Privacy Policy

Platform: eGrants (egrants.com.ua)

Last Updated: November 17, 2025


1. GENERAL PROVISIONS

1.1 About the Platform

eGrants is a digital hub for grants, investments, and development programs. We help businesses and communities obtain funding and grow.

Developer: AIQ Agency, platform operator: NGO "RISTATE"

Cooperation: In accordance with a memorandum of cooperation with the Ministry of Development of Communities, Territories and Infrastructure of Ukraine.

1.2 Introduction

We value your privacy and strive to protect your personal data. This Privacy Policy describes how we collect, use, store, and protect your information when using the eGrants platform.

1.3 Scope of Application

This policy applies to all users of the eGrants platform, including:

  • Visitors without registration
  • Registered users
  • Business organizations
  • Donors and program organizers
  • Communities
  • Consultants
  • State enterprises
  • State bodies
  • Ministry administrators

1.4 Consent to Data Processing

By using our platform, you agree to the terms of this Privacy Policy and give consent to the processing of your personal data in the manner described in this document.

2. DATA ADMINISTRATOR

2.1 Contact Information

Full name: Non-Governmental Organization "RISTATE"

Abbreviated name: NGO "RISTATE"

Legal address: Ukraine, 01033, Kyiv, Korolenkivska St., 3, office 703

Website: egrants.com.ua

2.2 Contact Points

General Information:

Email: info@restateinitiative.org

Technical Support:

Email: info@egrants.com.ua

Personal Data Protection Inquiries:

Email: info@egrants.com.ua

3. CATEGORIES OF PERSONAL DATA COLLECTED

3.1 Registration and Authentication Data

Mandatory data:

  • Email address (for login and communication)
  • Password (stored in hashed form using modern hashing algorithms)
  • Selected profile type (role)

Additional data:

  • First and last name
  • EDRPOU code (for organizations)
  • Phone number (optional)
  • Avatar/profile photo

Purpose of collection: Account creation, authentication, user identification

Legal basis: Contract performance, user consent

3.2 Organization Profile Data

3.2.1 Business Profiles

  • Abbreviated and full organization name
  • Business type
  • Year of establishment
  • Number of employees
  • Annual turnover and currency
  • Description of activities (in Ukrainian and English)
  • Main products and services
  • Target markets
  • Investment needs (category, amount, description)
  • Organization website, email, phone
  • Social media links
  • Organization logo
  • Location (region, district, community, locality)
  • Geography of work (all Ukraine, international)

3.2.2 Donor Profiles

  • Donor organization name
  • Donor type
  • Year of establishment
  • Country of registration
  • Organization mission (in Ukrainian and English)
  • Focus areas of funding
  • Priority economic sectors
  • Geographic coverage
  • Active programs
  • Contact details (website, email, phone)
  • Social media links
  • Logo

3.2.3 Consultant Profiles

  • Consultant name
  • Specializations and expertise
  • Work experience (years)
  • Education and qualifications
  • Professional achievements
  • Languages spoken
  • Project portfolio
  • Rates and service costs
  • Contact details
  • Social media links

3.2.4 Communities

  • Community name
  • Community type
  • Population
  • Area size
  • Community description and development priorities
  • Community head contact details
  • Community contact details
  • Location and geographic data

3.2.5 State Enterprises

  • Full and abbreviated enterprise name
  • EDRPOU code
  • Form of ownership
  • Field of activity
  • Enterprise manager
  • Contact details
  • Location

3.2.6 State Bodies

  • Body name
  • Body level (central, regional, local)
  • Body type
  • EDRPOU code
  • Area of responsibility
  • Body head
  • Contact details
  • Location

3.2.7 Ministry Administrators

  • Ministry name
  • Administrator position
  • Contact details
  • Area of responsibility

Purpose of collection: Creating a public profile, interaction between platform users, partner search, providing organization information

Legal basis: Contract performance, user consent, legitimate interests

3.3 Funding Program Data

Information about programs created by donors:

  • Program name (in Ukrainian and English)
  • Program description
  • Status (open, urgent, closed)
  • Application deadline
  • Minimum and maximum funding amount
  • Currency
  • Project duration
  • Program geography
  • Who can apply (target audience)
  • Economic sectors
  • Evaluation criteria
  • Required documents
  • Contact information for inquiries
  • FAQ

