Privacy Policy –

Effective date: 22 April 2026

1. Who we are

This privacy policy applies to the website:

• Website name: Plant‑Rich Europe
• Website URL: https://www.plantricheurope.org
• Controller: Madre Brava Stichting
• Registered address: John M. Keynesplein 1, 1066 EP Amsterdam, The Netherlands
• Type of organisation: Non‑profit foundation (NGO) registered in the Netherlands

When this policy says "we" or "us", it means Madre Brava Stichting as the controller of personal data collected via the Plant‑Rich Europe website.

2. Scope and applicable laws

This policy covers how we process personal data when you use plantricheurope.org.

We are based in the Netherlands, and we mainly target users in the EU/EEA, the UK and Switzerland. Our processing is primarily governed by:

• The EU General Data Protection Regulation (GDPR)
• The UK GDPR and the UK Data Protection Act
• Applicable Swiss data protection law

We also aim for broadly similar standards for users from other countries.

We do not target children, and we do not deliberately collect data from people under 18.

3. How you interact with us

On this website:

• You can:
  • Browse pages and content.
  • Contact us via email at info@madrebrava.org.
• You cannot:
  • Create a user account or log in.
  • Register for events.
  • Make donations or payments.
  • Subscribe to a newsletter.
  • Submit job or volunteer applications.
• We do not:
  • Use contact forms.
  • Embed third‑party content (e.g. YouTube, social media feeds, maps).

4. What personal data we collect

We collect and process the following categories of personal data in connection with this website.

4.1. Data you provide to us

When you email us at info@madrebrava.org, we may process:

• Contact details:
  • Email address
  • Name (if included in your message, email signature or email address)
• Content of your message:
  • Any information you choose to share in your email

We do not intentionally request or require special category data (such as health information, ethnicity, religious beliefs or political opinions). Please avoid including such information in your message unless it is strictly necessary.

4.2. Data we collect automatically

When you visit the website, we and our service providers may automatically collect:

• Technical data and usage data, such as:
  • IP address
  • Browser type and version
  • Device type and operating system
  • Referrer URL and pages visited
  • Date and time of your visit
  • Basic interaction information (e.g. clicks, page views)

Some of this data is collected through:

• Server logs (via our hosting on Webflow)
• Cookies and similar technologies used by:
  • Webflow (for essential technical operation)
  • Google Analytics 4 (GA4), where you consent to analytics cookies

5. Why we use your data and legal bases

We process personal data only where we have a lawful basis under GDPR/UK GDPR/Swiss law. Below is a clear summary.

PurposeExamples of dataLegal basisResponding to your enquiriesEmail address, name, content of your emailLegitimate interests – our legitimate interest in responding to and keeping track of communications and requests (EU/UK/CH law)Operating and securing the websiteIP address, technical logs, basic usage dataLegitimate interests – operating a secure, reliable website, detecting abuse or technical issuesAnalytics and performance (GA4)Pseudonymous usage data, device/browser infoConsent – we only use GA4 cookies and similar technologies once you have given consent via the cookie bannerComplying with legal obligationsContact records, emails, logs where relevantLegal obligation – to comply with EU/UK/Swiss and local laws, and to respond to lawful requests from authorities

You can withdraw your consent for analytics cookies at any time (see Section 7).

Where we rely on legitimate interests, we have balanced these interests against your rights and expect this processing to be low‑risk and proportionate.

6. Cookies and similar technologies

6.1. What cookies we use

Our website is built and hosted on Webflow, which uses cookies necessary for the site to function (e.g. load balancing, basic security).

In addition, we use:

• Google Analytics 4 (GA4) cookies – only with your consent – to understand how visitors use our website in an aggregated, pseudonymous way.

We do not use:

• Advertising cookies
• Social media tracking pixels
• Embedded third‑party players (e.g. YouTube, maps, social feeds) on the site

6.2. Cookie banner and your choices

We use Webflow's cookie banner to manage consent for non‑essential cookies (such as GA4). Through this banner, you can:

• Accept analytics cookies.
• Reject non‑essential cookies.

You can also control cookies through your browser settings (for example by blocking or deleting cookies), but this may affect how some websites function.

7. Google Analytics 4 (GA4)

We use Google Analytics 4 to help us understand, in aggregate, how visitors use the site (e.g. which pages are most visited, approximate location, device types).

Key points:

• GA4 uses cookies and similar technologies to collect pseudonymous data about your use of our site.
• GA4 data helps us improve content and usability.
• We configure GA4 so that:
  • IP addresses are not stored in full in Analytics reports.
  • We do not use GA4 to identify individual visitors.
• GA4 processing is carried out by Google LLC and its affiliates.

Legal basis:
We rely on your consent for GA4 cookies and related processing. If you do not consent, GA4 will not be activated (beyond what is strictly necessary for basic loading of the banner, where applicable).

You can withdraw consent by:

• Adjusting your preferences in the cookie banner (if displayed), and/or
• Deleting or blocking analytics cookies via your browser.

