Safe Haven Dutch Coaching – Privacy Policy

Effective: 1 July 2025 —— Last updated: 11 June 2025

Plain-Language Summary

I care deeply about each student’s privacy. This policy explains:

  1. What I collect (your name, contact, lesson notes, payment data).
  2. Why I use it (to teach, bill, improve lessons, communicate with you).
  3. Who I share it with (only trusted services like Clockify, ChatGPT, Google Drive, Stripe, TransIP).
  4. How long I keep it (from 30 days up to 5 years, depending on the data).
  5. Your rights (access, correction, deletion).
  6. Special care for children’s data.

You can jump to any section using the menu below:

1. Definitions & Scope

  • Personal Data means any information relating to an identified or identifiable natural person (e.g., parent’s name, email; child’s first name, learning progress).
  • Services refers to all lesson platforms, coaching sessions, booking systems, communications, and this website provided by Safe Haven Dutch Coaching, operated by Florian Kersten (“I”, “me”, “my”).

This policy applies to all students (children aged approximately 6-14, “Students”) and their parents or legal guardians (“Parents,” “you”) who use my Services.

2. What I Collect

I collect information necessary to provide and improve my Services:

  • Parent/Guardian Information:
    • Account & Contact: Your name, email address, password (securely hashed), phone number (optional, for urgent contact or scheduling).
    • Billing Information: Information required by Stripe for payment processing. I do not store your full credit card details on my servers.
  • Student Information (provided by Parent/Guardian with consent):
    • Student Profile: Student’s first name, age or birthdate (for age-appropriate planning), a pseudonym code (e.g., “Student A” for certain internal planning tools), lesson preferences, and current Dutch language level.
    • Lesson Notes: Topic summaries from lessons, progress assessments, pseudonymized feedback related to learning and well-being within the coaching context.
    • Learning Materials: Worksheets or digital materials shared or created during sessions.
  • Booking & Payment Information: Payment records via Stripe, appointment dates and times, lesson duration.
  • Communications: Emails stored on TransIP mail servers, summaries of important communications (e.g., via my website’s messaging system if applicable), and pseudonymized chat summaries if AI tools are used for communication assistance (with your awareness).

3. How I Use & Retain Your Data

I only collect and use the data I need to teach effectively, bill accurately, communicate with you, secure my services, and improve lessons.

Purposes of Use:

  • To create and manage Parent and Student accounts.
  • To schedule, plan, and deliver personalized coaching sessions.
  • To process payments for Services via Stripe.
  • To track Student progress and tailor lesson content.
  • To communicate with Parents about their child’s progress, scheduling, and other service-related matters.
  • To share learning materials.
  • For AI-assisted lesson planning and content brainstorming using pseudonymized data (see Section 6).
  • To comply with legal obligations (e.g., Dutch tax law).
  • To maintain the security of my website and services (e.g., server logs).

Data Retention Schedule: Below is how long I keep each type of data:

  • Active Student Profiles (including lesson notes): Duration of lessons + 2 years (to allow for follow-up questions, facilitate repeat sessions, and provide continuity in learning).
  • Stripe Payment Records: 5 years (to comply with Dutch tax and accounting regulations).
  • Pseudonymized AI Transcripts/Inputs (e.g., for ChatGPT, Google AI Studio used in lesson planning): 30 days. Key insights are transferred to my secure, local notes, and the AI chat logs containing even pseudonymized data are then deleted.
  • Server Access & Error Logs: 90 days (for security monitoring and incident investigation), then auto-deleted.
  • Full Server Backups (TransIP) & iCloud Snapshots (for Craft/GoodNotes): Rolling 30-day rotation; older backups/snapshots are automatically purged.
  • Email Correspondence (TransIP): Retained for the duration of the active student profile + 2 years, or as long as necessary for ongoing communication or legal requirements.

I automate deletion schedules where technically feasible (e.g., for server backups and logs) and conduct a quarterly audit of my retention practices.

4. Children’s Privacy

Protecting the privacy of children is fundamental to my Services.

