Privacy Policy

Introduction

Welcome to SophraCyber. This privacy policy explains how we collect, use, and protect your personal data when you interact with our coaching services, website, and tools. We are committed to safeguarding your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and the Dutch Algemene verordening gegevensbescherming (AVG).

This policy applies to all data collected through our website, booking systems (Calendly), payment processor (Stripe), e‑signature platform (BoldSign), and Microsoft 365 services (including Outlook, Teams, OneDrive and SharePoint), as well as our email service provider (MailerLite) and any other interactions you may have with SophraCyber.

This policy also explains how SophraCyber handles any personal data processed for professional accreditation purposes (e.g., ICF) only where you have given explicit, informed consent.

Note: Where the law requires consent (e.g., marketing emails, non‑essential cookies, recordings, or ICF submissions), we will ask for it separately. This policy is a notice, not a contract.

By using our services, you agree to the terms of this privacy policy.

Data Controller Information

SophraCyber is the data controller responsible for processing your personal data.

Business Name: SophraCyber
Business Type: ZZP (Zelfstandige Zonder Personeel)
KvK Registration Number: 98123874
Business Address: Vlierweg 12-K03, 1032LG, Amsterdam
Email: coach@sophracyber.com
Website: www.sophracyber.com

If you have any questions about this policy or your data, you can contact us using the details above or through our contact form.

Types of Personal Data Collected

We may collect the following categories of personal data:

  • Identity and Contact Information: Name, email address, phone number, LinkedIn URL.

  • Booking and Session Data: Appointment details, coaching session notes, preferences.

  • Contracting & Signature Data (BoldSign): signature, signing intent, timestamp, IP address, device, geolocation (if enabled), envelope/document metadata.

  • Payment Information: Processed via Stripe. Card details are handled by Stripe and not stored by SophraCyber.

  • Technical Data: IP address, browser type, device information, cookies.

  • Communication Data: Messages and meeting recordings (via Microsoft Teams, if applicable, and only with prior notice or consent).

  • Microsoft 365 Workspace Data: email headers and content you send to us via Outlook, files you share (OneDrive/SharePoint), Teams meeting metadata.

  • Marketing & Subscription Data (MailerLite): email address, subscription status, preferences, consent timestamps, campaign interactions (opens/clicks).

  • Website Usage Data: Pages visited, time spent, interaction logs.

  • Accreditation Data: Coaching logs containing client names and emails, audio recordings of coaching sessions, and session transcripts submitted to ICF for certification or audit purposes. Accreditation data is only submitted to ICF with your explicit consent.

Data is collected directly from you when you:

  • Book a session via Calendly.

  • Make a payment via Stripe.

  • Communicate with us via Teams or email.

  • Browse or interact with our website.

Purpose of Data Collection

We collect and process your personal data for the following purposes:

  • Service Delivery: To schedule and conduct coaching, mentoring and training sessions.

  • Contracting & E‑Signature: to prepare, send, sign, and retain agreements via BoldSign.

  • Payment Processing: To manage invoices and receive payments securely.

  • Client Communication: To send confirmations, updates, and respond to inquiries.

  • Marketing Communications: to send newsletters and updates via MailerLite.

  • Service Improvement: To analyze usage patterns and improve our offerings.

  • Legal Compliance: To meet obligations under Dutch law and GDPR.

  • Accreditation Compliance: To maintain coaching logs and submit session recordings and transcripts to the International Coaching Federation (ICF).

Legal Basis for Processing Data

We process your personal data based on the following legal grounds:

  • Consent: marketing emails (MailerLite), recordings/transcripts, ICF submissions, and non‑essential cookies/analytics.

  • Contractual necessity: scheduling and delivering sessions (Calendly/Microsoft 365), contracting and signatures (BoldSign), payment processing (Stripe), and essential communications.

  • Legal Obligation: To comply with Dutch tax and business regulations, we may retain certain data for statutory periods.

  • Legitimate Interest: To improve our services, ensure platform security, and maintain business continuity, provided these interests do not override your rights and freedoms. To fulfill professional accreditation requirements with ICF, which may involve maintaining and submitting client data such as coaching logs, recordings, and transcripts.

  • Withdrawal: You may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing. If you withdraw consent for optional items (e.g., marketing, recordings, ICF), we will continue providing core coaching services.

You may withdraw your consent at any time by contacting us, without affecting the lawfulness of processing based on consent before its withdrawal. In case of consent withdrawal for data processing use-cases that are essential or mandatory for delivering the services as per the coaching and mentoring agreement, the company may have to terminate the contractual relationship in order to be compliant with privacy laws and GDPR.

Data Sharing and Third Parties

We do not sell your personal data. However, we may share it with trusted third-party service providers strictly for operational purposes:

  • Calendly (processor): Used for scheduling coaching sessions. Data shared includes your name, email, and session booking information.

  • BoldSign (processor): contract execution and signature logs/metadata.

  • Stripe (independent controller): billing and transaction data. Stripe may process data for its own risk and compliance purposes under its privacy notice.

  • Microsoft 365 (processor): email, files, and meetings (Outlook, OneDrive/SharePoint, Teams).

  • Website hosting/analytics (processor): limited to what’s necessary and only non‑essential analytics with prior consent.

  • MailerLite (processor): email delivery, subscription management, and preference tracking (with consent).

