Privacy Policy



Effective: March 28, 2025

 

Balazs is committed to ensuring that your privacy is protected. Learn more about the information we collect, how we process the data, and how we respect and secure your privacy.



Balazs may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy was last updated March 28, 2025.



Purpose and who we are



The purpose of this Privacy Policy is to describe how Balazs (“We,” “us,” or “our”) collects, uses and shares information about you through our online interfaces (e.g., websites and mobile applications) owned and controlled by us, including https://balazsujlaki.coach (collectively referred to herein as the “Site”). Please read this notice carefully to understand what we do.
If you do not understand any aspects of our Privacy Policy, please feel free to contact us at [email protected].



Balazs is a Business with a principal place of business at WILL BE PROVIDED BY THE CLIENT. If you reside or are located in the European Economic Area (“EEA”) Balazs is the data controller of all Personal Data (defined as any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address) collected via the Site and of certain Personal Data collected from third parties, as set out in this Privacy Policy.



What Information this Privacy Policy Covers



This Privacy Policy covers information we collect from you through our Site. Some of our Site’s functionality can be used without revealing any Personal Data, though for features or services related to the Online Courses, Personal Data is required. In order to access certain features and benefits on our Site, you may need to submit, or we may collect, “Personal Data” (i.e., information that can be used to identify you). Personal Data can include information such as your name and email address, among other things. You are responsible for ensuring the accuracy of the Personal Data you submit to {{location.name}}’s Coaching. Inaccurate information may affect your ability to use the Site, the information you receive when using the Site, and our ability to contact you. For example, your email address should be kept current because that is one of the primary manners in which we communicate with you.



What You Agree to by Using Our Site



Please understand that by submitting any Personal Data to us, you consent and agree that we may collect, use and disclose such Personal Data in accordance with this Privacy Policy and as permitted or required by law. If you do not agree with these terms, please do not provide any Personal Data to us. If you refuse or withdraw your consent, or if you choose not to provide us with any required Personal Data, we may not be able to provide you with the services that can be offered on our Site. Consent can be withdrawn at any time by sending an email to [email protected] and requesting the same. Please note that we may also rely on legitimate interests or fulfillment of a contract to continue processing your data.



What Information We Collect and How We Collect It



We collect personal data and/or information from you in various ways:


  • When you register on our websites
  • When you register on our webinars
  • When you book in your calls
  • When you book in your coaching sessions
  • When you join our social media groups
  • When you subscribe to our newsletters
  • When you subscribe to notifications from us
  • When you affix your signature on our contracts
  • When you process payments on any of our services
  • When you register for an account, update or change information for your account
  • When you purchase products or services
  • When you complete a survey or feedback form
  • When you log in to or access third-party sites, e.g. Facebook, from our site, which may include text or images
  • When you participate in forums or group discussions, e.g. Facebook Group or Q&A sessions. Remember that the information you provide in this venue will be publicly available so you should not post information that is too confidential or sensitive.


We may collect the following information:

  • Name and job title
  • Contact information including email address and phone number/s
  • Demographic information such as postcode, preferences and interests
  • Education and employment history
  • Other information relevant to customer feedback and/or promotional materials
  • IP address
  • URLs which you may have linked to our Site
  • Operating system
  • Browsing system used by each user on the site
  • Log in details to third-party services being used in the program
  • Bank account details
  • Credit/debit card details


You may, however, visit our site anonymously by using the “incognito” or “private” feature of your browser or by disabling cookies.



Other Information We Collect



Social buttons. On many of the pages of Balazs sites you will see ‘social buttons’. These enable users to share or bookmark the web pages. There are buttons for: Twitter, Google +1, Facebook ‘Like’, and LinkedIn ‘Share’. In order to implement these buttons, and connect them to the relevant social networks and external sites, there are scripts from domains outside of {{location.name}}’s Coaching. You should be aware that these sites are likely to be collecting information about what you are doing all around the internet, including on {{location.name}}’s Coaching’s site. So if you click on any of these buttons, these sites will be registering that action and may use that information. In some cases these sites will be registering the fact that you are visiting {{location.name}}’s Coaching, and the specific pages you are on, even if you don’t click on the button if you are logged into their services, like Google and Facebook.



You should check the respective policies of each of these sites to see how exactly they use your information and to find out how to opt out, or delete, such information.



