Skip to main content

Privacy Policy

How CROWN collects, processes, and protects personal data for website visitors, research participants, subscribers, and donors under GDPR and nDSG.

Privacy Policy

Effective date: 2 March 2026 Last updated: 2 March 2026

CROWN (“we,” “us,” “our”) is committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, store, and protect personal data in connection with our website (crown.ngo), our research programmes, our newsletter, and our donation and partnership activities.

This policy is designed to comply with the European Union General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Swiss Federal Act on Data Protection (nDSG/nLPD), effective 1 September 2023.

1. Data Controller

The data controller responsible for processing your personal data is:

CROWN Association au sens des articles 60 et suivants du Code civil suisse c/o CROWN, Rue de la Tour-de-l’Ile 4 1204 Geneve, Switzerland

Contact: contact@crown.ngo

For data protection enquiries specifically, please write to contact@crown.ngo with “DATA PROTECTION” in the subject line.

2. What Data We Collect

2.1 Website Visitors

When you visit crown.ngo, we may collect:

  • Technical data: IP address (anonymised), browser type and version, operating system, referral source, pages visited, time and duration of visit
  • Cookie data: See Section 7 (Cookies) below

Legal basis: Legitimate interest in maintaining website security, analysing usage patterns, and improving our content (GDPR Art. 6(1)(f); nDSG Art. 31(1)).

2.2 Research Participants

If you participate in CROWN’s research programmes, we may collect:

  • Identifying data: Name (if provided — participation may be anonymous or pseudonymous), email address, country of residence, age range
  • Research data: Survey responses, hair type self-assessment, experiences of discrimination, psychosocial measures (e.g., PHQ-9, GAD-7, Rosenberg Self-Esteem Scale responses)
  • Diagnostic data: If you undergo a CROWN Diagnostic assessment, sensor-derived hair measurements including fibre diameter, porosity, hydration, and related properties

Legal basis: Explicit consent (GDPR Art. 6(1)(a); nDSG Art. 31(1)). Participation in research is always voluntary. Consent may be withdrawn at any time without consequence.

Special category data: Some research data may constitute special category data under GDPR Art. 9 (data revealing racial or ethnic origin). We process such data only with your explicit consent (GDPR Art. 9(2)(a)) and in compliance with applicable ethical review board requirements.

2.3 Newsletter Subscribers

If you subscribe to CROWN’s newsletter, we collect:

  • Contact data: Email address
  • Engagement data: Open rates, click-through rates (aggregated and anonymised)

Legal basis: Consent (GDPR Art. 6(1)(a)). You may unsubscribe at any time via the link in any newsletter email or by contacting contact@crown.ngo.

2.4 Story Submissions

If you share your story with CROWN, we collect:

  • Identifying data: Name (optional), country of residence, age range
  • Experience data: Your written account of hair-based discrimination

Legal basis: Consent (GDPR Art. 6(1)(a)). You choose what to share and whether to identify yourself. Consent for use in publications is separately requested and optional.

2.5 Donors and Partners

If you support CROWN financially or enter into a partnership, we collect:

  • Identifying data: Name, organisation (if applicable), email address, postal address
  • Financial data: Transaction records (amount, date, payment method). CROWN does not store credit card numbers or bank account details directly — these are processed by our payment service provider.

Legal basis: Performance of a contract or pre-contractual measures (GDPR Art. 6(1)(b)) and legal obligation for financial record-keeping (GDPR Art. 6(1)(c); Swiss Code of Obligations Art. 958).

2.6 Contact Form and Email Enquiries

If you contact CROWN via email or a website form, we collect:

  • Contact data: Name, email address, and the content of your communication

Legal basis: Legitimate interest in responding to enquiries (GDPR Art. 6(1)(f)).

3. How We Use Your Data

We use personal data exclusively for the following purposes:

  • Operating and improving the crown.ngo website
  • Conducting and publishing academic research on identity-based discrimination
  • Sending newsletter communications to subscribers
  • Processing donations and issuing tax receipts
  • Responding to enquiries and press requests
  • Complying with legal obligations (financial record-keeping, regulatory reporting)
  • Aggregating anonymised data for the CROWN Discrimination Index and CROWN Hair Commons

We do not sell personal data. We do not use personal data for commercial marketing. We do not share personal data with third parties for their marketing purposes.

