Privacy Policy

for Null Project

CENTER NALL LLC

Overview

This Privacy Policy explains how CENTER NALL LLC, a Cyprus-based organization operating Null Project (“Null Project,” “we,” “us” or “our”), acting as data controller, collects, uses, stores, shares, protects and otherwise processes personal data when you visit https://null-project.org, make a donation, communicate with us, subscribe to updates, submit forms, apply to participate in initiatives, or otherwise interact with our website, donation interfaces, communications channels and related services (together, the “Service”).

We are committed to processing personal data lawfully, fairly and transparently in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”), applicable laws of the Republic of Cyprus concerning data protection, and, where relevant, applicable rules relating to cookies and electronic communications. This Privacy Policy is intended to provide the information required under Articles 12 and 13 GDPR and, where relevant, Article 14 GDPR.

This website is intended for a mission-driven, donation-based project. It is not an e-commerce store selling goods and it is not a financial product or investment service. Nevertheless, because we use online donation and payment functionality, some processing activities described in this Policy also reflect payment security, fraud prevention, sanctions compliance and related legal obligations that may apply to us or to our payment service providers.

1. Data Protection Principles

We process personal data in accordance with the principles of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. We seek to collect personal data only for specified, explicit and legitimate purposes and to limit the data we process to what is reasonably necessary for those purposes.

Where appropriate, we seek to maintain personal data accurately and up to date, including by relying on users to provide accurate information and notify us of relevant changes. We also seek, where appropriate, to apply principles of privacy by design and privacy by default in the operation, maintenance and improvement of the Service.

2. Who We Are

CENTER NALL LLC is the organization responsible for operating Null Project and for determining the purposes and means of processing personal data described in this Privacy Policy.

Data Controller:

CENTER NALL LLC

4529 Cyprus Limassol, Pyrgos, Agiou Georgiou 8

Privacy@null-project.org

3. How We Use Your Personal Data

We process personal data when you visit our website, make or attempt to make a donation, subscribe to updates, contact us, submit information through forms, communicate with us by email, apply to collaborate or participate in a project, or otherwise interact with the Service.

The exact categories of personal data we process and the legal basis on which we process them depend on the nature of your interaction with us. In some cases, personal data is required so that we can administer a donation, respond to your request, comply with legal obligations, protect the security and integrity of the Service, or prevent fraud and misuse.

4. Categories of Personal Data We May Process

4.1 Information you provide directly

We may process personal data that you provide directly to us, including your full name, email address, country, postal or billing address, the content of your communications, project application details, feedback, and any other information you voluntarily provide through forms, emails, messages, subscriptions or other interactions.

4.2 Donation and transaction information

If you make a donation or attempt to make a donation through the Service, we may process information necessary to administer the donation and associated transaction, including donation amount, currency, timestamps, transaction identifiers, payment status, donor support communications, refund requests, payment dispute information, chargeback-related records and other information reasonably necessary to administer, verify or support the transaction.

Payment card information may be processed directly by payment service providers and gateways. We do not store full payment card numbers, CVV codes or full card authentication data on our own systems.

4.3 Technical, device and usage information

When you use the website, certain information may be collected automatically, including your IP address, browser type and version, device type, operating system, language settings, referral URLs, access timestamps, interaction logs, security logs, session-related information and information collected by cookies or similar technologies, subject where required to applicable consent requirements.

4.4 Compliance and security information

Where reasonably necessary to comply with legal obligations, protect the Service, prevent fraud or respond to disputes, we may process additional information relevant to fraud prevention, transaction monitoring, sanctions screening, suspicious activity review, abuse prevention, anti-money laundering review, security investigations, incident response or legal compliance.

5. Sources of Personal Data

We may obtain personal data directly from you, automatically through your use of the website, from payment service providers, from fraud prevention or technical service providers, from communication providers, from publicly available sources where lawful, and, where necessary, from legal or regulatory sources.

6. Detailed Description of Data Processing Activities

6.1 Automatic collection of information on the website

When you open the website, our systems or the systems of our hosting or infrastructure providers may automatically record information that your browser or device sends. Our purpose in processing such information is to ensure that the website functions properly, remains secure, can be monitored for abuse and technical errors, and can be improved over time.

Depending on the configuration of the website, such information may include your IP address, browser type and version, device information, operating system, referring pages, pages visited, dates and times of access, basic interaction data and security-related logs.

