Ma Earth Privacy Policy

1.1.Ma Earth Labs AG, Baarerstrasse 10, 6300 Zug, Switzerland (hereinafter, “MEL”) is the data controller for personal data processed in connection with the websites and services operated at maearth.com and its subdomains, including studio.maearth.com (content and educational programs), news.maearth.com (blog and newsletter), and help.maearth.com (help center), together, the “Sites”, and the Ma Earth Funding Platform (hereinafter, the “Platform”). Data protection contact: [email protected].

1.2.The Platform connects "Donors" (users making voluntary donations) with projects operated by "Organizations" (eligible non-profit organizations, non-profit equivalents, approved host partner organizations (hereinafter, "Host Partners"), or organizations carrying out projects requiring the support of a Host Partner). Where an organization requires a support partner, a Host Partner (a registered non-profit approved by Ma Earth Foundation) may receive and administer funds on behalf of such organization. During time-limited "Funding Rounds," eligible projects may receive discretionary matching grants.

1.3.EU/EEA GDPR Representative (Article 27): If you are located in the EU and have questions or concerns regarding your personal data, you may contact our appointed GDPR representative: Euverify Ltd (Ireland), Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork, T23 AT2P, Ireland, Email: [email protected]. To submit a Data Subject Access Request (DSAR), data deletion request, or any other GDPR-related inquiry, please use our secure portal. This link allows you to verify our appointed representative and submit GDPR requests directly. Requests submitted through this portal are logged and tracked to ensure timely response and compliance.

2.1.For Donors: identity and contact data (name, email) and donation preferences entered on the Platform. Payment data is entered directly into Stripe's hosted checkout and is never transmitted to or stored by MEL. Stripe acts as an independent controller for the donor data it collects under Stripe's own privacy policy (stripe.com/privacy). MEL receives payment metadata from Stripe (such as billing country, payment status, payment method type, and transaction identifiers). For platform-operation purposes such as Stripe Connect onboarding of Organizations, Stripe acts as MEL's processor.

2.2.For Organizations including Host Partners: organizational and legal data (organization name, legal status, website, location), contact person details (name, email, role), application and project data, due diligence documentation, and other materials uploaded to the Platform such as project descriptions, images, and supporting files. During Stripe Connect onboarding, MEL receives onboarding metadata from Stripe (including business name, business type, country, and onboarding status) but does not collect or store payment account details, which remain with Stripe.

2.3.Application and due diligence materials submitted by Organizations may incidentally contain special categories of personal data within the meaning of Art. 9 GDPR or sensitive personal data within the meaning of Art. 5(c) FADP (for example, information revealing religious or philosophical affiliations of faith-based organizations, political opinions of advocacy organizations, or health-related information of organizations serving specific populations). Where GDPR or FADP applies, MEL processes such data only to the extent necessary for application review, eligibility assessment, and grant administration. Organizations are responsible for ensuring they have a lawful basis, including, where required, the explicit consent of the data subject, to share third-party personal data, including any special category or sensitive data, with MEL.

2.4.For newsletter subscribers and contact form users: name and email address provided when subscribing to the newsletter at news.maearth.com or submitting the contact form on the Sites, together with engagement data (e.g., email opens and clicks). Contact form submissions are routed to [email protected].

2.5.For all visitors and users: technical and usage data, including IP address, user-agent string, device and browser information, pages accessed, and actions taken on the Sites and Platform. For debugging and error diagnosis, we use Sentry as a processor to sample a limited share of sessions for error tracking and anonymized session replay; replays may capture user interactions and form inputs, with personal data automatically redacted before transmission. We similarly use Mixpanel session replay for product analytics, with personal data automatically redacted before transmission. We also maintain administrative audit logs of security-relevant actions. We also collect server-side product analytics events (such as onboarding interactions and signup events) using internal user, organization, project, and round identifiers, and captured UTM parameters; no email, name, or DID is sent to analytics providers. Retention periods are set out in Section 5.

2.6.The Sites and Platform use essential cookies for session management, authentication, security, and content delivery. No advertising or marketing cookies are used. We also use third-party analytics cookies (Mixpanel, Google Analytics and Webflow Analytics) for product and website analytics and platform improvement, and A/B testing cookies (Intellimize) for testing variants of content and messaging on studio.maearth.com. Embedded videos (YouTube) and newsletter content (Beehiiv) may set their own cookies when interacted with. Non-essential cookies are activated only with your prior consent. On maearth.com (including the Platform and studio.maearth.com), consent is obtained via our banner powered by Cookiebot. On news.maearth.com, the newsletter platform Beehiiv operates its own cookie banner. On help.maearth.com, the documentation platform GitBook operates its own cookie banner. In each case, non-essential cookies are blocked by default for users in geographies where consent is required (including the EU and EEA) until consent is given. You can manage cookie preferences through your browser settings or, where applicable, through the Sites' or Platform's consent interface. Disabling essential cookies may prevent the Sites or Platform from functioning correctly.

2.7.Children: The Platform is not directed to children. MEL does not knowingly collect personal data from individuals under 18. If you believe a minor has provided personal data to MEL, please contact [email protected] and we will delete it.

