Privacy policy
Personal data administrator
We inform You that the administrator of Your personal data is the Bodhi Tree Foundation (NIP: 6312722692), whose headquarters are located at Zwycięstwa Street 1 in Gliwice, Poland (hereinafter referred to as the “Foundation”, “We”).
Our registration records are maintained by the District Court in Gliwice, X Commercial Division of the National Court Register. We are registered in the register of associations, other social and professional organizations, foundations, and independent public healthcare institutions of the National Court Register under the KRS Number: 0001107157.
If You would like to contact us, please write to us at: Zwycięstwa Street 1 in Gliwice, Poland or send us an e-mail: drzewobodhi@gmail.com.
Approaching the protection of personal data
This information, in accordance with Articles 13 and 14 of the GDPR [Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 2016, p. 1, as amended)], defines the legal basis for data processing, the methods of its collection and use by the Foundation, and presents the rights of individuals whose personal data is processed by the Foundation.
In the Privacy Policy, we present key information regarding the principles of personal data processing within our organization. We specify the main groups of individuals whose data is collected, explain the purpose of this activity, the legal basis, and the retention period. We also inform about the rights of individuals whose data is processed.
The Foundation makes every effort to protect Your privacy and the information provided, including personal data. We collect data only to the extent necessary and in accordance with the principles of adequacy, necessity, and minimization.
We handle the security of stored data with the utmost care. We apply recognized data protection standards and have implemented comprehensive policies and procedures to ensure their confidentiality and security. We regularly conduct internal audits to assess the effectiveness and adequacy of the security measures in place.
We use appropriate security measures in accordance with the latest technology to protect personal data from unauthorized access, processing, acquisition, and modification. We conduct risk analyses to ensure that personal data is processed securely. We guarantee that only authorized individuals have access to the data and only to the extent necessary to perform their duties. We ensure that all operations on the data are recorded and carried out exclusively by authorized individuals. Additionally, we ensure that the entities cooperating with us provide guarantees for the application of appropriate security measures.
General information regarding processing personal data
Personal data is collected with due care and adequately protected against unauthorized access. Its processing is carried out in accordance with applicable data protection laws and under the conditions specified therein.
We do not process sensitive data or data of minors.
Providing personal data is entirely voluntary.
The Foundation strives to conduct its statutory activities to the greatest extent possible without processing the personal data of participants in organized events or projects. However, in cases where data processing is necessary and appropriate, failure to provide personal data may prevent the proper execution of processes such as volunteer recruitment, registration for an event organized by the Foundation, the execution of an agreement with a partner, or the processing of a donation.
Your data will not be processed in an automated manner or subjected to profiling.
Rights of Individuals Whose Data We Process
All individuals whose data we process have the right to:
– access their data,
– request correction of their data,
– request deletion or restriction of data processing,
– object to data processing due to their particular situation, as we also process their data based on our legitimate interest,
– request data portability,
– withdraw consent for data processing at any time.
Individuals whose data we process based on our legitimate interest (e.g., for sending thank-you messages to donors) have the right to object by informing us that they do not wish their data to be used in this manner.
You have the right to withdraw Your consent to the processing of Your personal data at any time, to the extent that You have given it. Withdrawal of consent will not affect processing that has already taken place based on the consent before its withdrawal. If consent is withdrawn, we will cease processing Your personal data.
The scope of these rights and the situations in which they can be exercised are defined by law. The ability to exercise a particular right depends on the purpose and legal basis of data processing.
To exercise these rights, please contact the Foundation at: drzewobodhi@gmail.com.
We strive to make the full realization of the rights related to personal data processing as simple as possible. However, as the administrator of personal data, we have to ensure that data is not disclosed to unauthorized individuals. Therefore, if we have any doubts about the identity of the person submitting a request, such as for access to or deletion of data, we may ask for additional information for verification purposes.
If You believe that we have violated Your rights, You have the right to file a complaint with the President of the Personal Data Protection Office. However, we kindly ask that You inform us of the issue first. We make every effort to properly protect personal data, and if a mistake is made, we want to correct it as soon as possible.
For any questions, requests, or complaints regarding the processing of personal data, please contact the Foundation Board. You can do so by sending an email to drzewobodhi@gmail.com or by sending a letter to: Zwycięstwa Street 1 in Gliwice, Poland. We will review the request and take appropriate action to resolve the reported issue in cooperation with the person submitting the request or complaint.
