Privacy Policy

Last updated: 5 May 2026

This privacy policy explains what personal data we collect when you visit growwithpapaia.com, sign up for our newsletter, book a call, buy a product or join a workshop — and what we do with it. It follows the structure of the official Austrian Chamber of Commerce (WKO) template (November 2025) and is fully aligned with the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

If you'd rather skim than read every word: section 4 lists every third-party tool we use, section 5 explains your rights, and section 6 tells you where to complain if you think we're getting it wrong.

Data Controller

Kerstin Dallinger

Rollfährestraße 1, 3620 Spitz, Austria

Email: hello@growwithpapaia.com

Phone: +43 676 9217499

VAT ID: ATU79837456

We are not legally required to appoint a Data Protection Officer under Art. 37 GDPR (we are a sole proprietorship and do not process special categories of data on a large scale). Kerstin Dallinger is the responsible contact for any data protection matter.

1. Categories of Data We Process

Depending on how you interact with us, we process the following categories of personal data:

• Identity data: name, business name, professional title

• Contact data: email address, phone number, postal address (only when you book or buy)

• Account & billing data: VAT ID (for B2B invoicing), invoicing address, transaction metadata

• Payment data: processed by our payment partners (Gumroad, Stripe) — we do not store full card details

• Booking data: chosen time slot, time zone, booking notes (Cal.com)

• Workshop & community data: name, email, attendance, optional recording (Zoom, Bryght)

• Newsletter data: email address, opt-in confirmation, engagement metrics (open / click rates) via Brevo

• Website usage data: IP address (truncated), device, browser, referrer, page interactions via Google Analytics 4 (only with your consent)

• Server log data: IP, user agent, timestamps for hosting & security via Framer

• Communications: the content of messages you send us by email or contact form

We do not knowingly collect data from anyone under 16 years of age. If you believe a child has shared personal data with us, please contact us and we will delete it.

2. Lawful Bases & Purposes of Processing

We process your personal data on one of the following lawful bases under Art. 6(1) GDPR:

2.1 Consent — Art. 6(1)(a) GDPR

You have voluntarily provided us with data and we process it on the basis of your consent for the following purposes:

• Newsletter and marketing emails via Brevo (double opt-in confirmation required)

• Website analytics via Google Analytics 4 / Google Tag Manager (only after you accept analytics cookies in our consent banner)

• Use of participant feedback, testimonials, or success stories as marketing material (only with your explicit written consent)

• Embedded third-party content (e.g., YouTube, LinkedIn, Instagram embeds where present) — only loaded after you accept the relevant cookies

You may withdraw your consent at any time, with effect for the future. To withdraw, click the unsubscribe link in any newsletter, change your cookie settings via the banner, or email us at hello@growwithpapaia.com.

2.2 Contract Performance — Art. 6(1)(b) GDPR

The data you provide is necessary for the performance of a contract or for pre-contractual steps you request:

• Discovery calls and Sprint sessions booked via Cal.com

• Product purchases processed via Gumroad and Stripe (Sprints, Lab membership, programs, templates, etc.)

• Program enrolment including community access via Bryght and live-session delivery via Zoom. Live sessions are recorded and stored in Bryght for up to 12 months as part of the program (asynchronous access for all participants); you will be informed about the recording at the start of each session and can opt out by turning off camera and microphone.

• Customer service and onboarding communication

Without this data we cannot enter into or perform the contract with you.

2.3 Legal Obligation — Art. 6(1)(c) GDPR

We are legally required to process certain data, in particular:

• Storing invoices and accounting records for seven years under § 132 BAO (Austrian Federal Fiscal Code) and § 212 UGB (Austrian Commercial Code)

• Tax filings, VAT reporting (UStG)

• Responding to lawful requests from authorities

2.4 Legitimate Interests — Art. 6(1)(f) GDPR

We process certain data on the basis of our legitimate interests (or those of a third party), provided your interests, fundamental rights and freedoms do not override ours. Specifically:

• Server logs and basic security telemetry (Framer hosting): to keep the website operational and protect against attacks

• Aggregated, non-personal performance metrics: to maintain and improve the service

• Direct marketing to existing customers for similar products (in line with § 174 TKG 2021, with an opt-out option in every email)

You have the right to object to processing based on legitimate interests at any time (see section 5).

3. Retention Periods

We store your data only as long as necessary for the purpose stated above:

• Newsletter data (Brevo): until you unsubscribe or request deletion

• Booking data (Cal.com): until 3 years after the engagement ends (limitation period)

• Invoicing & accounting data: 7 years (§ 132 BAO / § 212 UGB)

• Customer support communication: 3 years

• Website analytics (Google Analytics 4): 14 months (default GA4 retention)

• Server logs (Framer): up to 30 days

• Workshop recordings (where consented): up to 12 months, then deleted unless required for program delivery

Once the retention period expires, the data is deleted or anonymised, unless we are legally required to retain it for longer.