4. Data Sharing

We may share personal data with the following categories of recipients, and only to the extent necessary:

  • Academic research partners (University of Geneva, ETH Zürich) — anonymised or pseudonymised research data only, under data sharing agreements that require equivalent data protection standards
  • Service providers — hosting providers, email delivery services, and payment processors, all of which are contractually bound to process data only on our instructions and to maintain appropriate security measures
  • Legal authorities — if required by law, court order, or regulatory obligation

We do not transfer personal data outside the European Economic Area or Switzerland unless the recipient country provides an adequate level of data protection (as determined by the European Commission or the Swiss Federal Council) or appropriate safeguards are in place (e.g., Standard Contractual Clauses).

5. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected:

Data CategoryRetention Period
Website analytics26 months (anonymised)
Research participant dataDuration of the research programme + 10 years (standard academic retention)
Newsletter subscriber dataUntil unsubscription, then deleted within 30 days
Story submissionsDuration of the research programme + 10 years, or until deletion is requested
Donor records10 years (Swiss legal requirement under CO Art. 958)
Contact enquiries2 years after last communication

At the end of the retention period, personal data is securely deleted or irreversibly anonymised.

6. Your Rights

Under GDPR and Swiss nDSG, you have the following rights regarding your personal data:

  • Right of access (GDPR Art. 15; nDSG Art. 25) — request a copy of the personal data we hold about you
  • Right to rectification (GDPR Art. 16; nDSG Art. 32) — request correction of inaccurate personal data
  • Right to erasure (GDPR Art. 17; nDSG Art. 32) — request deletion of your personal data, subject to legal retention obligations
  • Right to restriction (GDPR Art. 18) — request that we restrict processing of your personal data in certain circumstances
  • Right to data portability (GDPR Art. 20; nDSG Art. 28) — receive your personal data in a structured, machine-readable format
  • Right to object (GDPR Art. 21; nDSG Art. 32) — object to processing based on legitimate interest
  • Right to withdraw consent (GDPR Art. 7(3); nDSG Art. 31) — withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal

To exercise any of these rights, contact contact@crown.ngo with “DATA PROTECTION” in the subject line. We will respond within 30 days.

7. Cookies

CROWN.ngo uses only technically necessary cookies required for website functionality (e.g., language preference, session management). We do not use tracking cookies, advertising cookies, or third-party analytics cookies that require consent under GDPR.

If we introduce analytics tools in the future, we will update this policy and implement a cookie consent mechanism prior to deployment.

8. Data Security

CROWN implements appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest for sensitive datasets
  • Access controls limiting data access to authorised personnel
  • Regular security assessments
  • Secure deletion procedures for data that has reached its retention limit

9. Research Ethics

CROWN’s research programmes are conducted in accordance with the Declaration of Helsinki (World Medical Association) and applicable Swiss and European research ethics requirements. Research involving human participants is subject to ethical review. Participation is always voluntary, informed consent is obtained prior to data collection, and participants may withdraw at any time without consequence.

10. Supervisory Authority

If you believe CROWN has not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern. edoeb.admin.ch
  • European Union: The data protection authority in your country of residence. A list is available at edpb.europa.eu

11. Changes to This Policy

CROWN may update this privacy policy to reflect changes in our data processing practices or applicable law. Material changes will be communicated via our website and, where appropriate, by email to affected individuals. The “Last updated” date at the top of this policy indicates the most recent revision.

12. Contact

For questions, concerns, or requests regarding this privacy policy or CROWN’s data protection practices:

CROWN c/o CROWN, Rue de la Tour-de-l’Ile 4 1204 Geneve, Switzerland Email: contact@crown.ngo Subject line: “DATA PROTECTION”

Stay informed on our research and advocacy

Quarterly updates on discrimination research, legislative developments, and clinical programmes.