DATA PROTECTION POLICY

1. Introduction

1.1 Purpose of Policy

I collect and use certain personal information from clients and other individuals I may contact for professional purposes. This policy explains how that personal data is collected, stored, processed, and protected, in compliance with the General Data Protection Regulation (GDPR).

1.2 Policy Statement

I am committed to protecting your privacy and personal data. I aim to:

  • Comply with GDPR and other relevant laws.

  • Respect individuals’ rights regarding their personal data.

  • Be open and transparent about how data is used.

  • Ensure any third parties who process personal data on my behalf also comply with GDPR.

2. Personal Data I May Hold

I only collect personal data that is necessary and relevant for my work:

  • Basic contact details: name, email address, contact preferences.

  • Wellbeing information: voluntarily provided reflections, intentions, or responses to my short questionnaire (only if the client chooses to continue after a first session).

  • Marketing consent: explicit opt-in if you wish to receive my weekly newsletter.

I do not collect sensitive health data unless voluntarily shared in the context of holistic wellbeing sessions.

3. Data Protection Principles

I adhere to GDPR principles:

  1. Lawful, fair, and transparent – data is collected for specific, legitimate purposes and in clear, understandable ways.

  2. Purpose limitation – data is only used for the purposes stated (sessions, communications, newsletter).

  3. Data minimization – only necessary information is collected.

  4. Accuracy – data is kept accurate and up to date.

  5. Storage limitation – data is not kept longer than necessary.

  6. Integrity and confidentiality – data is kept secure against unauthorized access, loss, or misuse.

4. Responsibilities

I am the data controller and responsible for:

  • Documenting personal data held and its purpose.

  • Ensuring consent procedures are lawful.

  • Implementing security measures to protect personal data.

  • Monitoring and reviewing procedures to maintain GDPR compliance.

5. Data Recording, Security, and Storage

5.1 Accuracy and Relevance

Personal data is collected only when necessary and is used strictly for the stated purpose.

5.2 Security

  • Digital data is stored on password-protected, encrypted devices.

  • Cloud storage is secured with authenticator-app login verification and GDPR-compliant services.

  • Paper notes, if any, are stored securely and shredded when no longer needed.

  • Access is restricted to authorized personnel only.

5.3 Data Retention

Data is retained only as long as necessary to provide services and maintain records, generally up to 5 years after the last session or communication. After this, data is securely deleted.

6. Consent

  • Consent is obtained explicitly for any optional personal data collection, including:

    • Weekly newsletter subscription.

    • Completion of the optional questionnaire for continuing sessions.

  • Consent is specific, informed, and freely given, and can be withdrawn at any time by contacting hello@supernovawoman.co.

  • An audit trail of consent will be maintained, documenting who consented, when, and for what purpose.

7. Direct Marketing

  • I only send marketing communications (e.g., weekly newsletter) with explicit consent.

  • You can unsubscribe at any time using the link in the email or by contacting hello@supernovawoman.co.

8. Subject Access Requests

You have the right to:

  • Access personal data I hold about you.

  • Request correction, deletion, or restriction of processing.

  • Receive your data in a structured, machine-readable format (data portability).

Requests should be sent to hello@supernovawoman.co, and I will respond within 20 working days.

9. International Data Transfers

Personal data will not be transferred outside the EU without your explicit consent.

10. Third Parties

Where third-party services are used (e.g., newsletter platforms or cloud storage), I ensure:

  • Written contracts are in place.

  • Third parties comply with GDPR.

  • Data is processed only according to my instructions.

11. Reporting Breaches

Any data breach will be reported promptly to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours, where required by law.

Contact for Data Protection Queries:
📧 hello@supernovawoman.co
📍 Utrecht, The Netherlands