This page explains what personal data the Verana Council Association (in formation), represented by 2060 OÜ, collects through veranacouncil.org, why we collect it, how long we keep it, and your rights under the EU General Data Protection Regulation (GDPR). The site is more than an informational website: it hosts member accounts, the candidacy application and e-signature flow, the provisional admission-ballot mechanism, and a public member directory and record — this policy covers all of them, plus the contact form and cookies. Membership is free: the site collects no payments.
We do not sell data and do not run ad targeting or remarketing. We collect what you give us to operate your candidacy or membership, what sign-in providers necessarily share with us, and — with your consent — aggregate usage measurements.
Data controller
The Verana Council Association is in formation. Until incorporation, the data controller is 2060 OÜ, Ahtri tn 12, 10151 Tallinn, Estonia (registry 16853041), acting as the Council’s steward; thereafter, the controller is the incorporated Verein (at which point the Swiss FADP applies alongside the GDPR and the Swiss FDPIC becomes a competent authority). For privacy matters, use the contact form with inquiry type General inquiry and begin the message with “Legal:”.
What we collect and why
Accounts and sign-in
- Identity. Your verified email address is your account key, with your name and avatar if provided by a sign-in provider. Sign-in works via Google, GitHub, or a one-time code we email you; with OAuth we receive only your basic profile and verified email — never your password.
- Session. A strictly necessary, encrypted session cookie keeps you signed in. One-time sign-in codes are stored hashed and expire after 10 minutes.
Legal basis. Performance of a contract (GDPR Art. 6(1)(b)) — operating your account.
Candidacies and e-signatures
- Candidate details. The organization’s legal name, entity type, country, registered address, optional logo, and the seat (sector × region) applied for.
- Signature record. When you e-sign the Candidate Agreement we record the signer’s name and title, timestamp, agreement version and document hash, and the IP address and browser user-agent at signing — kept as evidence that the agreement was validly executed — plus the personalised signed PDF.
- Organization access lists. Org managers may add colleagues’ email addresses to grant them access (including designating the voting representative); those people are notified by email and linked to the organization when they sign in.
Legal basis. Performance of the Candidate Agreement (Art. 6(1)(b)) and our legitimate interest in evidencing contracts (Art. 6(1)(f)).
Admission ballots and the public record
- Ballots. For each admission ballot we record which member organization voted, the choice, the time of the vote, and the representative who cast it (for internal accountability).
- The public record. Candidacies, ballot outcomes (counts, not per-member choices), seatings, observer acceptances, seed-designation rationales, and published minutes appear on /news by design — transparency is part of how the Council works. Personal data of representatives is not published; meeting minutes name attendees as institutional representatives.
Legal basis. Performance of the membership instruments (Art. 6(1)(b)) and our legitimate interest in transparent governance (Art. 6(1)(f)).
Public member directory
The /members page lists members and observers of the Council. Listing is curated by Council administrators, and an organization’s logo appears only with the explicit consent given at upload (“We may display this logo on veranacouncil.org”). You can withdraw at any time: remove the logo from your membership card, or ask us to unlist the membership entirely (the public record of admissions remains).
Legal basis. Consent (Art. 6(1)(a)) and legitimate interest in presenting the Council’s membership (Art. 6(1)(f)).
Transactional email
We send operational email tied to your candidacy or membership: sign-in codes, executed-agreement copies, vetting and ballot notifications, and access notifications. These are part of operating the service, not marketing; we send no newsletters without separate consent.
Contact form
Submissions on /contact (inquiry type, name, email, message, optional organization/role/links) are stored in our self-hosted Relaticle CRM (crm.2060.io) so we can respond. IP address and user-agent are used only for rate limiting and abuse detection.
Administration and security
Administrative actions on member records (e.g. vetting a candidacy, opening a ballot, listing a member) are written to an audit log recording who did what and when. Hosting logs (IP, user-agent) serve security and rate limiting only.
Cookies and analytics
The only cookie required by the site is the strictly necessary session cookie for signed-in users. Analytics, if enabled, are consent-gated: a banner offers Accept all or Essential only, and any analytics tag loads only after consent; your choice is stored in localStorage. We use no ad networks and no cross-site trackers, and IP addresses are anonymized. See the cookie policy.
Processors and where data goes
- Google / GitHub — only if you choose them for sign-in.
- Our email provider — delivery of transactional email.
- Our hosting provider (EU) and our self-hosted CRM, operated by 2060 OÜ.
Cross-border transfers rely on an EC adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses as applicable. No third-party marketing platform receives your data.
How long we keep it
- Account and member records — for the life of the candidacy/membership and up to 24 months after it ends, then deleted or anonymized except where retention below applies.
- Signed agreements and ballot records — up to 10 years, to evidence the contract and the association’s decisions (the public record itself is permanent by design).
- Signature evidence (IP, user-agent at signing) — kept with the signed agreement.
- One-time sign-in codes — 10 minutes; spam/abuse logs — up to 30 days.
- Contact-form correspondence — up to 24 months from the last interaction.
- Analytics — minimum provider retention; aggregate reports contain no identifiers.
Your rights
Under the GDPR, you may:
- access the personal data we hold about you;
- rectify inaccurate data (organization managers can correct the registered address directly from the membership card);
- erase your data where we have no lawful basis to keep it;
- restrict or object to processing;
- receive a portable copy of the data you gave us;
- withdraw consent at any time (e.g. remove your logo or ask to be unlisted from /members) — without affecting prior processing;
- lodge a complaint with a supervisory authority — while stewarded by 2060 OÜ, the Estonian Data Protection Inspectorate.
Note that executed agreements and the association’s decision records are retained despite erasure requests while a legal obligation or the contract-evidence interest applies. To exercise any right, use the contact form (inquiry type General, message prefixed “Legal:”). We respond within 30 days.
Changes
We update this page when our practices change. The Last updated date reflects the most recent change; prior submissions remain governed by the version in force when they were sent.