Data Controller
The controller of your personal data is:
- Full name: NGO Bureau "We Are!" (Громадська організація «Бюро "Ми — є!"»)
- EDRPOU (registration number): 41591439
- Address: 116/24 Shevchenkiv Shliakh St., Beryzan, Kyiv Oblast, 07541, Ukraine
- Email: bureau.we.are@gmail.com
- Phone: +380 (97) 789 81 76
For all data protection enquiries please contact us at the details above.
Scope
This Policy covers the processing of personal data carried out by NGO Bureau "We Are!" in connection with the use of the website lgbt.in.ua and the public dashboard monitor.lgbt.in.ua.
We process data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable Ukrainian law.
If you only read public content and do not subscribe to our newsletter or fill in any forms, we process only technical server logs as described in Section 3. Analytics cookies and Google Analytics 4 are activated only after your separate consent in the cookie banner.
This Policy does not cover the monitoring of publicly available open-web content for the purposes of hate speech documentation. For that activity the Organisation publishes a separate Open-Source Monitoring Notice.
Data We Collect and Why
3.1 Server logs
Hosting provider Netlify Inc. automatically records technical data on each request to the site: IP address, browser type, operating system, URL, date and time of request, HTTP response status. This is processed on the basis of legitimate interest to ensure technical security and stable operation. We do not have direct interactive access to these logs.
3.2 Newsletter subscription (email)
If you voluntarily enter your email address in the subscription form, we pass it to Brevo (SAS Sendinblue, France) to send newsletters. The legal basis is your free and unambiguous consent (GDPR Art. 6(1)(a)). You may withdraw consent at any time by clicking the unsubscribe link in any email or by writing to us.
3.3 Contact forms
Data you provide through contact forms (name, email, message) is used solely to respond to your enquiry. Legal basis: performance of a contract or pre-contractual measures at your request (GDPR Art. 6(1)(b)) and our legitimate interest in corresponding with persons who contact the organisation.
3.4 Public monitoring statistics
The website displays aggregated, anonymised statistics from the Bureau's database (record counts etc.). These contain no personal data.
3.5 Incident-reporting form
The incident-reporting form accepts only links to publicly accessible open-web content. Please do not submit material from closed or private groups, chats, correspondence, restricted documents, or information about children or other third parties' personal data.
If the Organisation inadvertently receives impermissible material, it may not be processed on its merits and will be deleted without inclusion in the monitoring database.
3.6 Website analytics
With your consent, the site may use Google Analytics 4 via Google Tag Manager to understand overall page traffic, popular content and usage patterns. We use this data in aggregate form to improve the site's structure and content.
Analytics are not used for advertising profiling, targeted advertising, or decisions about individual visitors. We do not transmit to Google any identifiers such as names, emails, phone numbers, or form content.
Legal Basis for Processing (GDPR Art. 6)
- Consent (Art. 6(1)(a)): newsletter subscription; use of analytics cookies and Google Analytics 4.
- Contract performance / pre-contractual steps (Art. 6(1)(b)): responding to enquiries via the contact form.
- Legitimate interest (Art. 6(1)(f)): technical security and server logs; responding to inbound enquiries; protection against abuse.
We do not carry out automated decision-making or profiling (GDPR Art. 22) of website visitors.
Third Parties and Data Transfers
The following processors and service providers are engaged to operate the site:
| Service | Purpose | Country | Privacy document |
|---|---|---|---|
| Netlify Inc. | Website hosting, CDN and serverless functions | USA (EU SCCs) | Privacy Policy |
| Brevo (Sendinblue) | Newsletter delivery (subscribers only) | EU (France) | Privacy Policy |
| Google Ireland Ltd. / Google LLC | Google Tag Manager and Google Analytics 4 for visitor analytics (consent-gated) | EU / USA (EU SCCs) | Privacy Policy |
| Supabase Inc. | Database (public aggregated statistics only) | USA (EU SCCs) | Privacy Policy |
| jsDelivr (Cloudflare CDN) | Delivery of Supabase JS library | EU / USA | Privacy Policy |
| Google Fonts | Montserrat typeface (loaded from Google servers) | USA (EU SCCs) | Privacy Policy |
Transfers to the USA are governed by EU Standard Contractual Clauses (SCCs) adopted by Commission Decision of 4 June 2021. We do not sell or share your data with third parties for marketing or profiling purposes.
Note: when loading the site, your browser automatically connects to Google Fonts servers to retrieve the Montserrat typeface, transmitting your IP address. This transfer is based on legitimate interest. If you wish to prevent this, you may disable external font loading in your browser settings.
Cookies
A cookie is a small text file stored in your browser when you visit the site. The site uses strictly necessary cookies for security and correct operation, and may use Google Analytics 4 analytics cookies only after your consent. Advertising cookies, remarketing and ad personalisation are not used.