Subjects and policy of data processing
1 – Contact Details
Purposes and legal basis for processing Your personal data
We may process Your data:
– In case of any form of contact (e.g., by letter, phone, email, via a contact form, or in person at events we organize):
- To respond to Your inquiries and maintain contact for this purpose,
- To fulfill our statutory objectives by handling incoming correspondence and responding to Your messages,
- In connection with the content of correspondence,
- To establish contact regarding our statutory goals, now or in the future,
- To analyze our communication and received inquiries,
- To promote our statutory activities by informing You about actions taken by the Foundation,
- To analyze the effectiveness of our activities in achieving our statutory goals.
The legal basis for processing Your data is our legitimate interest in conducting communication, responding to inquiries related to our statutory activities, and promoting our mission (Article 6(1)(f) of the GDPR).
– For events requiring registration, to allow event sign-ups, analyze the effectiveness of our activities, fulfill reporting obligations, improve our actions, and maintain relationships. The legal basis for processing is the performance of a contract (e.g., for event participation) (Article 6(1)(b) of the GDPR) or our legitimate interest (Article 6(1)(f) of the GDPR).
– For claims by or against the Foundation, for the purpose of establishing, pursuing, or defending legal claims – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR).
– For processing Your image to inform about the Foundation’s activities – the legal basis is the Foundation’s legitimate interest (Article 6(1)(f) of the GDPR), always combined with Your consent (Article 6(1)(a) of the GDPR). When collecting additional personal data, such as Your image, we will provide an appropriate information clause along with a consent form.
– If You submit a request or complaint regarding Your GDPR rights, for reviewing and responding to the request/complaint – the legal basis for processing is the fulfillment of legal obligations (Article 6(1)(c) of the GDPR).
– If You are a contact person at our contractor’s company or if we are working on a project with Your organisation (“partner”), and You were designated as the contact person for contract execution, maintaining communication regarding contract performance, cooperation opportunities, order placements, responding to inquiries, or providing information about the Foundation’s activities and possible partnerships – the legal basis for processing is our legitimate interest in maintaining contact with partners and their employees or collaborators (Article 6(1)(f) of the GDPR) and necessity for contract execution (Article 6(1)(b) of the GDPR), as well as compliance with legal obligations (Article 6(1)(c) of the GDPR), such as tax and accounting requirements.
Source of data
We may receive Your personal data:
- Directly from You,
- From Your employer or the organization You represent – our partner (contact person at a partner),
- From another person who maintains contact with the Foundation in relation to its mission (e.g., via recommendation),
- From publicly available sources (e.g., company websites).
Types of processed data
If we receive data directly from You, what information we process depends on You. Typically, this includes: email address, email history, and additional data shared during communication, such as full name, nickname, mailing address, phone number, and other information if required for an event.
If we receive data indirectly, it usually includes: email address, email history, full name, and depending on the category of the person, also mailing address or phone number.
For a contact person at a partner organization, this may additionally include: business email, business phone number, workplace and its address, job position, and information about responsibilities within the organization.
In specific cases (e.g., event participation), and only with Your consent, we may process Your image.
Retention period of Your personal data
We will process Your personal data as long as we maintain an active relationship (e.g., responding to inquiries, exchanging correspondence, or for the duration of a contract).
After the relationship ends, Your data will be stored for two years from the end of the calendar year in which the last interaction took place, unless You object to further processing before then.
After this period, Your data will be processed only if permitted or required by applicable law, for example, for statistical purposes, compliance with accounting and tax regulations, maintaining financial records, or pursuing legal claims. In such cases, the data will be processed only to the extent and for the time necessary to achieve these objectives under legal provisions.
2 – Data of donors
Purposes of processing Your personal data and legal basis for processing
Your personal data will be processed for the following purposes:
- Handling the donation process – Data processing is carried out through a bank or payment operator to conclude and execute the donation agreement, including the technical handling of the payment made by You (Article 6(1)(b) of the GDPR).
- Fulfillment of legal obligations – Data processing is carried out to fulfill the legal obligations imposed on the Foundation, including but not limited to compliance with accounting and tax regulations and maintaining the necessary financial and accounting documentation (Article 6(1)(c) of the GDPR).
- Financing statutory activities – Data processing is carried out to analyze donations made to the Foundation, assess the effectiveness of activities, and improve them, which serves the realisation of our statutory objectives. Processing in this regard is based on the legitimate interest of the Foundation (Article 6(1)(f) of the GDPR).
