Privacy Policy

1. Controller

Ligament GmbH — MoveMindBreath by Dominique
[Street, No.]
[Postal Code, City], Austria
VAT ID: ATU 68536088
E-Mail: hello@dominiquescharax.com

2. General Information

This privacy policy informs you about which personal data we process on this website, for what purposes, on what legal basis and for how long. The relevant legal frameworks are the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG, BGBl. I No. 165/1999 as amended).

3. Legal Bases

• Consent — Art. 6(1)(a) GDPR (e.g. newsletter, cookie banner)
• Performance of contract / pre-contractual measures — Art. 6(1)(b) GDPR
• Legal obligation — Art. 6(1)(c) GDPR (e.g. tax retention under Sec. 132 BAO and Sec. 190–212 UGB, Austrian commercial code)
• Legitimate interests — Art. 6(1)(f) GDPR

4. Retention Periods

• 7 years — tax-relevant business records (Sec. 132 BAO, Sec. 190–212 UGB)
• 3 years — data required for contractual claims (Sec. 1489 ABGB, Austrian Civil Code)
• Server logfiles — max. 30 days

5. Security

We apply technical and organisational measures pursuant to Art. 32 GDPR, including TLS/SSL encryption (HTTPS), access controls and bcrypt password hashing.

6. International Data Transfers

Some services process data in third countries, in particular the USA. Transfers to the USA are based primarily on the EU-US Data Privacy Framework (DPF, adequacy decision of 10 July 2023) and additionally on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

7. Hosting

7.1 Vercel

This website is hosted on Vercel infrastructure.

• Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
• Legal basis: Art. 6(1)(f) GDPR
• Third country: USA — DPF + SCC
• Privacy: vercel.com/legal/privacy-policy

7.2 Supabase

We use Supabase as our database and authentication backend.

• Provider: Supabase Inc., Singapore
• Legal basis: Art. 6(1)(b) and (f) GDPR
• Region: EU (Frankfurt) — no third-country transfer
• Privacy: supabase.com/privacy

7.3 Server Logfiles

Technical access data (IP, time, requested URL, browser, OS) is logged for IT security and stability for max. 30 days. Legal basis: Art. 6(1)(f) GDPR.

8. Authentication & Member Area

Login is handled via NextAuth.js with bcrypt password hashing. Passwords are never stored in plaintext.

9. Order Processing

For book purchases, course bookings and workshop/seminar registrations we process master data, contact data, contract data and payment data (via Stripe). Legal basis: Art. 6(1)(b) GDPR; retention: 7 years (Sec. 132 BAO).

9.1 Stripe (Payments)

• Provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
• Data: name, e-mail, billing address, payment data, order details
• Legal basis: Art. 6(1)(b) GDPR
• Third country: possibly USA — DPF + SCC
• Privacy: stripe.com/at/privacy

10. Online Courses & Video Hosting (Bunny.net)

• Provider: BunnyWay d.o.o., Slovenia
• Data: IP address, playback statistics, browser info
• Legal basis: Art. 6(1)(b) GDPR
• Region: EU — no third-country transfer
• Privacy: bunny.net/privacy

11. Contact & Booking

11.1 Contact form / e-mail

Data submitted via contact form or e-mail is processed solely to handle your request. Legal basis: Art. 6(1)(b) and (f) GDPR.

11.2 Calendly

• Provider: Calendly LLC, Atlanta, GA, USA
• Legal basis: Art. 6(1)(b) GDPR
• Third country: USA — DPF + SCC
• Privacy: calendly.com/privacy

12. Newsletter & Transactional E-Mail

12.1 Newsletter — Brevo

Newsletter sign-up is handled via Brevo using double-opt-in (Sec. 174 TKG 2021). Legal basis: Art. 6(1)(a) GDPR.

