Privacy Policy
Information Obligation Statement
Part A – Introduction & Responsibility
Protecting your personal data is very important to us.
We are pleased you are visiting our website. Below, we explain simply and transparently what data we collect, why we do it, and how we protect it. We treat your personal data confidentially and in accordance with legal regulations (GDPR, TKG 2021).
For security reasons and to protect the transmission of confidential content, such as inquiries you send to us, we use SSL encryption. You can recognize an encrypted connection when the browser’s address bar changes from “http://” to “https://” and by the lock symbol in your browser bar. If SSL encryption is activated, the data you transmit to us cannot be read by third parties.
Who is responsible for data collection?
The controller for data processing on this website, within the meaning of the General Data Protection Regulation (GDPR), is:
Verein Regenwald der Österreicher
(Association for the Preservation of Biodiversity in Southern Costa Rica)
1220 Vienna, Schiergasse 1a/1
Phone: +43-(0)664-204 26 29
Email: info@regenwald.at
Imprint: Imprint
We receive support from our external data protection officer:
Attorney Dr. Daniel Stanonik LL.M.
Stanonik Rechtsanwälte GbR
1090 Vienna, Porzellangasse 37/13
Email: regenwald@stanonik.at
Website: Data Protection Officer
Part B – Your Rights as a User
To ensure you retain control over your data, you have comprehensive rights under the GDPR. You can exercise these rights at any time free of charge (e.g., by email to regenwald@stanonik.at or by post to the attention of the Data Protection Officer).
| Auskunft: | Sie können jederzeit fragen, ob und welche Daten wir von Ihnen gespeichert haben |
| Berichtigung: | Sind Ihre Daten falsch? Wir korrigieren sie. |
| Löschung: | Sie können verlangen, dass wir Ihre Daten löschen (sofern keine gesetzliche Aufbewahrungsfrist besteht). |
| Einschränkung: | Sie können die Verarbeitung Ihrer Daten einschränken lassen. |
| Datenübertragbarkeit: | Sie können Ihre Daten in einem maschinenlesbaren Format erhalten. |
| Widerruf Ihrer Einwilligung: | Viele Datenverarbeitungen sind nur mit Ihrer ausdrücklichen Einwilligung möglich (z. B. Newsletter, Tracking). Diese Einwilligung können Sie jederzeit für die Zukunft widerrufen. |
| Widerspruch: | Gegen die Verarbeitung auf Basis von „berechtigtem Interesse“ (Art 6 Abs 1 lit f DSGVO) können Sie Widerspruch einlegen. |
Right to lodge a complaint with the supervisory authority
If you believe that we are violating data protection law, you can lodge a complaint with the supervisory authority. In Austria, this is
Austrian Data Protection Authority
1030 Vienna, Barichgasse 40-42
Website: www.dsb.gv.at
Part C – Data Collection on Our Website
C1 – Hosting
Our website is hosted on the servers of a service provider (hoster).
Service Provider: Hetzner Online GmbH
Location: Germany
Purpose: Provision of infrastructure, storage space, databases, and security features.
Legal Basis: Our legitimate interest in a secure and fast website (Art 6 para 1 lit f GDPR)
We have concluded a data processing agreement (DPA) with the provider in accordance with Art 28 GDPR. This guarantees that your data will only be processed according to our instructions and in compliance with the GDPR.
C2 – Server Log Files
When you access our site, the server automatically stores information transmitted by your browser. This happens automatically and is necessary for the security of the site.
What is stored?
- Client IP address (%h)
- Time of access (%t)
- Requested resource (e.g., URL path %U)
- HTTP method (e.g., GET, POST)
- HTTP status code (%>s, e.g., 200 for success, 404 for not found)
- Size of transferred data (%b)
- Referer (%{Referer}i): The website from which the visitor came
- User-Agent (%{User-Agent}i): Client’s browser and operating system
Why? To ensure the functionality and security of the website (e.g., protection against DDoS attacks) and to fix errors. Data is not evaluated for marketing purposes.
Legal Basis: Our legitimate interest in the secure provision of the website (Art 6 para 1 lit f GDPR).
Storage Duration: The data will be deleted as soon as it is no longer required for the purpose of its collection. This occurs after 60 days (rolling). The collection of data for the provision of the website is absolutely necessary for the operation of the website. Consequently, the user has no right to object.
C3 – Cookies
We use a consent management tool to obtain and document your consent for storing certain cookies (e.g., for analysis or marketing). These are small text files that are stored on your device with the help of your browser. They do not cause any harm. We use cookies to make our offering user-friendly. Some cookies remain stored on your device until you delete them. They allow us to recognize your browser on your next visit. If you do not wish this, you can set your browser to inform you about the setting of cookies and only allow them in individual cases. Disabling cookies may limit the functionality of our website.