External web services. We use a number of external web services on Balazs sites, mostly to display content within our web pages. For example, to display slideshows we sometimes use SlideShare; to show videos we use YouTube and Vimeo. This is not an exhaustive or complete list of the services we use, or might use in the future, when embedding content, but these are the most common. As with the social buttons, we cannot prevent these sites, or external domains, from collecting information on your usage of this embedded content. If you are not logged in to these external services then they will not know who you are but are likely to gather anonymous usage information, e.g. number of views, plays, loads etc.

Email tracking. Some emails that we send you have no tracking at all, for example personal correspondence or emails with invoices attached. In other emails we include tracking so that we can tell how much traffic those emails send to our site, and we can track, at an individual level, whether the user has opened and clicked on the email. We rarely use the latter information at a personal level; rather, we use it to understand open and click rates on our emails to try to improve them. Sometimes we do use the personal information, e.g. to re-email people who didn’t click the first time. If you want to be sure that none of your email activity is tracked then you should unsubscribe from our newsletter.



Our Cookies Policy explains what cookies are, how we use cookies, how third-parties we partner with may use cookies on the Site, and your choices regarding cookies. Please read the Cookies Policy in conjunction with our Privacy Policy, which sets out additional details on how we use personally identifiable information and your various rights.



What We Do With The Information We Gather



We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:



  • Internal record keeping.
  • We may use the information to improve our products and services.
  • We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.
  • We may send you information about offers outside of Balazs that will be of interest to you.
  • From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.


In addition to the other uses set forth in this Privacy Policy, we may disclose and otherwise use Personal Data as described below.



Providing the Site and our services. We may use Personal Data which you provide to us in order to allow you to access and use the Site and in order to provide any information, products or services that you request from us.



Updates. We use Personal Data collected when you sign-up for our various email or update services to send you the messages in connection with the Site or an Online Course. We may also archive this information and/or use it for future communications with you, where we are legally entitled to do so.



Identity Verification. For services that require identity verification, we use the Personal Data that we collect for verifying your identity, and for authenticating that submissions made on the Site were made by you. This service may be provided through a third-party identity verification vendor.



Communications with {{location.name}}’s Coaching. When you send us an email message or otherwise contact us, we may use the information provided by you to respond to your communication and/or as described in this Privacy Policy. We may also archive this information and/or use it for future communications with you where we are legally entitled to do so.



Disclosure to Balazs Operations and Maintenance Contractors. We use various service providers, vendors and contractors (collectively, “Contractors”) to assist us in providing our products and services to you. Our Contractors may have limited access to your Personal Data in the course of providing their products or services to us, so that we in turn can provide our products and services to you. These Contractors may include vendors and suppliers that provide us with technology, services, and/or content related to the operation and maintenance of the Site or the Online Course. Access to your Personal Data by these contractors is limited to the information reasonably necessary for the contractor to perform its limited function for us.



Third Party Credit Card Processing. Balazs provides you with the ability to pay for Online Courses and other services using a credit card through a third party payment processing service provider. Please note that our service provider – not Balazs – collects and processes your credit card information.



Government Authorities, Legal Rights and Actions. Balazs may share your Personal Data with various government authorities in response to subpoenas, court orders, or other legal process; to establish or exercise our legal rights or to protect our property; to defend against legal claims; or as otherwise required by law. In such cases we reserve the right to raise or waive any legal objection or right available to us. We also may share your Personal Data when we believe it is appropriate to investigate, prevent, or take action regarding illegal or suspected illegal activities; to protect and defend the rights, property, or safety of {{location.name}}’s Coaching, the Site, our users, customers, or others; and in connection with our Terms of Use and other agreements.



External Links



For your convenience we may provide links to sites operated by organizations other than Balazs (“Third Party Sites”) that we believe may be of interest to you. We do not disclose your Personal Data to these Third Party Sites without obtaining your consent. We do not endorse and are not responsible for the privacy practices of these Third Party Sites. If you choose to click on a link to one of these Third Party Sites, you should review the privacy policy posted on the other site to understand how that Third Party Site collects and uses your Personal Data.



Retention of Personal Data



If you reside or are located in the EEA, we keep your Personal Data for no longer than necessary for the purposes for which the Personal Data is processed. The length of time we retain Personal Data for depends on the purposes for which we collect and use it and/or as required to comply with applicable laws and to establish, exercise or defend our legal rights. Unless mentioned otherwise we keep personal data indefinitely unless explicitly instructed to delete it.



