Privacy Policy
Last Updated: April 04, 2026
1. Introduction
NaturKultur e.V. ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the EVoly platform, including our web application and mobile applications (collectively, the "Platform").
NaturKultur e.V. acts as the data controller for personal data processed in connection with operating, securing, administering, and improving the EVoly platform. Participating organizations generally act as independent data controllers for personal data they input, manage, or process through EVoly in connection with their volunteers, projects, and activities.
Data Processor:
NaturKultur e.V.
Hinterm Horn 5
27711 Osterholz-Scharmbeck
Germany
Email: info@naturkultur.eu
This Privacy Policy is intended to comply with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable EU and German data protection laws.
2. Information We Collect
2.1 Information You Provide Directly
Account Registration Information:
- Email address
- First and last name
- Phone number (optional)
- Password (encrypted)
Profile Information:
- Profile photo/avatar (optional)
- Personal documents (e.g., identification, contracts, insurance policies)
- Emergency contact details
- Current address
- Volunteer preferences and availability
Content You Create:
- Task feedback
- Personal journal entries (private notes)
- Project check-in/check-out records
- Messages and communications within the Platform
Organization Information (for Admins):
- Organization name and details
- Organization branding materials
- Organization documents and policies
2.2 Information Collected Automatically
Usage Data:
- Pages and features accessed
- Time and date of access
- Time spent on pages
- Navigation paths through the Platform
- Device information (operating system, browser type, device model)
- IP address and approximate geographic location
- App version and performance data
Content Metadata:
- File names, types, and sizes of uploaded documents
- Upload timestamps and user actions
- Content modification history
- Automated content analysis results (for safety and security purposes)
Technical Data:
- Login and authentication logs
- Session information
- Error reports and diagnostic data
- Performance metrics
Cookies and Similar Technologies: We use cookies and similar tracking technologies to:
- Maintain your login session
- Remember your preferences
- Analyze Platform usage and performance
- Improve user experience
2.3 Information from Third Parties
We may receive information about you from:
- Your organization (when they invite you to join EVoly)
- AWS services (hosting and infrastructure data)
- Email service providers (delivery status, bounce information)
3. How We Use Your Information
We process your personal data for the following purposes:
3.1 Legal Basis: Contract Performance
To provide and maintain EVoly services, including:
- Creating and managing your account
- Facilitating volunteer management and project coordination
- Enabling communication between volunteers, coordinators, and admins
- Processing check-ins/check-outs and task assignments
- Providing access to the AI chatbot assistant
- Securely storing your documents and journal entries
3.2 Legal Basis: Legitimate Interest
To improve and secure the Platform:
- Analyzing usage patterns to enhance features
- Monitoring and improving Platform performance
- Detecting and preventing fraud, abuse, and security threats
- Scanning uploaded content for prohibited material (malware, illegal content)
- Moderating content to ensure compliance with Terms of Service
- Conducting system maintenance and troubleshooting
- Generating anonymized analytics and reports
3.3 Legal Basis: Consent
For optional features where you provide explicit consent:
- Marketing communications (where applicable)
- Using your data for specific purposes beyond core functionality
You may withdraw consent at any time through your account settings.
3.4 Legal Basis: Legal Obligation
To comply with legal requirements:
- Responding to legal requests and court orders
- Maintaining audit logs and records as required by law
- Fulfilling data retention obligations
- Protecting legal rights and interests
4. Data Sharing and Disclosure
4.1 Within Your Organization
Your information may be accessed by authorized users within your organization:
- Organization Admins can access profiles, documents, and activity data of users in their organization
- Volunteer Coordinators can access information of volunteers assigned to their projects
- Other Volunteers may see your name and basic information in shared projects
Your personal journal entries are private and not shared with anyone unless required by law.
4.2 Service Providers
We share data with trusted third-party service providers who assist in operating EVoly:
Amazon Web Services (AWS):
- Cloud hosting and data storage
- Infrastructure and server management
- Data processing and database services
Amazon Lex:
- AI chatbot functionality
- Natural language processing
- Conversational interface
Email Service Provider (NaturKultur's email service):
- Sending notification emails
- Account verification and password resets
- System alerts and updates
These providers are contractually obligated to protect your data and use it only for specified purposes.
