Privacy Policy
Last updated: 1 April 2026
1. Who We Are
RESONANCE FOUNDATION is a UK-based regenerative non-profit ecosystem dedicated to fostering inner development, co-creative collaboration, and systemic impact. Our website is resonancefoundation.org. Our CRM (CiviCRM) is self-hosted on infrastructure we operate at Hetzner Cloud in Germany, within the European Economic Area (EEA).
Data Controller: RESONANCE FOUNDATION — backoffice@resonancefoundation.org
This Privacy Policy applies to all users of our website and services worldwide, including residents of the EU/UK (GDPR / UK GDPR), California, USA (CCPA/CPRA), and Brazil (LGPD).
2. What Personal Data We Collect
2.1 Data You Provide Directly
- Identity data: full name, date of birth / age
- Contact data: email address, postal address, telephone number
- Professional data: organisation name, role, professional background
- Financial data: donation amounts, membership tier, sponsorship level — payment card data is processed exclusively by Stripe or PayPal and never stored on our servers
- Participation data: activity bookings, event registrations, session requests, meeting attendance
- Volunteer & partner data: motivations, skills, availability, areas of interest, organisational affiliations
- Communication data: newsletter preferences, contact form messages, comments
2.2 Data Collected Automatically
- Usage data via Google Analytics: pages visited, time spent, device type, browser, approximate location (anonymised IP)
- Technical data: IP address (anonymised), browser type, operating system
- CiviCRM session data: interactions with membership, donation, and event registration forms
- Cookies and similar technologies (see our Cookie Policy)
3. How We Use Your Data
3.1 Membership, Donations & Sponsorships
We process identity, contact, professional, and financial data to manage membership registrations (Seed, Root, Bloom tiers), process donations and sponsorship contributions, issue receipts and acknowledgements, and maintain records as required by applicable accounting and legal obligations.
3.2 Volunteer & Partner Applications
We process identity, contact, professional, and participation data to evaluate and manage applications from volunteers and partners, coordinate onboarding and engagement, and maintain collaboration records.
3.3 Activity Bookings & Event Registrations
We process identity, contact, and participation data to manage bookings for mentorship sessions, healing sessions, circles, workshops, and other programme activities; send confirmations and reminders; and maintain attendance records.
3.4 Communications & Newsletter
We process contact and communication data to send our newsletter, programme updates, and event announcements to subscribers who have given explicit consent, and to respond to enquiries submitted via contact forms.
3.5 Financial Management
We process financial and identity data through Xero (our accounting software) to maintain accurate financial records, issue invoices and receipts, and comply with UK accounting and tax obligations.
3.6 Website Analytics
We process anonymised usage data via Google Analytics to understand how visitors interact with our website and to improve its content and performance.
4. Legal Basis for Processing
4.1 EU / UK (GDPR / UK GDPR)
- Consent — newsletter subscriptions, analytics cookies, and marketing communications
- Contract performance — membership registrations, donations, sponsorships, volunteer agreements, event bookings
- Legitimate interests — website security, fraud prevention, service improvement
- Legal obligation — financial record-keeping and compliance with applicable law
4.2 California, USA (CCPA/CPRA)
We collect and use personal information as described in this policy. We do not sell personal information. Certain analytics activities may constitute “sharing” for cross-context behavioural advertising under California law; you may opt out via our cookie settings panel or by activating a Global Privacy Control (GPC) signal in your browser.
4.3 Brazil (LGPD)
Under Brazil’s Lei Geral de Proteção de Dados (LGPD), we rely on: consent (for newsletter and marketing communications), contract performance (for membership, donations, and event bookings), legitimate interest (for website security and analytics), and legal obligation (for financial record-keeping).
5. Data Sharing & Processors
We do not sell or rent your personal data. We share data only with the following trusted processors, strictly to operate our services:
- Google LLC (USA) — Google Analytics (anonymised usage data)
- Hetzner Online GmbH (Germany, EEA) — hosting for our website (resonancefoundation.org) and CiviCRM (crm.resonancefoundation.org). DPA signed 12 April 2026.
