Privacy Policy

Effective date: May 2026 · Location: Switzerland

1. Introduction

This Privacy Policy explains how Nataliya Romanenko (the "Coach") collects, uses, and protects your personal data when you visit www.shifthappenscoach.me and use the coaching services. We comply with the Swiss Federal Act on Data Protection (nFADP) and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Data controller

The responsible party for processing your data is:
Nataliya Romanenko, St. Alban Rheinweg 180, 4052 Basel, Switzerland
Email: nata.romanenko@gmail.com

3. What data we collect

We collect data that you provide directly to us, plus minimal technical metadata necessary to operate the site securely:

Contact form submissions: name, email address, optional phone or messenger contact, and the free-text message you write. Sent when you submit the consultation form.
Server access logs: IP address and User-Agent header. Stored briefly for security, abuse prevention and debugging. The IP is truncated before being written to our internal lead log (see Section 7).
Notification metadata: the data above is also forwarded to a private notification channel (Telegram) and to a private spreadsheet (Google Sheets) used as the lead log. The lead-log copy additionally includes the truncated IP address and the User-Agent header of the request — see Section 7.
Analytics data: pages viewed, session duration, traffic source, country and device type, collected by Google Analytics 4 only after your explicit consent via the cookie banner. IP addresses are truncated by Google before storage.

4. Legal basis for processing

We rely on the following legal bases under the GDPR (and the equivalent provisions of the Swiss nFADP):

Contact form data — performance of pre-contractual measures at your request, Art. 6(1)(b) GDPR.
Analytics cookies — your explicit consent, Art. 6(1)(a) GDPR. You may withdraw it at any time (see Section 9).
Server access logs and security measures — our legitimate interest in keeping the site secure and operational, Art. 6(1)(f) GDPR.
Coaching contract performance — once a coaching engagement begins, processing of your data is necessary for the performance of the contract, Art. 6(1)(b) GDPR.
Tax and accounting records — compliance with legal obligations under Swiss law (e.g., the Swiss Code of Obligations), Art. 6(1)(c) GDPR.

5. Purpose of data processing

We process your data for the following purposes:

To respond to inquiries submitted via the contact form.
To provide and manage coaching services.
To communicate with you regarding appointments and program updates.
To comply with legal obligations (accounting, tax, and ICF credentialing).
To understand how visitors use the site, in aggregate, in order to improve it (only with your analytics consent).

6. AI and transcription tools

As outlined in our Terms & Conditions, we may use AI-powered tools (e.g., Zoom AI) for transcription and session summaries during coaching engagements. These tools are selected based on their compliance with high data protection standards. Data processed by these tools is stored securely and is not used to train public AI models. Consent is obtained before activation. This applies to the coaching service only and not to website visitors.

7. Cookies, analytics and data sharing

By default the site does not set any analytics cookies. Analytics is enabled only after you give explicit consent in the cookie banner shown on your first visit, in line with Google Consent Mode v2. You can withdraw your consent at any time using the controls described in Section 9.

First-party storage. The site uses one local-storage entry to remember your consent choice across visits — without it the banner would reappear on every page load.

Name	Provider / type	Purpose	Retention
`sh_consent_v1`	First-party (localStorage)	Remembers whether you accepted or declined analytics cookies	Persistent until you clear browser storage
`_ga`	Google Analytics 4	Distinguishes individual users (loaded only after consent)	2 years
`_ga_X52WTQ6G68`	Google Analytics 4	Preserves session state for the property (loaded only after consent)	2 years

Recipients of personal data. We do not sell your data. We only share data with the third-party providers listed below, all of which act as our data processors and provide appropriate safeguards. International transfers to the United States are made under the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework (DPF):

Hosting & infrastructure: Vercel Inc. (United States) — hosts the static site and serverless functions. Transfer under SCC + DPF.
Domain registrar: Hostpoint AG (Switzerland) — DNS only.
Email delivery: Resend Inc. (United States) and Amazon Web Services SES, eu-west-1 region (Ireland) — used to deliver the contact-form email to the Coach. Transfer under SCC + DPF.
Notifications (optional): Telegram FZ-LLC (United Arab Emirates) — a copy of new contact-form submissions is forwarded to a private chat for faster response.
Note: Telegram is based outside the EU/EEA and Switzerland and does not operate under SCC or an adequacy decision; consider this before submitting sensitive data via the contact form.
Lead log: Google Sheets (Google LLC, United States) — a copy of contact-form submissions, together with the truncated IP address and User-Agent header, is appended to a private spreadsheet so we don't lose inquiries to spam filters. Transfer under SCC + DPF.
Credential verification: Credly (Pearson, United States) — embedded badge widgets are loaded on demand only when you click a certificate tile in the "About" section. Credly may receive your IP address and set its own cookies at that moment. Transfer under SCC + DPF.
Analytics: Google Ireland Limited and Google LLC (United States) — Google Analytics 4 and Google Tag Manager. Loaded only after analytics consent. Transfer under SCC + DPF. IP truncation enabled. Data retention 14 months.
Fonts: self-hosted on the same domain — no third-party font CDN is used.
Professional bodies: ICF — only your name, contact and coaching dates, and only when required for credential renewal verification.
Supervisors / mentors: only in anonymised form, as part of our professional supervision practice.

8. Data retention

We retain your personal data only as long as necessary:

Contact-form submissions (email, Telegram, Google Sheets log): 12 months from receipt, unless they evolve into a coaching engagement (in which case the next two retention rules apply).
Coaching records: minimum of 3 years (as per ICF standards).
Financial records: 10 years (as per the Swiss Code of Obligations).
Server access logs: short-term, no longer than necessary for security and debugging.
Analytics data in Google Analytics 4: 14 months, after which user-level data is deleted automatically.

9. Your rights

Under the Swiss nFADP and, where applicable, the GDPR, you have the right to:

Access the personal data we hold about you (Art. 15 GDPR).
Rectification — request correction of inaccurate or incomplete data (Art. 16 GDPR).
Erasure — request deletion of your data, subject to legal retention requirements (Art. 17 GDPR).
Restriction of processing — request that we limit processing in certain circumstances (Art. 18 GDPR).
Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20 GDPR).
Objection — object to processing based on legitimate interests (Art. 21 GDPR).
Withdraw consent at any time, without affecting processing already done. To withdraw analytics consent specifically, click the button below or clear the site's storage in your browser.
Lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC, Bern, edoeb.admin.ch), or with your local EU/EEA data protection authority.

To exercise any of these rights, please contact us at nata.romanenko@gmail.com.

10. Data security

We implement appropriate technical and organisational measures (HTTPS/TLS encryption end-to-end, hosted on professionally managed infrastructure, narrow access controls, rate limits and input validation on the contact endpoint) to protect your personal data from unauthorised access, loss, or misuse.

11. Jurisdiction

This Privacy Policy is governed by Swiss law. The place of jurisdiction is Basel, Switzerland.