  • Parental Consent: I collect and process Personal Data about Students only with the explicit, verifiable consent of a Parent or legal guardian, typically obtained during the booking or registration process.
  • Data Minimization for Children: I only collect information about Students that is directly relevant and necessary for providing effective coaching Services (e.g., first name, age for appropriate lesson planning, learning progress). I actively avoid collecting unnecessary sensitive information.
  • Use of Children’s Data: A Student’s Personal Data is used solely for educational purposes: to plan and deliver lessons, track learning progress, provide feedback to Parents, and ensure a safe and supportive learning environment.
  • Parental Rights for Child’s Data: As a Parent, you have the right to access, review, correct, or request the deletion of your child’s Personal Data. You can do this by contacting me.
  • No Direct Marketing to Children: I do not use Student’s Personal Data for direct marketing purposes.
  • Security: I apply the same robust security measures (detailed in Section 9) to protect Students’ Personal Data as I do for all Personal Data I process.
  • AI Tools & Children: When AI tools are used for lesson planning, all Student data is strictly pseudonymized, and sensitive details are excluded (as detailed in Section 6).

I process your Personal Data based on the following GDPR legal grounds:

  • Consent: You (as a Parent) give explicit consent at the time of booking or registration for the processing of your and your child’s Personal Data as described in this policy, including consent for the use of specified third-party data processors. You can withdraw your consent at any time for future processing, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Performance of a Contract: Processing is necessary to deliver the paid coaching Services you have requested, including managing bookings, providing lessons, and processing payments.
  • Legitimate Interests: I process some data for my legitimate interests, such as:
    • Improving lesson quality and service effectiveness (e.g., via analysis of pseudonymized learning patterns from AI tools or internal review of teaching methods).
    • Administrative efficiency (e.g., using Clockify for time tracking of billable hours).
    • Maintaining the security of my website and services. I have assessed that these legitimate interests do not override your or your child’s fundamental rights and freedoms.
  • Legal Obligation: Processing is necessary to comply with legal requirements, such as retaining financial records for Dutch tax law.

6. Data Processors (Third-Party Services)

I use the following trusted third-party services to process your data. For each, I share only the minimum information needed for their specific purpose. I will obtain your explicit consent for their use.

  1. TransIP (Website Hosting, Database, & Email)
    • Data: Website content, CMS database (including Parent/Student profiles, lesson bookings, etc.), email correspondence.
    • Purpose: Hosting the website, database, and managing email.
    • GDPR/Privacy Policy: https://www.transip.nl/legal-and-security/privacy-policy/
  2. Stripe (Payment Processing)
    • Data: Parent name, email, billing information, purchase details.
    • Purpose: Securely processing payments.
    • GDPR/Privacy Policy: https://stripe.com/privacy
  3. Clockify (Time Tracking)
    • Data: Student first name (or pseudonym), lesson duration.
    • Purpose: Accurately tracking billable hours.
    • GDPR/Privacy Policy: https://cake.com/privacy
  4. OpenAI (ChatGPT - for AI Assistance)
    • Data: Pseudonymized Student learning needs/contexts (e.g., “Student A, age 8, is working on past tense verbs”), general lesson planning queries. No directly identifiable personal data (full names, addresses, specific sensitive details) are shared.
    • Purpose: Assisting in drafting lesson plans and educational content.
    • GDPR/Privacy Policy: https://openai.com/policies/privacy-policy (and API data usage policies: https://openai.com/policies/api-data-usage-policies)
    • My Practice: Student data is always pseudonymized. Sensitive details are excluded. I delete AI chat logs containing pseudonymized student project data from my account with the AI provider within 30 days.
  5. Google (Google AI Studio, Google Drive/Docs)
    • Google AI Studio Data: Pseudonymized Student information (similar to ChatGPT) for brainstorming content.
    • Google Drive/Docs Data: Shared educational materials, worksheets which may contain Student first names (for identification within the shared document context) and lesson-related content.
    • Purpose: AI-assisted brainstorming; creating and sharing educational materials.
    • GDPR/Privacy Policy: https://policies.google.com/privacy
  6. Apple (Craft for MacOS / iCloud - Document Drafting & Storage/Backups)
    • Data: Draft documents about lesson structure, notes; these may contain pseudonymized Student information. iCloud also stores backups of data from apps like GoodNotes and Craft.
    • Purpose: Creating, organizing lesson planning materials, and app data backup.
    • GDPR/Privacy Policy: https://www.apple.com/legal/privacy/
  7. GoodNotes (Shared Lesson Notes)
    • Data: Shared digital lesson notes, which may include Student first names or pseudonyms and lesson content.
    • Purpose: Creating and sharing interactive digital lesson notes.
    • GDPR/Privacy Policy: https://www.goodnotes.com/privacy-policy

7. International Data Transfers

Some of the Data Processors I use (e.g., OpenAI, Google, Apple, Stripe, and potentially Clockify/GoodNotes depending on their infrastructure) may store or process data outside the European Economic Area (EEA), primarily in the United States.

