Privacy Policy

This policy explains how Stichting Dorna ("we", "us", "Dorna", or "the Foundation") collects, uses, stores, and protects personal data when you use the Dorna Foundation website (dornafoundation.org), submit work through our open call, or correspond with us. We follow the EU General Data Protection Regulation (GDPR) as implemented in the Netherlands.

1. Who we are

The data controller is Stichting Dorna, a non-profit foundation registered in the Netherlands. You can reach us at:

For data protection questions specifically, please email the same address with the subject line "Privacy". The Foundation does not currently have a dedicated Data Protection Officer because we are below the GDPR threshold that requires one; the board handles privacy queries directly.

2. What we collect

From visitors to the website

If you only browse the site, we collect technical request data (IP address, user agent, requested URL, timestamp) through our hosting provider Netlify, in standard server logs. We do not run analytics scripts, advertising trackers, or social-network pixels.

From people who email us

If you contact us by email, we receive your email address, your name (if you include it), and the content of your message.

From the children's open call (digital submission)

When a child submits work through our open call form, we collect:

• About the child: first name, age, country, the type of work, an optional title, an optional message, and the work itself (uploaded file or typed text).
• About the parent or guardian: full name, email address, relationship to the child, and (if provided) phone number.
• Consent record: the four ticked consent items, the typed signature, and the timestamp of submission.
• Verification record: after submission, we email the guardian a confirmation link. We record whether the guardian clicked Confirm or Reject and when.

From the children's open call (postal submission)

If you send work by post, we receive whatever you choose to write on the printed Guardian Consent Form (the same fields listed above) and the work itself.

3. Why we collect it

• To consider submissions for inclusion in the Dorna children's magazine.
• To verify that the parent or guardian consents to the submission and to publication.
• To write back to the guardian's email about the outcome.
• To keep an editorial archive of accepted and previously published work.
• To respond to enquiries and correspondence.
• To meet our obligations as a Dutch foundation (financial records, future ANBI reporting).

4. Legal basis

Our legal basis under the GDPR (Article 6) is:

• Consent (Art. 6(1)(a)) for processing children's submission data and for publication. For children under 16, consent is given or authorised by the holder of parental responsibility, in line with Dutch implementation of GDPR Art. 8.
• Legitimate interests (Art. 6(1)(f)) for basic server logs needed to keep the website online and secure, and for standard email correspondence.
• Legal obligation (Art. 6(1)(c)) where Dutch law requires us to retain certain records (e.g. financial documents).

5. How long we keep it

• Children's submissions and consent records: five years from submission, then deleted, unless the guardian asks for earlier deletion.
• Published work in editorial archives: retained as long as the magazine archive itself remains in publication, with first name, age, and country only.
• Email correspondence: kept while the conversation is active and for up to two years afterwards.
• Financial records: seven years, as required by Dutch tax law.
• Server logs: kept by Netlify for the duration of their default retention (currently 30 days).

6. Who we share it with

We do not sell, rent, or trade personal data. We do use a small number of carefully chosen processors:

• Netlify hosts the website, the submission forms, the uploaded files, and our server-side functions. Netlify is GDPR-compliant and offers an EU data residency option.
• Resend sends transactional emails on our behalf (the parental-consent verification email, future newsletters if you sign up).
• Google Fonts serves the typefaces used on the site. By visiting the site you load fonts from Google's CDN; no personally identifying information is sent beyond the standard request metadata.

Each of these processors handles data on our behalf under written terms and the GDPR's controller-processor obligations.

7. International transfers

Some of our processors operate servers outside the European Economic Area (notably the United States). Where this happens, transfers are made under the European Commission's Standard Contractual Clauses (SCCs) and any additional safeguards required by the receiving processor's privacy framework. You may request a copy of the relevant safeguards from us at any time.

8. Children's data

We take particular care with personal data relating to children:

• The submission form does not request a child's last name, home address, school, or any contact details for the child themselves.
• If we publish a child's work, the only attribution is first name, age, and country. No surname, no contact information, no school, no photo of the child themselves (unless they specifically submit a self-portrait or photo with explicit guardian consent for that piece).
• A submission cannot be reviewed, kept, or published until the parent or guardian has clicked the verification link in our follow-up email. Submissions where the guardian rejects the verification or never confirms within 14 days are deleted.
• Guardians can request deletion of their child's data and any published work at any time by emailing info@dornafoundation.org.

9. Your rights

Under the GDPR you have the following rights regarding your personal data:

• Access, to ask what data we hold about you.
• Rectification, to correct inaccurate data.
• Erasure, to ask us to delete data ("right to be forgotten").
• Restriction, to limit how we use the data while a request is being considered.
• Portability, to receive a copy of data in a portable format.
• Objection, to object to processing based on legitimate interests.
• Withdraw consent, at any time, where processing is based on consent.
• Complain to the Dutch Data Protection Authority, Autoriteit Persoonsgegevens.

To exercise any of these rights, email info@dornafoundation.org. We will respond within 30 days. There is no fee for reasonable requests.

10. Cookies and analytics

The Dorna website does not set any cookies of its own and does not run third-party analytics, advertising, or tracking scripts. Netlify, our host, may set strictly necessary cookies for load balancing and security; these do not identify individuals.

If you sign in to the admin area at /admin.html, we use a session token stored in your browser's sessionStorage for authentication. This is not a cookie and is cleared when you close the tab.

11. Security

We protect personal data with appropriate technical and organisational measures:

• All traffic to the site is served over HTTPS with TLS.
• Admin passwords are hashed with PBKDF2-HMAC-SHA512 using 600,000 iterations.
• Sensitive write endpoints require an authenticated, role-checked session.
• Submitted files are stored in our Netlify Forms account, not in a public directory.
• We keep the number of people with access to a minimum (the Dorna editorial team only).

12. Changes to this policy

We may update this policy from time to time as our practices evolve. The "Last updated" date at the top of the page will reflect any change. For material changes that affect children's submissions, we will additionally email guardians who have active consent on file.

13. Contact and complaints

For any privacy question or to exercise the rights listed above, please write to:

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority, Autoriteit Persoonsgegevens, or with the supervisory authority of the EU member state where you live or where the alleged infringement took place.