Privacy Policy
Last updated: 25 June 2025
This Privacy Policy explains how Jana Marie Hoffmann ("I", "me", "my"), a sole trader registered in Sweden under VAT number SE 19820514470501, collects and uses personal information when you visit janamariehoffmann.com, purchase coaching services, attend events, download resources, interact on social media, or engage with my business (the "Services"). It also details your rights under the EU GDPR, Swedish Data Protection Act, and e‑privacy rules.
1. Who is responsible for your data?
Role | Details |
---|---|
Data Controller | Jana Marie Hoffmann, sole proprietor (enskild firma) |
Postal address | c/o J. M. Hoffmann, address on file, Stockholm, Sweden |
Contact for privacy matters | Use the secure form at janamariehoffmann.com/contact – mark your message “Privacy.” |
Data-Protection Officer | Not required; responsibility sits with Jana Marie Hoffmann. |
Supervisory authority | Integritetsskyddsmyndigheten (IMY) – Box 8114, 104 20 Stockholm – Tel +46 8 657 61 00 – imy.se |
2. Quick summary
- I collect only what’s necessary to provide coaching, run the Site, market my Services, and comply with legal obligations.
- I never sell personal information.
- Main legal bases: contract, legitimate interest, consent. Special‑category data is processed only with explicit consent.
- International transfers rely on Standard Contractual Clauses or the EU–US Data Privacy Framework.
- You can exercise your GDPR rights anytime via the contact form; I respond within 30 days.
3. What data I collect
Category | Examples | Source |
---|---|---|
Identity & contact | Name, postal address, email, phone (optional) | You |
Billing & payments | Invoices, Stripe/PayPal tokens | You / provider |
Coaching session notes | Challenges, goals, wellbeing observations | You during sessions |
Marketing & comms | Newsletter preferences, surveys, testimonials | You |
Support & check-ins | WhatsApp Business messages, community chat posts | You via WhatsApp |
Technical & usage | IP, browser, device, pages visited, cookie IDs | Your device |
Social media | Profile name, messages, comments, likes | You / platform |
Children’s data
The Services target adults (18+). Parents may share their children’s information only for coaching purposes with parental consent. No data is collected directly from minors.
4. Legal bases, purposes & retention
Purpose | Data | Legal basis | Retention |
---|---|---|---|
Deliver coaching & memberships | Identity, contact, billing, session notes | Contract Art 6(1)(b) | 10 years after last session |
Billing, accounting, tax | Invoices, records | Legal obligation Art 6(1)(c) | 10 years |
Scheduling sessions | Contact details | Legitimate interest Art 6(1)(f) | 3 years |
Marketing emails | Email, preferences | Consent Art 6(1)(a) | Until unsubscribe |
Testimonials | Name, text, photo (optional) | Consent Art 6(1)(a) | Until withdrawn |
Analytics & cookies | Technical & usage | Consent Art 6(1)(a) | Up to 2 years |
Security & fraud prevention | Logs, access data | Legitimate interest Art 6(1)(f) | 3 years |
Special-category data | Health & wellbeing notes | Explicit consent Art 9(2)(a) | 10 years or on request |
5. Who I share data with (processors & trusted third parties)
All suppliers sign GDPR‑compliant Data‑Processing Agreements (Art 28).
Purpose | Provider | Location | Transfer safeguard |
---|---|---|---|
Website hosting & CMS | Squarespace Inc. | USA | SCCs + EU–US DPF |
Scheduling | Squarespace Scheduling (Acuity) | USA | SCCs + DPF |
Payments | Stripe; PayPal | EEA / USA | SCCs + DPF |
Video conferencing | Zoom; Google Meet | USA | SCCs + DPF |
Email & file storage | Google Workspace | USA | SCCs + DPF |
Messaging & community | WhatsApp Business | USA | SCCs + DPF |
Analytics & ads | Google Analytics 4; Google Ads; Meta Pixel; LinkedIn Insights; Pinterest Tag; YouTube | USA | SCCs + DPF |
Forms & quizzes | Typeform (EU); Jotform (USA) | EU / USA | SCCs |
AI drafting | OpenAI Ireland; OpenAI LLC | EU / USA | SCCs |
Membership areas | Squarespace Member Areas | USA | SCCs + DPF |
Bookkeeping & invoicing | Fortnox AB | Sweden | EEA (no transfer) |
6. International transfers outside the EEA
Data in non-adequate countries (mainly USA) is protected by:
- Standard Contractual Clauses (2021/914)
- EU–US Data Privacy Framework certification
- Encryption in transit & at rest
Request SCCs anytime via the contact form.
7. Cookies & tracking technologies
Essential cookies are always on; analytics & marketing cookies are set only after consent via the banner. You can change preferences in the footer.
- Strictly necessary – session & security cookies;
- Analytics – GA4 first-party (after opt-in);
- Marketing – Meta, LinkedIn, Pinterest, Google Ads, YouTube (after opt-in).
8. How long I keep your data
Data set | Retention |
---|---|
Coaching files & notes | 10 years post-service or sooner on request |
Financial records | 10 years (per Bokföringslagen) |
Newsletter list | Until unsubscribe or bounce |
Form queries | 12 months after last correspondence |
Testimonials | Until consent withdrawn |
Security logs | 3 years |
9. How I protect your data (security)
- Squarespace SSL/TLS encryption
- Strong passwords & MFA on admin accounts
- Data at rest encrypted by providers
- Regular updates & monitoring
- Access restricted to Jana Marie Hoffmann
10. Your rights under GDPR
- Access – request your data
- Rectification – correct inaccuracies
- Erasure – delete your data
- Restriction – limit processing
- Portability – receive data in machine-readable form
- Object – object to processing
- Withdraw consent – at any time
- Complain – to IMY or local authority
Exercise rights via the contact form; response within 30 days.
11. Third-party links
The Site may link to external sites; I’m not responsible for their privacy practices—please review their policies.
12. Changes to this Privacy Policy
I review this annually or when processing changes. Significant updates will be announced on the Site or by email.
Last full rewrite: 25 June 2025