The legal basis for this processing is our legitimate interest under Article 6(1)(f) GDPR in ensuring that the Service functions properly, remains available, secure and reliable, and in preventing abuse or technical misuse. In some cases, the use of cookies or similar technologies may be based on consent where required by applicable law.

We process technical and automatically collected data only for as long as reasonably necessary for the relevant purpose, including website security, diagnostics, abuse prevention and operational continuity. Unless a longer period is needed for a specific incident, legal claim or security investigation, such data is generally retained for a limited period appropriate to those purposes.

6.2 Processing donations and administering transactions

If you make a donation, we process personal data in order to receive, administer and support the transaction, communicate with you where necessary about the donation, maintain records, reconcile payment information, respond to donor support requests, handle refund requests where applicable, and manage disputes or chargebacks.

The legal bases for this processing may include the performance of steps requested by you in connection with the donation, our legitimate interests in operating and administering the Service, and compliance with legal obligations relating to accounting, tax, fraud prevention, sanctions screening or other applicable requirements.

Where certain personal data is necessary in order to process a donation or respond to a donation-related request, failure to provide such data may prevent us from processing the donation, verifying the transaction or providing related support.

6.3 Processing communications, information requests and feedback

If you contact us by email or through forms on the website, we process your personal data in order to respond to your request, provide information, address feedback, handle complaints, maintain relevant records, and, where appropriate, protect and defend our legal rights if a dispute arises.

The information we process may vary depending on the nature of your request, but generally includes your email address, the content of your message, and any supporting information you choose to provide. The legal basis for such processing is our legitimate interests in responding to communications, improving the Service and maintaining records relevant to our operations, and, where applicable, compliance with legal obligations.

6.4 Updates and communications

Where you subscribe to updates, newsletters or similar communications, we may process your contact information and communication preferences in order to send the relevant communications. Where required by law, this processing is based on your consent. Where consent is not required, communications may be sent only where permitted by applicable law and with an appropriate opt-out mechanism.

You may unsubscribe from non-essential communications at any time by using the unsubscribe mechanism included in the communication or by contacting us using the contact details in this Policy.

6.5 Fraud prevention, sanctions screening and related compliance

Because the Service includes donation and payment functionality, certain transactions or interactions may be subject to fraud prevention, transaction monitoring, sanctions screening, abuse prevention and related compliance controls. This may include review of donation-related information, payment metadata, technical indicators, device or network information, dispute patterns and other relevant signals.

The purpose of this processing is to protect the Service, donors, payment partners and the wider payment ecosystem; to prevent fraudulent or abusive activity; and to comply with applicable legal obligations or payment-related requirements. The legal bases may include compliance with legal obligations and our legitimate interests in maintaining security, preventing abuse and ensuring transaction integrity.

In certain cases, we may request additional information where reasonably necessary to verify a donation, review a dispute or refund request, or meet the requirements of a payment partner, legal obligation or security process.

7. Who We Work With

We may use carefully selected third-party service providers to support the operation of the Service. Such providers may include hosting and cloud infrastructure providers, website security and technical support providers, payment processors, email communication providers, fraud prevention providers, analytics providers, auditors, legal advisers and other service providers reasonably necessary for the operation, security and administration of the Service.

Where third-party providers process personal data on our behalf as processors, we seek, where required, to put in place contractual arrangements designed to address applicable data protection obligations, including obligations concerning confidentiality, security and processing only on documented instructions, as appropriate.

In certain contexts, including payment processing and related regulated financial activity, some third-party providers may act as independent data controllers in relation to processing carried out under their own legal and regulatory obligations. In such cases, their own privacy notices may also apply.

We do not sell personal data to third parties.

8. International Transfers

Some service providers may process personal data outside the European Economic Area. Where personal data is transferred internationally, we seek, where required, to rely on appropriate safeguards under GDPR, including adequacy decisions adopted by the European Commission, Standard Contractual Clauses, or other lawful transfer mechanisms as applicable.

Where required and appropriate, we may assess international transfers, including transfer impact considerations and supplementary safeguards, taking into account the nature of the data, the destination and applicable legal requirements. You may request information about relevant safeguards, where applicable, using the contact details below.

9. Consent

Where we rely on consent as the legal basis for processing, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Where consent is required for non-essential cookies, analytics technologies or direct marketing communications, we seek to provide appropriate mechanisms to give, refuse or withdraw consent.

