Privacy Policy

Preamble

This privacy policy explains which types of personal data (hereinafter referred to as "data") we process, for what purposes, and to what extent. It applies to all data processing operations carried out by us, including in connection with the provision of our services as well as via our websites, mobile applications, and external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").
The terminology used is gender-neutral.
Last updated: 24 October 2024

Controller
Maria Brosi / Coaching-with-Maria
Johan van der Keukenstraat 79D
1087 BC Amsterdam, The Netherlands
Email: contact@coaching-with-maria.com

Overview of Data Processing

Types of processed data:

• Master data

• Contact data

• Content data

• Usage data

• Meta, communication, and procedural data

• Log data

Categories of data subjects:

• Communication partners

• Users

Purposes of processing:

• Communication

• Security measures

• Organisational and administrative procedures

• Feedback

• Provision of the online offering and user experience

• IT infrastructure

Legal Basis for Processing
The following is an overview of the legal bases of the GDPR we rely on when processing personal data:

• Consent (Art. 6(1)(a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.

• Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract.

• Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party unless overridden by the interests or fundamental rights and freedoms of the data subject.

National Regulations – The Netherlands:
In addition to the GDPR, national data protection laws apply in the Netherlands, particularly the "Uitvoeringswet Algemene verordening gegevensbescherming" (UAVG).

Security Measures
We take appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with legal requirements. These measures include safeguarding data confidentiality, integrity, and availability by controlling physical and digital access, data input, transfer, availability, and separation.

We also implement procedures to ensure the exercise of data subject rights, deletion of data, and response to data incidents. Moreover, we consider data protection when designing or selecting hardware, software, and procedures based on the principles of privacy by design and by default.

TLS/SSL Encryption (HTTPS):
We use TLS/SSL encryption to protect data transmitted through our online services. When a site is secured via SSL/TLS, this is indicated by "https" in the browser's address bar.

Transfer of Personal Data
In the context of our processing, personal data may be transmitted to or disclosed to third parties (e.g., IT service providers or integrated service/content providers). In such cases, we comply with legal requirements and enter into data processing agreements as necessary.

International Data Transfers
If data is transferred to third countries outside the EU/EEA, we ensure this is done only in compliance with the GDPR. Transfers are based on:

• An adequacy decision (Art. 45 GDPR), or

• Standard Contractual Clauses (Art. 46(2)(c) GDPR), or

• Explicit consent or legal necessity (Art. 49 GDPR).

Information on current adequacy decisions and certified U.S. organisations under the EU-U.S. Data Privacy Framework (as of 10 July 2023) can be found at:
https://www.dataprivacyframework.gov/ and https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en

Data Retention and Deletion
We delete personal data according to legal requirements when the purpose for processing no longer applies, consent is withdrawn, or there is no other legal basis. Exceptions include statutory retention obligations or legitimate interests requiring longer storage.

Where multiple retention periods apply, the longest duration governs. If a period begins after a specific event and lasts at least one year, it starts at the end of the calendar year of that event. Data retained for legal reasons is only used for the purposes that justify the retention.

Data Subject Rights
Under the GDPR, data subjects have the following rights:

• Right to object (Art. 21 GDPR)

• Right to withdraw consent (Art. 7(3) GDPR)

• Right of access (Art. 15 GDPR)

• Right to rectification (Art. 16 GDPR)

• Right to erasure and restriction of processing (Art. 17, 18 GDPR)

• Right to data portability (Art. 20 GDPR)

• Right to lodge a complaint (Art. 77 GDPR)

Provision of Online Offering and Web Hosting
We process users’ data to provide our website and digital services. This includes IP addresses required to display content and functionalities.

Processed data: Usage data, meta/communication/procedural data, log data.
Data subjects: Users.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Hosting provider: We use external hosting services for infrastructure, storage, and software.

Log Files: Server log files (e.g., IP address, accessed pages, time of access, browser type) are used for security and system monitoring. Retention: up to 30 days unless required for evidence purposes.

Cookies
We use cookies to store and access information on users’ devices. Cookies serve functional, security, and analytical purposes.

Legal basis: Consent (Art. 6(1)(a) GDPR) or legitimate interests (Art. 6(1)(f) GDPR).
Types:

• Session cookies: Deleted when browser is closed.

• Persistent cookies: Remain on the device for up to two years.

Users can revoke consent at any time or opt out via browser settings.

Consent management: We use a consent management solution to collect, log, and manage user consents.

Contact and Inquiry Management
When users contact us (e.g., via email, contact form, phone, social media), we process their data to respond to inquiries and perform requested actions.

Processed data: Master data, contact data, content data, usage data, meta/communication/procedural data.
Legal basis: Contract performance (Art. 6(1)(b) GDPR) and/or legitimate interests (Art. 6(1)(f) GDPR).

Changes and Updates
We may update this privacy policy if changes in data processing make this necessary. In case of significant changes requiring user consent or notification, we will inform users accordingly.

Definitions
We use the following terms in accordance with the GDPR:

• Personal data: Any information relating to an identifiable individual.

• Processing: Any operation performed on personal data.

• Controller: The person or entity that determines the purposes and means of processing.

• Usage data: Data on how users interact with digital services.

• Contact data: Email, phone number, postal address, etc.

• Content data: Any text, media, or contributions provided by users.

• Meta/communication data: IP addresses, time stamps, identifiers, etc.

• Log data: System or access logs documenting events or interactions.

Generated using the free privacy policy generator by Dr. Thomas Schwenke (translated and adapted for English and EU legal compliance).