  • International Coaching Federation (ICF): Client names, emails, session recordings, and transcripts may be submitted to ICF for certification or audit purposes. This is done only with explicit client consent, in accordance with GDPR safeguards, and only when required for certification or audit purposes.

All third-party providers are GDPR-compliant and have appropriate data protection agreements in place. Data shared is limited to what is necessary for the intended purpose.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, including:

  • Client Records: Retained for up to 2 years after the last coaching session, unless longer retention is required by law.

  • Contracts & Signature Logs (BoldSign): retained for up to 7 years to evidence the agreement and for statutory/accounting purposes.

  • Payment Data: Retained for 7 years in accordance with Dutch tax regulations.

  • Marketing (MailerLite): retained until you unsubscribe or after 24 months of inactivity, then deleted or anonymised.

  • Website and Analytics Data: Retained for up to 12 months, unless anonymized.

  • Calendly and Teams Data: Retained according to the respective platform’s retention settings and your interaction history.

  • Accreditation Records: Coaching logs and related materials (e.g., recordings, transcripts) are retained for up to 5 years or as required by ICF guidelines. These records are securely stored and only shared with ICF when necessary.

Once the retention period expires, data is securely deleted or irreversibly anonymized.

Data Subject Rights

As a data subject under the GDPR and Dutch AVG, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you.

  • Right to Rectification: You can ask us to correct inaccurate or incomplete data.

  • Right to Erasure (“Right to be Forgotten”): You can request deletion of your data, subject to legal and accreditation obligations.

  • Right to Restriction of Processing: You can ask us to limit how your data is used.

  • Right to Data Portability: You can request your data in a structured, commonly used format.

  • Right to Object: You can object to processing based on legitimate interest or direct marketing.

You have the right to withdraw marketing consent at any time and to object to direct marketing (including related profiling). To exercise any of the above rights, please use the contact form on our website. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).

Please note that exercising certain rights (such as the right to erasure) may prevent us from providing services that require essential data processing. In such cases, we may need to terminate the coaching and mentoring agreement.

Security Measures and Data Protection

We take the protection of your personal data seriously and implement appropriate technical and cyber security measures, including:

  • Encryption: Sensitive data such as session recordings and transcripts are encrypted during storage and transmission.

  • Multi‑factor authentication (MFA) is enforced for administrator accounts across Microsoft 365, BoldSign, Stripe, MailerLite, and Calendly.

  • Access Controls: Only authorized personnel have access to client data, coaching logs, and accreditation materials.

  • Secure Platforms: We use GDPR-compliant services such as Calendly, Stripe, and Microsoft Teams.

  • Data Minimization: We collect only the data necessary for service delivery and compliance reasons.

  • Audit Trails: We maintain logs of data access and submission for accountability.

  • Cyber Security: We regularly review our security posture and implement appropriate safeguards.

In the unlikely event of a personal data breach, we will notify the Autoriteit Persoonsgegevens and affected individuals when required by law.

International Data Transfers

Some of the third-party services we use (e.g., Calendly, Stripe, Microsoft Teams) may store or process data outside the European Economic Area (EEA). When this occurs, we ensure that:

  • Transfers are made to countries with an adequate level of data protection as recognized by the European Commission.

  • Standard Contractual Clauses (SCCs) or other appropriate safeguards are in place.

  • Data submitted to ICF (based in the United States) for accreditation purposes is shared only with your explicit consent and in accordance with GDPR requirements.

Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your experience, analyze traffic, and support essential functions such as scheduling and payments.

What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us remember your preferences, understand how you use our site, and improve functionality.

Types of Cookies We Use:

  • Essential Cookies: These are necessary for the website to function properly. They enable core features such as security, session management, and accessibility.

  • Performance and Analytics Cookies: These help us understand how visitors interact with our website (e.g., which pages are visited most often) so we can improve usability and content.

  • Functionality Cookies: These remember your preferences (e.g., language settings or form inputs) to provide a more personalized experience.

  • Third-Party Cookies: These may be set by services we use, such as:

    • Calendly: For booking coaching sessions.

    • MailerLite (email sign‑up forms/embedded assets)

    • BoldSign (embedded signing, if used on our site)

    • Stripe: For secure payment processing.

    • Microsoft Teams: For virtual meeting integration.

These third-party services may use cookies to track usage or facilitate their features. We ensure that all third-party providers are GDPR-compliant.

Cookie Consent and Control

When you first visit our website, you will be presented with a cookie banner allowing you to accept or manage your cookie preferences. You can also control cookies through your browser settings at any time. Non‑essential cookies (including analytics and marketing) are off by default and only set after your opt‑in via our cookie banner. You can change or withdraw consent at any time via Cookie Settings.

Managing Cookies

If you choose to disable cookies, some features of the website may not function as intended. You can find instructions for managing cookies in the settings section of most modern browsers such as Chrome, Firefox, Safari, and Edge.

Changes to this Privacy Policy

We may update this privacy policy from time to time to reflect changes in our services, legal obligations, or data practices.

When We Update:

  • Updates may occur due to changes in GDPR, Dutch privacy laws, or ICF accreditation requirements.

  • Material changes will be communicated via our website or email, where appropriate.

Your Responsibility:

  • We encourage you to review this policy periodically to stay informed about how we protect your data.

Last updated: 25th of October 2025

Contact Information

For any questions regarding this Privacy Policy, please contact SophraCyber at coach@sophracyber.com or via the contact form on our website.