10. Payment Data and Payment Security

Donations made through the website may be processed by PCI-compliant payment service providers, acquiring institutions, gateways and related payment infrastructure providers. Donation transactions may be subject to issuer authorization, fraud screening, sanctions checks, transaction monitoring, payment risk review, dispute review and other payment compliance controls.

Submission of a donation does not guarantee acceptance or successful processing. A donation may be delayed, placed on hold, declined, reversed, reviewed, refunded or blocked where required by law, payment network rules, security controls, fraud prevention measures, sanctions compliance obligations or risk management requirements.

Certain payment-related records may be retained where necessary for transaction administration, refund handling, fraud prevention, disputes, chargebacks, legal obligations, audit or compliance requirements.

11. How We Protect Your Data

We implement reasonable technical and organizational measures designed to protect personal data against unauthorized access, misuse, disclosure, alteration, loss or destruction, taking into account the nature of the data, the risks associated with processing and the requirements of applicable law, including principles reflected in Article 32 GDPR.

Depending on the context, such measures may include role-based access controls, internal access restrictions, provider due diligence, encryption in transit where appropriate, security monitoring, incident response procedures, logging, confidentiality controls and other measures designed to support the integrity, confidentiality and availability of personal data.

Where appropriate, measures may also support restoration of availability and access to personal data following incidents, and we may periodically review or test relevant security measures. However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

12. Personal Data Breaches

Where required by applicable law, personal data breaches may be assessed, documented, notified to competent supervisory authorities and, where required, communicated to affected individuals. Where required, notification to a competent supervisory authority may be made without undue delay and, where feasible, within 72 hours.

13. Cookies and Similar Technologies

We may use cookies and similar technologies for strictly necessary website functionality, security, performance, preferences and, where enabled, analytics. Where required by law, non-essential cookies are used only based on your consent.

Cookie categories may include strictly necessary cookies, analytics cookies and preference cookies. Where a consent management mechanism or cookie banner is available, you may manage your preferences through that mechanism.

Electronic communications, where used, are intended to be conducted in accordance with applicable consent and electronic communications rules, including opt-out mechanisms where required.

14. How Long We Store Your Data

We retain personal data only for as long as reasonably necessary for the purposes described in this Policy and to comply with legal obligations. Retention periods may depend on the nature of the data, the purpose for which it was collected, legal limitation periods, accounting obligations, tax requirements, fraud prevention needs, dispute handling requirements, regulatory expectations and the protection or defense of legal rights.

Where retention is no longer necessary, personal data may be deleted, anonymized or otherwise handled in accordance with applicable legal and operational requirements.

15. Your Data Protection Rights

Under the GDPR, and subject to applicable conditions, limitations and exceptions, you may have the right to request access to your personal data; request rectification of inaccurate or incomplete data; request erasure; request restriction of processing; object to certain processing; request data portability; and withdraw consent where processing is based on consent.

You may also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is permitted by law.

We seek to respond to valid requests without undue delay and, where applicable, within one month, subject to lawful extensions permitted under GDPR. In order to protect personal data and verify the identity of the requester, we may request additional information before fulfilling a request.

Certain rights may be subject to limitations where processing is necessary to comply with legal obligations, anti-money laundering requirements, fraud prevention obligations, sanctions requirements, record-keeping duties, or the establishment, exercise or defense of legal claims.

You have the right to lodge a complaint with the competent supervisory authority in Cyprus if you believe that the processing of your personal data infringes applicable law.

16. Automated Decision-Making and Profiling

We do not engage in solely automated decision-making producing legal or similarly significant effects about you, except to the extent certain automated fraud prevention or payment risk screening tools may be applied by payment providers or security systems as part of transaction risk management. Donations are not used to make decisions about eligibility, creditworthiness or behavioral profiling concerning donors.

17. Special Category Data and Children

We do not intend to collect special categories of personal data unless expressly necessary and lawfully supported. If you believe that special category data has been provided to us unintentionally, please contact us.

The Service is not directed to children where collection of personal data from children would require parental authorization under applicable law.

18. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties and encourage you to review the privacy notices of those third parties before providing personal data or using their services.

19. Policy Amendment

From time to time, we may change this Privacy Policy and adopt a new version. Changes become effective upon posting unless otherwise stated. If we make material changes, we may notify users through the website or by other appropriate means where required by law.

20. Contact Details

You can address questions concerning this Privacy Policy, requests to exercise your data protection rights, or privacy-related complaints to:

CENTER NALL LLC

4529 Cyprus Limassol, Pyrgos, Agiou Georgiou 8

privacy@null-project.org