Legal · Internal policy framework
Data Protection
Last updated: 03 October 2025
This Data Protection Policy describes how Majesty-Coaching handles personal information in line with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications-Telemedia Data Protection Act (TTDSG). It complements the customer-facing Privacy Policy and the business-to-business Data Protection Addendum.
Why this policy exists
This policy ensures personal data is handled lawfully, individuals' rights are protected, transparency is maintained with everyone we interact with, and we operate with a documented framework that helps prevent and respond to data incidents.
EU General Data Protection Regulation (GDPR)
Under Art. 5 GDPR, personal data must be:
- Processed lawfully, fairly, and in a transparent manner ("lawfulness, fairness, transparency");
- Collected for specified, explicit, and legitimate purposes ("purpose limitation");
- Adequate, relevant, and limited to what is necessary ("data minimisation");
- Accurate and, where necessary, kept up to date ("accuracy");
- Kept in a form that permits identification of data subjects only as long as necessary ("storage limitation");
- Processed in a manner that ensures appropriate security ("integrity and confidentiality");
- Demonstrably compliant ("accountability").
International transfers require an adequate level of protection per Chapter V GDPR.
1. Policy statement
Majesty-Coaching is committed to handling personal information from clients, applicants, lead-magnet subscribers, partners, and contractors in accordance with the data-protection requirements above and any other applicable law.
2. About this policy
Questions about this policy or concerns that it has not been followed should be referred to support@majesty-coaching.com.
3. What is personal data?
Personal data is any information relating to an identified or identifiable natural person. We do not actively collect special-category data (health, biometrics, political, religious). Where such data appears voluntarily in a free-text field on the application form, it is deleted on request and is never used for targeting or profiling.
4. Data protection principles
All personal data we process must be lawful, purpose-limited, minimised, accurate, time-limited, secure, and protected during international transfers. Compliance with these principles is documented and reviewed annually.
5. Fair and lawful processing
Lawful bases include consent, contract performance, legal obligation, and legitimate interests. Each processing activity is mapped to its lawful basis in our Record of Processing Activities (Art. 30 GDPR).
Collection of information
We collect information from:
- Direct interactions — application form submissions, LifeOS opt-ins, strategy-call bookings, emails, and onboarding forms.
- Automated technologies — server logs, analytics events (consent-gated), and UTM parameters preserved in session storage.
- Third-party processors — Vercel (hosting), Cal.com (booking), Kit (email/CRM), Stripe (payments), PostHog (product analytics, EU region), Google (GA4), Resend (transactional email, planned).
Use of information
Data supports application qualification, programme delivery, payment processing, transactional and marketing email, site analytics, and security. Marketing email is sent on the basis of consent (lead-magnet subscribers) or legitimate interest with opt-out (existing customers, per § 7 Abs. 3 UWG).
6. Processing for limited purposes
We process personal data only for the specific purposes notified at collection. Secondary use requires either compatibility with the original purpose, a fresh consent, or another lawful basis.
7. Notifying individuals
The customer-facing Privacy Policy contains the Art. 13/14 GDPR notice including purposes, legal bases, recipient categories, international transfer information, retention periods, and the rights available to data subjects.
8. Adequate, relevant, and non-excessive processing
The application form collects only what is required to qualify an applicant: name, email, business type, revenue range, primary bottleneck, why now, and an optional readiness confirmation. Free-text fields are subject to minimum-length validation, but no maximum length is enforced; long submissions are stored as written.
9. Accurate data
Information is verified at collection (email format, required fields). Subscribers can correct or delete their record at any time via the unsubscribe link or by emailing support@majesty-coaching.com.
10. Timely processing
We do not keep personal data longer than necessary. Indicative periods are listed in § 8 of the Privacy Policy. Tax-relevant records are retained for up to 10 years (§ 147 AO); business correspondence for up to 6 years (§ 257 HGB).
11. Processing in line with data subjects' rights
Individuals have rights under Art. 15–22 GDPR: access, rectification, erasure, restriction, portability, objection, and protection from solely automated decisions with legal effects. Consent is withdrawable at any time without affecting prior lawful processing.
12. Data security
Technical and organisational measures include:
- TLS 1.2+ in transit on every page;
- Access controls, least-privilege, and MFA on operational accounts;
- Pseudonymisation of analytics events where possible (no email or full IP in PostHog/GA4);
- Documented incident response with a 72-hour notification target per Art. 33 GDPR;
- Vendor due diligence for every processor (DPA in place under Art. 28 GDPR);
- Confidentiality obligations on every contractor with system access;
- Regular review of security controls and policies (at least annually).
Transferring personal data outside the EU/EEA
Where data is transferred outside the EU/EEA, we rely on adequacy decisions (e.g. EU-US Data Privacy Framework where applicable) or Standard Contractual Clauses (Art. 46 GDPR) with supplementary measures where required by Schrems II. Narrow Art. 49 derogations apply only in specific exceptional cases (e.g. explicit consent for a one-off transfer).
13. Disclosure and sharing of personal data
Personal data may be shared with processors (see § 5 of the Privacy Policy), professional advisors (lawyers, accountants), regulators where legally required, or a successor entity in the event of a sale of the business. Every recipient is bound by appropriate contractual safeguards.
14. Subject access requests
Contact support@majesty-coaching.com to exercise your rights. We verify identity where necessary and respond without undue delay, in any event within one month per Art. 12 GDPR. The deadline may be extended by two further months for complex or numerous requests, with notice.
15. Changes to this policy
Material changes will be announced in advance via the site or by email, and the "Last updated" date will be adjusted accordingly.