4. Data Recipients & Processors

We use carefully selected service providers (processors under Art. 28 GDPR) to deliver our website, products and services. With each of them, we have signed a Data Processing Agreement (DPA) where required.

Framer B.V.

Purpose: website hosting & CMS · Data: IP, user agent, server logs · Location: Netherlands (EU) · Safeguard: DPA, Art. 28 GDPR.

Google Ireland Ltd (Google Analytics 4, Google Tag Manager)

Purpose: website analytics (consent-based) · Data: pseudonymous IDs, behaviour, truncated IP · Location: Ireland / USA · Safeguard: DPA + EU-US Data Privacy Framework.

Sendinblue SAS (Brevo)

Purpose: newsletter, transactional email, lead-magnet delivery · Data: email, name, engagement · Location: France (EU) · Safeguard: DPA, EU-hosted.

Cal.com Inc.

Purpose: booking (Sprint, Discovery Calls) · Data: name, email, slot, notes · Location: USA · Safeguard: DPA + Standard Contractual Clauses.

Gumroad Inc.

Purpose: product sales, lead-magnet delivery · Data: email, payment metadata · Location: USA · Safeguard: DPA + Standard Contractual Clauses.

Stripe Payments Europe Ltd

Purpose: payment processing · Data: card data, email, billing address · Location: Ireland (EU) · Safeguard: DPA, EU-hosted.

Zoom Video Communications Inc.

Purpose: workshops, live calls · Data: name, email, optional recording · Location: USA · Safeguard: DPA + Standard Contractual Clauses.

Bryght (Bryght Labs Inc.)

Purpose: private community platform for program members · Data: name, email, profile, posts · Location: USA · Safeguard: DPA + Standard Contractual Clauses.

Notion Labs Inc.

Purpose: internal CRM, lead tracking · Data: name, email, notes · Location: USA · Safeguard: DPA + EU-US Data Privacy Framework.

Obsidian (Dynalist Inc.)

Purpose: internal knowledge management & note-taking; client notes are pseudonymised before storage · Data: name, email, project notes (pseudonymised) · Location: local device + Obsidian Sync (E2E encrypted) · Safeguard: end-to-end encryption; processor agreement where applicable.

We do not sell your personal data. We do not share it with third parties beyond what is listed above and what is strictly necessary for the purposes described.

4.1 Transfers Outside the EU/EEA

Some of our processors are based in or transfer data to the United States. In each case we rely on one of the following safeguards under Chapter V GDPR:

• EU-US Data Privacy Framework (adequacy decision under Art. 45 GDPR), where the provider is certified

• Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR, combined with additional technical and organisational measures where required

You can request a copy of the relevant safeguards by emailing hello@growwithpapaia.com.

5. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): get a copy of the data we hold about you

• Right to rectification (Art. 16): correct inaccurate or incomplete data

• Right to erasure (Art. 17): request deletion (right to be forgotten)

• Right to restriction (Art. 18): limit how we use your data

• Right to data portability (Art. 20): receive your data in a structured, machine-readable format

• Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing

• Right to withdraw consent (Art. 7(3)): withdraw any consent you previously gave, with effect for the future

To exercise any of these rights, email hello@growwithpapaia.com with the subject line "GDPR request". We will respond within one month (Art. 12(3) GDPR).

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects on you or significantly affects you in a similar way.

6. Right to Lodge a Complaint

If you believe that the processing of your personal data violates the GDPR or that your data protection rights have otherwise been infringed, you have the right to lodge a complaint with a supervisory authority.

The competent supervisory authority in Austria is:

Österreichische Datenschutzbehörde

Barichgasse 40-42, 1030 Wien, Austria

Phone: +43 1 52 152-0

Email: dsb@dsb.gv.at

Web: https://www.dsb.gv.at

7. Cookies & Tracking

We use cookies and similar technologies on growwithpapaia.com. We distinguish between two categories:

• Essential cookies (no consent required): needed for the site to function (e.g., session, security, cookie-consent state). Legal basis: Art. 6(1)(f) GDPR.

• Analytics & marketing cookies (consent required): Google Tag Manager + Google Analytics 4, plus any embedded third-party content (YouTube, LinkedIn, Instagram, where present). Legal basis: § 165 (3) TKG 2021 and Art. 6(1)(a) GDPR. These are loaded only after you accept them in our consent banner.

You can withdraw or change your consent at any time via the cookie banner (re-open via the link in the footer). You can also delete or block cookies in your browser settings — note that this may affect site functionality.

8. Security

We use industry-standard technical and organisational measures to protect your data, including TLS encryption for all data in transit and access controls on all internal systems. We choose our processors based on their security posture and GDPR compliance.

9. Changes to This Policy

We may update this policy when our services, processors or legal requirements change. The current version is always available at growwithpapaia.com/privacy-policy. We recommend reviewing it occasionally — and we will notify newsletter subscribers about material changes.

Contact

For any privacy-related question, email hello@growwithpapaia.com. If something is unclear, ask — we'd rather explain it twice than have you uncertain about your data.