This page explains what personal data the Verana Foundation (in formation), represented by 2060 OÜ, collects through veranafoundation.org, why we collect it, how long we keep it, and your rights under the EU General Data Protection Regulation (GDPR). It covers the contact form on /contact and any cookies or anti-abuse signals set by the site.
We do not sell data and do not run ad targeting or remarketing. The only data we collect is what you explicitly send through the contact form, what our hosting provider logs for security, and — with your consent — aggregate usage measurements so we can see which pages people read.
Data controller
The Verana Foundation is in formation. Until incorporation, the data controller is 2060 OÜ, Ahtri tn 12, 10151 Tallinn, Estonia (registry 16853041), acting as the Foundation’s steward; thereafter the incorporated Foundation. For privacy matters, use the contact form with inquiry type General inquiry and begin the message with “Legal:”. We do not publish a direct privacy email; routing is handled internally.
What we collect and why
When you submit the form on /contact, we receive:
- Required. Inquiry type, name, email, message, consent.
- Conditionally required. Organization (for membership, partnership, or press inquiries).
- Optional. Role or title, website/LinkedIn, referral source.
Automatically, as part of submission security:
- IP address and user-agent, from our hosting provider, used only for rate limiting and honeypot-based abuse detection — not for tracking or profiling.
Purpose. To respond to your inquiry and route it to the right person. Legal basis. Your consent (GDPR Art. 6(1)(a)) and our legitimate interest in answering inbound inquiries (Art. 6(1)(f)).
Cookies and analytics
Analytics, if enabled, are consent-gated: a banner offers Accept all or Essential only, and any analytics tag loads only after consent. Your choice is stored in your browser’s localStorage (not a cookie) so the banner does not reappear. No ad networks, no cross-site trackers; IP addresses anonymized. The specific analytics provider and measurement ID will be listed here once finalized.
Where data is processed
Hosting, the contact-form submission handler, and anti-abuse measures are being finalized during implementation and will be listed here. Spam protection is self-hosted (honeypot, time-to-submit, rate limiting); no third-party captcha is used. Any cross-border transfer will rely on an EC adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses as applicable.
How long we keep it
- Contact-form correspondence — up to 24 months from the last interaction, then deleted or anonymized unless an engagement is ongoing.
- Spam-protection logs (IP, user-agent) — up to 30 days.
- Analytics — minimum provider retention; aggregate reports contain no identifiers.
Your rights
Under the GDPR, you may:
- access the personal data we hold about you;
- rectify inaccurate data;
- erase your data where we have no lawful basis to keep it;
- restrict or object to processing;
- receive a portable copy of the data you gave us;
- withdraw consent at any time;
- lodge a complaint with a supervisory authority — while stewarded by 2060 OÜ, the Estonian Data Protection Inspectorate.
To exercise any right, use the contact form (inquiry type General, message prefixed “Legal:”). We respond within 30 days.
Changes
We update this page when our practices change. The Last updated date reflects the most recent change; prior submissions remain governed by the version in force when they were sent.