- Cloudflare Inc. (USA) — CDN and security services
- Stripe Inc. (USA/Ireland) — payment processing for donations, memberships, and sponsorships
- PayPal Holdings Inc. (USA/Luxembourg) — alternative payment processing
- Xero Limited (New Zealand/UK) — accounting and financial management software. Data processed on EU-based servers (AWS Frankfurt). New Zealand holds an EU adequacy decision.
- Email service provider — newsletter and transactional email delivery
Each processor is bound by a data processing agreement (DPA); see Section 6.3 for the current status of each agreement. Payment card data is processed exclusively by Stripe or PayPal and is never transmitted to or stored on our servers.
6. International Data Transfers
RESONANCE FOUNDATION is a UK-registered entity operating services hosted across multiple jurisdictions. This section explains how personal data flows are managed in compliance with UK GDPR and EU GDPR.
6.1 Data Infrastructure & Residency
Our core services (website and CiviCRM) run on Hetzner Cloud, Frankfurt, Germany (EEA) and involve no international transfer. The supporting services below are the only places personal data leaves that environment:
- Website hosting — Hetzner Cloud, Frankfurt, Germany (EEA). No international transfer. Full GDPR protection applies directly.
- CiviCRM (memberships, donations, volunteers, partners, events) — self-hosted on Hetzner Cloud, Frankfurt, Germany (EEA). No international transfer.
- Financial management — Xero Limited (New Zealand/UK). Data processed on EU-based servers (AWS Frankfurt). New Zealand holds an EU adequacy decision. DPA status: see Section 6.3.
- CDN & security — Cloudflare Inc., USA. As a CDN and reverse proxy, Cloudflare handles request data (including visitor IP addresses) in transit in order to serve and protect the website; we do not store personal data with Cloudflare. Covered by Cloudflare’s DPA and SCCs.
- Analytics — Google Analytics (Google LLC, USA). Anonymised usage data only (IP anonymisation enabled). Covered by Google’s DPA and SCCs.
- Payment processing — Stripe (USA/Ireland) and PayPal (USA/Luxembourg). Payment card data processed exclusively by these providers under their own DPAs and SCCs. No card data reaches our servers.
6.2 UK ↔ EU Data Flows
As a UK entity with EEA-based infrastructure, our primary data flows run between the UK and the EEA. Flows from the EEA to the UK rely on the EU adequacy decision for the UK adopted in June 2021; flows from the UK to the EEA rely on the UK’s own adequacy regulations recognising EEA countries. Under these arrangements, personal data may flow between the UK and EEA without additional safeguards.
Important: The EU adequacy decision for the UK is valid until June 2027 and subject to renewal. RESONANCE FOUNDATION monitors this actively. If the decision is not renewed, we will implement Standard Contractual Clauses (SCCs) with affected processors.
6.3 Data Processing Agreements (DPAs)
Under UK GDPR and EU GDPR, we maintain a Data Processing Agreement with every processor that handles personal data on our behalf. Current status:
- Hetzner Online GmbH — ✅ DPA signed 12 April 2026 (Art. 28 GDPR). Covers all infrastructure (website and CiviCRM).
- Cloudflare Inc. — ✅ DPA in place via Cloudflare’s standard Data Processing Addendum.
- Google LLC — ✅ DPA in place via Google’s Data Processing Terms.
- Stripe Inc. — ✅ DPA in place via Stripe’s Data Processing Addendum.
- PayPal Holdings Inc. — ✅ DPA in place via PayPal’s Data Processing Agreement.
- Xero Limited — ⏳ DPA available via Xero’s standard Data Processing Agreement. Data processed on EU-based servers (AWS Frankfurt). Pending execution.