Confidentiality & Security of Personal Data



We consider the confidentiality and security of your information to be of the utmost importance. We will use industry standard physical, technical and administrative security measures to keep your Personal Data confidential and secure and will not share it with third parties, except as otherwise provided in this Privacy Policy, or unless such disclosure is necessary in special cases, such as a physical threat to you or others, as permitted by applicable law. Because the Internet is not a 100% secure environment we cannot guarantee the security of Personal Data, and there is some risk that an unauthorized third party may find a way to circumvent our security systems or that transmission of your information over the Internet will be intercepted. It is your responsibility to protect the security of your login information. Please note that email communications are typically not encrypted and should not be considered secure.



Balazs implements a variety of security measures to maintain the safety of your personal data when you enter, submit, or access your personal data.



We care about the security of our users. While we work to protect the security of your account and related information, we cannot guarantee that unauthorized third parties will not be able to defeat our security measures. Please notify us immediately of any compromise or unauthorized use of your account by emailing [email protected].



Controlling, Updating or Deleting Your Personal Data



You may choose to restrict the collection or use of your personal data in the following ways:
• Whenever you are asked to fill in a form on the website, look for the box that you can uncheck to indicate that you do not want the information to be used by anybody for direct marketing purposes
• If you have previously agreed to us using your personal data for direct marketing purposes, you may change your mind at any time by writing to or emailing us at [email protected].
• We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.



If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible at the above address. We will promptly correct any information found to be incorrect.



You have certain rights in relation to your Personal Data. You can access your Personal Data and confirm that it remains correct and up-to-date or choose whether or not you wish to receive material from us or some of our partners by logging into the Site and visiting your user account page.



If you would like further information in relation to your rights or would like to exercise any of them, you may also contact us via [email protected]. If you reside or are located in the EEA, you have the right to request that we:



  • provide access to any Personal Data we hold about you;
  • prevent the processing of your Personal Data for direct-marketing purposes;
  • update any Personal Data which is out of date or incorrect;
  • delete any Personal Data which we are holding about you;
  • restrict the way that we process your Personal Data;
  • provide your Personal Data to a third party provider of services; or
  • provide you with a copy of any Personal Data which we hold about you.


We try to answer every email promptly where possible, and provide our response within the time period stated by applicable law. Keep in mind, however, that there will be residual information that will remain within our databases, access logs and other records, which may or may not contain your Personal Data. Please also note that certain Personal Data may be exempt from such requests in certain circumstances, which may include if we need to keep processing your Personal Data to comply with a legal obligation.



When you email us with a request, we may ask that you provide us with information necessary to confirm your identity.



International Privacy Practices



{{location.name}}’s Coaching’s Sites are primarily operated and managed on servers located and operated within the United States. In order to provide our products and services to you, we may send and store your Personal Data outside of the country where you reside or are located, including to the United States. Accordingly, if you reside or are located outside of the United States, your Personal Data may be transferred outside of the country where you reside or are located, including to countries that may not or do not provide the same level of protection for your Personal Data. We are committed to protecting the privacy and confidentiality of Personal Data when it is transferred. If you reside or are located within the EEA and such transfers occur, we take appropriate steps to provide the same level of protection for the processing carried out in any such countries as you would have within the EEA to the extent feasible under applicable law.



Changing Our Privacy Policy



Please note that we review our privacy practices from time to time, and that these practices are subject to change. Any change, update, or modification will be effective immediately upon posting on our Site. Be sure to return to this page periodically to ensure familiarity with the most current version of this Privacy Policy.



No Information from Children Under 13



Balazs strongly believes in protecting the privacy of children. In line with this belief, we do not knowingly collect or maintain Personal Data on our Site from persons under 13 years of age, and no part of our Site is directed to persons under 13 years of age. If you are under 13 years of age, then please do not use or access this Site at any time or in any manner. We will take appropriate steps to delete any Personal Data of persons less than 13 years of age that has been collected on our Site without verified parental consent upon learning of the existence of such Personal Data.



Disclaimer



The material on our site is given for general information only, and does not constitute professional advice. You should take specific advice before taking a course of action as we do not accept directly or indirectly any responsibility for loss arising directly or indirectly from reliance on information on this site.

Given that the Internet uses an open system we cannot warrant that the site and downloads reach you virus-free. You must, therefore, take all appropriate precautions for your own safety.