Strictly necessary (technical) cookies
| Name | Set by | Purpose | Duration | Type |
|---|---|---|---|---|
__cf_bm |
Cloudflare / jsDelivr | Bot and DDoS protection when loading JS library | 30 min | |
_cfuvid |
Cloudflare / Netlify | CDN session identification for security and load-balancing | Session | |
nf_ab |
Netlify | Netlify A/B testing (if enabled) | Session |
Functional cookies
| Name | Set by | Purpose | Duration | Type |
|---|---|---|---|---|
sb-<project>-auth-token |
Supabase | Admin-panel authentication session (authorised users only) | 7 days |
Analytics cookies (consent-gated)
| Name | Set by | Purpose | Duration | Type |
|---|---|---|---|---|
_ga |
Google Analytics 4 | Distinguishing visitors in aggregated statistics | Up to 2 years | |
_ga_<container-id> |
Google Analytics 4 | Session maintenance and page-view / event measurement | Up to 2 years |
Google Tag Manager is used as a container to manage analytics tags but must not load Google Analytics before your consent. The site applies basic consent mode: if you decline analytics cookies, Google Analytics does not fire.
Managing cookies
You may change or withdraw your consent at any time:
You can also manage, block or delete cookies through your browser settings:
Note: blocking strictly necessary cookies may limit site functionality.
Retention Periods
- Netlify server logs: up to 30 days, then automatically deleted.
- Newsletter subscriber email: retained in Brevo until consent is withdrawn (unsubscribe).
- Contact-form data: up to 24 months from the date of last correspondence or resolution of the matter.
- Google Analytics 4 data: retained according to GA4 property settings; we select the minimum practical retention period sufficient for traffic analysis and site improvement.
- Session cookies: deleted when the browser is closed or on expiry of the stated duration.
Your Rights as a Data Subject
Under GDPR (Arts. 15–22) you have the following rights:
Obtain confirmation of whether we process your data and receive a copy.
Request correction of inaccurate or completion of incomplete data.
Request deletion of your data ("right to be forgotten") where grounds exist.
Request temporary suspension of processing of your data.
Receive your data in a structured format or have it transferred to another controller.
Object to processing based on legitimate interest or for direct marketing.
Withdraw consent (e.g. for newsletter) at any time without affecting the lawfulness of prior processing.
Lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights or the supervisory authority in your country of residence.
To exercise any of these rights, contact us at bureau.we.are@gmail.com. We will respond within 30 calendar days (GDPR Art. 12(3)).
Data Security
We implement technical and organisational measures in accordance with GDPR Art. 32 to protect personal data against unauthorised access, destruction, alteration or disclosure:
- All traffic between browsers and the site is transmitted over the secure HTTPS protocol (TLS 1.2+).
- Access to administrative systems is protected by authentication and role-based access controls.
- API keys and secrets are stored in secure hosting environment variables and are not included in public code.
- The Supabase database is protected by Row-Level Security (RLS) policies.
In the event of a security breach that may pose a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes set out in GDPR Arts. 33–34.
Minors
Our website is not intended for persons under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us for deletion.
Changes to this Policy
We may update this Policy in response to changes in legislation, technical infrastructure or services. The current version is always available on this page with the effective date shown.
If changes materially affect the processing of your data or your rights, we will notify newsletter subscribers in advance.
Data Protection Contact
For all questions relating to personal data processing, the exercise of your rights, or this Policy, please contact us:
NGO Bureau "We Are!"
📬 116/24 Shevchenkiv Shliakh St., Beryzan, Kyiv Oblast, 07541, Ukraine
We respond to personal data requests within 30 calendar days.
If you consider that the processing of your data infringes GDPR requirements, you have the right to lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (ombudsman.gov.ua) or with the supervisory authority in your country of residence.
Use of AI Tools
The Organisation may use artificial intelligence tools as an auxiliary means for technical analysis, text summarisation, translation, content classification, pattern detection, neutral summarisation and draft content preparation.
The Organisation does not use AI for automated evaluation of individuals, profiling of private users, identity inference, construction of "risk lists", or decision-making without mandatory human oversight.
Before passing material to an external AI tool, the Organisation applies data minimisation: direct identifiers and quasi-identifiers not necessary for the task at hand are removed or masked. Consultation case files, materials from closed sources and data that could directly identify a vulnerable individual are not passed to external AI tools.
Final assessment, interpretation and decisions regarding the use of AI-generated outputs are always made by a human.
Open-Source Monitoring
This Policy does not exhaustively describe the procedure for monitoring publicly available open-web content for the purposes of hate speech documentation. The aim of monitoring is to analyse content and narratives in the public information space, not to identify private individuals.
For the principles, limitations and legal basis of open-source monitoring, see the Open-Source Monitoring Notice.