Privacy Policy

This policy is applicable to and all personal data processed via publicly available digital services provided by European Digital Rights (EDRi), AISBL registered at 12 Rue Belliard, 1040 Brussels, Belgium.

To submit a data access request or ask for more information about EDRi's data protection and privacy policy, you can contact EDRi's Data Protection Officer at DPO [at] edri [dot] org.



We use data to provide you with the page, make sure it remains secure and use anonymous data for reporting and evaluation purposes.

We honour encrypted browsing (https) by default. Our websites are managed by our trustworthy service provider, Spectre Operations, based in the Netherlands. Spectre Operations acts as a processor of data whereas EDRi is the data controller. We have signed a data processing agreement with Spectre Operations. Spectre Operations will only use the logs and any other information for troubleshooting the supplied services and for monitoring usage patterns for security purposes.

Our website does not use cookies or web beacons and we do not collect data on clicked links. The processing of web usage data is kept to a minimum. We have no control over tracking technologies used by sites and services to which we link.

For reporting and evaluation purposes, we collect some statistics on the visits and downloads on our website with Matomo, a web analytics platform that gives us 100% data ownership. All data collected is anonymised, and we do not share it with third parties. The server software retains access logs (which contain individual IP addresses and pages visited) for the purposes of troubleshooting and generating aggregate statistics. We use this information to provide an indication of faults and to identify peak usage times so that we can decide when to make major site modifications.

The legal basis for this processing is our legitimate interest, under art 6(1)(f) of the General Data Protection Regulation (GDPR).


We process your contact details when you contact us by email or via our website.

We process the information you provide us, such as you name and email address, solely to handle your requests. The legal basis for such processing is your consent under art 6(1)(a) GDPR.

When you send us an email it is stored on our email server in the Netherlands and potentially on recipients' local devices. As a result, emails are susceptible to lawful access under Dutch jurisdiction. Our current service provider is Spectre Operations (see above).

Each EDRi employee is responsible for managing and enforcing data minimisation with regard to the communications that s/he receives or sends, and we endeavour to keep this information stored securely through the use of encrypted emails. We keep emails for a maximum of 24 months, after which they are deleted.

We do not solicit information on political and religious beliefs or medical information. When such sensitive personal information is provided to us through our email or postal addresses, we delete or anonymise this information as soon as possible.

EDRi staff members use PGP to encrypt emails. You can find their keys on the EDRi website and on public keyservers.

Mailing lists

We run a variety of open and closed mailing lists hosted on our servers at Spectre Operations. If you subscribe to our campaigns mailing list or to one of our other public mailing lists, we will process your email address. The membership of these mailing lists is kept confidential, and only available to selected EDRi staff members for the purpose of list management. The legal ground for the collection and processing is your consent under article 6.1 (a) GDPR.

Traffic data of emails we send and receive through the services of Spectre Operations is subject to the Netherlands data retention legislation. We only log details of the email addresses and mail servers involved in delivery.

We delete your personal data as soon as you ask us to be removed from a mailing list.

Newsletters and press releases

If you subscribe to EDRi-gram or to one of EDRi's other newsletters, including the press releases, the information you provide, such as your e-mail address, names and background will be stored and processed on our self-hosted CRM. It will only be used by EDRi's comms team to send you the mailings you subscribed to. The information will never be shared with third parties of any kind. Aggregate information about subscribers such as the number of subscribers can be used for other publications.

EDRi commonly uses ('double') confirmed opt-in for subscribers to any mailinglist unless you email us, call us or orally tell us to add you to a given mailinglist. In any of those cases the legal ground for the collection and processing is your consent under Article 6.1 (a) GDPR.

We delete your personal data as soon as you ask us to be removed from a newsletter.

By using professional, self-hosted mailinglist software like Mailman and CiviCRM, EDRi aims at minimising the abuse risk of email addresses by third parties. Subscribers can subscribe or unsubscribe themselves, without any intervention from EDRi. Maintenance, system operation and security of the mailinglists are delegated to Spectre Operations and subscribers may also be added via an opt-in system attached to a campaign website.

Social Media

Our website does not use any cookie or social plugin, which means you are not tracked by social media when you visit our website.

We have YouTube, Facebook, Twitter and Linkedin accounts, as we use social media and social networking services to advance our work. These applications require the use of third party service providers. Please note that these services engage in extensive data collection and processing practices that are governed by their own terms of service.

EDRi has access to the following personal data available on these services:

We make limited use of this information, for the following purposes:

The legal basis for the processing of these data is EDRi's legitimate interest (art. 6(f) GDPR).

Apart from this limited use, we do not further process or store the information listed above: only statistics are used about the engagement rate, demographics (average age, location), used device, followers, etc. to evaluate EDRi's communications performance and feed into future strategies.

Social media monitoring

In order to better consider the interests of the general public in the protection of digital rights and better shape our communications, we need to understand how social media users discuss these topics. To this end, we analyse social media activity related to digital rights and monitor the use of our own social media channels. We analyse for instance how our posts are liked, shared, or commented on social networks.

EDRi is the data controller for this data processing. The legal basis for this monitoring is our legitimate interest under art. 6(1)(f) GDPR. We ensure that adequate and specific safeguards are implemented for the processing of personal data, in line with the GDPR.

We use an external provider established in the European Union to process and analyse public social media data on our behalf and according to our instructions. We do not directly interact with social media users whose data are being processed and, in principle, do not have access to their contact details, which prevents us from providing relevant information individually. We have therefore included such information in this privacy policy. Further information and points of contact related to the processing of personal data can be found in the privacy policy of our external provider.

The external provider collects and analyses data from publicly available sources, including public social media platforms, websites and online newspapers. The external provider only processes information that is publicly available, such as:

While the external provider collects the personal data listed above, we only analyse some of these data, mostly in an aggregated format.

We have set up strict limitations on the topics we monitor and have ensured that authorised EDRi staff, when accessing and using the external provider's database, are bound by clear instructions and confidentiality obligations.

All personal data processed by the external provider on the EDRi's account will be deleted 6 months from the end of the contractual relationship with them.


When you support EDRi by making a donation, we only collect information necessary to process the donation. This includes your identification data (name, first name, address, country), the sum, the frequency of payment, your credit card details or account number, the type of payment, your email and the information whether you want to be informed of EDRI's activities.

The legal basis for such processing is your consent under art 6(1)(a) GDPR.

This information is securely stored by our service provider, Spectre Operations, based in the Netherlands.

Your rights

You have the following rights under the General Data Protection Regulation:

The contact for exercising your rights at EDRi is dpo(at)edri(dot)org. We will reply to you within one month. For the processing of data by our external provider for social “imedia monitoring purposes, you can contact privacy(at)meltwater(dot)com

You can also contact us at dpo(at)edri(dot)org if you have any questions regarding our privacy policy or require any clarifications.

We are governed by the Belgian data protection authority, who is competent to receive your complaints (

Changes to this policy

In the event that this policy is changed at any time, the date and nature of the change will be clearly indicated in this document. In the event that the change has a material impact on the handling of your personal information, we will contact you to seek your consent.

Last updated on 17 October 2022

Stay updated!

Get the latest news from the Stop Scanning Me campaign and find out how you can contribute to making the internet a safe place for all.

Subscribe today