Privacy
1. Privacy at a Glance
This privacy policy explains what personal data BoardCompanions collects when you use this website, why we collect it, and how we handle it.
Who is responsible? Data processing on this website is carried out by the website operator. See Section 9 for contact details.
What data do we collect? We collect data you provide to us (intake forms, contact form, account registration) and technical data recorded automatically by our servers (IP address, browser type, timestamps).
What do we use it for? To operate the BoardCompanions matching program — connecting experienced business leaders with social-profit organisations for pro-bono governance roles.
What rights do you have? You can request access to, correction of, or deletion of your data at any time. You can withdraw your consent or lodge a complaint with a supervisory authority. See Section 7.
2. What We Collect
Companion Intake Form
When you apply as a Companion, we collect: first name, last name, email address, phone number (optional), LinkedIn URL, INSEAD alumni profile URL (optional), graduation year, years of experience, a short bio, areas of expertise, working languages, country, and availability.
Organisation Intake Form
When your organisation applies to work with us, we collect: organisation name, legal name, type, website, LinkedIn page, address, country, geographic scope, contact person name, position, email and phone, purpose and mission statement, strategic goals, annual budget range, staff and volunteer numbers, organisational structure, current challenges, expertise needed, time commitment, and preferred language.
The contact person's name, email, phone, and position are personal data subject to this privacy policy, even in a professional context.
Contact Form
When you use the contact form, we collect your name, email address, and message.
User Accounts
If you create an account (for Companions, organisation contacts, or team members), we store your email address, a hashed password, and display name.
Server Log Files
Our servers automatically collect technical data when you visit this website: IP address, browser type and version, operating system, referrer URL, and time of access. This data is collected based on our legitimate interest in secure and stable website operation (Art. 6(1)(f) GDPR) and is retained for 30 days.
Campaign Attribution (UTM Tags)
If you arrive at our intake form via a tagged link from one of our outreach emails or partner sites, the URL may contain campaign-attribution parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term). When you submit your application, these parameters are stored on your record so we can see which outreach efforts reach which applicants — for example, to evaluate whether a particular mailing was effective. We do not use them to track you across pages or sessions, we do not share them with anyone, and we do not set any cookie to retain them. The legal basis is the same consent under which you submit the rest of your intake data.
What We Do NOT Collect
This website does not use tracking cookies, advertising scripts, analytics tools, social media widgets, tracking pixels, or third-party fonts. All fonts are self-hosted. No data is transmitted to third parties during normal browsing.
3. How We Use Your Data
Matching Program
Intake form data is used exclusively for the BoardCompanions matching process. This includes:
- Reviewing your application (by the country team responsible for your geography)
- Scheduling and conducting intake conversations
- Including your profile in matching processes (for Companions: sharing organisation briefings with you; for organisations: sharing your briefing with Companions)
- Recording successful placements
- Sending you email communications about your application status, matching processes, and program updates (if you opted in)
Data Sharing Within BoardCompanions
Your data is shared with the BoardCompanions country team responsible for your geography. During the matching process, your profile or briefing may be shared with the other party (Companion or organisation). The BoardCompanions.org team has read-only access to application data across all countries for coordination and quality assurance.
No Third-Party Marketing
We do not sell, rent, or share your personal data with third parties for marketing or commercial purposes.
4. Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent (Art. 6(1)(a) GDPR): When you submit an intake or contact form, you give explicit consent via a checkbox. You can withdraw this consent at any time.
- Contract performance (Art. 6(1)(b) GDPR): Processing your data through the matching program, sending transactional emails (account verification, password reset, application status updates), and providing access to member resources.
- Legitimate interest (Art. 6(1)(f) GDPR): Server log files for security and debugging. Internal team notes for quality assurance. Aggregated statistics for impact reporting.
5. Data Processors
We use the following service providers (data processors under Art. 28 GDPR) to operate this website:
Hetzner Online GmbH (Hosting)
This website and all application data are hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. All personal data is stored in Hetzner's data centre in Nuremberg, Germany (EU). A data processing agreement is in place. For more information, see Hetzner's Privacy Policy.
Brevo / Sendinblue SAS (Email)
We use Brevo (Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France) for transactional email (account verification, application status updates) and briefing distribution. Brevo receives your email address and name for personalisation. Data is stored on EU servers. A data processing agreement is in place as part of Brevo's terms of service. For more information, see Brevo's Terms of Use.
