Legal
Privacy Policy
Pursuant to GDPR, TTDSG and TMG · Last updated: March 2026
The protection of your personal data is of particular importance to us. We therefore process your data exclusively on the basis of statutory provisions (GDPR, TTDSG, TMG). In this privacy policy, we inform you about the most important aspects of data processing in connection with our website.
1. Controller
The controller pursuant to Art. 4 No. 7 GDPR is:
Verein für Afghanistan-Förderung e.V. (Bright Afghan)
Alaunbachweg 12, 53229 Bonn, Germany
Phone: +49 (0) 228 481077
Email: info@brightafghan.org
Represented by: Abdul Jalil Hekmat (Chairman)
2. Data Protection Officer
As a small non-profit association, we are not legally required to appoint a data protection officer pursuant to Art. 37 GDPR. For any data protection queries, please contact us directly at the address above.
3. Hosting & Server Log Files
This website is hosted by Vercel Inc., 340 Pine Street, Suite 900, San Francisco, CA 94104, USA. Each time our website is accessed, Vercel automatically records the following data in server log files: anonymised IP address, date and time of request, URL, referrer URL, browser type/version, operating system, HTTP status code.
Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in the secure provision of the website). Log files are deleted after 30 days. Data transfer to the USA is based on EU Standard Contractual Clauses (Art. 46 (2)(c) GDPR). Vercel participates in the EU–US Data Privacy Framework. Details: vercel.com/legal/privacy-policy
3.1 Vercel Analytics
We use Vercel Analytics, a privacy-friendly web analytics service by Vercel Inc. Vercel Analytics collects anonymised usage data such as page views, time on page, and device types. No cookies are set and no personal data (such as IP addresses) is stored or shared with third parties.
Vercel Analytics is only activated after you have given consent via our cookie consent banner. Legal basis: Art. 6 (1)(a) GDPR (consent). You may withdraw your consent at any time via the cookie settings.
More information: vercel.com/docs/analytics/privacy-policy
4. Cookies & Cookie Consent
4.1 Strictly Necessary Cookies
We use strictly necessary cookies without which the website cannot function. These do not require consent (§ 25 (2) No. 2 TTDSG): language preference, session cookie (for secure login), CSRF protection token.
4.2 Cookie Consent Banner
On your first visit, a cookie consent banner is displayed at the bottom of the page. You can accept all cookies, allow only essential cookies, or make a granular selection. Your consent decision is stored in your browser (localStorage) and can be withdrawn at any time via the cookie settings in the website footer.
Legal basis: § 25 (1) TTDSG (consent for non-essential cookies) and Art. 6 (1)(a) GDPR (consent). The storage of the consent decision itself is technically necessary (§ 25 (2) No. 2 TTDSG).
4.3 Optional Cookies
For any optional cookies, we obtain your explicit consent in advance pursuant to § 25 (1) TTDSG and Art. 6 (1)(a) GDPR. You may withdraw this consent at any time. We currently use the following optional services:
- Vercel Analytics – for anonymised website usage analysis (see section 3.1)
5. Contact Form & Email Communication
When you contact us via our contact form or by email, the data you provide (name, email address, subject, message) is stored solely for the purpose of handling your enquiry and is not shared with third parties. Legal basis: Art. 6 (1)(b) GDPR or Art. 6 (1)(f) GDPR. Data is deleted after your enquiry has been fully resolved.
Form data is transmitted via TLS encryption. Emails are sent via Resend (Resend Inc., San Francisco, CA, USA, privacy policy). Data transfer to the USA is based on EU Standard Contractual Clauses (Art. 46 (2)(c) GDPR) and a Data Processing Agreement (Art. 28 GDPR). Only the data necessary for email delivery (recipient email address, subject, message content) is transmitted.
6. Donation Processing & Payment Service Providers
Donations are processed via Twingle (Twingle GmbH, Franklinstraße 27, 10587 Berlin, privacy policy). Data transmitted includes name, email, postal address (for donation receipt), donation amount/frequency, and payment data. Processing is based on a Data Processing Agreement (Art. 28 GDPR). Legal basis: Art. 6 (1)(b) GDPR; for donation receipts Art. 6 (1)(c) GDPR. Donor data is retained for 10 years pursuant to German tax law.
Twingle operates its servers in Germany and is fully GDPR-compliant. All donor data is exclusively processed and stored on German servers.
Twingle facilitates payments via third-party providers such as PayPal, Stripe, or SEPA. The respective privacy policies of these providers apply to their processing.
7. Newsletter
If you subscribe to our newsletter, we process your email address based on your consent (Art. 6 (1)(a) GDPR) via a double opt-in procedure.
7.1 Email Delivery via Resend
Newsletter emails are sent via Resend (Resend Inc., San Francisco, CA, USA, privacy policy). Data transfer to the USA is based on EU Standard Contractual Clauses (Art. 46 (2)(c) GDPR) and a Data Processing Agreement (Art. 28 GDPR).
7.2 Data Storage via Supabase
Newsletter subscriber data (email address, subscription timestamp, confirmation status) is managed and stored via Supabase (Supabase Inc., San Francisco, CA, USA, privacy policy). Data transfer to the USA is based on EU Standard Contractual Clauses (Art. 46 (2)(c) GDPR) and a Data Processing Agreement (Art. 28 GDPR). Data is stored in a secured database and used exclusively for newsletter delivery.
You may unsubscribe at any time via the unsubscribe link in any newsletter email or by contacting us at info@brightafghan.org. After withdrawal of consent, your data will be removed from the mailing list.
8. Content Management System (Sanity)
We use Sanity (Sanity AS, Stortorvet 7, 0155 Oslo, Norway, privacy policy) to manage website content. Sanity does not process personal data of website visitors.
9. Member Area & Authentication
The member dashboard is restricted to authorised staff. Login data (email/password or Google OAuth 2.0) is processed on the basis of Art. 6 (1)(b) GDPR. Google OAuth is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google Privacy Policy).
10. Retention Periods
- Server log files: 30 days
- Contact enquiries: until fully resolved, then deleted
- Donor data: 10 years (statutory retention obligation)
- Newsletter subscribers: until consent is withdrawn
- Account data: until account deletion
11. Your Rights as a Data Subject
Under the GDPR you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR) – withdrawal does not affect the lawfulness of prior processing
To exercise your rights, contact us at: info@brightafghan.org
12. Right to Lodge a Complaint
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR). The supervisory authority for North Rhine-Westphalia is:
Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
Email: poststelle@ldi.nrw.de · www.ldi.nrw.de
13. Data Security
This website uses TLS/SSL encryption for all data transmission. We implement appropriate technical and organisational security measures pursuant to Art. 32 GDPR to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised access by third parties.
14. Changes to this Privacy Policy
We reserve the right to update this privacy policy when the legal framework or our data processing practices change. The current version is always available on this page. We will notify you of material changes in an appropriate manner.