6.4 International Transfers Outside the EEA and UK
Where personal data is transferred to processors based outside the UK and EEA (primarily USA-based services), we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (for transfers under EU GDPR), and the UK ICO’s International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs (for transfers under UK GDPR)
- Adequacy decisions where applicable (New Zealand for Xero)
- Binding Corporate Rules or equivalent mechanisms where SCCs are not available
6.5 Brazil (LGPD) Transfers
For data relating to Brazilian residents, international transfers are governed by Standard Contractual Clauses or equivalent mechanisms recognised by Brazil’s Autoridade Nacional de Proteção de Dados (ANPD).
6.6 Remote Access
Administrative access to CiviCRM and other systems from within the EEA (including Spain) does not constitute an international transfer; access from the UK is covered by the UK–EU adequacy arrangements described in Section 6.2. If administrative access is required from outside the EEA and UK in the future, appropriate access controls and transfer mechanisms will be implemented before such access is granted.
7. Data Retention
- Contact form & enquiry data: 2 years from last contact
- Newsletter subscriber data: until you unsubscribe, plus 1 year
- Membership & donation records: 7 years (legal/accounting requirement)
- Volunteer & partner records: duration of relationship plus 3 years
- Event & activity booking records: 3 years
- Financial records (Xero): 7 years (UK accounting/tax requirement)
- Analytics data: up to 26 months (the retention period configured in Google Analytics)
- Consent records: 3 years, retained so that we can demonstrate that consent was given (GDPR / UK GDPR Art. 7(1))
8. Your Rights — EU / UK Residents (GDPR / UK GDPR)
Under UK GDPR and EU GDPR, you have the following rights:
- Right of access — to request a copy of your personal data
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure — to request deletion of your data, subject to legal retention obligations
- Right to restriction — to limit how we process your data
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to processing based on legitimate interests
- Right to withdraw consent — at any time, without affecting prior processing
To exercise any of these rights: backoffice@resonancefoundation.org
Supervisory authorities:
- UK: Information Commissioner’s Office — ico.org.uk
- Spain: Agencia Española de Protección de Datos — aepd.es
- Italy: Garante per la Protezione dei Dati Personali — garanteprivacy.it
9. Your Rights — California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the CCPA and CPRA:
- Right to know — to request disclosure of the categories and specific pieces of personal information we have collected
- Right to delete — to request deletion of your personal information, subject to certain exceptions
- Right to correct — to request correction of inaccurate personal information
- Right to opt out of sale or sharing — we do not sell personal information; you may opt out of sharing via our cookie settings or GPC signal
- Right to limit use of sensitive personal information
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights
We will respond to California requests within 45 days.
We do not knowingly collect personal information from consumers under 16 years of age.
10. Your Rights — Brazilian Residents (LGPD)
If you are a resident of Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018):
- Right of access — to confirm the existence of and access your personal data
- Right to rectification — to correct incomplete, inaccurate, or outdated data
- Right to anonymisation, blocking, or deletion — of unnecessary or excessive data
- Right to data portability — to transfer your data to another service provider
- Right to deletion of data processed with consent — upon withdrawal of consent
- Right to information about sharing — to know with which entities your data is shared
- Right to revoke consent — at any time
Brazilian supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
11. How to Exercise Your Rights (All Regions)
To exercise any of the rights described above: backoffice@resonancefoundation.org
We will respond to all requests within 30 days (or 45 days for California residents); if a request is complex and we need longer, we will tell you. We may need to verify your identity before acting on a request.
12. Security
We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption (HTTPS) for data in transit, access controls on our systems, and regular security reviews. Payment card data never reaches our systems (see Section 5). All core infrastructure is hosted on Hetzner Cloud in Germany (EEA), ensuring European data residency.
13. Children’s Privacy
Our website and services are not directed at children under 16 (or under 13 in the USA, per COPPA). We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.
14. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services or applicable law. Any changes will be posted on this page with a revised date. Material changes will be communicated via our newsletter or a prominent notice on our website.
15. Contact
Data Controller: RESONANCE FOUNDATION — backoffice@resonancefoundation.org