Migadu-Mail GmbH (Inbound Mailbox Hosting)
Inbound email replies (e.g., to germany@boardcompanions.net) are received by mailboxes hosted at Migadu-Mail GmbH, Rohnen 587, CH-9414 Schachen, Switzerland (contact@migadu.com; Data Protection Officer: Herr Michael Bruderer, same address). Migadu may receive personal data sent by the writer of an email (name, email address, message content). Switzerland is recognised by the European Commission as providing an adequate level of data protection (GDPR Art. 45), so this is not a third-country transfer requiring additional safeguards. A data processing agreement is in place — see Migadu's DPA.
Anthropic, PBC (AI Assistant for Operational Tasks)
As part of day-to-day operations, the controller uses the AI assistant Claude, provided by Anthropic, PBC, San Francisco, CA, USA, for tasks such as drafting and translating content, classifying or triaging incoming mailbox replies, and process management / automation work. Personal data you have shared with us (name, email address, message content) may be transmitted to Anthropic where necessary for the specific task. Transmission happens on a per-task basis and is limited to what is needed for that step.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient operation of a small non-profit website with limited admin capacity).
Data transfer: Anthropic is a US-based company. Transfers are safeguarded by Standard Contractual Clauses (SCCs, Art. 46 GDPR) under the Anthropic Data Processing Addendum.
Training and retention: Under Anthropic's API terms, customer data submitted via the API is not used by default to train models. Anthropic retains API data for up to 30 days for trust-and-safety purposes and then deletes it. See Anthropic's Commercial Terms of Service and Data Processing Addendum.
No Other Third-Party Services
We do not use analytics, advertising networks, social media widgets, or any other third-party services that receive your data. LinkedIn is linked as a plain hyperlink — no data is transmitted until you click and visit LinkedIn, where their own privacy policy applies.
6. Data Retention
We retain your data for as long as you are an active participant in the BoardCompanions program. Your application history, matching processes, and placements are part of your record with us and are kept for the duration of your membership.
Specific retention periods:
- Active Companions and organisations: retained for the duration of your membership.
- Inactive participants (no activity for 2+ years): we send a reactivation email. If no response within 30 days, we mark you as departed.
- Departed participants: personal data is anonymised 1 year after departure. Anonymised records (without identifying information) may be retained for aggregate statistics.
- Declined applications: personal data is deleted 6 months after the decision.
- Contact form submissions: deleted 6 months after resolution.
- Server logs: automatically deleted after 30 days.
You can request deletion of your data at any time, regardless of these retention periods (see Section 7).
7. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data. You can also update your own profile through the member area.
- Erasure (Art. 17): Request deletion of your personal data. We will comply unless we have a legal obligation to retain it. If you have a Companion account, you can also request deletion directly from your member profile; we apply a 30-day grace period before anonymisation completes.
- Restriction (Art. 18): Request that we stop processing your data while a complaint is being resolved.
- Data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON).
- Objection (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)): Withdraw your consent at any time. This does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, email info@boardcompanions.be. We will respond within 30 days.
Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The lead authority for BoardCompanions is:
Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35, 1000 Brussels, Belgium
www.gegevensbeschermingsautoriteit.be
You may also complain to the supervisory authority in your country of residence.
8. International Data Transfers
Application and member data is stored within the European Union. Our hosting provider (Hetzner) operates in Germany, and our email provider (Brevo) operates within the EU. Inbound mailbox hosting (Migadu) is in Switzerland, which the European Commission has recognised as providing an adequate level of data protection (GDPR Art. 45) — so this is not treated as a third-country transfer.
The one exception is the AI assistant Anthropic (United States), used per-task as described in Section 5. Transfers to Anthropic are safeguarded by Standard Contractual Clauses (SCCs, Art. 46 GDPR) included in the Anthropic Data Processing Addendum. Only data relevant to the specific task is transmitted.
9. Data Controller
The data controller for this website is:
BoardCompanions.org ASBL
Rue Georges Lorand 16
1050 Ixelles, Belgium
BCE/KBO: BE0720.607.357
Represented by: Erik Weytjens, President
German representative:
Nils Boeffel
info@boardcompanions.net
For data protection inquiries, contact info@boardcompanions.be.
10. Cookies
This website uses only essential cookies required for its operation:
- Session cookie: maintains your login session in the member and team areas. Expires when you log out or close your browser.
- CSRF token: protects form submissions against cross-site request forgery. Essential for security.
No advertising cookies, analytics cookies, or tracking technologies are used. No cookie consent banner is required because only essential cookies are set.
11. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. When we make significant changes, registered users will be notified by email. The current version is always available at this URL.
Last updated: April 2026