Collectiva.
Last updated: April 2026

Privacy Policy

This is a draft policy for the prototype. Final text is being reviewed by a Greek lawyer and will be updated before public launch.

1. Who we are

Collectiva ΑΜΚΕ (the “platform”) is a Greek non-profit civil company that connects donors with verified Greek and EU non-profit organizations through monthly subscription giving. We are the data controller for personal data processed on collectiva.gr.

Contact: privacy@collectiva.gr.

2. What data we collect

  • Account data: name, email address, password hash, preferred locale, authentication identifiers from Clerk or OAuth providers.
  • Donation data: monthly amount, allocations across organizations, transaction history. Payment card data is handled directly by Stripe and never stored on our servers.
  • Organization data (for applicants): legal name, ΑΦΜ/VAT, legal form, leadership identity documents, IBAN, mission, goals, impact reports.
  • Usage data: pages visited, anonymized analytics, device/browser information, error logs.

3. How we use it

We process personal data to operate the subscription platform, route donations, generate annual tax receipts, enforce verification and compliance requirements on organizations, and send transactional emails (receipts, payment failures, impact updates).

4. Legal basis (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): processing donation and account data to deliver the service you signed up for.
  • Legal obligation (Art. 6(1)(c)): tax records, AML retention of financial data.
  • Legitimate interest (Art. 6(1)(f)): fraud prevention, aggregate analytics, platform security.
  • Consent (Art. 6(1)(a)): non-essential cookies, marketing emails.

5. Who we share data with

  • Stripe (payment processing, KYC for organizations)
  • Resend (transactional email delivery)
  • Vercel (hosting)
  • Neon / Supabase (managed Postgres database)
  • Greek authorities (ΓΕΜΗ, AAΔE) when legally required for verification or tax reporting.

We do not sell personal data.

6. Retention

  • Account data: retained while your account is active + 30 days after deletion.
  • Financial records: 10 years (Greek tax law).
  • Impact reports: retained for the lifetime of the organization on the platform.

7. Your rights

Under GDPR you have the right to:

  • access your personal data (Art. 15);
  • correct inaccurate data (Art. 16);
  • request erasure (Art. 17, subject to legal retention);
  • restrict or object to processing (Arts. 18, 21);
  • export your data in a portable format (Art. 20);
  • lodge a complaint with the Hellenic DPA (dpa.gr).

Exercise any right by emailing privacy@collectiva.gr. We respond within 30 days.

8. Data transfers

Personal data is stored primarily in the EU. Some sub-processors (e.g. Vercel, Stripe) may process data in third countries under Standard Contractual Clauses approved by the European Commission.

9. Changes

We will notify registered users by email of any material change at least 30 days before it takes effect.

Start giving