested services.
  • Article 6(1)(c) GDPR: compliance with legal or accounting obligations where applicable.
  • Article 6(1)(f) GDPR: legitimate interests in site security, abuse prevention, and limited technical logging, subject to balancing with your rights.

5. Services and processors visible in this repository

  • Same-origin PHP handlers: now receive the public contact, partnership, magazine, Solar Cohort application, debate application, and newsletter submissions on the academy domain.
  • Donorbox: provides the donation flow; the on-page embed is blocked until marketing consent is granted.
  • Certificate verification endpoint: now runs on the academy domain and reads from the certificate database or a protected local registry file.
  • Hosting provider and mail provider: the final production providers are not defined in this repository and must be reviewed separately.

6. International transfers and Germany hosting status

The target hosting model for this project is Germany-first deployment. However, the current codebase still contains external vendors that may transfer personal data outside Germany or the EEA, including Donorbox, CDN-hosted frontend assets, and any mail provider selected by the controller.

Before final go-live, the controller should either replace those services with Germany- or EEA-hosted alternatives, or complete a vendor review covering transfer mechanisms, data processing terms, retention, and supplementary safeguards.

7. Cookies, local storage, and optional tools

The site now separates necessary, preferences, analytics, and marketing categories. Non-essential scripts and embeds are blocked by default until you actively opt in. For the detailed inventory of storage keys and consent categories, see the Cookies Policy.

8. Retention

Retention periods depend on the service involved. Contact and application data should only be kept for as long as needed for the stated purpose and any resulting legal obligations. Consent records are kept locally in the browser until they expire or are cleared. Certificate verification logs, if deployed, should be retained only as long as necessary for security and audit purposes.

9. Your rights

  • Access to your personal data.
  • Rectification of inaccurate data.
  • Erasure where the legal requirements are met.
  • Restriction of processing.
  • Data portability where applicable.
  • Objection to processing based on legitimate interests.
  • Withdrawal of consent at any time for future processing.

Requests can be sent to info@rolfessdgacademy.org.

10. Review items still open

  • Confirm the final Germany-based hosting provider and data centre region.
  • Review processor agreements and transfer safeguards for each external service retained at launch.
  • Choose the final Germany or EEA mail provider that will process newsletter and form follow-up messages.
  • Confirm whether any analytics tool will be configured, and if so, complete a separate legal review before enabling it.
  • Load the live certificate data source into the database or protected registry file before public verification is announced.