Privacy Policy — Lorner Research Center
Effective date: 2026-02-13
Contact for privacy enquiries and data subject requests: contact@lornerresearch.org
1. Scope
This policy explains how we collect, use, store, and delete personal data when you interact with this website (lorner.org). It covers:
- Contact form submissions
- Technical data recorded in server logs
- Website analytics collected via our self-hosted Matomo (On‑Premise) installation
2. Data we collect
2.1 Contact form data
- Full name
- Email address
- Message content
2.2 Technical data (server logs)
- IP address
- Date/time of request
- Requested URL
- User agent
- HTTP status
2.3 Analytics data (Matomo, self‑hosted)
- Anonymised IP address (IP masking applied on collection)
- Date/time of visit
- Pages viewed and navigation path
- Referrer URL
- Browser and device type
We collect only the data necessary for the purposes described in this policy.
3. Purposes and lawful bases
3.1 Contact form
Purpose: receive, manage and respond to enquiries
Lawful basis: legitimate interests (Article 6(1)(f) GDPR)
3.2 Website analytics
Purpose: improve site performance, content and security
Lawful bases:
- Where analytics require cookies (persistent or identifier cookies), we rely on user consent (Article 6(1)(a) GDPR). Analytics cookies are set only after you give consent via the cookie banner.
- For strictly technical, non‑cookie analytics and short‑term server logs used for operations and security, we rely on legitimate interests (Article 6(1)(f) GDPR).
We operate a cookie consent banner. Analytics cookies are set only after consent; technical logs required for security and operation are processed on legitimate interests. You may withdraw consent for cookies at any time via the banner or by removing the analytics cookie.
A Legitimate Interests Assessment (LIA) is maintained and available on request.
4. How we process data (contact form)
We process contact form submissions as follows:
- You submit a message via the contact form (processed by Tally.so)
- Tally sends an email notification to contact@lornerresearch.org (Zoho, EU data centre)
- Authorised staff review and, if necessary, respond to the message
- Messages and associated personal data are deleted according to the retention schedule set out below
5. Website analytics — Matomo (On‑Premise)
We use Matomo (self‑hosted on our EU server) for website analytics. Matomo is configured to respect the user’s Do Not Track (DNT) preference and to anonymise IP addresses prior to storage. Visitors may opt out via our cookie banner or Matomo’s opt‑out mechanism.
IP anonymisation and processing notes
- When our Matomo server receives a tracking request it initially receives the full IP address. With IP anonymisation enabled, Matomo processes the request in memory and masks the IP address before it is stored in Matomo’s database.
- Matomo can optionally use the full IP for geolocation lookup and then immediately apply the chosen masking before storage; the stored value is always the masked address.
- Full IP addresses may still exist in the web server logs maintained by the hosting provider — Matomo’s anonymisation applies only to data stored in Matomo itself.
- Location-based reports based on anonymised IPs may be less precise.
6. Opt‑out & Do Not Track
- Matomo is configured to respect Do Not Track. Visitors who have DNT enabled in their browser will not be tracked.
- Analytics cookies are set only after you give consent via the cookie banner. You may withdraw consent at any time via the banner or by deleting the analytics cookie.
- Matomo opt‑out mechanism: https://lorner.org/matomo/index.php?module=CoreAdminHome&action=optOut
7. Retention
- Contact form submissions: retained up to 60 days (deleted earlier by staff when no longer necessary)
- Matomo raw tracking data (non‑aggregated): retained 30 days
- Matomo aggregated, non‑identifying reports: retained up to 6 months
- Server logs: retained 30–60 days for operational and security purposes
- Backups: rolling backups retained up to 60 days; expired hosting backup copies may be retained by the host for up to 90 days in accordance with Hostinger’s policies
If you request deletion of personal data, we will delete data we control in accordance with these retention times and will request deletion of relevant data held by the host or processors.
8. Who can access data
Access to personal data is limited to authorised Lorner Research Center personnel who require it to perform their duties. Access to Matomo analytics data is restricted to authorised administrators.
9. Processors and hosting
We use the following service providers as data processors under the GDPR:
- Tally.so — contact form processor; stores all user data on secure servers located within the European Union. Submissions are deleted by staff within 60 days (DPA in place by default for users). More info: https://tally.so/help/data-processing-agreement
- Hostinger — website hosting on EU servers. A DPA is in place by default for users. https://www.hostinger.com/legal/dpa
- Zoho — email hosting (EU data centre; a DPA has been initiated for our account)
- Matomo (On‑Premise) — self-hosted analytics on our EU server. Because we host the data ourselves, we act as both data controller and processor, and a formal DPA with Matomo SAS is not applicable
10. International transfers
When personal data are transferred outside the EU/EEA, we ensure appropriate safeguards are in place (SCCs, adequacy, or other lawful transfer mechanisms). Contact us for a copy of any relevant safeguards.
11. Cookies and third‑party resources
The site loads limited third‑party resources (for example, Google Fonts and the Tally embed). Analytics cookies are set only after you give consent via the cookie banner. You can manage or block cookies through your browser settings.
12. Security
We use appropriate technical and organisational measures including HTTPS/TLS, access control, server security, and data minimisation. Processors we engage are contractually bound to implement suitable security measures.
13. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you
- Request rectification of inaccurate data
- Request erasure (the “right to be forgotten”)
- Request restriction of processing
- Object to processing based on legitimate interests
- Data portability where applicable
- Withdraw consent where processing is based on consent
- Lodge a complaint with a supervisory authority
14. Supervisory authority
Primary supervisory authority (Portugal): Comissão Nacional de Proteção de Dados (CNPD) — https://www.cnpd.pt. You may also complain to the data protection authority of your Member State.
15. Exercising your rights
To exercise your rights, contact contact@lornerresearch.org. We will respond within one month or, where permitted by law, inform you if an extension of up to two months is needed. For deletion requests involving host or processor copies, we will lodge deletion requests with the processor and inform you of the outcome.
16. Automated decision-making
We do not use automated decision-making or profiling based on contact form data or analytics.
17. Changes to this policy
We may update this policy. The current version posted on the website shows the effective date. Substantial changes will be announced on the site or by contact where required.