Data Privacy

This Privacy Policy was last updated on Feb 3, 2025.

Introduction

This policy provides information about how and why Stichting Bellingcat (a foundation incorporated in the Netherlands) and Bellingcat Fund (a 501c3 charity incorporated in the United States) process your personal data in relation to:

  • Our fundraising and communication efforts
  • Your participation in our events
  • Your job applications to work with Bellingcat

We are committed to respecting your privacy and protecting your personal data in compliance with the General Data Protection Regulation (GDPR) and other relevant privacy laws.

Our Privacy Role

Bellingcat is a data controller under the meaning of GDPR. This means we have statutory responsibilities regarding the collection, storage, and processing of your personal data. This Privacy Policy outlines how we fulfil these duties.

Does This Privacy Policy Apply to You?

This Privacy Policy applies to the collection and processing of personal data from job applicants, funders, donors, volunteers, consultants, training participants, partner organizations, and all other stakeholders in the regular course of our work.

Processing of Personal Data

Bellingcat relies on voluntary contributions to support its mission. To maintain transparency and strong relationships with our supporters, we collect and process personal data as described below:

Fundraising and Communication

With your prior consent, we may process your personal data to update you on:

  • The impact of our research
  • How your contributions support our work
  • Events, projects, and opportunities relevant to you

When making a donation, you can choose to receive updates from Bellingcat. If you do not opt in, you will only receive a confirmation of your donation.

The personal data processed for communication includes your name and email address. We do not share this data with third parties.

Processing and Screening of Donations

When you donate to Bellingcat, we process your personal data to administer the donation securely. We work with third-party payment providers and banks to process transactions.

Additionally, for legal and ethical compliance, donations over 5,000 EUR undergo screening in line with our Anti-Money Laundering (AML) Policy.

Personal data processed: name, email address, and/or address. We do not share this data with third parties.

Third-Party Platforms and Data Security

Bellingcat uses third-party platforms to manage fundraising and donation processes:

  • Salesforce: We use Salesforce as a customer relationship management (CRM) platform for fundraising and project management. All Salesforce data is securely stored in the European Union (EU) in compliance with GDPR.
  • Donorbox: We use Donorbox for online donations. Donorbox stores personal data on secure servers and may share it with service providers worldwide to facilitate its services while complying with GDPR and other privacy regulations.

By using these platforms, we ensure secure data storage, controlled access, and full compliance with GDPR.

Attending Events

When you attend our events, we may process your personal data, including:

  • Name, contact details, and professional background (if provided)
  • Food preferences (if applicable)
  • Photographs or videos from events (only with your consent)

This data is used only for event administration and communication purposes.

Job Applications and Employee Screening

Personal data collected for job applications includes:

  • Name, contact details, resume, and references
  • Relevant experience, education, and employment history

Where necessary, applicants may undergo pre-screening and assessments, including verification of credentials. Employee screening is conducted by independent, authorized partners to ensure security and compliance with GDPR.

Who Else Has Access to My Personal Data?

Bellingcat does not sell or trade personal data. Access to your personal data is strictly limited to:

  • Bellingcat staff with a legitimate need for processing
  • External advisors (e.g., consultants, lawyers, auditors)
  • Government authorities, where legally required
  • Third-party processors (e.g., IT service providers, secure cloud storage, and analytics tools)

All third parties processing data on our behalf are contractually obligated to comply with GDPR and enter non-disclosure agreements to prevent unauthorized data disclosure.

Where Do We Store and Transfer Your Data?

While we prioritize storing data within the European Economic Area (EEA), some third-party service providers may process data outside the EEA. When data is transferred internationally, Bellingcat ensures compliance with GDPR through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other lawful transfer mechanisms as per Article 46 of GDPR

For questions regarding data transfers, contact contact@bellingcat.com.

How Long Do We Retain Personal Data?

We retain personal data only as long as necessary for the purposes outlined above and in compliance with legal requirements:

Category                     | Retention Period
User account information     | 5 years after account termination
Financial transactions       | 10 years (to comply with tax regulations)
Marketing preferences        | Until the user withdraws consent
Website analytics            | Aggregated & anonymized for analytical purposes
Legal and compliance records | As required by law

For more details on retention periods, contact contact@bellingcat.com.

Your Rights Under GDPR

As a data subject, you have the right to:

  • Access your personal data
  • Rectify incorrect or incomplete data
  • Erase your data (subject to legal obligations)
  • Restrict data processing
  • Data portability (transfer data to another service provider)
  • Object to processing based on legitimate interests
  • Withdraw consent (where applicable)

To exercise these rights, contact contact@bellingcat.com.

How to Contact Us

For inquiries about your data privacy rights, contact:

Bellingcat
PO Box 15712
1001 NE Amsterdam, Netherlands
Email: contact@bellingcat.com

If you believe your data rights have been violated, you may also file a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at www.autoriteitpersoonsgegevens.nl.

Policy Updates

Bellingcat may update this Privacy Policy periodically. Changes will be published on our website. If a change has significant privacy implications, we will actively notify users.