Privacy
Policy

Daily Humanity Europe, Lda ("Daily Humanity", "we", "us", or "our") provides professional safety training and related educational programmes and services to journalists, humanitarian workers, and institutional clients. This Privacy Policy explains how we collect, use, and protect your personal data when you interact with our website at dailyhumanity.dk and our services.

Daily Humanity Europe, Lda is the data controller responsible for your personal data.

Data Controller

This policy applies to personal data we process when you:

• Visit or use our website at dailyhumanity.dk
• Enquire about or register for Daily Humanity educational programmes or training
• Subscribe to our newsletter or training communications via Brevo
• Book a call or consultation through our scheduling system (Cal.com)
• Contact us by email, form, or telephone
• Enter into a contractual relationship with us as a client, partner, or supplier
• Attend an event or training hosted by Daily Humanity
• Complete identity verification in applicable contexts (see Section 3.3)

Not covered by this policy

This policy does not cover third-party websites or services. It also does not cover the Maira Intelligence and Monitoring platform, which is operated independently by Maira Labs, Co. (Delaware, United States) and licensed to Daily Humanity Europe, Lda for distribution in the EU/EEA, Switzerland, and the Eastern Partnership countries (Armenia, Azerbaijan, Georgia, Moldova, and Ukraine), excluding any territory subject to applicable EU sanctions or restrictive measures. Those clients are served entirely through Daily Humanity Europe, Lda within the licensed geographies. For Maira's practices, policies, and data processing, visit maira.one.

3.1 Data you provide directly

• Identity data** — name, job title, organisation
• Contact data** — email address, phone number, postal address
• Training registration data** — dietary requirements, emergency contacts, and health declarations relevant to field training safety
• Professional background** — employer, role, and prior training history, used to assess participant suitability and safety for field training
• Communications** — the content of emails or messages you send us
• Payment data** — billing address and invoice details; payment card data is processed directly by our payment providers (Stripe and Mollie) and is never stored by us

3.2 Data collected automatically

When you visit our website we collect, where you have consented:

• Technical data** — IP address, browser type and version, device type, operating system
• Usage data** — pages viewed, session duration, referring URL, and click paths, collected via PostHog (EU-hosted infrastructure)
• Cookie data** — see Section 9

3.3 Identity verification data (Didit)

In specific circumstances we are required or entitled to verify your identity before providing a service. We use Didit to perform this verification via its API. We use Didit's verification service in the following cases:

• Issuing invitation letters or documentation for non-EU residents who require a visa or travel authorisation
• Granting access to private or elevated-security training grounds where access control is legally or operationally required
• Programmes where attendance is subsidised by a third party (philanthropy, foundation, or institutional funder) requiring participant verification
• Cases where KYC, AML, or other EU or Portuguese legislation mandates identity verification

Identity verification may involve government-issued ID documents, facial-image matching (a biometric process), and address verification data. Daily Humanity is the controller of this verification; Didit acts as our processor under a Data Processing Agreement and applies its own security and compliance controls. We process this data on the basis of:

• Explicit consent (Art. 9(2)(a) GDPR)** for biometric verification in discretionary cases, captured separately at the point of verification; or
• Legal obligation (Art. 6(1)(c) and Art. 9(2)(g))** where KYC/AML or other legislation mandates it.

Any verification data returned to us by Didit is stored on our own EU-based Microsoft Azure managed database under general GDPR-compliant controls. Verification data is used solely for the specific verification event and is not repurposed.

3.4 Special category data

Some Daily Humanity educational programmes, particularly field and safety training, may require health-related information (for example, medical conditions relevant to training safety). This is special category data under GDPR Article 9. We collect it only with your explicit written consent and use it solely for participant safety during training.