• Provider: Sendinblue GmbH (Brevo), Köpenicker Straße 126, 10179 Berlin, Germany
• Privacy: brevo.com/legal/privacypolicy

12.2 Transactional E-Mail — Resend

• Provider: Resend, Inc., San Francisco, CA, USA
• Legal basis: Art. 6(1)(b) GDPR
• Third country: USA — SCC
• Privacy: resend.com/legal/privacy-policy

13. Cookies & Consent

We use cookies and comparable technologies. Strictly necessary cookies (session, authentication, language, consent record) are based on legitimate interests / contract performance. All other cookies (statistics, marketing) only with explicit consent via our cookie banner (Sec. 165(3) TKG 2021).

You can change your cookie preferences anytime via the "Cookie settings" link in the footer.

14. Analytics & Marketing (consent only)

The following services load only after explicit consent in the cookie banner. We use Google Consent Mode v2.

14.1 Google Tag Manager

• Provider: Google Ireland Limited, Dublin, Ireland
• Legal basis: Art. 6(1)(a) GDPR
• Privacy: policies.google.com/privacy

14.2 Google Analytics 4

• Provider: Google Ireland Limited
• Legal basis: Art. 6(1)(a) GDPR
• Third country: USA — DPF + SCC
• Retention: up to 14 months
• Security: IP masking

14.3 Google Ads & Conversion Tracking

• Provider: Google Ireland Limited
• Legal basis: Art. 6(1)(a) GDPR
• Third country: USA — DPF + SCC

14.4 Meta Pixel & Conversion API

• Provider: Meta Platforms Ireland Limited, Dublin, Ireland
• Legal basis: Art. 6(1)(a) GDPR
• Third country: USA — DPF + SCC
• Privacy: facebook.com/privacy/policy

14.5 LinkedIn Insight Tag

Implemented but currently disabled; activates only on consent.

• Provider: LinkedIn Ireland Unlimited Company, Dublin, Ireland
• Legal basis: Art. 6(1)(a) GDPR
• Privacy: linkedin.com/legal/privacy-policy

15. Marketing Attribution (UTM)

UTM parameters in incoming URLs are stored in browser LocalStorage (max. 30 days) and linked to your purchase to measure marketing effectiveness. Legal basis: Art. 6(1)(f) GDPR.

16. Social Media Profiles

We operate profiles on Instagram, Facebook and LinkedIn. When visiting these profiles, the privacy policies of the respective operators apply primarily.

17. Your Rights

You have the right to: access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21) and to withdraw consent (Art. 7(3) GDPR). Contact: hello@dominiquescharax.com

18. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority in Austria is:

Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Vienna, Austria
Phone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at
www.dsb.gv.at

19. Changes to this Policy

We reserve the right to amend this privacy policy if processing operations or legal requirements change. The current version is available on this page.

11. Reviews and Testimonials

On our reviews page (/review) we collect customer reviews about the book, online courses and seminars. Submission is voluntary.

Data we collect

• Author data: first name, last name initial, optionally city — displayed publicly on the reviews page.
• Email address: collected but NOT displayed publicly. Purpose: verification of an existing customer relationship and follow-up in case of moderation needs.
• IP address: not stored in plaintext. We store a cryptographic hash (SHA-256 with a server-side salt). Purpose: spam limitation (maximum 3 submissions per hash per 24 hours).
• Review content: the text you write and the star rating.

Legal basis

Processing is based on your explicit consent pursuant to Art. 6 (1) lit. a GDPR. Before submission you actively confirm publication of your review with first name and initial.

Retention period

Published reviews are stored for as long as the reviews page is operated. You can withdraw your consent at any time; in this case we will delete your review and associated data within 30 days. Rejected submissions are automatically deleted after 6 months.

Moderation

Submitted reviews are manually checked for authenticity and compliance with terms of use before publication. We do not edit content. Rejection only occurs in cases of spam, offensive content, off-topic posts, or suspected fabrication.

Withdrawal

To delete your review, send an informal email to hello@dominiquescharax.com. Processing takes place within 30 days.