Program organizer: Information about the donor (user_id)

Purpose of collection: Publishing information about funding opportunities, helping in grant search

Legal basis: Contract performance, user consent

3.4 Technical and Usage Data

3.4.1 Session Data

  • Session ID (session token)
  • Login date and time
  • Last activity date and time
  • IP address
  • User Agent (browser and operating system information)
  • Device type (desktop, mobile, tablet)
  • Browser name and version
  • Operating system and version
  • Session location (country, city - determined by IP)
  • Session status (active/inactive)

Purpose of collection: Session management, account security, preventing unauthorized access

Session retention period: 30 days from last activity

3.4.2 Cookies and Local Storage

Functional cookies:

  • site_access - cookie for site access (password protection)
  • locale - cookie for storing language settings (term: 1 year)
  • Session cookies for user authentication

Cookie settings:

  • httpOnly: for protection against XSS attacks
  • secure: true in production (HTTPS only)
  • sameSite: 'lax' for protection against CSRF

Browser local storage:

  • Language settings
  • Temporary form data (autosave)
  • User UI settings

3.4.3 Usage Analytics

  • Program views (view counter)
  • Organization profile views
  • Blog article views
  • Resource views
  • Success case views
  • Search query data
  • Filters and sorting used

Collection method: A view is counted only after a 2-3 second delay from the page opening, to exclude bots and accidental clicks

Excluded from tracking: Bots, scanners, short visits

Purpose of collection: Platform improvement, content popularity analysis, search optimization

Legal basis: Legitimate interests

3.4.4 Event Logging

  • Authentication logs (successful/failed login attempts)
  • Password change logs
  • 2FA activation/deactivation logs
  • Account creation/deletion logs
  • Email change logs
  • API request logs (for error diagnosis)

Log retention period: 90 days

3.5 Communication Data

3.5.1 Email Communication

Types of email messages:

  • Email verification during registration
  • Password recovery
  • Email change confirmation
  • Two-factor authentication codes
  • Security settings change notifications
  • Administrator notifications regarding profile/program verification

Mailing service:

  • We use a professional email service for reliable message delivery

Data stored:

  • Recipient email address
  • Sending time
  • Delivery status
  • Message type

Purpose of collection: User communication, ensuring account security

Legal basis: Contract performance, legitimate interests

3.5.2 Administrative Messages

  • Administrator messages regarding verification status
  • Program/profile rejection notifications with reasons
  • Requests for additional information

3.6 User Preference Data (Favorites)

Saved items:

  • Saved funding programs
  • Saved business profiles
  • Saved donor profiles
  • Saved consultant profiles
  • Saved community profiles
  • Saved state enterprise profiles
  • Saved state body profiles

Data stored:

  • User ID (user reference)
  • Entity ID (saved item ID)
  • Date added to favorites
  • Deletion date (soft delete)
  • Add count (add_count)

Purpose of collection: Providing personalized experience, quick access to saved items

Legal basis: Contract performance, user consent

3.7 Files and Media Content

  • Organization logos (PNG, JPG, SVG)
  • User avatars
  • Program images (featured images)
  • Program documents (PDF and other formats)
  • Blog article images

Storage: Secure file management system with backup

Purpose of collection: Visual representation of profiles, programs, content

Legal basis: Contract performance, user consent

3.8 Two-Factor Authentication Data (2FA)

  • 2FA enabled status (enabled/disabled)
  • 2FA method (email)
  • Verification codes (temporary, deleted after use)
  • 2FA activation/deactivation history

Code retention period: 10 minutes

Purpose of collection: Enhancing account security

Legal basis: User consent, legitimate interests

4. LEGAL BASIS FOR DATA PROCESSING

4.1 Consent (Art. 6(1)(a) GDPR)

You provide explicit consent to process your personal data when you:

  • Register on the platform
  • Fill out your organization profile
  • Create funding programs
  • Upload files (logos, documents)
  • Activate additional features (2FA, favorites)

4.2 Contract Performance (Art. 6(1)(b) GDPR)

Processing is necessary for:

