PRIVACY POLICY

Who We Are & Why This Policy Matters

Welcome. I’m Natália Leal, and I run this website and its related platforms as a sole proprietorship based in the Netherlands. I take your privacy seriously and want you to feel informed and confident when you interact with any of my online spaces.

This Privacy Policy explains, in clear terms:

• what personal data I collect;

• why and how I use it;

• the legal grounds I rely on under the GDPR and applicable Dutch law;

• who I share data with (and why);

• how long I keep data;

• your rights under data protection laws; and

• how to exercise those rights.

This policy applies to www.natalia-leal.com, its sub-domains (including courses.natalia-leal.com), and any other related online channels or media forms operated by me (collectively referred to as “the Site” for clarity and simplicity throughout this document).

If you do not agree with this Privacy Policy, please refrain from using the Site.

Changes to This Policy

I may update this Privacy Policy from time to time, for example when I adopt new practices or to reflect changes in the law. When I do, the “Last Updated” date at the top will be amended.

If the changes are material—meaning they significantly affect how your data is used or your rights—I will:

• send an email notification to subscribers and users where appropriate; and

• post an announcement or update on the Site (for example, a blog post or notice).

By continuing to use the Site after an updated version is posted, you accept the revised policy.

I collect different types of personal data depending on how you interact with the Site. This includes data you provide directly, data collected automatically, and information received from trusted third parties. Below is a clear overview of what may be collected.

2.1 Information You Provide Directly

You may share personal data with me when you:

• subscribe to my newsletter;

• download resources;

• book a call or coaching session;

• register for a course, webinar, event or programme;

• fill in a contact form;

• take part in a survey, challenge, giveaway, or similar activity.

This can include:

• your name;

• email address;

• phone number;

• billing and delivery details (if applicable);

• demographic or preference information you choose to share (e.g., country, interests, goals, feedback).

I only request information that is relevant and necessary for the purpose described at the time of collection.

2.2 Information Collected Automatically

When you visit or use the Site, certain technical information is collected automatically by the website’s hosting environment, security tools, analytics tools and by the Site itself. This helps ensure security, performance, and improvements. This may include:

• IP address;

• browser type and version;

• device type and operating system;

• time, date and duration of your visit;

• pages viewed;

• referring website (referrer URL).

This data is collected through standard web technologies such as server logs, cookies and similar tools. It is used to keep the Site secure, diagnose technical issues, understand usage patterns, and improve the user experience.

2.3 Cookies and Similar Technologies

The Site uses cookies, pixels and similar tools to remember your preferences, analyse website traffic and improve functionality. A detailed explanation is included later in the Cookies section of this Policy (see below).

2.4 Information From Social or Third-Party Services

If you choose to connect or interact with the Site via a third-party platform (such as Google, Facebook, Instagram, LinkedIn, Stripe, PayPal, or Udemy/other course platforms), I may receive information from that service according to their settings and your permissions.

This may include:

• your name and public profile details;

• email address;

• profile photo;

• location;

• user IDs;

• any other information you have authorised that service to share.

I only receive this information when you actively choose to connect or log in through these services.

2.5 Mobile Device Information

If you access the Site from a mobile device, I may collect:

• device type, model and manufacturer;

• operating system and version;

• browser information;

• anonymised location information (only if you grant permission).

2.6 Data from Surveys, Events, Offers or Giveaways

If you participate in surveys, challenges, giveaways, questionnaires, or other activities, I may collect additional information relevant to that activity — always clearly explained at the time of participation.

2.7 Children’s Privacy

The Site and its services are not directed at children under 16 years old. I do not knowingly collect personal data from children. If I learn that personal information from a child under 16 has been collected, I will delete it promptly.

2.8 Third-Party Links
The Site may contain links to third-party websites or services (such as payment providers, course platforms, or partner sites). I am not responsible for the privacy practices, content, or security of these external sites. I encourage you to read the privacy policies of any third-party websites you visit.

I only use your personal data when I have a clear and lawful reason to do so. Under the GDPR, these reasons (known as “legal bases”) include consent, contract, legitimate interest, legal obligation, and, in very limited cases, vital interests.

Below is how your information may be used when you interact with the Site.