When Personal Data is transferred outside the EEA, I ensure that appropriate safeguards are in place to protect your data in accordance with GDPR requirements. These safeguards typically include:

  • The processor being located in a country deemed by the European Commission to provide an adequate level of data protection.
  • The use of Standard Contractual Clauses (SCCs) approved by the European Commission.
  • For transfers to the US, reliance on frameworks like the EU-U.S. Data Privacy Framework (if the provider is certified) or SCCs.

You can find more information about these safeguards in the respective privacy policies of the Data Processors linked in Section 6. For AI tools, my primary safeguard is the pseudonymization of any student-related data before it is processed by non-EEA services.

8. Student Rights & How to Exercise Them

Under GDPR, Parents (on behalf of themselves and their Student) have the right to:

  • Access: Request a copy of the Personal Data I hold about you and/or your Student.
  • Correction (Rectification): Request updates or corrections to inaccurate or incomplete Personal Data.
  • Deletion (Erasure / Right to be Forgotten): Ask me to erase Personal Data, unless I am legally required or have an overriding legitimate interest to keep it (e.g., payment records for tax law).
  • Portability: Receive Personal Data you have provided to me in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller where technically feasible.
  • Object: Object to the processing of Personal Data based on my legitimate interests.
  • Withdraw Consent: Withdraw your consent at any time for future processing where consent is the legal basis. This will not affect the lawfulness of processing based on consent before its withdrawal.
  • Restrict Processing: Request the restriction of processing of Personal Data under certain circumstances.

To exercise any right: Email me at florian@safehavendutch.nl with the Subject: GDPR Request. I will verify your identity (to protect your data) and respond within 30 days (this period may be extended by two further months where necessary, taking into account the complexity and number of requests, in which case I will inform you). There is generally no fee for exercising these rights, unless requests are manifestly unfounded or excessive.

9. Security Measures

I take the security of your Personal Data seriously and implement appropriate technical and organizational measures:

  • In Transit: SSL/TLS certificate via TransIP for all website traffic, ensuring data is encrypted between your browser and my server.
  • At Rest:
    • MySQL database with table-level encryption enabled on TransIP servers.
    • Data stored with third-party cloud services like Apple iCloud and Google Drive is encrypted by those providers by default.
  • Access Controls: Strong passwords and restricted access to backend systems and databases.
  • Firewall & WAF: TransIP server-level firewall active. Exploring Cloudflare free-tier Web Application Firewall (WAF) for enhanced protection.
  • Monitoring: Weekly review of SSH access logs and server error logs. Quarterly vulnerability scans planned.
  • Software Security: Use of PDO prepared statements to prevent SQL injection, CSRF tokens on forms, and secure session management.

10. Cookies

My custom CMS uses only:

  • Strictly Necessary Session Cookies (e.g., PHPSESSID): Essential for website functionality, such as logging you into your Parent dashboard. These are HTTPS-only and are deleted when you close your browser.
  • CSRF Cookies: For security to protect forms against Cross-Site Request Forgery.

I do not use tracking cookies or local-storage data for tracking individuals across websites or for advertising purposes.

11. Contact & Supervisory Authority

If you have any questions or concerns about this Privacy Policy or my data practices, please contact me: Florian Kersten Safe Haven Dutch Coaching Email: florian@safehavendutch.nl

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your data protection rights have been infringed:

Autoriteit Persoonsgegevens P.O. Box 93374 2509 AJ Den Haag Phone: +31 (0)70 888 85 00 Website: https://www.autoriteitpersoonsgegevens.nl

Thank you for trusting Safe Haven Dutch Coaching with your learning journey.

I am committed to protecting your privacy with neighborly care and respect.