  • Creating and managing your account
  • Providing access to platform functionality
  • Publishing your profile/programs
  • Ensuring interaction between users

4.3 Legitimate Interests (Art. 6(1)(f) GDPR)

  • Ensuring platform security
  • Preventing fraud and abuse
  • Analyzing platform usage to improve functionality
  • Diagnosing technical problems

4.4 Compliance with Legal Obligations (Art. 6(1)(c) GDPR)

  • Storing data for accounting and tax purposes
  • Providing data to authorized bodies upon official request

5. PURPOSES OF PERSONAL DATA PROCESSING

5.1 Platform Service Provision

  • Account creation and management
  • User authentication and authorization
  • Publishing organization profiles
  • Publishing funding programs
  • Content search and filtering
  • Saving favorite items

5.2 User Communication

  • Sending verification emails
  • Account access recovery
  • Account change notifications
  • Administrative messages
  • Support request responses

5.3 Security and Protection

  • Detecting and preventing unauthorized access
  • User session management
  • Two-factor authentication
  • Suspicious activity monitoring
  • Protection from automated attacks (bots)

5.4 Analytics and Service Improvement

  • Tracking program and profile popularity
  • Search query analysis
  • Functionality optimization
  • Technical problem detection
  • User experience improvement

5.5 Legal Obligations

  • Data storage in accordance with legislation
  • Providing information to authorized bodies
  • Executing court decisions

6. TRANSFER AND DISCLOSURE OF PERSONAL DATA

6.1 Internal Use

Access to your personal data is granted to:

  • Platform administrators (limited access for moderation)
  • Technical support (for problem solving)
  • Developers (for diagnostics and bug fixing)

Minimization principle: Access is granted only to the extent necessary to perform functions

6.2 Third Parties - Data Processors

6.2.1 Hosting and Infrastructure

Render.com

Data transferred: All web application and database data

Server location: USA/EU

Purpose: Web application and database hosting

Security guarantees: SOC 2 Type II certification, data encryption, automatic backups

Cloudflare

Data transferred: IP addresses, technical request data, content cache

Purpose: CDN, DDoS protection, performance optimization, DNS

Security guarantees: International server network, SSL/TLS encryption, cyberattack protection

6.2.2 Analytics

Google Analytics

Data transferred: Anonymized data about visits, user behavior on site

Purpose: Traffic analysis, user experience improvement

Security guarantees: GDPR-compliant, IP address anonymization

6.2.3 Email Service

Data transferred: Email addresses, names, message content

Purpose: Sending transactional email messages

Security guarantees: We use certified services complying with international security standards

6.2.4 Content Management System

Data transferred: All user, profile, program, and content data

Purpose: Database management, API, administrative panel

Security guarantees: Connection encryption, access control, regular backups

6.3 Public Information

Information that is public by default:

  • Organization name (all profile types)
  • Activity description
  • Organization contact details (if specified)
  • Organization location
  • Public profile information
  • Funding programs (if status is "published")

Information that remains private:

  • Login email (personal user email)
  • Password (stored in hashed form)
  • IP addresses and technical data
  • Session history
  • Saved items (favorites)
  • Program drafts

6.4 Disclosure by Legal Requirement

We may disclose your personal data:

  • At the request of authorized state bodies of Ukraine
  • By court decision
  • To protect the rights and security of the platform
  • When investigating fraud or abuse

Principle: Disclosure occurs only to the minimum extent necessary

6.5 International Data Transfer

If data is transferred outside Ukraine/EU, we ensure:

  • Use of Standard Contractual Clauses (SCC)
  • Verification of data protection level adequacy
  • Additional technical protection measures (encryption)

7. PERSONAL DATA SECURITY

7.1 Technical Security Measures

7.1.1 Encryption

  • Passwords: Stored using modern hashing algorithms with high-level protection
  • Data transmission: Protected HTTPS connection with modern encryption
  • Database: Encrypted connections and access-level protection
  • Sessions: Secure session tokens with encryption

7.1.2 Authentication and Access Control

  • Role and permission system
  • Two-factor authentication (2FA)
  • Session management with forced logout capability
  • Failed login attempt limitation
  • Automatic termination of inactive sessions

