Privacy Policy
In accordance with GDPR (EU) 2016/679 and Swiss nDSG (SR 235.1) · Last updated: April 2026
1. Data controller
Maria Boettner · c/o F2BII E-Commerce#651, Hintergoldingerstrasse 30, 8638 Goldingen, Switzerland
Email: mail@maria-boettner.de
Art. 13 GDPR – Obligation to provide information when collecting personal data
2. Principles
All data processing follows Art. 5 GDPR: lawfulness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.
Maria Boettner aligns her practice with the principles of ISO/IEC 27001, ISO/IEC 42001 and the EU AI Act – without holding formal certification under these standards.
3. Data collection and processing
3.1 Server log data
Hosting provider: IONOS SE, Germany. Automatically stored: IP address (anonymised after 7 days), browser type, operating system, referrer URL, date and time.
Art. 6(1)(f) GDPR – Legitimate interest
3.2 Newsletter subscription
Only the email address and explicit consent (checkbox) are collected. The data is submitted via Contact Form 7 and forwarded directly to mail@maria-boettner.de. No third-party storage.
Art. 6(1)(a) GDPR – Consent · Withdrawal: Art. 7(3) GDPR – at any time by email
3.3 Appointment booking – Calendly
Calendly LLC, Atlanta, USA. Data collected: name, email, appointment. EU-US Data Privacy Framework certified. DPA: calendly.com/dpa
Art. 6(1)(b) GDPR – Contract performance · Third-country transfer: Art. 46 GDPR
3.4 YouTube embeds
Google Ireland Limited, Dublin. Connection established with YouTube servers when embedded videos are accessed.
Art. 6(1)(f) GDPR – Legitimate interest
3.5 Cookies
Technically necessary cookies for website operation. Optional cookies for third-party content. Cookie consent banner shown on first visit.
Necessary cookies: Art. 6(1)(f) GDPR · Optional cookies: Art. 6(1)(a) GDPR
3.6 AI-powered tools
Tools such as the Soul Path Diagnostic may process: email address (voluntary), responses to spiritual orientation questions, AI-generated recommendations.
Important clarifications under the EU AI Act:
- All AI tools are classified as ‘minimal risk’ – they make no decisions about individuals
- No permanent storage of personal responses
- No training of AI models with user data
- AI outputs may not be used to train third-party AI models
- Users are transparently informed when interacting with an AI system
- You have the right to request human review of any AI-generated output that materially affects your experience
- If AI voice or avatar features are introduced in future, this will be clearly disclosed in advance
Art. 6(1)(a) GDPR – Consent · EU AI Act Art. 50 – Transparency obligations
3.7 Third-party platforms
Maria Boettner may use third-party platforms including: IONOS SE (hosting), Calendly (booking), YouTube/Google (embedded content), Contact Form 7 (forms), and Anthropic API (AI tools). Each platform is subject to its own privacy policy and data processing terms.
4. Storage periods
- Server logs: 7 days, then anonymised
- Newsletter emails: until consent is withdrawn
- Booking data: as per Calendly’s policy
- Email correspondence: 3 years (statutory retention)
Art. 5(1)(e) GDPR – Storage limitation
5. Data sharing
Data shared only for contract fulfilment (Calendly), with explicit consent, or when required by law. No sharing for advertising purposes.
Art. 6(1)(b) and (c) GDPR
6. Data processing agreements
IONOS SE (hosting) · Calendly LLC (DPA: calendly.com/dpa)
Art. 28 GDPR – Processors
7. Your rights
- Access – Art. 15 GDPR / Art. 25 nDSG
- Rectification – Art. 16 GDPR
- Erasure – Art. 17 GDPR
- Restriction of processing – Art. 18 GDPR
- Data portability – Art. 20 GDPR
- Right to object – Art. 21 GDPR
- Withdraw consent – Art. 7(3) GDPR
- Lodge a complaint – Art. 77 GDPR
Supervisory authorities:
- Switzerland: FDPIC – www.edoeb.admin.ch
- Germany: Competent state data protection authority
Contact: mail@maria-boettner.de · Response within 30 days (Art. 12(3) GDPR)
8. Data security
Maria Boettner implements appropriate technical and organisational measures to ensure a level of security proportionate to the risk involved in data processing. This reflects a risk-based approach: the higher the potential risk to data subjects, the higher the security standards applied.
Technical measures in place:
- SSL/TLS encryption across the entire website – data in transit is fully protected
- Access restrictions – WordPress admin is limited to authorised users only
- Two-factor authentication (2FA) for all administrator accounts
- Regular security updates for WordPress core, theme and all plugins
- IONOS server-side security infrastructure including firewall protection
Four security properties maintained under Art. 32 GDPR:
- Confidentiality – personal data accessible only to authorised parties
- Integrity – data remains accurate and unaltered without authorisation
- Availability – data and systems remain accessible when required
- Resilience – systems can withstand and recover from disruptions
Privacy by design and privacy by default (Swiss nDSG Art. 7):
Data protection is built into all processing activities from the outset. Only the minimum data necessary for each specific purpose is collected. This principle applies equally to all AI-powered tools on this website.
Data breach notification:
In the event of a personal data breach posing a high risk to data subjects, the relevant supervisory authority will be notified as quickly as possible – within 72 hours where required under GDPR Art. 33. Affected individuals will be informed without undue delay as required under Art. 34 GDPR and Swiss nDSG.
Regular review and testing:
Security measures are regularly reviewed and evaluated for continued effectiveness. Maria Boettner aligns with the principles of ISO/IEC 27001 as a continuous improvement framework – without holding formal certification.
Art. 32 GDPR – Security of processing · Art. 33-34 GDPR – Breach notification · Swiss nDSG Art. 7 – Privacy by design and by default · Swiss nDSG Art. 8 – Data security · GDPR Recital 83 – Risk-based approach
9. AI responsibility and international standards
EU AI Act (Regulation 2024/1689):
- All AI tools: ‘minimal risk’ classification
- Transparency: users informed about AI interactions (Art. 50)
- No manipulative or deceptive AI use (Art. 5 – prohibited since February 2025)
- No exploitation of vulnerability
- Human oversight of all AI outputs by Maria Boettner
UN Guiding Principles on Business and Human Rights:
- Non-discrimination in all services and AI tools
- Access to complaint mechanisms
WHO/OHCHR Dignity in Care:
- Person-centred support, dignity and autonomy
- No exploitation of emotional vulnerability
ICF Code of Ethics:
- Maria Boettner is bound by the ICF Code of Ethics
- Complaints: www.coachingfederation.org/ethics
Maria Boettner is not certified under ISO 27001 or ISO 42001. She consciously aligns with the core principles of these standards, the EU AI Act, the UN Guiding Principles and WHO Dignity principles – for a responsible, transparent and human-rights-aligned approach to your data.
10. Non-discrimination
Services are provided without discrimination based on origin, nationality, religion, worldview, gender, age, disability or sexual orientation. This reflects the UN Universal Declaration of Human Rights (Art. 1 & 2), the Swiss Equality Act and the German General Equal Treatment Act (AGG).
11. Complementary practices
All services and AI tools are complementary offerings. They do not replace a visit to a doctor or psychological or psychiatric treatment.
12. Updates
This policy will be updated when necessary. The current version on mariaboettner.com applies. Last updated: April 2026.