Your Consent



By using our site, you consent to our privacy policy.



Privacy Policy - Update 17.07.2025

This "Privacy Policy" (hereinafter referred to as the "Policy") is established by Balázs Ujlaki, operating as The River Flows in You LLP, a holistic life coaching service provider incorporated under the laws of Canada, with its registered office at 422 Richards St, Suite 170, Vancouver, BC, V6B 2Z4, Canada (hereinafter referred to as the "Company").

WHEREAS Balázs Ujlaki, as the Managing Partner, operates the Company aiming to provide online holistic life coaching services to expatriate professionals based in the European Union (EU).

WHEREAS the Company is committed to respecting and protecting the privacy of its clients and adheres to applicable data protection laws, including the General Data Protection Regulation (GDPR) of the European Union and relevant Canadian privacy laws.

WHEREAS, this Policy outlines how the Company collects, uses, stores, shares, and protects personal data in compliance with GDPR and relevant Canadian privacy requirements, particularly focusing on the sensitive nature of client data processed through the Company's services.

NOW, THEREFORE, the Company establishes this Privacy Policy, effective as of [Effective Date], to ensure transparency and accountability in its data processing activities and to detail the rights and obligations of the Company and its clients with respect to personal data. This Policy will remain in effect until terminated, modified, or replaced by the Company.


1. Introduction And Scope

This 'Introduction and Scope' section defines the essential elements of this Privacy Policy for 'The River Flows in You LLP' ('the Company'), a Canadian Limited Liability Partnership (LLP) operating under the laws of Canada. The Company, managed by Balázs Ujlaki, is dedicated to providing online holistic life coaching services to expatriate professionals residing in the European Union ('EU'), with the potential to extend services to the UK, Switzerland, and Norway. Clients, referred to as Data Subjects, are the primary focus of this Policy, which addresses how their personal information, particularly sensitive data related to mental and emotional health, is managed. This Policy is effective as of [Effective Date] and will cover all data processing activities undertaken by the Company from this date forward. The Policy's primary emphasis is on ensuring compliance with the General Data Protection Regulation (GDPR) of the European Union and relevant Canadian privacy laws as secondary compliance. The Company aims to maintain transparency, accountability, and integrity in its data practices to ensure clients’ trust and confidence.

2. Legal Basis And Principles Of Data Processing

The River Flows in You LLP, as the Data Controller, ensures that all data processing activities are conducted in accordance with the General Data Protection Regulation (GDPR) of the European Union. This includes the collection, use, storage, and sharing of personal data for the purpose of providing holistic life coaching services to expatriate professionals within the EU. The lawful bases for processing personal data include contract (necessary for the performance of coaching services), legitimate interest (for business operation), legal obligation (compliance with GDPR and other legal requirements), and explicit consent (for special category/sensitive data and marketing purposes).


The Company is committed to adhering to the following core data protection principles:


a. Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

b. Purpose Limitation: Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

c. Data Minimization: Data collected shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.


d. Accuracy: Data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

e. Storage Limitation: Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

f. Integrity and Confidentiality: Data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.


g. Accountability: The Company shall be responsible for, and be able to demonstrate compliance with these principles. Balázs Ujlaki, as Managing Partner, is responsible for compliance and record-keeping. Explicit consent is particularly highlighted and required for the processing of special category data and marketing communications.

In cases where Canadian law conflicts with GDPR, the Company will comply with GDPR for EU clients.

3. Types Of Data Collected

The Company collects a variety of data from its clients to provide holistic life coaching services. These data categories include Personal Data and Special Category Data. Personal Data encompasses, but is not limited to, clients' names, addresses, email addresses, phone numbers, and professional/job information. It also includes payment information, IP addresses, and browser/system usage information. Special Category Data entails information about clients' mental and emotional health as well as coaching notes, which are gathered through Intake Forms and sessions with clients. This data is collected primarily directly from clients. Additionally, testimonial data may be collected and retained longer with explicit consent from the client.

