Data Protection

Effective Date: May 28, 2026 · Last Updated: May 28, 2026

This Data Protection Notice explains in plain language how Quenara Foundation, the humanitarian aid brand operated by No Name Foundation (a 501(c)(3) tax exempt nonprofit based in Dover, Delaware, USA, EIN: 35-2882867), protects your personal information across all touchpoints: the website, donor portal, payment flows, email, and field operations. This Notice complements the Privacy Policy with a focus on technical and organizational safeguards, data subject rights, and international transfer protections under GDPR, UK GDPR, and CCPA/CPRA.

1. Data Controller and Contact

Data Controller: No Name Foundation, a Delaware nonprofit corporation operating under the Quenara Foundation brand. Registered address: Dover, Delaware, USA. EIN: 35-2882867.

Privacy contact: privacy@quenarafoundation.com. We aim to respond to data protection inquiries within 5 business days.

2. Personal Information We Process

We process the minimum amount of personal information needed to operate the donation platform and generate IRS compliant receipts. Categories include:

• Identity data: full name, postal address, country of residence,
• Contact data: email address, phone number (optional),
• Financial data: donation amount, currency, payment method type (we never see or store your card number — Stripe tokenization handles this end to end),
• Account data: donor account username, hashed password, account preferences,
• Usage data: log files, IP address, browser type, pages visited, referral source, language preference,
• Communication data: messages you send to our help desk, email subscriptions, response history.

3. Lawful Basis for Processing (GDPR Article 6)

4. Technical Safeguards

4.1 Encryption

• In transit: TLS 1.3 (HTTPS) for all web traffic, including admin areas. Mixed content is blocked at the server level.
• At rest: AES 256 encryption for database fields containing personal information (names, addresses, donation history).
• Payment data: Card numbers, CVV, and expiration dates are tokenized by Stripe at the browser level and never transmitted to our servers. We comply with PCI DSS Level 1 by design (the highest payment card industry security standard).

4.2 Access Controls

• Role based access controls: only authorized staff with legitimate need can access donor records,
• Multi factor authentication required for all admin accounts,
• Audit logs retained for 7 years for all administrative access events,
• Quarterly access reviews to revoke unnecessary permissions.

4.3 Network Security

• Web Application Firewall (WAF) deployed at the edge,
• Rate limiting and bot detection on donation and login endpoints,
• Automated vulnerability scanning weekly,
• Penetration testing annually by an independent third party.

4.4 Backup and Recovery

• Daily encrypted backups retained for 30 days,
• Geographically redundant storage in two regions,
• Tested disaster recovery procedures with RTO under 4 hours.

5. Organizational Safeguards

• Privacy by design: data minimization is the default. We collect only what is strictly needed.
• Staff training: all staff receive annual privacy and security training,
• Vendor due diligence: third party processors (Stripe, hosting providers, email services) are vetted for security standards and bound by Data Processing Agreements,
• Incident response plan: documented breach notification procedures with 72 hour regulator notification timeline (GDPR Article 33),
• Annual policy review: our Data Protection Notice and underlying procedures are reviewed and updated at least annually.

6. Your Data Subject Rights

6.1 GDPR Rights (EU and EEA Residents)

Under Articles 15 to 22 of the General Data Protection Regulation, you have the right to:

• Access: request a copy of all personal information we hold about you,
• Rectification: ask us to correct inaccurate or incomplete information,
• Erasure: request deletion subject to legal retention obligations (IRS records must be kept 7 years),
• Restriction: request that we limit processing pending verification,
• Portability: receive your data in a structured machine readable format,
• Object: object to processing based on legitimate interests,
• Withdraw consent: at any time for processing based on consent (does not affect prior lawful processing),
• Lodge complaint: with a supervisory authority in your country of residence.

6.2 CCPA/CPRA Rights (California Residents)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

• Know: what personal information we collect, use, disclose, and the purposes,
• Delete: request deletion of your personal information (subject to legal exceptions),
• Correct: request correction of inaccurate personal information,
• Opt out of sale: we do not sell personal information,
• Limit use of sensitive personal information: applicable to specific categories,
• Non discrimination: exercising your rights will not result in discriminatory treatment.