8. Who we share your data with

We do not sell your data. We may share personal data with:

8.1. Service providers (processors)

These providers help us operate the website and our communications:

• Web hosting and site platform:
  • Webflow, Inc. – hosts the website and provides the cookie banner and related technical services.
• Analytics:
  • Google LLC / Google Ireland Ltd – Google Analytics 4.
• Email service:
  • Google Workspace (Google LLC / Google Ireland Ltd) – for handling incoming and outgoing email to info@madrebrava.org.

These providers act as processors and only process data on our instructions, under data processing agreements where required.

8.2. Consultants and technical support

• Our web consultant in the UK may access Webflow and related tools to maintain and develop the site. Access is limited to what is necessary.

8.3. Legal and compliance

We may disclose personal data if required by law or if we reasonably believe it is necessary to:

• Comply with a legal obligation or request from a competent authority.
• Protect our rights, security or property, or those of others.
• Investigate and prevent misuse or security incidents.

9. International data transfers

Some of our service providers (such as Webflow and Google) are located in, or may process data in, countries outside the EU/EEA, the UK and Switzerland, including the United States.

Where this happens, we take steps to ensure an appropriate level of protection, for example by:

• Using Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK authorities, and/or
• Relying on other lawful transfer mechanisms recognised under EU, UK and Swiss data protection laws.

You can contact us (see Section 13) for more information about these safeguards.

10. How long we keep your data

We keep personal data only for as long as necessary for the purposes described in this policy, and for any period required by law.

In particular:

• Contact emails and general correspondence:
  • Normally kept for up to 2 years after the last relevant interaction, unless we need to keep them longer for legal, accountability or record‑keeping purposes.
• Server logs and security‑related logs:
  • Typically kept for a limited period (often a few weeks or months) to ensure security and troubleshoot issues, then deleted or anonymised. The exact period may depend on Webflow's standard practices.
• Google Analytics 4 data:
  • Retained according to our GA4 settings (commonly up to 14 months for standard reporting, unless we configure a shorter period).

We may retain specific data longer where required by law (e.g. for tax or accounting records) or where necessary to establish, exercise or defend legal claims.

11. How we protect your data

We take appropriate technical and organisational measures to protect personal data, including:

• Using HTTPS (TLS encryption) for our website to protect data in transit.
• Relying on reputable service providers (Webflow, Google Workspace, Google Analytics) with industry‑standard security measures.
• Limiting access to personal data to people and providers who need it for their role, under confidentiality obligations where appropriate.
• Applying basic security practices when accessing admin areas and email.

No system is completely secure, but we work to keep your data protected and to respond appropriately to potential incidents.

12. Your rights

Subject to applicable law (EU GDPR, UK GDPR, Swiss law), you have various rights in relation to your personal data.

These may include:

• Right of access:
  To request confirmation of whether we process your personal data and obtain a copy of that data.
• Right to rectification:
  To ask us to correct inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten"):
  To request deletion of your personal data in certain circumstances (for example, where it is no longer necessary for the purposes for which it was collected).
• Right to restriction of processing:
  To ask us to restrict our use of your personal data in certain cases.
• Right to object:
  • To object at any time, on grounds relating to your particular situation, to our processing of your data where we rely on legitimate interests.
  • We will then stop processing unless we have compelling legitimate grounds or need the data to establish, exercise or defend legal claims.
• Right to data portability:
  Where our processing is based on your consent or a contract, and carried out by automated means, you may have the right to receive your data in a structured, commonly used and machine‑readable format, and to transmit it to another controller where technically feasible.
• Right to withdraw consent:
  Where we rely on your consent (for example for GA4 analytics cookies), you can withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us using the details in Section 13. We may need to verify your identity before responding.

13. How to contact us

For any questions, concerns or requests about this policy or your personal data, please contact:

• Controller: Madre Brava Stichting
• Email: info@madrebrava.org
• Postal address:
  Madre Brava Stichting
  John M. Keynesplein 1
  1066 EP Amsterdam
  The Netherlands

Please include enough information for us to identify you and understand your request.

14. Complaints and your right to contact an authority

If you are unhappy with how we handle your personal data, we would encourage you to contact us first so we can try to resolve the issue.

You also have the right to lodge a complaint with a data protection authority:

• In the Netherlands (our main supervisory authority):
  Autoriteit Persoonsgegevens – https://autoriteitpersoonsgegevens.nl
• In your country of residence, place of work, or place of the alleged infringement within the EU/EEA.
• In the UK, the Information Commissioner's Office (ICO) – https://ico.org.uk.
• In Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) – https://www.edoeb.admin.ch.

15. Changes to this policy

We may update this privacy policy from time to time, for example to reflect:

• Changes to our website or services.
• Changes in applicable data protection laws or guidance.
• New or updated service providers.

When we make significant changes, we will update the "Effective date" at the top of this page and, where appropriate, provide a notice on the website.