7.1.3 Application-Level Protection

  • Secure authentication system with user verification
  • Access control to different platform sections
  • Protection against CSRF attacks (cross-site request forgery)
  • Protection against XSS attacks (cross-site scripting)
  • Request rate limiting to prevent abuse
  • Protection against SQL injections and other attack types

7.1.4 Network Security

  • Infrastructure-level firewall
  • DDoS protection (Cloudflare)
  • Suspicious activity monitoring
  • System access logging

7.2 Organizational Measures

7.2.1 Data Access

  • Principle of least privilege
  • Role-based authorization
  • Administrator access logging
  • Periodic access reviews
  • NDA for employees with data access

7.2.2 Backup

  • Automatic daily database backups
  • Backup encryption
  • Storing backups on separate servers
  • Regular recovery testing

7.2.3 Monitoring and Response

  • 24/7 security monitoring
  • Logging all critical events
  • Security incident response plan
  • Breach notification procedure

7.3 Security Policies

  • Password policy (minimum 8 characters, complexity)
  • Regular security audits
  • Software updates
  • Periodic vulnerability testing

8. PERSONAL DATA RETENTION PERIODS

8.1 Active Accounts

Term: Unlimited while account is active

Data stored:

  • Profile information
  • History of created programs
  • Saved items (favorites)
  • Account settings

8.2 After Account Deletion

Term: 30 days (recovery period)

Actions after 30 days:

  • Complete deletion of personal data
  • Log anonymization (removing link to user_id)
  • Deletion of user files (avatars, documents)

Data that remains:

  • Anonymized statistics (without identification possibility)
  • Published programs (with link to author removed)

8.3 Sessions

Term: 30 days from last activity

Automatic cleanup: Deletion of outdated sessions every 24 hours

8.4 Security Logs

Term: 90 days

Data stored:

  • Authentication logs
  • Password change logs
  • 2FA activation/deactivation logs
  • API logs (for diagnostics)

8.5 Email Communication Metadata

Metadata retention period:

  • Delivery status: 7 days
  • Sending history: 30 days

Note: Message content is not stored after delivery

8.6 Backups

Term: 30 days

Automatic deletion: Backups older than 30 days are automatically deleted

8.7 Legal Requirements

In case of court proceedings or investigations, data may be stored longer in accordance with Ukrainian legislation requirements.

9. USER RIGHTS (GDPR AND UKRAINIAN LAW)

9.1 Right to Access

What you can do:

  • Obtain a copy of all your personal data
  • Find out what data we process
  • Obtain information about processing purposes

How to exercise:

  • Send a request to email: info@egrants.com.ua

Response time: 30 days

9.2 Right to Rectification

What you can do:

  • Correct inaccurate data
  • Complete incomplete data

How to exercise:

  • Directly through Settings → Profile
  • Send a request to email: info@egrants.com.ua

Execution time: Immediately (for editing through interface) or 30 days (for request)

9.3 Right to Erasure

What you can do:

  • Delete your account
  • Delete all personal data

How to exercise:

  • Send a request to email: info@egrants.com.ua

Process:

  1. Deletion confirmation (email or 2FA)
  2. 30-day recovery period (soft delete)
  3. Complete deletion after 30 days

Restrictions: Data may be retained if there are legal obligations

9.4 Right to Restriction of Processing

What you can do:

  • Restrict processing of your data in certain cases
  • Block account without deletion

How to exercise:

  • Send a request to email: info@egrants.com.ua

Execution time: 30 days

9.5 Right to Data Portability

What you can do:

  • Receive your data in structured format
  • Transfer data to another service

How to exercise:

  • Send a request to email: info@egrants.com.ua

Format: JSON file with all your data

9.6 Right to Object

What you can do:

  • Object to data processing based on legitimate interests
  • Opt out of analytics

How to exercise:

  • Send a request to email: info@egrants.com.ua

9.7 Right Not to Be Subject to Automated Decision-Making

Guarantee: We do not use fully automated decision-making systems that have legal consequences for you.

Note: Content moderation is performed manually by administrators.