4. Purposes And Legal Basis For Processing Personal Data

The Company processes personal data for the following purposes and in compliance with applicable legal bases:


a. Delivering Contracted Coaching Sessions: The Company processes personal data to provide online holistic life coaching sessions as per the agreements made with clients. This is essential to fulfilling the contractual obligations between the Company and the client.

b. Managing Client Relationships and Payments: Personal data is used to manage relationships with clients, including handling payments, scheduling sessions, and maintaining accurate records. This processing is necessary for the performance of the contract with the client.

c. Fulfilling Legal Obligations: The Company processes personal data to comply with its legal obligations, including those mandated by GDPR and relevant Canadian privacy laws. This includes maintaining records for accounting, tax, and other legal requirements.


d. Marketing Communications: With explicit and separate opt-in consent from the client, the Company processes personal data for marketing purposes. This includes sending information about new services, promotions, and relevant updates to clients who have consented to receive such communications. Clients have the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.


Any processing of personal data that involves sharing with independent partners or advisors is conducted only with the explicit consent of the client and for specified purposes. Explicit consent, which ensures that clients are fully informed about the details and implications of such data sharing, is mandatory.

5. Explicit Collection And Use Of Special Category Data

The Company recognizes the sensitivity and special protection required for processing Special Category Data, such as mental/emotional health information and coaching notes. To this end, the following requirements and processes are strictly adhered to:


a. Explicit Consent Requirement: The Company shall obtain explicit, documented Consent from clients before processing any Special Category Data. This Consent is obtained through Intake Forms and coaching agreements.

b. Transparency: Clients will be informed about the nature, use, storage, and sharing practices concerning Special Category Data. Explicit Consent is required before sharing any Special Category Data with independent advisors or third parties.


c. Secure Storage of Consent Forms: Consent forms shall be securely stored and accessible for client review upon request.

d. Clear and Separate Consent Options: Industry-standard practices will be applied, utilizing clear, separate (non-bundled) checkboxes and, preferably, a double opt-in process to ensure unequivocal Consent.


e. Compliance and Training: Staff training in handling Special Category Data is kept up to date, with the last training conducted in October 2023.

f. Reference Template: A template for the required Consent is provided in Exhibit A to this Policy.

6. Cookies, Analytics, And Tracking Technologies

Our website uses Cookies and similar tracking technologies to deliver a tailored experience, improve our services, and understand how our clients interact with our platform. A Cookie is a small file placed on your device when you visit our website. By using our services, you consent to the use of Cookies, which helps enhance functionality, performance, and targeted marketing activities as detailed below.


We use the following types of Cookies:


a. Essential Cookies: These are necessary for the functioning of the website and enable essential features such as user login and account management.


b. Performance and Analytics Cookies: These Cookies collect information about how users interact with our website, allowing us to analyze usage patterns, measure site performance, and improve user experience.

c. Functionality Cookies: These Cookies enable enhanced functionality and personalization, such as remembering your preferences and settings.

d. Advertising and Targeting Cookies: These Cookies track your browsing habits so that we can deliver content and advertisements relevant to your interests.

Upon your first visit to our website, a Cookie banner/pop-up is displayed requesting your explicit consent before loading any non-essential or tracking Cookies. Please note that currently, users cannot withdraw or adjust their Cookie preferences after the initial choice. However, we highly recommend enabling this feature to provide you with greater control over your data. We aim to ensure full transparency regarding the Cookies and tools used on our platform.

For detailed information about each Cookie, its purpose, and longevity, please refer to Exhibit D - Cookie Policy. Our practices adhere to industry standards to ensure compliance and data protection.

7. Data Collection Methods And Sources

The Company collects Personal Data primarily from clients directly to ensure accuracy and consent, particularly leveraging two main methods: Intake Forms and ongoing service interactions. At the initial stages of service delivery, clients are required to complete an Intake Form capturing Personal Data and explicit consent for processing Special Category Data and for receiving marketing communications. Through the duration of the service relationship, additional Personal Data may be collected based on client interactions, coaching sessions, communications, testimonials, and feedback submissions. It is important to note that no data is acquired from third-party sources; all Personal Data is sourced directly from client-provided information only.

8. Data Sharing And Third-Party Disclosures

The Company only shares personal data with Third-Party Service Providers/Subprocessors under specific conditions and mechanisms as outlined in this section to ensure compliance with applicable data protection laws, including GDPR. Personal data will be shared as follows:


a. With Independent Partners: Personal data may be shared with Independent Partners, such as financial or career advisors, strictly when necessary and only with the explicit written consent of the client.

b. With Third-Party Platforms within the EEA: The Company utilizes the services of specific third-party platforms within the European Economic Area (EEA) to facilitate its operations. These include:

i. Stripe for processing payments.

ii. Proton Cloud for cloud storage solutions.

iii. Zoom and Google Meet for conferencing and communication needs.