- Sending “thank You” messages and information on fund utilization – Data such as an email address or correspondence address will be processed to send acknowledgements for support and information regarding the expenditure of acquired funds. Data processing in this regard is based on the legitimate interest of the Foundation, which is managing relationships with donors (Article 6(1)(f) of the GDPR).
- Claims handling – Your data may be processed to pursue claims or defend against claims within the area of legitimate interests of the Foundation (Article 6(1)(f) of the GDPR).
Source of data
Your personal data may be received directly from You – after making a transfer, the data will be provided to us by the bank or payment operator.
Types of processed data
In the case of electronic payments, we process data provided by the payment operator, typically including:
First name and surname,
Email address,
Donation amount,
Date of donation,
Payment title.
In the case of bank transfers, we process the data included in the transfer, such as:
First name and surname,
Donation amount,
Date of donation,
Bank account number,
Bank name,
Address,
Bank transfer title data.
If You provide us with Your email address (e.g. through e-payments or in the title of a traditional bank transfer) or correspondence address (e.g., an address linked to Your bank account or another one You provide), we may send You a letter of acknowledgment for Your donation and information on how the funds were used. Providing this data is voluntary and is not required to make a donation unless required by the specific payment system.
Retention period of Your personal data
Your personal data will be stored for the period required by accounting and tax regulations.
The data will be retained:
- For 5 years after the end of the calendar year in which the donation was made.
- For 2 years after the end of the calendar year in which the last interaction with You took place, unless You object to the processing of Your personal data earlier.
After this period, the data will be processed only if permitted or required under applicable law, e.g., for statistical purposes, compliance with accounting and tax regulations, maintaining necessary financial and accounting documentation, or for the purpose of pursuing claims. In such cases, the data will be processed only to the extent and for the duration necessary to achieve these purposes in accordance with legal requirements.
3 – Data of volunteers
Purposes of processing Your personal data and legal basis for processing
Your personal data will be processed:
- When it is necessary for the conclusion and execution of the volunteer agreement (Article 6(1)(b) of the GDPR).
- To fulfill legal obligations imposed on the Beneficiary (Article 6(1)(c) of the GDPR), including those arising from the Act of April 24, 2003, on Public Benefit Activity and Volunteerism (consolidated text: Journal of Laws of 2024, item 1491), such as the requirement to provide You with insurance.
- To pursue the legitimate interests of the Beneficiary, which include asserting potential claims and defending against claims (Article 6(1)(f) of the GDPR).
Source of data
We can obtain Your personal data directly from You.
Types of processed data
We process personal data provided by the volunteer candidate, including:
Identification data,
Address data,
Email address,
Phone number,
If required by the nature of the volunteer work:
educational background,
experience,
professional qualifications.
Once You become a volunteer, we process additional personal data, including:
Identification data,
Address data,
Email address,
Phone number,
Information regarding NFZ (National Health Fund) branch,
Other data required for ZUS (Social Insurance Institution) forms or accident insurance (NNW), if applicable.
Retention period of Your personal data
Your personal data will be processed for the duration of the volunteer agreement and, after its termination, for the period required by legal regulations. Your personal data may also be stored for the duration of the limitation period for potential claims.
4 – Social media
Purposes of processing Your personal data and legal basis for processing
We process Your personal data for the following purposes:
- Interacting on our social media channels by responding to Your messages and participating in discussions in the comments section under posts.
- Promoting our activities and spreading information about the Foundation through posts published on social media platforms.
- Analyzing statistics provided by social media operators, including data on post views, reach, interactions, and the demographics of our followers. The data is collected based on Your activity on social media and serves statistical purposes.
The legal basis for processing Your data is our legitimate interest (Article 6(1)(f) of the GDPR).
Additionally, Your data may be processed for the purpose of asserting or defending against potential claims, which also falls under our legitimate interest (Article 6(1)(f) of the GDPR).
It is important to note that social media platforms, such as Facebook or YouTube, are independent data controllers of their users’ personal data and process them in accordance with their own terms and policies.
When You interact with us on these platforms (e.g., by liking, following, reacting to posts, sharing, commenting, or sending private messages), the Foundation also becomes a data controller of Your personal data.
Once You visit our profile on a social media platform, You are using an external service that operates under its own data processing rules. These platforms may use the collected data for other purposes in accordance with their own policies.