We process personal data only where we have a lawful basis under GDPR Article 6 (and Article 9 for special category data):

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

We use personal data for the following specific purposes:

• Administering registrations and delivering Daily Humanity educational programmes and training
• Assessing participant eligibility and medical suitability for field training
• Issuing digital training certificates to your Apple Wallet or Google Wallet (see Section 5.1)
• Processing payments and maintaining statutory financial records
• Verifying participant identity in the applicable contexts described in Section 3.3
• Responding to enquiries and scheduling consultations you request via Cal.com
• Sending operational communications and, where you have subscribed, newsletters, via Brevo
• Measuring and improving website performance through privacy-preserving analytics (PostHog EU)
• Complying with our legal, tax, and regulatory obligations
• Detecting and preventing fraud, security threats, and unauthorised access to training facilities
• Establishing, exercising, or defending legal claims

We do not use your personal data for purposes incompatible with those listed above without giving you prior notice and, where required, obtaining your consent.

5.1 Digital training certificates

Upon completion of a training programme we issue a digital certificate containing your name, the programme name, completion date, and a unique credential identifier, delivered to your Apple Wallet or Google Wallet. We use PassKit to generate and deliver these passes for all participants. PassKit is SOC 2 certified and compliant with Google Wallet requirements, and acts as our data processor under a Data Processing Agreement. Certificate data is retained as part of your training record (see Section 8).

5.2 Automated processing and artificial intelligence

We use artificial intelligence provided by the Microsoft Azure OpenAI Service, hosted on Microsoft servers within the EU, to assist with processing certain personal data. The data processed by this service remains within the EU. Microsoft acts as our data processor under a Data Processing Agreement and does not use your data to train its own models.

We use these AI capabilities to:

• Support and streamline identity verification (KYC) checks
• Analyse and triage enquiries submitted through our website or by email
• Detect duplicate or conflicting records across our systems
• Check the completeness and correctness of information you provide
• Generate alerts and summaries for Daily Humanity Europe administrators

Human oversight. These tools assist our staff; they do not make final decisions about you on their own. Identity verification outcomes, enquiry responses, and eligibility decisions are reviewed and decided by a Daily Humanity Europe administrator. We do not make decisions producing legal or similarly significant effects based solely on automated processing. The legal basis for this processing is our legitimate interests in operational efficiency, data quality, and fraud prevention (Art. 6(1)(f)), and, where it supports a legally mandated KYC/AML check, compliance with a legal obligation (Art. 6(1)(c)).

If you have questions about how this processing affects you, or wish to request human review of any outcome, contact privacy@dailyhumanity.dk.

We do not sell your personal data. We share it only where necessary:

• Training delivery partners** — co-facilitators, venue operators, or field instructors engaged for specific programmes, bound by data protection obligations
• Payment processors** — Stripe and Mollie, each acting as an independent controller for transaction processing under its own privacy policy
• Email and CRM platform** — Brevo, for newsletter delivery and operational communications with clients and attendees, acting as our processor under a DPA
• Identity verification** — Didit, for verification via its API in the cases described in Section 3.3, acting as our processor under a DPA
• Digital certificates** — PassKit, for generating and delivering Apple and Google Wallet passes for all participants, acting as our processor under a DPA (SOC 2 certified)
• Scheduling** — Cal.com (EU-compliant), for routing call bookings from our contact page
• Analytics** — PostHog (EU-hosted infrastructure)
• Cookie consent management** — Cookiebot, for recording and managing your cookie preferences
• Cloud infrastructure** — Microsoft Azure (EU regions), on which all our data-storing infrastructure runs; SOC 2 and ISO 27001 certified
• AI processing** — Microsoft Azure OpenAI Service (EU regions), used to process certain data as described in Section 5.2; hosted within the EU and acting as our processor
• Professional advisors** — lawyers, accountants, and insurers, under duties of confidentiality
• Regulatory and law enforcement authorities** — where legally required, or to protect the vital interests of individuals

Our data-storing infrastructure (including databases and blob storage) runs on Microsoft Azure within the EU, and this includes identity verification data returned by Didit. Some processors are based in the United States and may process limited personal data there:

All transfers outside the EEA rely on either an European Commission adequacy decision (such as the EU-U.S. Data Privacy Framework for certified US recipients) or European Commission-approved Standard Contractual Clauses (SCCs). PassKit, which generates certificate passes for all participants including EU residents, processes data as our processor under its Data Processing Agreement incorporating the 2021 EU SCCs. You may request details of the safeguards applicable to your data by contacting privacy@dailyhumanity.dk.

