1. Who I Am
This website, majaherrero.com, is operated by Maja Barbara Michalewska (Herrero), trading as Elevate Sustain Prosper.
Data Controller:
Maja Barbara Michalewska (Herrero)
Elevate Sustain Prosper
CVR: DK 43657313
Address: Bykildevej 7, 1 th, 2500 Valby, Denmark
Email: contact@majaherrero.com
I am committed to protecting your personal data. This policy explains what data I collect, why I collect it, and what your rights are.
2. What Data I Collect
I collect personal data in the following situations:
- Contact form submissions: Your name, email address, and message content.
- Newsletter signup: Your email address and, optionally, your first name.
- Quiz (Root Cause Blueprint): Your email address, first name (optional), quiz responses, and your blueprint result.
- Booking a session (via TidyCal): Your name, email address, and booking details. TidyCal processes this data on my behalf.
- Coaching services: Information you share during coaching sessions. This may include sensitive personal information related to health, family, and personal circumstances. This information is kept strictly confidential.
- Website usage data: IP address (anonymized), browser type, pages visited, time spent on site, and referral source. This data is collected via Google Analytics only if you consent to analytics cookies.
- Payment processing: Payment information is processed by Stripe and/or PayPal. I do not store your payment card details on my website or servers.
3. How I Use Your Data
I use your personal data for the following purposes:
- To respond to your messages and inquiries
- To deliver coaching services you have purchased
- To send your quiz results and, if you consented separately, newsletter communications
- To process payments for coaching programs
- To understand how visitors use this website (via anonymized analytics data, with your consent)
- To comply with legal obligations, including tax and accounting requirements
- To improve the website and my services
I will never sell your personal data to third parties. I will never use your data for purposes other than those listed above without your explicit consent.
4. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), I process your data based on the following legal grounds:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Fulfilling coaching contracts | Performance of contract | Art. 6(1)(b) |
| Responding to contact form inquiries | Pre-contractual steps / Legitimate interest | Art. 6(1)(b) / Art. 6(1)(f) |
| Sending invoices and tax records | Legal obligation | Art. 6(1)(c) |
| Newsletter (via ActiveCampaign) | Consent | Art. 6(1)(a) |
| Website analytics (Google Analytics) | Consent (via cookie banner) | Art. 6(1)(a) |
| Quiz lead magnet (email-gated results) | Consent | Art. 6(1)(a) |
| Booking sessions (via TidyCal) | Performance of contract | Art. 6(1)(b) |
| Publishing testimonials | Consent (documented) | Art. 6(1)(a) |
Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. Third-Party Services and Data Sharing
I use the following third-party services to operate this website and deliver my services. Each service processes data on my behalf as a data processor.
| Service | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Vercel | Website hosting | USA | EU-US Data Privacy Framework / SCCs |
| Sanity | Content management system | Norway / USA | EU-US Data Privacy Framework / SCCs |
| ActiveCampaign | Email marketing and newsletter | USA (Chicago, IL) | EU-US Data Privacy Framework / SCCs |
| Google Analytics | Website analytics | USA | EU-US Data Privacy Framework |
| TidyCal | Session booking | USA | Verify DPF certification / SCCs |
| Stripe | Payment processing | USA | EU-US Data Privacy Framework |
| PayPal | Payment processing | USA | EU-US Data Privacy Framework |
International data transfers: Some of my service providers are based in the United States. Data transfers to the US are conducted under the EU-US Data Privacy Framework (adopted July 2023) where the provider is certified, or under Standard Contractual Clauses (SCCs) where they are not.
I do not share your personal data with any other third parties for their own marketing or other purposes.
6. Cookies and Tracking
This website uses cookies. For full details on which cookies are used, how they work, and how to manage your preferences, please see my Cookie Policy.
No non-essential cookies are set until you give your consent via the cookie consent banner. You can change your cookie preferences at any time.
7. Newsletter and Email Marketing
If you subscribe to my newsletter or opt in to receive email updates (for example, after taking the quiz), your email address and first name are stored in ActiveCampaign.
I use double opt-in: after you subscribe, you will receive a confirmation email. Your subscription is only active after you confirm.
Every email includes an unsubscribe link. You can unsubscribe at any time with one click. After unsubscribing, your data will be deleted from my mailing list within 30 days.
I do not share your email address with any third party for their own marketing purposes.
8. Payment Processing
Payments for coaching programs are processed by Stripe and/or PayPal. I do not store your credit card or bank account details on my website or servers.
Stripe and PayPal are both certified under the EU-US Data Privacy Framework and implement Strong Customer Authentication (SCA) as required under PSD2.
For invoicing and tax compliance, I retain your name, email, purchase amount, and date of purchase as required by Danish bookkeeping law (Bogføringsloven).
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data I hold about you.
- Right to rectification: You can ask me to correct inaccurate or incomplete data.
- Right to erasure: You can ask me to delete your personal data, subject to legal retention requirements.
- Right to restrict processing: You can ask me to temporarily stop processing your data.
- Right to data portability: You can request your data in a machine-readable format to transfer to another service.
- Right to object: You can object to the processing of your data based on legitimate interest.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, contact me at: contact@majaherrero.com
I will respond to your request within 30 days.
Right to lodge a complaint: If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Danish Data Protection Agency:
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Email: dt@datatilsynet.dk
Website: datatilsynet.dk
10. Data Retention
I retain your personal data only for as long as necessary for the purposes described above, or as required by law.
| Data Type | Retention Period |
|---|---|
| Coaching client records | Duration of contract + 5 years (Danish limitation period) |
| Tax and accounting records | 5 years after the end of the fiscal year (Bogføringsloven) |
| Contact form submissions | 24 months, then deleted |
| Newsletter subscriber data | Until you unsubscribe, then deleted within 30 days |
| Quiz responses and results | 24 months of inactivity, then deleted |
| Website analytics data | 14 months (Google Analytics setting) |
| Consent records (marketing) | Until consent is withdrawn + reasonable period for compliance documentation |
11. Data Security
I take appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. Communication between your browser and this website is encrypted using SSL/TLS.
In the event of a personal data breach that poses a risk to your rights and freedoms, I will notify the Danish Data Protection Agency (Datatilsynet) within 72 hours. If the breach poses a high risk to you, I will also notify you directly without undue delay.
Children's data: This website and my services are not directed at individuals under 18.
12. Changes to This Policy
I may update this privacy policy from time to time. When I do, I will update the “Last updated” date at the top of this page.
I encourage you to review this policy periodically. Continued use of the website after changes constitutes acceptance of the updated policy.
13. Contact and Supervisory Authority
If you have any questions about this privacy policy or how I handle your data, contact me at:
Maja Herrero
Email: contact@majaherrero.com
Supervisory authority:
Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby, Denmark
dt@datatilsynet.dk
datatilsynet.dk