Tool Used: complianz by iubenda
How it works: On your first visit, you will be asked which categories you wish to allow. Your decision is stored in a technically necessary cookie so that you are not asked again with every click.
Legal Basis: Fulfillment of a legal obligation to obtain consent pursuant to § 165 TKG 2021 (Art 6 para 1 lit c GDPR)
User data collected by technically necessary cookies is not used to create user profiles.
Here you can view our Cookie Policy and change your cookie settings at any time (https://www.regenwald.at/cookie-richtlinie/#cmplz-cookies-overview)
Part D – Analysis, Marketing & Third Parties
D1 – ANALYSIS AND STATISTICS
We use the free version of the “Burst Statistics” plugin (open source) to understand how our website is used.
Provider: Burst Statistics BV
Burst Statistics is a privacy-friendly WordPress plugin for website analysis that stores all data anonymously and only on our web server.
Data Protection & GDPR Compliance: All data is stored locally on our own server and never passed on to third parties.
What happens? The plugin sets cookies and analyzes your usage behavior (clicks, time spent, origin). IP addresses are anonymized and neither logged nor stored.
Legal Basis: Your consent (Art 6 para 1 lit a GDPR in conjunction with § 165 TKG 2021).
Storage Duration: 5 years
Revocation: At any time via the Cookie Settings.
Disabling Statistics: If you do not want anonymized statistics about your page views and visit history on our website to be created, you can disable “Statistics” in the cookie settings.
D2 – YouTube Videos (incl. Google Fonts) USA TRANSFER
We use YouTube so you can watch videos directly on our site without leaving the page.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
We have concluded a data processing agreement (DPA) with the provider in accordance with Art 28 GDPR. This guarantees that your data will only be processed according to our instructions and in compliance with the GDPR.
What happens? Normally, YouTube sends data to Google as soon as you enter a page with a video. We have prevented this. A connection to Google’s servers is only established if you agree to marketing cookies or actively click on the video.
Important Note: Due to technical reasons, loading the video player also causes Google Fonts (fonts for player controls) to be loaded from Google servers.
Legal Basis: Your explicit consent (Art 6 para 1 lit a GDPR). By consenting to YouTube/marketing cookies, you simultaneously consent to the necessary loading of fonts.
Third-country transfer: Data (your IP address and information about video retrieval) is transferred to Google servers, potentially in the USA. Google is certified under the “EU-US Data Privacy Framework,” ensuring an adequate level of protection in accordance with the GDPR even when data is transferred to the USA.
Storage Duration: We do not store any data. For Google’s storage duration, please refer to their privacy policy.
Revocation: At any time via the Cookie Settings.
Further information can be found in the Google Privacy Policy.
D3 – Google reCAPTCHA (incl. Google Fonts) USA TRANSFER
To protect our contact form (and other input fields) from misuse by automated programs (bots) and spam, we use Google reCAPTCHA. The service checks whether the input is made by a human or a program.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
We have concluded a data processing agreement (DPA) with the provider in accordance with Art 28 GDPR. This guarantees that your data will only be processed according to our instructions and in compliance with the GDPR.
What happens? For this purpose, reCAPTCHA analyzes your behavior based on various characteristics (e.g., IP address, time spent on the page, mouse movements). This analysis begins automatically as soon as you open the contact form.
Important Note: For the visual display of the Captcha field, fonts (Google Fonts) are loaded from Google servers.
Legal Basis: Our legitimate interest in protecting our web offerings from misuse by bots and spam.
Third-country transfer: Data is transferred to Google servers, potentially in the USA. Google is certified under the “EU-US Data Privacy Framework,” ensuring an adequate level of protection in accordance with the GDPR even when data is transferred to the USA.
Storage Duration: We do not store any data. For Google’s storage duration, please refer to their privacy policy.
Further information can be found in the Google Privacy Policy.
Part E – Special Features
E1 – Contact Form & Email Contact
If you write to us, we store your information to process the inquiry.
Data: Gender, title, name, email, phone number, message text.
Legal Basis: Art 6 para 1 lit b GDPR (if it concerns a contract) or Art 6 para 1 lit f GDPR (our legitimate interest in communication).
Storage Duration: We delete the data once the inquiry has been conclusively clarified and no legal retention obligations prevent deletion.
E2 – Rainforest Newsletter
For the management of our newsletters and subscriber addresses, we use the WordPress plugin “The Newsletter Plugin.” Advantage: The management of newsletters and subscriber data is GDPR-compliant and takes place directly on our server. No data is passed on to third parties.
If you subscribe to our newsletter, we use your email exclusively for sending it.
Data: Gender, name, email, addition/company/institute
Procedure: We use the double opt-in procedure (you will receive a confirmation email).
Provider: Web Agile S.a.s. di Fietta Roberto, Italy
Legal Basis: Your consent (Art 6 para 1 lit a GDPR).
Revocation: You will find an unsubscribe link in every newsletter.