9.8 Right to Lodge a Complaint

Where to complain:

Ukraine: Commissioner of the Verkhovna Rada of Ukraine for Human Rights

EU (for EU residents): Your national data protection authority

9.9 Withdrawal of Consent

What you can do:

  • Withdraw consent to data processing at any time

How to exercise:

  • Settings → Withdraw Consent
  • Delete account

Consequences: We will stop processing your data (except when other legal bases exist)

10. PROTECTION OF MINORS' DATA

10.1 Age Restrictions

Minimum age: 16 years (in accordance with GDPR)

Ukraine: 14 years with parental/guardian consent

10.2 Policy Regarding Minors

  • We do not knowingly collect data from children under 16 without parental consent
  • Upon discovering a minor's account without parental consent, we delete it

10.3 Reporting About Minors

If you believe a minor has created an account without parental consent, please notify us: info@egrants.com.ua


11. COOKIES AND SIMILAR TECHNOLOGIES

11.1 What Are Cookies

Cookies are small text files stored in your browser.

11.2 Types of Cookies We Use

11.2.1 Necessary Cookies

Purpose: Site functionality

List:

  • site_access - Site access (password protection)
    Term: Until browser exit
    Purpose: Checking access to protected site
  • Session cookies - Authentication
    Term: 30 days
    Purpose: Maintaining user session for convenience and security

Legal basis: Contract performance (cannot be disabled)

11.2.2 Functional Cookies

Purpose: Experience enhancement

List:

  • locale - Language settings
    Term: 1 year
    Purpose: Remembering chosen language (Ukrainian/English)
    Disable: Possible, but site will use default language

Legal basis: Consent / Legitimate interests

11.2.3 Analytical Cookies

Currently: We do not use third-party analytical cookies (Google Analytics, etc.)

Own analytics:

  • View tracking (without cookies, server-side)
  • Content popularity counters

11.3 Local Storage

What is stored:

  • Interface settings
  • Temporary form data (autosave)
  • Session data

Control: You can clear LocalStorage through browser settings

11.4 Cookie Management

11.4.1 Through Browser

  • Chrome: Settings → Privacy and Security → Cookies
  • Firefox: Settings → Privacy & Security → Cookies
  • Safari: Preferences → Privacy → Cookies
  • Edge: Settings → Privacy → Cookies

11.4.2 Consequences of Disabling Cookies

  • Necessary cookies: Site will not function
  • Functional cookies: Loss of settings (language, theme)

11.5 "Do Not Track" Signal

We respect the DNT signal and do not track users with DNT enabled.


12. CHANGES TO PRIVACY POLICY

12.1 Change Notification

When making changes to this Policy, we will notify you via:

  • Email notification (for registered users)
  • Banner on site (for all visitors)
  • Updating "Last Updated" date

12.2 Significant Changes

In case of significant changes (e.g., new data categories, new data processors), we will ask for your renewed consent.

12.3 Archive of Previous Versions

Previous versions of the Privacy Policy are available upon request: info@egrants.com.ua

13. SPECIAL PROVISIONS FOR DIFFERENT USER TYPES

13.1 Organizations

Additional obligations:

  • Ensure accuracy of provided organization data
  • Obtain consent from organization to publish its data
  • Not violate intellectual property rights (logos, etc.)

Responsibility:

  • For content of published programs and profile information
  • For contact details specified in profile

13.2 Administrators and Moderators

Special access rights:

  • Viewing all profiles and programs
  • Content moderation
  • Access to statistics

Duties:

  • User data confidentiality
  • Preventing abuse of access rights
  • Adhering to access minimization principle

Responsibility: Administrators bear personal responsibility for unauthorized use of data access

13.3 Visitors Without Registration

Data collected:

  • Technical data (IP, User Agent)
  • Cookies (only site_access and locale)
  • Access logs

Restrictions: No access to personalized functions (favorites, program creation)


14. INTERNATIONAL USERS

14.1 Users from Ukraine

Applicable legislation:

  • Law of Ukraine "On Personal Data Protection"
  • Constitution of Ukraine
  • Civil Code of Ukraine

Supervisory authorities:

  • Commissioner of the Verkhovna Rada of Ukraine for Human Rights

14.2 Users from EU (GDPR)

Applicable:

  • General Data Protection Regulation (GDPR)
  • National legislation of EU member state

Supervisory authorities:

  • Your national data protection authority

EU Representative: Will be appointed if necessary

14.3 Other Jurisdictions

For users from other countries, GDPR provisions apply as the most protective of rights.