Your interactions on social media platforms, such as likes or comments, may also be visible to other users of the same platform. The Foundation does not share these data with third parties.
The data You provide via social media are not combined with other information unless required by a specific situation (e.g., if You send us a private message requesting contact).
Source of data
We receive Your data when You start following our accounts on social media or interact with us in any other way.
Types of processed data
We may process the following personal data:
Username,
First and last name,
Profile picture,
Public profile information,
Details about when You started following us,
Other information provided in messages, comments, or reactions to our content,
Any additional data You share with us through these channels,
Data processed by social media platforms for statistical purposes.
Retention period of Your personal data
Your personal data will be processed as long as You remain our follower or engage with our content, and until the termination of our social media page.
You have the option to delete Your comments, unfollow our accounts, or deactivate Your social media account at any time, in accordance with the settings and policies of the respective social media platform.
Your data may be stored for the duration of any potential legal claims, in accordance with applicable statutes of limitation.
5 – Our website
Purposes of processing Your personal data and legal basis for processing
We process Your personal data for the following purposes:
- Ensuring the proper functioning of the website, its configuration, error correction and also analytics of statistics and content popularity – based on our legitimate interest (Article 6(1)(f) of the GDPR).
- Analyzing user activity and preferences to improve website functionality and content display (analytical and statistical purposes) – based on our legitimate interest (Article 6(1)(f) of the GDPR).
Cookie files are used in order to adjust the content of the website to Your needs, statistical measurements and website improvement – Your data will be processed based on Your voluntary consent, given when entering the website (Article 6(1)(a) of the GDPR).
Your personal data may be processed for the purpose of legitimate interests pursued by the Foundation, such as the investigation and defense against possible claims (Article 6(1)(f) of the GDPR).
Source of data
Your data is obtained directly from You, based on Your interactions with the website and Your consent to cookies. Providing this data is voluntary. No login is required to use the website’s functionalities.
Types of processed data
When You use the website, certain data is collected automatically. This includes:
IP address,
Domain name,
Browser type,
Operating system type.
These data may be collected via cookies and stored in server logs.
Retention period of Your personal data
Your data will be processed as long as You interact with the website.
Your personal data will be retained for the duration of the website’s operation, and after its termination, for the period required by legal regulations. Your data may also be stored for the duration of any potential legal claims, in accordance with applicable limitation periods.
At any time, You can disable cookie installation or delete them from Your device.
Recipients of Your personal data
Your personal data is not shared with third parties unless it is necessary and explicitly required by applicable laws or technological requirements (e.g., hosting or cloud services). This means data may be shared with entities essential for achieving our statutory objectives, including services that are also commonly necessary for everyday online activities. Depending on the category of the data subject, personal data may be disclosed to entities providing services to the Foundation in connection with contract execution, such as:
- IT service providers responsible for managing IT systems and applications, as well as renting server space (e.g., website administrators, hosting providers, and cloud service providers such as Google and Microsoft).
- Banks and payment operators (for donors, volunteers, and partners) when processing financial transactions.
- Postal operators – Poczta Polska S.A. (Polish Post) and other entities providing postal services according to the law (for traditional mail correspondence).
- Printing service providers, if applicable (e.g., printing books in which Your name is listed as a donor – only if You explicitly request this).
- Accounting service providers (for donors, volunteers, and partners).
- Legal service providers in case of claims or legal matters.
- Insurance companies, if required by law (for volunteers).
- Auditors and certified accountants for financial audits (for donors, volunteers, and partners).
- If an event takes place online – video conferencing platforms.
These entities process personal data based on an agreement with the Foundation and only according to our instructions. The Foundation only works with trusted processors that have signed data processing agreements or provide appropriate technical and organizational security measures. These entities are equally obligated to maintain confidentiality and ensure data security.
Personal data may also be shared with authorized public authorities – tax authorities, law enforcement agencies, regulatory bodies and other government institutions or subjects authorized by law if required by applicable regulations.
Additional information
This Privacy Policy applies to the statutory activities of the Foundation and the www.fundacjarzewobodhi.pl website, of which we are the exclusive administrator. We are not responsible for the privacy policies of other websites that we link to on our website. We may update this document due to advancements in internet technology, changes in personal data protection laws, or developments related to our website and online store. Any changes will be communicated to users as soon as possible in a clear and easily noticeable manner.
For any questions or comments regarding the Privacy Policy, please contact us at: drzewobodhi@gmail.com