We retain personal data for no longer than necessary for the purposes set out in this policy, or as required by law. Our standard retention periods are:

Where the same individual's data falls into more than one category — for example, a training participant whose registration also generates an invoice — the training/safety record is held for 1 year while the underlying contract and invoice data is retained for 10 years to meet Portuguese commercial and tax obligations.

All personal data is stored on secure servers operated within the EU on Microsoft Azure managed services, and is processed in full compliance with the GDPR. When data is no longer required, it is securely deleted or anonymised.

Our website uses cookies and similar technologies. We use Cookiebot to manage your consent: non-essential cookies are not set until you have given consent through the Cookiebot banner, and you can change or withdraw your preferences at any time.

Disabling analytics or marketing cookies does not affect your ability to use the site. Strictly necessary cookies cannot be disabled without breaking core functionality.

If you are in the EEA, you have the following rights:

• Access (Art. 15)** — request a copy of your personal data and information about how we use it
• Rectification (Art. 16)** — ask us to correct inaccurate or incomplete data
• Erasure (Art. 17)** — request deletion where data is no longer necessary, consent is withdrawn, or processing is unlawful
• Restriction (Art. 18)** — ask us to pause processing while you contest accuracy or await a decision on an objection
• Portability (Art. 20)** — receive your data in a structured, machine-readable format where processing is consent- or contract-based and automated
• Object (Art. 21)** — object to processing based on legitimate interests; you have an absolute right to object to direct marketing
• Withdraw consent** — at any time, without affecting prior processing

We do not make decisions producing legal or similarly significant effects on individuals based solely on automated processing. Where we use artificial intelligence to assist our work (see Section 5.2), a human administrator reviews and makes the final decision. You may request human review of any outcome by contacting us.

To exercise any right, contact Roman Stepanovych, Director at privacy@dailyhumanity.dk. We will respond within 30 days. Where requests are complex or numerous, we may extend this by a further two months and will tell you if we do.

You also have the right to lodge a complaint with the Portuguese supervisory authority:

Comissão Nacional de Proteção de Dados (CNPD) — cnpd.pt

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption of data in transit (TLS) and at rest
• Access controls and role-based permissions limiting data access to authorised personnel on a need-to-know basis
• All data-storing infrastructure (including blob storage and databases) hosted on Microsoft Azure (EU), which is SOC 2 and ISO 27001 certified
• Secure disposal procedures for data no longer required
• Staff awareness of data protection obligations

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours of becoming aware of it and, where required, notify affected individuals without undue delay.

Our services are directed at professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact privacy@dailyhumanity.dk and we will delete it.

Our website may link to third-party websites or platforms. We are not responsible for their privacy practices. We encourage you to review the privacy policies of any external sites you visit.

Daily Humanity Europe, Lda (NIPC 519439104) does not currently meet the thresholds requiring mandatory appointment of a Data Protection Officer under GDPR Article 37. Data protection enquiries are handled by:

Email: privacy@dailyhumanity.dk Postal: Rua Cmdt. Filipe de Araújo 15, 2E, 2770-186 Paço de Arcos, Portugal

We may update this policy to reflect changes in our practices or legal obligations. When we make material changes, we will update the effective date and, where appropriate, notify you by email or a notice on our website.

Email: privacy@dailyhumanity.dk General enquiries: info@dailyhumanity.dk Postal: Rua Cmdt. Filipe de Araújo 15, 2E, 2770-186 Paço de Arcos, Portugal Supervisory authority: Comissão Nacional de Proteção de Dados (CNPD) — cnpd.pt