top of page

AI Use & Data Protection Policy

Why this exists

Artificial intelligence tools can increase efficiency, but they also create significant risks for data security, confidentiality, intellectual property, and regulatory compliance.

Restore the Legacy treats data as a strategic asset.

Our impact models, donor information, project data, research, financial information, and partner relationships are core to the integrity and independence of our mission.

 

Many public AI tools store, process, or reuse input data. Once information is entered into these systems, control over that data can be lost.

 

This framework ensures that the use of AI never compromises confidentiality, security, or legal obligations, including the EU General Data Protection Regulation (GDPR / AVG).

 

 

Our principle
AI tools are not part of Restore the Legacy’s operational infrastructure.

Therefore: 
AI use must be minimized and never used for sensitive or internal data.

Non-negotiable rules
The following data may never be entered into AI tools under any circumstances:
 

Personal data
Any information related to an identifiable person, including but not limited to:

  • Donor information

  • Partner contacts

  • Employee data

  • Volunteer information

  • Village representatives

  • Government officials

  • Financial beneficiaries
     

Examples include names, email addresses, phone numbers, financial information, identity numbers, or location data.



Organisational data

Internal information about Restore the Legacy, including but not limited to:

  • Donor databases

  • Financial records

  • Internal strategy documents

  • Project proposals

  • Grant applications

  • Budgets and forecasts

  • Internal emails or communications

  • Governance documents


 

Partner and community data
Information related to:

  • Local Indonesian partners

  • Farmer cooperatives

  • Village governance structures

  • Land ownership or concession data

  • Commodity supply chains

  • Research collaborations


 

Environmental or project datasets

Operational datasets including but not limited to:

  • Satellite monitoring data

  • Biodiversity measurements

  • Soil samples or lab data

  • Reforestation mapping

  • Commodity yield information

  • Impact dashboards
     

* These datasets are part of our intellectual property and must remain fully controlled.


 

Public AI tools
Examples include but are not limited to:

  • ChatGPT

  • Claude

  • Gemini

  • Midjourney

  • DALL-E

  • Copilot

  • Fireflies

  • Perplexity


These systems must be treated as public environments. 
Anything entered may become:

  • Stored externally

  • Used for training

  • Processed by third-party infrastructure
     

Therefore Restore the Legacy data must never be entered.

Permitted AI use (limited)
AI tools may only be used for generic tasks that contain no internal information, for example:

  • Language polishing of fully public text

  • Brainstorming generic ideas

  • Grammar checking

  • Formatting help

  • Learning or research questions without internal context
     

All inputs must be fully anonymized and non-identifiable.

 

Intellectual property protection
Restore the Legacy develops unique systems, including:

  • Ecological restoration methodologies

  • Impact measurement models

  • Rainforest monitoring systems

  • Commodity transition models

  • Ecosystem restoration strategies

  • Impact data (dashboards)

  • App developments
     

These are part of the organisation’s intellectual capital.

Sharing such information with AI systems risks unintentional disclosure or replication.

Therefore these materials must never be uploaded or described in AI tools.

 

GDPR / AVG compliance
Under the EU General Data Protection Regulation, organisations must ensure that personal data:

  • Is processed lawfully

  • Remains secure

  • Is not shared with unauthorized processors

  • Is only processed with clear purpose and consent
     

Most public AI systems do not meet these requirements for organisational data processing. Entering personal data into such systems may therefore create legal liability and regulatory risk

 

 

Decision process for AI use
When in doubt, team members must assume AI use is not permitted.
If someone believes AI could be useful for a task, the following questions must be asked first:

  1. Does the task contain any internal data?

  2. Does it include any personal data?

  3. Could the information reveal strategy, partners, finances, or research?

  4. Could the input allow reconstruction of sensitive data?
     

If the answer to any of these questions is yes, AI may not be used.

 

Security culture
Everyone working with Restore the Legacy is responsible for protecting data.

Principles:

  • When in doubt, do not use AI

  • Protect donor trust and community relationships

  • Protect intellectual property

  • Protect partner confidentiality

  • Protect ecosystem data


Our credibility depends on responsible data stewardship.

 

Commitment
Restore the Legacy operates in a trust-based environment with donors, communities, and partners. Protecting information is essential to:

  • Safeguard our mission

  • Maintain legal compliance

  • Preserve intellectual independence

  • Protect the communities we work with


For this reason, AI use is intentionally restricted and must always prioritize security, confidentiality, and integrity.

 

Compliance with this policy falls under the responsibility of organisational leadership and may be periodically reviewed as part of Restore the Legacy’s internal governance and risk management processes.

Rainforest from top.jpg
Restore the Legacy works to restore and protect tropical rainforest ecosystems together with local communities and partners.

Learn more about our work

bottom of page