4.3 Legal Requirements
We may disclose your information when required by law or to:
- Comply with legal processes (subpoenas, court orders)
- Enforce our Terms of Service
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or the public
- Prevent fraud or security threats
- Respond to government requests
- Report illegal content to law enforcement (especially child sexual abuse material, terrorism-related content, or violent crimes)
- Cooperate with investigations by authorities
Mandatory Reporting: We are legally obligated to report certain illegal content to authorities, including:
- Child sexual abuse material (CSAM) - reported to the German Federal Criminal Police Office (BKA) and the National Center for Missing & Exploited Children (NCMEC)
- Terrorism-related content - reported to appropriate authorities
- Other serious crimes as required by German law
When reporting illegal content:
- We preserve evidence for law enforcement
- We may provide user information (IP addresses, account details, timestamps)
- We cooperate fully with investigations
- We do not notify users when their content is reported to authorities for illegal material
4.4 Business Transfers
In the event of a merger, acquisition, or asset sale, personal data may be transferred. Users will be informed of any material changes affecting their data.
4.5 What We Don't Do
We do NOT:
- Sell your personal data to third parties
- Share your data for third-party marketing purposes
- Use your personal journal entries to train AI models
- Provide your data to advertisers
5. Data Retention
We retain personal data only as long as necessary for the purposes described, unless a longer period is legally required.
5.1 Active Accounts
Data is retained while the account remains active:
- Your profile and account information
- Usage data and activity logs
- Documents you've uploaded
- Journal entries and feedback
5.2 Deleted Accounts
Upon deletion:
- Identifiable personal data is removed within 30 days
- Anonymized data may be retained for analytics
- Legal or financial records are retained per statutory requirements
- Security audit logs may be retained
5.3 Inactive Accounts
Inactive accounts may be reviewed, minimized, or deleted after user notification.
5.4 Legal Retention Requirements
We retain certain data to comply with:
- German accounting and tax laws
- GDPR documentation requirements
- Legal hold obligations
6. Your Rights Under GDPR
As an individual in the European Union, you have the following rights regarding your personal data:
6.1 Right of Access
You can request a copy of the personal data we hold about you, including:
- What data we collect
- How we use it
- Who we share it with
- How long we retain it
6.2 Right to Rectification
You can request correction of inaccurate or incomplete personal data through your account settings or by contacting us.
6.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data when:
- It's no longer necessary for the purposes collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- Data was unlawfully processed
Exceptions: We may retain data if required by law or for legal claims.
6.4 Right to Restriction of Processing
You can request that we limit processing of your data when:
- You contest the accuracy of the data
- Processing is unlawful but you don't want deletion
- We no longer need the data but you need it for legal claims
- You've objected to processing pending verification
6.5 Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format to:
- Transfer to another service provider
- Store for personal use
This applies to data you provided based on consent or contract.
6.6 Right to Object
You can object to processing based on legitimate interests for reasons related to your particular situation. We must stop processing unless we demonstrate compelling legitimate grounds.
6.7 Rights Related to Automated Decision-Making
EVoly does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Our AI chatbot provides assistance only and does not make decisions about you.
6.8 Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time. This doesn't affect the lawfulness of processing before withdrawal.
6.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:
German Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Email: poststelle@bfdi.bund.de
Website: www.bfdi.bund.de
Or your local EU data protection authority.
6.10 How to Exercise Your Rights
To exercise any of these rights:
- Contact us at info@naturkultur.eu
- Verify your identity (we may request additional information)
- We will respond within 30 days (extendable by 2 months for complex requests)
Where a request relates to data controlled by a participating organization, we may forward the request to that organization or instruct you to contact it directly, as appropriate under applicable data protection law.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption, access controls, monitoring, staff training, and breach response procedures:
7.1 Technical Measures
- Encryption: Data in transit (TLS/SSL) and at rest
- Authentication: Password hashing, multi-factor authentication (MFA)
- Access Controls: Role-based access, principle of least privilege
- Monitoring: Security logging, intrusion detection
- Regular Updates: Security patches and software updates
7.2 Organizational Measures
- Data Minimization: Collecting only necessary data
- Privacy by Design: Building privacy into system architecture
- Staff Training: Regular security and privacy training
- Vendor Management: Due diligence on service providers
- Incident Response: Procedures for data breach notification
7.3 Data Breach Notification
In the event of a data breach affecting your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours
- We will notify affected individuals without undue delay
- We will provide information about the breach and mitigation steps
8. International Data Transfers
8.1 Primary Data Location
Your data is primarily stored and processed within the European Union through AWS's EU data centers.
