PrivacyPrivacy policy.
A practical, plain-language description of what personal data we collect, why we collect it, how long we keep it, and what rights you have. Last updated May 29, 2026.
1. Scope
This policy covers personal data we collect through this website (gctexchange.org), our monthly digest, our donation flow, and our recruitment and grant-application processes. Research datasets we collect for scientific work are governed by separate, project-specific consent frameworks, documented per release on each dataset card.
2. Data controller
GCT Exchange is the data controller for personal data collected through this website. You can reach our data-protection contact at privacy@gctexchange.org. We do not have a designated EU representative; if you are an EU resident exercising rights under the GDPR, please write to the same address.
3. What we collect
From the website and the digest: your email address (and only your email address) when you subscribe; first-party cookies only for theme preference and CSRF protection. From the contact form: your name, your email, and the message you send. From the donation flow: your name, email, billing country, and payment information processed directly by Stripe; we do not store full card numbers. From applications (jobs, fellowships, grants): the materials you choose to send us.
4. How we use it
Only to do what you asked us to do. We use your email to send the digest you subscribed to, respond to your contact-form message, acknowledge your gift, or process your application. We do not sell, rent, or trade personal data. We do not use it for advertising. We do not enrich it with third-party data brokers.
5. Lawful basis (GDPR / Data Protection Act 2019, Kenya)
Newsletter: consent (you opted in). Contact and applications: legitimate interest in responding to you. Donations: contract performance and legal obligation (tax / audit). We rely on consent for any optional analytics; we currently use none.
6. Research data
Speech recordings, clinical data, satellite imagery, agricultural images, and any other research data we collect are governed by project-specific consent frameworks reviewed by our independent ethics committee. Each open dataset ships with a dataset card documenting consent process, data subjects' rights, and a takedown process. Personal data in research corpora is not used for any purpose outside the documented research scope.
7. Cookies
First-party cookies only, and a minimal set: a theme cookie that remembers your light/dark choice, and a session cookie for CSRF protection on the contact and donation forms. No third-party analytics, ad, or fingerprinting cookies. No banner is shown because none is required.
8. Service providers (sub-processors)
We rely on the following sub-processors: Stripe (payment processing); a transactional email provider for digest sends; a cloud-storage provider for backups. We have a written data-processing agreement with each. The current list, with locations and purposes, is available on request from privacy@gctexchange.org.
9. International transfers
Our primary infrastructure is hosted across multiple African and European regions. When data crosses borders, we use Standard Contractual Clauses or equivalent transfer mechanisms. We do not transfer personal data to jurisdictions without adequate safeguards.
10. Retention
Newsletter subscriptions: retained until you unsubscribe. Contact-form messages: retained for 24 months unless a longer retention is required by an active matter. Donation records: retained for 7 years for tax and audit compliance. Application materials: retained for 12 months after the role closes; longer if you opt in to our talent pool.
11. Your rights
You may request access, correction, deletion, restriction, portability, or objection at any time by emailing privacy@gctexchange.org. We respond within 30 days. You may also complain to the data-protection authority in your country of residence.
12. Security
Transport encryption (TLS 1.2+) is enforced everywhere. Access to personal data is limited to staff who need it for their role; access is logged and reviewed quarterly. We carry out a yearly security review.
13. Children
This website is not directed at children under 13. We do not knowingly collect personal data from children. Research projects involving minors follow project-specific consent frameworks that include guardian consent and additional ethics review.
14. Changes
We may update this policy. Material changes will be summarised at the top of this page with the revision date and announced in the next monthly digest.
Questions? Write to privacy@gctexchange.org. We respond within 30 days.