All third-party platforms engaged by the Company act as data processors under GDPR and are required to have appropriate Data Processing Agreements (DPA) in place with the Company. This ensures that all personal data processed remains secure and is handled in compliance with data protection laws.

c. Changes to Third-Party Providers: Any change in the Third-Party Service Providers/Subprocessors or any new International Data Transfer practices will be promptly communicated to the clients. Full details of all agreed third-party service providers and subprocessors are maintained in Exhibit E.


The Company assures that no personal data is currently transferred to Canada or any third country outside the EEA unless explicitly mentioned and agreed upon with the clients.

9. International Data Transfers

In the course of providing our online holistic life coaching services, the Company may need to transfer your personal data outside the European Economic Area (EEA). Such International Data Transfers will only be conducted in adherence to the GDPR and applicable data protection laws to ensure that your data remains protected throughout the process. The Company primarily processes and stores data within the EEA, currently in the Netherlands, and potentially in Germany in the future. If data is transferred outside the EEA, such transfers will only occur under one of the following legal safeguards:


a. Standard Contractual Clauses: The Company may enter into data transfer agreements incorporating the European Commission's Standard Contractual Clauses for transfers to third countries, ensuring that such transfers comply with GDPR requirements.


b. Adequacy Decisions: Transfers may occur to jurisdictions that have been recognized by the European Commission as providing an adequate level of data protection.


c. Other appropriate safeguards as permitted under GDPR, including binding corporate rules or specific consent from you, the data subject.


The Company is committed to ensuring that all major processing activities, including those conducted by its service providers, take place within the EEA. In the event that the freelance provider contract transitions from Dutch to German jurisdiction, data flows will remain GDPR-compliant, and clients will be duly notified of any changes.


Currently, there are no data transfers to Canada.

The Supervisory Authority will be duly informed of any significant changes affecting international data transfers, ensuring compliance with applicable regulations.

10. Confidentiality And Security Measures

The Company is committed to maintaining the confidentiality and security of client data through the implementation of comprehensive technical, organizational, and access control measures. These measures include the following:


a. Technical Measures:

i. Use of a Linux operating system with an active firewall to enhance system protection.

ii. Utilization of a password manager to generate and store secure passwords for accessing systems and applications.

iii. Storage of client data on an encrypted external hard drive to prevent unauthorized access.

b. Organizational Measures:

i. Reinforcement of confidentiality through strict clauses included in all coaching and partnership agreements, as well as in Data Processing Agreements.

ii. Conducting security self-audits every six months from the start of the operational phase to identify and address potential vulnerabilities in the data protection framework.


c. Access Control Measures:

i. Limiting access to client data only to Balázs Ujlaki, the Managing Partner, during the initial phase.

ii. Strictly managing and limiting future access to client data for virtual assistants or employees, ensuring that access is granted based on necessity and role responsibility.


The Company will designate a Data Protection Officer (DPO) responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR and relevant Canadian privacy laws. The DPO will also coordinate with data processors and subprocessors as defined in section 2 of this Policy to maintain high standards of data security and confidentiality.

11. Client Rights Under GDPR

As a Client or Data Subject within the EU, EEA, UK, or Switzerland, you have specific rights under the General Data Protection Regulation (GDPR) with respect to the Processing of your personal data. These rights are in place to ensure transparency, fairness, and control over your information. The Company is committed to facilitating the exercise of these rights. The following outlines your rights and how you can exercise them:


a. Right to Access (Article 15 GDPR): You have the right to obtain confirmation from the Company as to whether or not your personal data is being processed and, where that is the case, access to the personal data and information about the Processing.

b. Right to Rectification (Article 16 GDPR): You have the right to request the correction of inaccurate or incomplete personal data concerning you without undue delay.


c. Right to Erasure (Article 17 GDPR): Also known as the 'right to be forgotten,' you have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, if you withdraw your consent upon which the Processing is based, or if you object to the Processing under certain conditions.

d. Right to Restrict Processing (Article 18 GDPR): You have the right to request the restriction of Processing if you contest the accuracy of the data, the Processing is unlawful, the Company no longer needs the data for the initial purposes, or you have objected to Processing pending verification of the overriding legitimate grounds.


e. Right to Data Portability (Article 20 GDPR): You have the right to receive the personal data you have provided to the Company in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance from the Company.

f. Right to Object (Article 21 GDPR): You have the right to object, on grounds relating to your particular situation, to the Processing of your personal data based on the Company's legitimate interests or for direct marketing purposes.

g. Right to Withdraw Consent (Article 7 GDPR): If the Processing of your personal data is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of the Processing before its withdrawal.

