Privacy Policy | Clearvital

Section 01

Who and what this Policy covers

The Policy applies to personal data we process as a controller—that is, where we decide why and how data is used. It covers website visits that involve technical logging, direct messages you initiate through our contact channels, onboarding records when you ask for proposals, and contractual delivery when you purchase optional coaching materials or sessions. It does not cover anonymous browsing statistics that cannot reasonably be linked to an individual.

If you engage us through an employer’s wellbeing budget or a corporate portal, additional terms may originate from your organisation. Where we act purely as a processor under client instructions, contract terms—not this Policy—define the primary obligations, although we still maintain appropriate safeguards that Article 28 GDPR requires.

Section 02

Controller identity and primary contact

The controller is Clearvital, Rosenthaler Str. 46/47, 10178 Berlin, Germany. The primary channel for privacy requests is service@clearvital.world. Telephone contact for operational queries is +49 30 2827876; please avoid transmitting special categories of data by voicemail.

We maintain internal records of processing activities when required by Article 30 GDPR. Summarised extracts about your specific processing can be provided as part of an access request where proportionate.

Section 03

Categories of personal data

Depending on how you interact with us, we may process:

Identity and contact data: name, preferred salutation, email address, telephone number, and postal address when you provide them.
Communication content: free-text fields in forms, attachments you choose to send, and notes from legitimate follow-up correspondence.
Contract and billing data: purchase references, service selections, invoices where generated, and payment status flags held by payment service providers.
Technical data: IP address, approximate regional location derived at city level, device identifiers where cookies or similar technologies are active, timestamps, and user-agent strings.
Usage diagnostics: aggregated interaction metrics if you consent to optional analytics tools.

We do not intentionally collect health data for coaching sign-up through this website. If you volunteer clinically sensitive sentences in a contact message, we restrict access and recommend redirecting that detail to qualified healthcare channels.

Section 04

Purposes and lawful bases

Website operation and security (Art. 6(1)(f) GDPR): delivering pages over HTTPS, blocking abuse, maintaining integrity logs, and investigating suspicious traffic.
Responding to inquiries (Art. 6(1)(b) or (f) GDPR): pre-contractual dialogue when you ask about paid coaching; legitimate interest in answering business correspondence when no contract is imminent, balanced against your reasonable expectations.
Contract performance (Art. 6(1)(b) GDPR): delivering agreed sessions, materials, scheduling updates, and payment handling through partners.
Legal compliance (Art. 6(1)(c) GDPR): tax invoicing, consumer information duties, responding to lawful authority requests, and document retention mandated in Germany.
Optional analytics or marketing technologies (Art. 6(1)(a) GDPR): only with prior consent managed through the cookie interface; you may revoke consent without retroactive invalidation of earlier lawful processing.

Where we rely on legitimate interests, you may object under Article 21 GDPR. We will assess whether compelling grounds override your interests; for direct marketing, we honour objections promptly.

Section 05

Recipients and subprocessors

Strictly instructed processors may host website files, route email, store encrypted backups, or process payments. Contractual arrangements follow Article 28 GDPR with confidentiality commitments, assistance obligations for data subject rights, deletion or return clauses at end of service, and audit cooperation proportionate to risk.

We do not rent contact lists. If we ever introduce referral partnerships with explicit permission campaigns, this Policy will describe categories and the separate consent or soft opt-in mechanics applicable.

Disclosures to public authorities occur only on narrow legal grounds, after verifying requests, and documenting responses subject to professional secrecy limits.

Section 06

International transfers

If tools store or access data outside the EEA, we implement Article 44–49 GDPR mechanisms: Standard Contractual Modules, adequacy decisions where available, or derogations only when strictly necessary (for example one-off contractual performance at your express request).

Transfers to the United States follow the EU-U.S. Data Privacy Framework adequacy decision only when a certified recipient is properly listed; otherwise SCCs remain in force. Impact assessments accompany riskier combinations and are refreshed when vendor practices materially change.

Section 07

Retention periods

General inquiry emails are deleted or anonymised within twenty-four months after the last substantive message unless a longer period is required to assert, exercise, or defend legal claims. Contractual documents, accounting vouchers, and tax-relevant correspondence follow German commercial and tax law retention, often up to ten years for specific records. Technical logs on infrastructure rotate according to supplier defaults, tuned downward through negotiation where feasible.

Consent logs for optional cookies are stored up to twelve months to demonstrate compliance, unless your browser clears storage earlier. Marketing suppression lists, if introduced, persist longer to honour unsubscribe choices.

Section 08

Security measures

Controls are layered: transport encryption for public endpoints, role-based access with periodic review, principle of least privilege, MFA on administrative accounts where supported, vendor security questionnaires for material processors, and incident logging with escalation templates aligned to Article 33–34 GDPR where a qualifying breach arises.

No online system is immune. If a breach likely risks your rights, we notify the competent supervisory authority without undue delay and communicate to you when required. We test restoration procedures for critical datasets.

Section 09

Your rights under the GDPR

You may request access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), data portability for data processed by automated means under contract or consent (Article 20), and object to processing based on legitimate interests or for direct marketing (Article 21). Withdrawing consent does not affect prior processing lawfulness. Automated decision-making that produces legal or similarly significant effects is not used for coaching sales without human oversight; if tooling evolves, this section will update before deployment.

Requests are generally answered within one month, extendable by two further months where complex, with reasons provided. Identity verification must remain proportionate and not excessive.

Section 10

Supervisory authority

You may lodge a complaint with a supervisory authority in your Member State of residence, place of work, or the place of the alleged infringement. For Berlin-based processing, the Berlin Commissioner for Data Protection and Freedom of Information is a frequent contact point, without prejudice to competence rules.

We prefer resolving questions directly first; escalation remains your prerogative at any time.

Section 11

Children

Public marketing pages assume adult readers. Offers directed at minors, if any, require verifiable parental authority under applicable national rules before contract conclusion. If you believe a child submitted data without proper consent, notify us promptly so we can delete information absent a lawful retention duty.

Section 12

Profiling and future tools

Today, optional analytics may aggregate visit paths without individual scoring for pricing. If we introduce personalisation that materially evaluates preferences for contract decisions, we will provide transparent logic, significance, and human intervention rights before activation.

Section 13

Updates and related documents

We revise this Policy when processing operations, legal interpretations, or regulator guidance change. Continued use of the website after substantive revision notice does not by itself imply consent where consent is the required basis; contract-specific changes follow individual notices.

Companion documents: the Cookie Policy, Terms of Use, and Impressum provide adjacent context for visitors in Germany and the broader EU.