6.3 How to Exercise Your Rights

Send a request to privacy@quenarafoundation.com with:

• Your full name and email address as registered,
• The specific right you wish to exercise,
• Sufficient information to verify your identity (we will not honor requests we cannot verify),
• Preferred response format (email or postal).

We respond within 30 days for GDPR requests and 45 days for CCPA requests, extendable once when the request is complex. There is no fee for the first request in a 12 month period. We may decline manifestly unfounded or repetitive requests, providing a written explanation.

7. Data Retention

8. International Data Transfers

8.1 Why We Transfer Data

Quenara Foundation is headquartered in the United States. Personal information you provide will be processed primarily in the USA on infrastructure operated by Stripe (San Francisco, California), our cloud hosting provider, and email service vendors. Some support staff and beneficiary coordination may involve transfers to other countries where we conduct field operations.

8.2 Transfer Mechanisms (GDPR Articles 44 to 49)

• Standard Contractual Clauses (SCCs): we use the European Commission approved SCCs (Implementing Decision 2021/914) for transfers to the United States and other third countries,
• UK International Data Transfer Addendum (IDTA): for transfers involving UK personal data,
• Supplementary measures: encryption at rest and in transit, pseudonymization where feasible, access controls, regular audit,
• Transfer Impact Assessments: we periodically reassess legal protections in destination countries.

8.3 Beneficiary Data Protection

When we collect information about beneficiaries in field countries (for orphan sponsorship, scholarship records, or impact reporting), we apply heightened protection: anonymized identifiers where possible, local data processing where required, no transfer of sensitive personal data outside the beneficiary’s country unless strictly necessary for the program’s operation.

9. Children’s Privacy (COPPA)

Our donor portal is intended for adults 18 and older. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will delete it promptly. Parents who believe their child has submitted information may contact privacy@quenarafoundation.com.

Note: as part of orphan sponsorship programs we collect anonymized information about minor beneficiaries (e.g., first name, age, story) to share with sponsors. This is processed lawfully under the legal basis of vital interest (GDPR Art. 6(1)(d)) and with consent from legal guardians where applicable.

10. Cookies and Tracking

For full details on cookies, please refer to our Cookie Policy. In summary:

• Strictly necessary cookies (session, security, language preference) operate without consent under GDPR ePrivacy Directive exemptions,
• Analytics and marketing cookies require explicit opt in consent through our cookie banner,
• You can withdraw consent or change preferences anytime through the cookie settings link in the footer.

11. Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

• Notify the relevant supervisory authority within 72 hours where required (GDPR Article 33),
• Notify affected individuals without undue delay when the breach is likely to result in high risk to your rights and freedoms (GDPR Article 34),
• Publish a notice on our website when the breach affects a significant number of donors,
• Provide clear guidance on protective steps you can take.

12. Automated Decision Making

We do not use automated decision making or profiling that produces legal or similarly significant effects on individuals. Our sanctions screening process is automated for efficiency but always reviewed by a human before any account action is taken.

13. Updates to This Notice

We may update this Data Protection Notice from time to time. When we make material changes:

• We will post the revised Notice with an updated “Last Updated” date,
• We will notify registered donors by email at least 14 days before the change takes effect,
• Where required by applicable law, we will seek your renewed consent.

14. Contact and Questions

For questions about this Data Protection Notice, to exercise your rights, or to report concerns:

• Email: privacy@quenarafoundation.com
• General inquiries: info@quenarafoundation.com
• Postal address: No Name Foundation, Dover, Delaware, USA
• EU residents: right to lodge a complaint with your national Data Protection Authority,
• California residents: California Attorney General complaint form available at oag.ca.gov/privacy.

Quenara Foundation is the humanitarian aid brand of No Name Foundation, a 501(c)(3) tax exempt nonprofit based in Dover, Delaware, USA. EIN: 35-2882867. We are committed to transparent data protection practices aligned with GDPR, UK GDPR, CCPA, CPRA, and COPPA where applicable.