8.2 Transfers Outside the EU
If data is transferred outside the EU/EEA:
- We ensure adequate protection through EU-approved mechanisms
- We use Standard Contractual Clauses (SCCs) approved by the European Commission
- We comply with GDPR requirements for international transfers
8.3 AWS Global Infrastructure
AWS may process data across its global infrastructure. AWS maintains GDPR compliance and provides appropriate safeguards for international transfers.
9. Children's Privacy
EVoly is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected data from someone under 18, we will delete it promptly.
If you believe a child has provided us with personal information, please contact us immediately.
10. Third-Party Links and Services
The Platform may contain links to external websites or integrate with third-party services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.
11. AI Chatbot and Data Processing
11.1 Chatbot Functionality
Our AI chatbot (powered by Amazon Lex) processes your queries to provide assistance with platform navigation and general questions.
11.2 Data Processing
- Chatbot conversations may be logged for quality improvement
- Conversations are processed by Amazon Lex according to AWS privacy policies
- Your personal journal entries are NEVER used to train AI models
- The public chatbot has access only to non-confidential information
11.3 Opting Out
You can choose not to use the chatbot feature. It is optional and not required to use EVoly's core functions.
12. Updates to This Privacy Policy
We may update this Privacy Policy periodically to reflect:
- Changes in our practices
- Legal or regulatory requirements
- New features or services
- Feedback from users or authorities
12.1 Notification of Changes
We will notify you of material changes by:
- Posting the updated policy with a new "Last Updated" date
- Sending an email notification (for significant changes)
- Displaying an in-app notice upon your next login
12.2 Continued Use
Your continued use of EVoly after changes constitutes acceptance of the updated Privacy Policy. If you disagree with changes, you may delete your account.
13. Contact Us
13.1 General Privacy Inquiries
For questions about this Privacy Policy or our data practices:
Email: darkomitevski@naturkultur.eu
Mail:
NaturKultur e.V.
Hinterm Horn 5
27711 Osterholz-Scharmbeck
Germany
13.2 Data Protection Officer
If we appoint a Data Protection Officer (DPO), their contact information will be provided here.
13.3 Response Time
We aim to respond to all privacy inquiries within 30 days. Complex requests may take up to 90 days, and we will inform you of any extensions.
14. Additional Information for Specific Regions
14.1 European Union (GDPR)
This entire Privacy Policy is designed to comply with GDPR requirements. See Section 6 for your specific rights under GDPR.
14.2 Germany
We comply with the German Federal Data Protection Act (BDSG) and applicable German state laws.
14.3 Other Jurisdictions
If you are accessing EVoly from outside the EU, your data may be transferred to and processed in the EU. By using the Platform, you consent to this transfer and processing in accordance with this Privacy Policy.
15. Special Categories of Data
We do not generally collect "special categories" of personal data under GDPR (such as health data, racial origin, political opinions). However:
- Documents You Upload: If you voluntarily upload documents containing special category data (e.g., medical certificates), you provide explicit consent for us to process these documents
- Organization Policies: Some organizations may collect health or safety information; this is managed at the organization level
You should only upload sensitive personal data if necessary and with an understanding of how it will be used.
16. Your California Privacy Rights (If Applicable)
Although EVoly is based in Germany and primarily operates in the EU, if you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA).
For questions about CCPA rights, please contact us at the address provided in Section 14.
17. Data Processing Agreement
Organizations using EVoly to manage volunteers may act as joint data controllers or processors. We can provide Data Processing Agreements (DPAs) upon request to ensure GDPR compliance.
This Privacy Policy was last updated on April 04, 2026. Please review it regularly for any changes.
For privacy-related questions or to exercise your rights, contact us at info@naturkultur.eu.