I’m no lawyer, but you do process data of EU citizens and through the foundation’s supporters and sponsors you are doing business in the EU. Wouldn’t it be better to be safe than sorry and at least contact your legal representation or the Spanish DPA to make sure you are in the clear? No offence, but thinking your disclosure is sufficient is probably not sufficient.