3.1 To Provide and Improve My Services

Legal basis: Contract, Legitimate Interest

I use your information to:

• deliver coaching services, courses, webinars, events and programmes;

• give you access to downloads, resources and purchased products;

• manage your account on course platforms or membership areas;

• respond to your messages, questions or support requests;

• improve the Site and tailor content to your needs.

3.2 To Communicate With You

Legal basis: Consent, Contract, Legitimate Interest

This includes:

• sending you emails you subscribed to (newsletters, updates, invitations);

• communicating about bookings, sessions, purchases or technical issues;

• following up after you register for a call, webinar, download, challenge or event;

• contacting you when you request information or assistance.

You can unsubscribe from marketing emails at any time by clicking “unsubscribe” in any message.

3.3 For Payments and Order Processing

Legal basis: Contract, Legitimate Interest, Legal Obligation

If you purchase a product, course or service, your information (e.g., name, email, billing details) is used to:

• process and confirm your order;

• send invoices and receipts;

• manage refunds where applicable;

• meet Dutch administrative and tax obligations.

All payments are processed securely through trusted third-party providers (e.g., Stripe, PayPal, or the payment system of my course platform). I never store full payment card details.

3.4 For Analytics, Performance and Security

Legal basis: Legitimate Interest

Automatically collected technical data helps me:

• analyse how visitors use the Site;

• maintain security and prevent fraudulent or malicious activity;

• ensure the Site performs well across devices and browsers;

• understand which pages or resources are most useful.

This may involve the use of cookies, server logs and analytics tools, explained later in the Cookies section.

3.5 To Comply With Legal Requirements

Legal basis: Legal Obligation

I may process personal data where necessary to:

• comply with Dutch tax, bookkeeping or administrative obligations;

• respond to lawful requests from authorities;

• keep appropriate records to demonstrate GDPR compliance.

3.6 With Your Consent

Legal basis: Consent

Some activities only happen with your clear permission, such as:

• joining the email list or newsletter;

• taking part in surveys, giveaways, interviews or research;

• using optional cookies or marketing analytics tools.

You can withdraw your consent at any time.

3.7 For Legitimate Business Interests

Legal basis: Legitimate Interest

These interests include:

• keeping the Site relevant and user-friendly;

• maintaining contact with clients and subscribers;

• promoting services in a respectful, non-intrusive way;

• improving coaching content, offers and communication.

Where legitimate interests are used, they never override your rights or freedoms.

3.8 Automated Decision-Making / Profiling
The Site does not use automated decision-making or profiling to make decisions that affect you. Any recommendations, marketing, or content suggestions are made manually or based on general user activity data, not on automated profiling.

We take the security of your data seriously and use appropriate technical and organisational measures to keep it safe. These include:

• Secure storage systems: Your information is stored using trusted third-party tools that follow industry-standard security practices.

• Restricted access: Only authorised team members or contractors who genuinely need the information to perform their work can access it.

• Data minimisation: We only keep the information we need and only for as long as necessary.

• Regular reviews: We periodically review our systems, tools, and processes to ensure your data remains protected.

• Encryption and secure transmission: Whenever possible, data is encrypted in transit and at rest.

While no online service can guarantee absolute security, we are committed to continuously improving our practices and responding promptly to any risks or incidents.

We only keep your personal data for as long as it’s genuinely needed for the purposes described in this policy, or as required by law. This means:

• Mailing list: We keep your contact details until you unsubscribe.

• Consultations, coaching, and programme participation: We retain relevant records for up to 7 years, in line with professional and tax obligations.

• Website analytics and cookies: Retention varies depending on the tool used, typically between 30 days and 26 months.

• Client notes and session records: These are stored securely and kept only for the minimum period necessary for professional practice, after which they are safely deleted.

If you request deletion of your data and there is no legal or professional requirement to keep it, we will remove it promptly and confirm once it’s done.

The Site uses cookies, pixels, and similar tools to improve your experience, understand how the Site is used, and help me provide better services.

6.1 What Cookies We Use

• Essential cookies: These are strictly necessary for the Site to function (for example, keeping you logged in or remembering your session).

• Analytics cookies: These help me see which pages are visited, how users navigate the Site, and how to improve it. Google Analytics is used with IP anonymisation enabled.

• Functional cookies: These remember your preferences and settings (for example, language or display options).

• Marketing cookies: Used to show you relevant offers or content if you’ve consented to them.

