Privacy Policy

1. Identity of the Organisation and Data Controller

THE HAPPINESSWEB is a Private Stichting (besloten stichting / fondation privée) incorporated under Belgian law, dedicated to inclusive entrepreneurship, social impact, and the structured exchange of knowledge, experience, and insight — an approach we refer to internally as KEI.

As the entity that determines the purposes and means of the personal data processing described in this Privacy Policy, THE HAPPINESSWEB acts as the Data Controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (the “GDPR”).

• Registered name: THE HAPPINESSWEB Private Stichting
• Legal form: Private Stichting (besloten stichting) — Belgian law
• Country of establishment: Belgium
• Data Protection contact: privacy@thehappinessweb.com
• Website: https://www.thehappinessweb.com & https://www.thehweb.com

Correspondence addressed to the above contact will be treated with the same confidentiality and care we extend to all aspects of our work.

2. Our Philosophy: Privacy by Design

THE HAPPINESSWEB was founded on principles of ethical, human-centred innovation. Our approach to personal data is an extension of those principles, not a legal afterthought. We pursue a deliberate privacy-by-design architecture, which means:

• we collect only the personal data that is strictly necessary for a legitimate, documented purpose;
• we do not operate an advertising ecosystem, engage in behavioural profiling, or sell personal data under any circumstances;
• we actively seek to minimise the number of cookies and tracking technologies placed on visitors’ devices;
• we apply data minimisation and purpose limitation as active design constraints, not merely as compliance boxes to be ticked;
• we prefer EU-based or EU-adequate infrastructure where this is technically and commercially feasible.

We recognise that no digital infrastructure is entirely free of data processing. This Privacy Policy is an honest account of the processing that does occur, the reasons for it, and the rights available to you. Where we consider that a processing activity is not strictly necessary, our preference is not to implement it at all.

3. Scope of this Privacy Policy

This Privacy Policy applies to:

• visitors to our website at https://www.thehappinessweb.com (the “Website”);
• individuals who contact us directly by electronic or other means;
• authenticated administrators of the Website who access back-end management functionality.

It does not govern the processing of personal data by third-party websites or services that may be hyperlinked from our Website. We encourage you to consult the privacy notices of any third-party services you access independently.

4. Categories of Personal Data We Process

We process the following categories of personal data, depending on the context of the interaction:

4.1 Data relating to public visitors

When you visit the Website, our hosting and security infrastructure may automatically process certain technical data. This includes:

• your IP address (processed transiently by our content delivery network for security and routing purposes);
• technical parameters of your HTTP request (browser type, operating system, referring URL, requested resource, timestamp) as recorded in standard infrastructure logs.

This processing occurs automatically as a consequence of how the internet operates. We do not use this data to build profiles of individual visitors, and it is — to our knowledge — not associated with any persistent identifier.

4.2 Data relating to direct correspondence

If you contact us by e-mail or through any contact facility we may provide, we will process the personal data you provide — typically your name, e-mail address, and the content of your message — for the purpose of responding to your inquiry. We retain correspondence for as long as reasonably necessary to address the matter raised.

4.3 Data relating to authenticated administrators

Our Website includes a password-protected administrative back-end, accessible to a small number of authorised persons. Authentication is managed through Supabase Auth. When an administrator logs in, authentication session data (including session tokens) may be stored in the browser’s localStorage or sessionStorage mechanisms. This data is confined to the administrator’s own device and browsing session, and is not accessible to ordinary visitors or third parties.

Supabase Auth processes authentication data as a data processor on our behalf, pursuant to a data processing agreement. Supabase’s infrastructure is designed to be GDPR-compliant, and relevant standard contractual safeguards apply.

4.4 Data we do not collect

For the avoidance of doubt, we do not collect or process:

• financial or payment data;
• special categories of personal data within the meaning of Article 9 GDPR;
• data relating to children as a targeted audience;
• data obtained from third-party data brokers or commercial data sources.

5. Cookies and Similar Technologies

THE HAPPINESSWEB has consciously designed its Website to avoid the use of marketing, analytics, profiling, or retargeting cookies. We do not operate Google Analytics, Meta Pixel, Google Tag Manager, or any equivalent service. We do not embed social media widgets, or advertising networks. We do not engage in cross-site tracking.

5.1 Strictly necessary infrastructure cookies

Our Website is hosted through infrastructure that includes Cloudflare’s content delivery and security network. In this context, Cloudflare may automatically set the following strictly necessary cookies on your device:

__cf_bm — A bot-management cookie set by Cloudflare to distinguish between human visitors and automated traffic. It contains an encrypted value and expires within 30 minutes of inactivity. It does not track browsing activity across sites and is not used for advertising purposes.

cf_clearance (occasional) — A security cookie that may be set when Cloudflare’s security systems have challenged a request, confirming that the challenge has been successfully completed. It does not identify you personally across websites and expires within 30 minutes to 24 hours depending on the security context.

These cookies are strictly necessary for the security and integrity of the Website’s infrastructure. Under Belgian law implementing the ePrivacy Directive (Article 129 of the Act of 13 June 2005 on electronic communications, as amended) and Recital 25 of the ePrivacy Directive, strictly necessary cookies do not require prior informed consent. We nonetheless disclose them here in the spirit of full transparency.

5.2 Our commitment to cookie minimisation

We are committed to a policy of continuous review and reduction of any technologies that process personal data unnecessarily. Our objective is that a public visitor to the Website should receive, at most, the minimal strictly necessary infrastructure cookies described above. We do not regard this as a floor; we regard it as a ceiling.