3.1.MEL processes personal data for the following purposes and on the following legal bases: operating the Sites and Platform and processing donations via Stripe Connect (performance of contract); conducting application review, eligibility assessment, due diligence, and protecting the Platform against abuse, including fraud and manipulation detection, IP-based rate limiting, and malware scanning of file uploads, supported by AI-assisted screening of application data, with all funding decisions made by MEL staff or selection panels with meaningful human review (legitimate interest; compliance with legal obligations); communicating with users about their account, applications, and Funding Rounds (performance of contract; legitimate interest); sending newsletters and updates, where you have explicitly opted in (consent; you may withdraw at any time via the unsubscribe link in any email or by contacting [email protected]); responding to contact form submissions (legitimate interest); publishing profile and project records to the AT Protocol network through Personal Data Servers hosted by Certified (performance of contract; because AT Protocol is an open decentralized network, once published, profile data may be further replicated, cached, and displayed by independent servers outside MEL's and your PDS provider's control); sharing data with Ma Earth Foundation to the extent necessary for grant administration (legitimate interest) and, where applicable, enforcement under the Platform Terms and Conditions (legitimate interest); and analytics, A/B testing, and product and content improvement, including event-level usage tracking via cookies (consent) and aggregate server-side analytics (legitimate interest).

4.1.Personal data may be shared with

4.1.1.Ma Earth Foundation: application data, organizational and project data, due diligence documentation, and identity and contact data of members of selected Organizations, for grant due diligence, grant administration, and enforcement under the Platform Terms and Conditions. Ma Earth Foundation acts as an independent controller under a data processing agreement with MEL.

4.1.2.Approved third-party AI service providers, currently Anthropic (Claude), act as processors on MEL's instructions to assist with application review, scoring, and fraud-detection support. Processing is limited to organizational and project application content, which may incidentally include names and roles of team members identified in applications.

4.1.3.Infrastructure and service providers acting as processors on MEL's instructions: database and file storage (Supabase), email delivery (Resend), error tracking and anonymized session replay (Sentry), background job processing (Inngest), hosting and deployment of the Platform (Vercel), website hosting and CMS for the Sites (Webflow and GitBook), CDN and security (Cloudflare), file malware scanning (Scanii), product and website analytics (Mixpanel and Google Analytics), A/B testing of content on studio.maearth.com (Intellimize), newsletter distribution (Beehiiv), automation between systems such as newsletter signups (Zapier), and cookie consent management (Cookiebot). These providers process personal data only to the extent necessary to provide their services and are bound by data processing agreements.

4.1.4.Advisors, auditors, and selection panel members: application and organizational data relevant to their specific task (e.g., legal advice, statutory audit, Funding Round scoring), subject to confidentiality obligations.

4.1.5.Certified, a service operated by Hypercerts Foundation (a Delaware non-stock corporation) hosts Personal Data Servers (PDSs) for individual users and organizations, manages the users' and organizations' AT Protocol identity, and publishes profile and project records to the AT Protocol network. Certified or other PDS providers process records under their own legal responsibility, not on MEL's behalf. Because AT Protocol is an open decentralized network, once published, profile data may be further replicated, cached, and displayed by independent servers outside MEL's and your PDS provider's control. Deletion from the Platform does not guarantee removal from those servers. For Certified's own processing, see their privacy policy at certified.app/privacy.

4.1.6.Payment processing is carried out by Stripe directly with Organizations (during account onboarding) and Donors (at checkout). MEL does not share personal data with Stripe for these purposes. For Stripe's processing, see Stripe's privacy policy at https://stripe.com/en-ch/privacy.

4.1.7.Embedded content: Pages on the Sites may embed videos hosted by YouTube (Google). When you interact with embedded content, the relevant provider may collect data as described in their own privacy policy.

4.2.Where data is transferred outside Switzerland or the EEA to countries without an adequate level of data protection, MEL relies on standard contractual clauses adopted by the Swiss Federal Council or the European Commission, or equivalent safeguards.

4.3.For profile data published to the AT Protocol network, the open and federated nature of the protocol means that data may be replicated by independent servers in jurisdictions without an adequacy decision, with which MEL has no contractual relationship. Standard contractual clauses cannot be applied to such replication. This is disclosed to data subjects at the time of publication; data subjects who do not wish their data to be subject to such replication should not publish it via the Platform.

5.1.Personal data is retained for the duration of the user relationship and, thereafter, for as long as required by applicable law. Financial and accounting records are retained for 10 years (Art. 958f CO). Due diligence records are retained for a minimum of 5 years following the end of the relevant Funding Round. Newsletter subscriber data is retained until you unsubscribe. Data retained solely for account operation is deleted within 12 months of account closure, subject to applicable retention obligations.

6.1.Under the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR), you have the following rights with respect to your personal data. You may request access to your personal data and request rectification or completion if your data is inaccurate or incomplete. In certain circumstances, you may also request restriction of processing or deletion of your personal data. You may object to processing based on legitimate interests, including where processing is likely to cause damage or distress or is carried out for direct marketing purposes. Where applicable and technically feasible, you may also request to receive your personal data in a commonly used electronic format (data portability). To exercise these rights, contact [email protected]. These rights may be subject to legal limitations or exceptions. MEL will therefore examine each request on a case-by-case basis and will respond within a reasonable time limit.

6.2.You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch or, if you are in the EEA, with your local supervisory authority.

7.1.MEL applies appropriate technical and organizational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, to protect personal data against unauthorized access, loss, or misuse. Data transmitted over the internet cannot be guaranteed entirely secure.

8.1.MEL may update this Privacy Policy from time to time to reflect new practices or legal requirements. The latest version will always be available at maearth.com/privacy.