Storage Duration: We delete the data upon revocation.
E3 – Rainforest News
If you subscribe to our Rainforest News, we use your address exclusively for sending it.
Data: Gender, name, email, addition/company/institute, address
Procedure: We use the double opt-in procedure (you will receive a confirmation email).
Service Providers: Printers, Austrian Post
We have concluded a data processing agreement (DPA) with the service providers in accordance with Art 28 GDPR. This guarantees that your data will only be processed according to our instructions and in compliance with the GDPR.
Legal Basis: Your explicit consent (Art 6 para 1 lit a GDPR) or our legitimate interest in communicating with our supporters (Art 6 para 1 lit f GDPR).
Revocation: You can revoke your consent or object at any time at info@regenwald.at.
Storage Duration: We delete the data upon revocation of your consent or objection.
E4 – Donations via Payment Slip
Donations to us are tax-deductible. For your donation to be deductible, you must provide your name and date of birth on the payment slip.
Data: Name, date of birth, IBAN, donation amount
Payment Service Provider: Raiffeisenbank Korneuburg eGen
We have concluded a data processing agreement (DPA) with the provider in accordance with Art 28 GDPR. This guarantees that your data will only be processed according to our instructions and in compliance with the GDPR.
Further information can be found in the Privacy Policy of Raiffeisenbank Korneuburg eGen.
Data Recipient: Austrian Tax Office
Legal Basis: Our legal obligation as beneficiary institutions to report donations to the tax office (Art 6 para 1 lit b GDPR).
Storage Duration: 10 years
E5 – Donation Shop
Donations to us are tax-deductible. For your donation to be deductible, you must provide your name and date of birth.
Data: Name, gender, company, date of birth, donation amount, address, phone number, email, payment data (e.g., credit/debit card details, PayPal account data, order number), donation details (e.g., CO2 emissions, chosen gifts, number of rainforest trees, plot size, name on certificate, flight destination)
Payment Service Provider:
Raiffeisenbank Korneuburg eGen: Further information can be found in the Privacy Policy of Raiffeisenbank Korneuburg eGen.
- PayPal (Europe) S.à.r.l. et Cie: PayPal is not certified under the “EU-US Data Privacy Framework.” PayPal has Binding Corporate Rules (BCRs), ensuring an adequate level of protection in accordance with the GDPR even when data is transferred to the USA. These have been accepted by the data protection authority in Luxembourg. Further information can be found in the PayPal Privacy Policy. USA TRANSFER
- Stripe, Inc.: Data may be transferred to the USA. Stripe is certified under the “EU-US Data Privacy Framework,” ensuring an adequate level of protection in accordance with the GDPR even when data is transferred to the USA. Further information can be found in the Privacy Policy of Stripe, Inc. USA TRANSFER
We have concluded a data processing agreement (DPA) with all providers in accordance with Art 28 GDPR. This guarantees that your data will only be processed according to our instructions and in compliance with the GDPR.
Data Recipient: Austrian Tax Office
Legal Basis: Our legal obligation as beneficiary institutions to report donations to the tax office (Art 6 para 1 lit b GDPR) and our legitimate interest in sending gifts as a thank you to our donors (Art 6 para 1 lit f GDPR).
Storage Duration: 10 years
E6 – Customer Account
You can create a customer account on our website to have all your orders, certificates, etc., in one place and always at hand.
If you wish for your customer account to be deleted, please inform us in writing.
However, not all data can be deleted, as legal retention periods apply. Orders and invoices must be retained even if the customer account is deleted.
Data: Email address, orders, downloads, address, payment methods, account details, certificates, newsletter status
Legal Basis: Your consent (Art 6 para 1 lit a GDPR)
Storage Duration: We delete the association of orders with a customer account upon revocation.
E7 – School Activities
With lively workshops and lectures for children and young people, we ignite enthusiasm for the fascinating world of the rainforest. Another highlight of our commitment is the so-called rainforest runs.
Data: Name of contact person, email, school, class, names of students, date of school activity, names and dates of birth of sponsors, and the donation amount for the rainforest run
Legal Basis: Our contract with you (Art 6 para 1 lit b GDPR) as well as our legal obligation as beneficiary institutions to report donations to the tax office (Art 6 para 1 lit b GDPR)
Storage Duration: We delete the data once the school activity has taken place and no legal retention obligations prevent deletion.
E8 – Sponsoring
We are proud of our partnerships! Therefore, we are happy to share the experiences of our partners.
Data: Name, role, company, comment, photo, sponsoring data (e.g., duration of cooperation, type of cooperation, etc.)
Legal Basis: Our contract with you (Art 6 para 1 lit b GDPR) and our legitimate interest in sharing your enthusiasm for our work with others to find further supporters (Art 6 para 1 lit f GDPR).
Storage Duration: We delete the data once the school activity has taken place and no legal retention obligations prevent deletion.
