PRIVACY POLICY

1. Introduction

The Kosovar Civil Society Foundation (KCSF) is committed to protecting personal data and ensuring transparency in the way such data is processed, in accordance with the General Data Protection Regulation (GDPR) and the applicable legislation in Kosovo.

This Privacy Policy explains how we collect, use, and protect your personal data when you use our website.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

• Identification data, such as your first and last name;
• Contact details, such as your email address and phone number;
• Technical data, including your IP address, browser type, and the device you use;
• Usage data, including the pages you visit and how you interact with our website;
• Communication data, including messages you send to us through website forms, email, or other communication channels;
• Marketing data (preferences regarding subscription to our newsletter).

4. Sources of Personal Data

Personal data may be collected as follows:

• Directly from you, when you fill in forms, contact us by email, or otherwise interact with our website;
• Through cookies and similar technologies when you use our website.

5. Purposes and Legal Basis

We process personal data for the following purposes and on the following legal bases:

• Communication with users, in order to respond to requests and provide information about our activities (based on our legitimate interest)
• Sending the newsletter, to send you information and updates, only with your consent (based on consent)
• Analytics and website improvement, to understand how the website is used and to improve the user experience (based on consent)
• Website security, to protect the website and prevent misuse (based on legitimate interest)
• Fulfilment of legal obligations, to comply with legal and regulatory requirements (based on legal obligation)

6. Cookies

Our website uses cookies and similar technologies for functionality, analytics and, in some cases, marketing purposes.

The use of non-essential cookies is based on your consent, which is obtained through the cookie banner.

For more information about the types of cookies we use and how you can manage them, please refer to our Cookie Policy.

7 Third Parties

We may share or process personal data through third-party services for specific purposes:

• Hetzner – for hosting and data storage;
• Google Analytics – for website traffic and usage analytics;
• Google Tag Manager – for managing website scripts and technologies;
• Meta – for marketing purposes (may be used);
• Mailchimp – for sending the newsletter (may be used);
• YouTube – for embedded video content, which may process technical data and cookies in accordance with its own policies;

These parties process data in accordance with their respective privacy policies.

8. International Transfers

Personal data is processed mainly within the European Economic Area (EEA), including through providers such as Hetzner, which operates in Germany.

However, some of the services we use, such as Google (e.g. Google Analytics), Meta and Mailchimp, may involve the transfer of data outside the EEA, including to the United States of America.

In such cases, we ensure that appropriate safeguards are used, such as:

• Standard Contractual Clauses (SCC) approved by the European Commission;
• Additional technical and organisational measures for data protection;

9. Data retention period

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including the fulfilment of legal, accounting or reporting obligations.

More specifically:

• Newsletter (through Mailchimp) – data is retained for as long as the user remains subscribed. After unsubscribing (unsubscribe), Mailchimp may retain minimal data (such as email address) in “suppression” lists to ensure that no further emails are sent and for legal compliance purposes;
• Analytics data (through Google Analytics) – under the standard configuration, user data is retained for up to 14 months before being automatically deleted;
• Tracking and marketing (e.g. Meta) – cookies and related data are usually retained for periods ranging from 3 to 12 months, in accordance with standard policies;
• YouTube embeds (YouTube) – may place cookies and retain user data in accordance with their own policies; the duration of cookies usually ranges from the session period to several months;
• Server logs (Hetzner) – are usually retained for 7 to 14 days, for security and diagnostic purposes;
• Email communications and correspondence – may be retained for an indefinite period where this is necessary for documentation, project management, institutional transparency and compliance with legal obligations;

We may retain data for longer periods if required by law or if necessary to protect our legal interests.

Note: The retention periods above are based on the standard configurations of the respective providers and may change depending on updates to their policies or changes we make to the configuration of the services.

10. Mandatory Provision of Data

In order to access our website and/or use our services, the provision of certain personal data may be necessary. Such data is processed only for purposes that are necessary for the provision, administration and operation of our website and/or services. Failure to provide this data may result in our inability to provide certain services.

11. Your Rights

• To request access to your data – to request information about the personal data we hold about you;
• Correct or delete data – to request the correction of inaccurate data or its deletion under certain conditions;
• Restrict processing – to request the restriction of the processing of your data in certain circumstances;
• Object to processing – to object to the processing of your data on grounds relating to your particular situation;
• Withdraw consent – where processing is based on consent, you may withdraw it at any time.

13. Right to Lodge a Complaint

If you believe that the processing of your personal data is not in compliance with the law, you have the right to lodge a complaint with the Information and Privacy Agency in Kosovo.

14. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or unauthorised disclosure.

These measures include, among others:

• the use of secure protocols (HTTPS/SSL);
• access control for data;
• restricting access only to authorised personnel;
• internal organisational measures for data protection;