15. ADDITIONAL PROVISIONS

15.1 Business Transfer

In case of sale, merger, or business transfer:

  • Your personal data may be transferred to the new owner
  • The new party must comply with this Privacy Policy
  • We will notify you at least 30 days before the transfer

15.2 Anonymous Data

We may create anonymous data based on your personal data:

  • Platform usage statistics
  • Analytical reports
  • Trends and insights

Guarantee: Anonymous data does not allow identification of you

15.3 Liability for Links

Our platform may contain links to third-party sites (e.g., organizations' social networks).

We are not responsible for:

  • Privacy policies of third-party sites
  • Data processing on third-party resources

Recommendation: Familiarize yourself with third-party sites' privacy policies before providing them with personal data

15.4 Force Majeure

We are not liable for data security breaches in cases of force majeure:

  • Natural disasters
  • Military actions
  • Cyber attacks that cannot be prevented
  • Other circumstances of insurmountable force

Obligation: We will notify you of the incident within 72 hours

16. FREQUENTLY ASKED QUESTIONS (FAQ)

Q1: Do you sell our data to third parties?

A: No. We never sell your personal data. We only transfer data to data processors (hosting, email service) to ensure platform functionality.

Q2: Who can see my login email?

A: Your login email is private and inaccessible to other users. The organization's public email (if you specified one) is displayed in the profile.

Q3: What happens to my programs after account deletion?

A: Published programs will remain on the platform, but the link to your account will be removed. Program drafts will be deleted.

Q4: Do you use artificial intelligence to analyze my data?

A: Currently, we do not use AI/ML for automated decision-making regarding users.

Q5: How long are my sessions stored?

A: Active sessions are stored for 30 days from last activity. You can forcibly terminate sessions through Settings → Sessions.

Q6: Can I use the platform anonymously?

A: You can view content without registration, but creating a profile/programs requires registration with email.

Q7: What is EDRPOU and why is it needed?

A: EDRPOU is a unique organization code in Ukraine. It is necessary for organization verification and preventing duplicates.

Q8: Is my data transfer protected?

A: Yes. All data is transferred via protected HTTPS connection with TLS 1.3 encryption.

Q9: How often do you update software?

A: We regularly update software to fix vulnerabilities and improve security.


17. CONTACT INFORMATION

17.1 General Information

Email: info@restateinitiative.org

17.2 Technical Support

Email: info@egrants.com.ua

17.3 Privacy and Data Protection Inquiries

Email: info@egrants.com.ua

17.4 Response Time

  • General inquiries: Within 2 business days
  • Personal data requests: Within 30 days (in accordance with GDPR)
  • Urgent security issues: Within 24 hours

18. USER CONSENT

By using the eGrants platform, you confirm that:

☑ You have read this Privacy Policy

☑ You understand what data we collect and how we use it

☑ You agree to the terms of processing your personal data

☑ You are aware of your rights and the possibilities of exercising them

☑ You have reached the age of 16 or have parental/guardian consent

Policy acceptance date: Automatically upon registration

Policy version: 1.0

Last updated: November 17, 2025


APPENDIX: GLOSSARY OF TERMS

Personal data - any information relating to an identified or identifiable natural person.

Data processing - any action with personal data: collection, recording, storage, modification, use, transfer, destruction.

Data administrator - organization that determines the purposes and means of personal data processing (NGO "RISTATE").

Data processor - organization that processes data on behalf of the administrator.

GDPR - General Data Protection Regulation (EU).

2FA - Two-Factor Authentication.

Cookie - small text file stored in the browser.

Favorites - list of user's saved items.

EDRPOU - Unified State Register of Enterprises and Organizations of Ukraine.




This document is compiled in accordance with the requirements of:

  • General Data Protection Regulation (GDPR) - EU Regulation 2016/679
  • Law of Ukraine "On Personal Data Protection" (No. 2297-VI)
  • Constitution of Ukraine (Article 32 - right to privacy)

If you have questions regarding this Privacy Policy, please contact us: info@egrants.com.ua