6.2 How We Use Tracking Tools

I may also use pixels or similar tools to:

• analyse email campaign performance;

• measure engagement with pages or online content;

• detect and prevent fraud or security risks.

All tracking tools are used according to GDPR and Dutch law requirements.

6.3 Your Choices

• You can accept or reject cookies when prompted on the Site.

• You can change your browser settings at any time to block or delete cookies.

• Refusing cookies may affect the full functionality of some parts of the Site.

• For marketing or analytics cookies that require consent, you can withdraw consent at any time via the cookie banner or email contact.

For more information about cookies in general, you can visit allaboutcookies.org.

If you are in the EU (or EEA), you have a number of rights regarding your personal data under the GDPR and Dutch law. Here’s a summary of what you can do and how:

7.1 Access & Correction

You can request a copy of the personal data I hold about you, and ask me to correct any errors or update incomplete information.

7.2 Deletion (“Right to be Forgotten”)

You can request that I delete your personal data when there’s no legal or professional reason to keep it. I will confirm once deletion is complete.

7.3 Restrict Processing

You can ask me to temporarily limit how I use your personal data in certain circumstances.

7.4 Object

You can object to the processing of your personal data for certain purposes, including marketing. If you do, I will stop processing unless there’s a compelling reason to continue.

7.5 Data Portability

Where technically feasible, you can request your personal data in a structured, machine-readable format for transfer to another controller.

7.6 Withdraw Consent

If processing is based on your consent (for example, marketing emails or optional cookies), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

7.7 Lodge a Complaint

You have the right to complain to a supervisory authority — in the Netherlands, this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority): www.autoriteitpersoonsgegevens.nl.

7.8 How to Exercise Your Rights

To exercise any of these rights, please contact me at: contact@natalia-leal.com. I may ask you to verify your identity to protect your privacy.

I aim to respond within one month (or sooner if possible), as required by law.

I am based in the Netherlands, and most of your personal data is processed within the EU/EEA. However, some trusted service providers I use may store or process data outside the EU/EEA (for example, email delivery services, course platforms, or cloud hosting providers).

When this happens, I make sure your data is protected with appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission;

• Data Processing Agreements (DPAs) with clear privacy and security obligations;

• Service providers with proven compliance standards, such as ISO certifications or participation in recognised privacy frameworks.

These measures ensure your data continues to receive an equivalent level of protection as required under the GDPR and Dutch law.

If you have questions about data transfers or the safeguards used, you can always contact me at contact@natalia-leal.com.

I take the protection of your personal data seriously. While no method of transmission or storage is ever 100% risk-free, I use a combination of technical and organisational measures to keep your information safe.

These include:

• Secure servers and encrypted connections (SSL/TLS)

• Strong access controls, including passwords and limited administrative access

• Regular software updates and security monitoring

• Data Processing Agreements with third-party providers that meet GDPR and Dutch security standards

• Back-ups and recovery procedures to prevent data loss.

Only the minimum number of people who need access to your data to deliver the service will have it, and they follow strict confidentiality and data-protection rules.

If I ever identify a risk or incident involving your personal data, I will follow all legal requirements, including notifying affected users and the Dutch Data Protection Authority when necessary.

I may update this Privacy Policy from time to time to reflect new legal requirements, improvements in my services, or changes in the way I handle personal data.

• The “Last Updated” date at the top of the policy will always indicate the most recent version.

• If changes are material (meaning they significantly affect how your data is used or your rights), I will:

  • notify you via email where possible; and

  • post a notice or update on the Site (for example, a blog post or announcement).

By continuing to use the Site after an update, you accept the revised policy.

I encourage you to check this page periodically to stay informed about how your information is handled.

The controller responsible for your personal data is:

Natália Leal
📍Sole proprietorship registered in the Netherlands.
📍KvK number: 72490772

📧 Email: contact[at]natalia-leal.com
📧 Website: www.natalia-leal.com

🌍 Services available online and internationally

You can contact me for any questions about this Privacy Policy, to exercise your rights, or to withdraw consent. I aim to respond promptly and within the legal timeframe required by GDPR (typically within one month).

For complaints regarding the handling of your personal data, you also have the right to contact the Autoriteit Persoonsgegevens (Dutch Data Protection Authority): www.autoriteitpersoonsgegevens.nl.