Requests to exercise any of these rights should be submitted via email to the Company's Data Protection Officer at [DPO Email Address]. The Company will respond to your request within one month of receipt. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests. You will be informed of any such extension within one month of your request.


At the onboarding stage, at the time of signing the contract, and through this Privacy Policy, the Company informs Clients of their rights. The Company is in the process of implementing industry-standard forms and procedures for responding to such requests, as outlined in Exhibit B.

If you believe your rights under GDPR have been violated, you have the right to lodge a complaint with a Supervisory Authority, as defined in Clause 9.

12. Handling Of Children’s Data

The Company strictly adheres to the policy of not knowingly collecting or processing personal data from individuals under the age of 18. To ensure compliance, the Company requires all Clients to confirm that they are at least 18 years of age at the time of data collection. In the event that personal data from a minor is inadvertently collected, the Company will promptly delete such data upon discovery. Parents or guardians of minors whose data may have been inadvertently collected are encouraged to contact the Company directly to facilitate the removal of the minor's data. The Company emphasizes the importance of safeguarding the personal data of minors and adheres to all applicable data protection laws concerning the protection of children's data.

13. Retention And Deletion Of Data

The Company retains Personal Data and Special Category Data in accordance with its legal obligations and business requirements. Client data is initially retained for up to one year following the conclusion of a 12-week coaching program. If clients provide explicit consent, their testimonials may be retained for an extended period. Minimal essential data necessary for legal defense in case of disputes may also be retained beyond the general retention period. Upon the conclusion of these retention periods, the Company will employ the following secure deletion practices to ensure that Personal Data and Special Category Data are permanently and fully erased, or anonymized:

a. Digital Data Deletion: Complete erasure from all storage and backup systems to prevent any future recovery.

b. Physical Data Deletion: Secure physical destruction (e.g., shredding) of all paper records containing Personal Data or Special Category Data.

c. Notification: Clients will be informed about the retention periods and deletion practices during the onboarding process and at the conclusion of the coaching program.

d. Exceptions: Any exceptions to the above deletion practices will be recorded and justified to ensure transparency and accountability.

14. Data Breach Management And Notification

The Company is committed to safeguarding personal data and addressing any data breach in compliance with GDPR requirements. This section outlines the protocols for detection, response, and notification in the event of a data breach, as well as the role of the DPO in managing such incidents.

Detection: The Company will implement monitoring tools and regular audits to promptly identify any suspected data breaches.

Response: Upon detection of a potential data breach, the Company will categorize the severity and immediately initiate containment measures to prevent further data loss. The Company's DPO, Balázs Ujlaki, will lead an investigation to understand the scope and impact of the breach, coordinating efforts to mitigate any harmful effects.

Notification: The Company will document all relevant information regarding the data breach and, if deemed high risk, notify the Supervisory Authority within 72 hours of detection. Affected clients will also be notified without undue delay, providing them with clear information on the nature of the breach, potential consequences, and recommended measures to protect their data.

Periodic Review and Rehearsal: The Company will periodically review and rehearse its breach detection and response protocols to ensure they are effective and up to industry standards. Detailed written protocols are outlined in Exhibit C.

The DPO is designated as the primary point of contact for any data breaches and can be reached at the Company’s contact details provided in Section 18.

15. Marketing Communications And Consent Management

The Company is committed to ensuring that marketing communications are conducted in compliance with applicable data protection laws. The following rules apply to marketing messages, consent management, and consent withdrawal processes:


1. Marketing Consent: The Company will obtain explicit, informed consent from Clients/Data Subjects before sending any marketing communications. A separate, unchecked checkbox for marketing consent will be provided at the point of data collection, ensuring it is not bundled with service consent.


2. Double Opt-In: To confirm consent, the Company will employ a double opt-in process. Clients/Data Subjects will receive an email to verify their consent, ensuring that they actively opt-in to receive marketing communications.