5.3 No consent management platform required

Because we do not operate any non-essential cookies, we do not at present operate a consent management platform (CMP) or cookie banner for obtaining prior consent. Should our technical architecture change in a manner that introduces non-essential cookies, we will implement appropriate consent mechanisms at that time.

5.4 Font delivery

We self-host all typographic assets used on the Website, thereby avoiding outbound requests to external font services (such as Google Fonts or Adobe Fonts) that may result in the incidental transmission of visitor IP addresses to third-party servers.

6. Purposes and Legal Bases for Processing

Each processing activity carried out by THE HAPPINESSWEB rests on a specific legal basis within the meaning of Article 6 GDPR.

Delivery and security of the Website

Purpose: to serve the Website to your device, mitigate security threats, prevent denial-of-service attacks, and maintain infrastructure integrity. Legal basis: Legitimate interests pursuant to Article 6(1)(f) GDPR.

Response to direct correspondence

Purpose: to read, assess, and respond to communications addressed to us. Legal basis: Legitimate interests pursuant to Article 6(1)(f) GDPR, or, where the correspondence relates to a pre-contractual relationship, Article 6(1)(b) GDPR.

Administration of authenticated back-end access

Purpose: to authenticate authorised administrators and maintain secure access to administrative functionality. Legal basis: Legitimate interests pursuant to Article 6(1)(f) GDPR.

Compliance with legal obligations

Purpose: to comply with applicable legal or regulatory obligations. Legal basis: Legal obligation pursuant to Article 6(1)(c) GDPR.

We do not carry out any processing based on consent at this time, save insofar as strictly necessary cookies are concerned (where consent is not required by applicable law).

7. Infrastructure Processing and Third-Party Providers

7.1 Cloudflare, Inc.

Cloudflare provides content delivery network (CDN), DDoS mitigation, and bot-management services. As noted in Section 5, Cloudflare may place strictly necessary security cookies on visitors’ devices. Cloudflare processes infrastructure data (including IP addresses and HTTP request metadata) as part of its security functions. Cloudflare, Inc. is a United States-domiciled entity and maintains EU data processing agreements, Standard Contractual Clauses, and participates in relevant EU-US data transfer frameworks. See: cloudflare.com/privacypolicy

7.2 Supabase (for authenticated administrators only)

Supabase is a database and authentication platform used exclusively for the management of authenticated administrative accounts. No visitor-facing data is processed through Supabase. See: supabase.com/privacy

7.3 Website hosting platform (Lovable)

Our Website is deployed through Lovable, a web application deployment platform. As our hosting provider, Lovable may process technical data (including IP addresses and request logs) in the course of serving the Website. Lovable acts as a processor on our behalf.

Save for the providers described above, we do not share personal data with any third party, unless we are required to do so by law or by order of a competent authority.

8. International Transfers of Personal Data

Our preference is to process personal data within the European Economic Area (EEA). Where processing by the third-party providers described in Section 7 results in transfers of personal data to countries outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2)(c) GDPR, or Adequacy decisions adopted pursuant to Article 45 GDPR, where applicable.

9. Retention of Personal Data

We retain personal data only for as long as is necessary for the purpose for which it was collected, taking into account applicable legal obligations and our legitimate operational requirements.

• Infrastructure logs — Retained in accordance with Cloudflare’s standard retention policies (typically hours to days).
• Direct correspondence — Retained for the duration of the relevant matter and a reasonable period thereafter, typically not exceeding three (3) years.
• Administrator authentication data — Session tokens are browser-managed and cleared upon session termination. Administrative account data is retained while the account is active.
• Legal compliance data — Retained as required by the applicable legal obligation.

10. Your Rights as a Data Subject

As a data subject within the European Economic Area, you enjoy the following rights under Chapter III of the GDPR: right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction (Art. 18), right to data portability (Art. 20), right to object (Art. 21), and the right not to be subject to solely automated decision-making (Art. 22).

We confirm that we do not engage in automated individual decision-making, including profiling, that produces legal or similarly significant effects concerning any individual.

To exercise any of these rights, please contact us at privacy@thehappinessweb.com. We will respond within one calendar month of receipt.

11. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority. As a Belgian organisation, our lead supervisory authority is:

Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Drukpersstraat 35 / Rue de la Presse 35, 1000 Brussels, Belgium
Website: gegevensbeschermingsautoriteit.be
E-mail: contact@apd-gba.be · Tel: +32 (0)2 274 48 00

12. Security Measures

• HTTPS/TLS encryption for all data transmitted between your browser and our Website;
• industry-standard security services provided by Cloudflare (DDoS mitigation, bot protection);
• role-based access control for administrative back-end functionality;
• periodic review of our technical infrastructure;
• the avoidance of unnecessary data collection, which is itself a form of security-by-design.

13. Profiling, Automated Decision-Making, and Advertising

THE HAPPINESSWEB does not engage in behavioural profiling, automated decision-making producing legal effects, interest-based or targeted advertising, retargeting, the sale of personal data, or participation in any programmatic advertising ecosystem. These reflect a principled position. We intend to remain outside the attention economy as a matter of organisational ethos.

14. Minors

Our Website is not directed at children under the age of 16 years. We do not knowingly collect personal data from individuals under this age.

15. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy. Material changes will be brought to your attention by means of a prominent notice on the Website and an update to the effective date.

16. Contact and Data Protection Inquiries

THE HAPPINESSWEB Private Stichting · Belgium
E-mail: privacy@thehappinessweb.com