3. Unsubscribe Option: Each marketing email sent by the Company will include a clear and straightforward option for Clients/Data Subjects to unsubscribe or withdraw their consent from further marketing communications. This option will be prominently displayed in each email.


4. Consent Withdrawal: Clients/Data Subjects have the right to withdraw their consent at any time. This withdrawal will be processed promptly, and no further marketing communications will be sent to the Client/Data Subject upon such withdrawal.

5. Consent Records: Records of all consents obtained, including details of the double opt-in confirmations, will be maintained through the Company’s email/CRM tool. This ensures that the Company can demonstrate compliance with consent requirements.

6. Regulatory Compliance: The Company’s marketing communications practices and consent management processes will be regularly reviewed to ensure ongoing compliance with applicable data protection laws and industry best practices.

16. Data Subject Requests And Complaints Process

Clients (hereinafter referred to as Data Subjects) have the right to access, rectify, and delete their personal data, as well as to object to or restrict the processing of their data pursuant to GDPR. Data Subjects can exercise these rights or submit complaints regarding their data privacy by emailing their requests or grievances to [email protected].


Upon receiving a request or complaint, the Data Protection Officer (DPO) will acknowledge receipt within 10 business days and will provide an initial response, including any needed clarifications and the anticipated timeline for a full resolution. The DPO will ensure that the Data Subject's inquiries are managed in compliance with GDPR and other relevant data protection regulations.


The following process will be adhered to for handling Data Subject requests and complaints:


a. Request Processing: The DPO will verify the identity of the Data Subject before processing the request. If additional information is required to verify identity, the Data Subject will be informed promptly.


b. Response Timeframe: The DPO will aim to provide a complete response to the Data Subject’s request within one month from the date of receipt. If the complexity of the request necessitates a longer processing time, the DPO will notify the Data Subject within one month, explaining the delay and the expected timeframe for resolution, which will not exceed three months from the original request date.


c. Actions on Requests: Based on the nature of the request, the DPO will take necessary actions such as data rectification, restriction, or deletion in accordance with GDPR requirements. The Data Subject will be informed of the actions taken and, where applicable, reasons for any delay or denial in addressing the request.


d. Complaints: If a Data Subject submits a complaint, the DPO will investigate the matter comprehensively and impartially. The Data Subject will be informed of the investigation results and any corrective or preventative actions implemented to address the complaint.

e. Escalation to Supervisory Authority: If a Data Subject is unsatisfied with the DPO's response or handling of their request or complaint, they have the right to escalate the matter to the relevant Supervisory Authority, as outlined in Section 9.

To facilitate the request and complaint management process, industry-standard request forms and response procedures, as referenced in Exhibit B, will be implemented as the business grows. The Company is dedicated to continuously improving its data protection practices to ensure the trust and satisfaction of its clients.

17. Changes To Policy And Notification Obligations

The Company is committed to ensuring that clients are fully informed of any significant changes to this Policy. In the event that any substantive amendments are made, the Company will notify clients via email and through announcements on our website. This will be done promptly to ensure clients are aware of their rights and any new obligations that may arise from such changes. Clients will have the opportunity to review these updates and are encouraged to consult this Policy regularly. Balázs Ujlaki, as the primary contact, will be responsible for issuing these notifications. The effective date of any changes will be clearly communicated to ensure complete transparency. The Company guarantees that all updates will be made in a transparent manner, reflecting our commitment to data protection and privacy.

18. Contact Details And Supervisory Authority Information

For any privacy and data protection queries, subject rights requests, or complaints, clients should contact the Company or the Data Protection Officer (DPO) using the following contact details:


Company Contact Information:

Email: [email protected]

Registered Office Address: 422 Richards St, Suite 170, Vancouver, BC, V6B 2Z4, Canada


DPO Contact Information:

Name: Balázs Ujlaki

Email: [email protected]


In addition, clients have the right to lodge a complaint with the relevant Supervisory Authority. Based on the main establishment location, clients can contact the following Supervisory Authorities:


1. European Data Protection Supervisor (EDPS):

Website: https://edps.europa.eu/

Address: Rue Wiertz 60, B-1047 Brussels, Belgium


2. Information Commissioner's Office (ICO) (for clients in the UK):

Website: https://ico.org.uk/

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom


For other EU countries: see the European Data Protection Board (EDPB) website for the contact details of the respective Supervisory Authority: https://edpb.europa.eu/about-edpb/board/members_en