Privacy policy.
1. General Information
This Privacy Policy explains how I collect, use, and process your personal data when you visit my website www.hannahmalu.com, use my services, or interact with me. I take the protection of your personal data seriously and process it in accordance with the General Data Protection Regulation (GDPR) and applicable German data protection law.
2. Controller
The person responsible for data processing on this website is:
Hannah Marie Luisa Schreiner
c/o MDC#hml
Welserstraße 3
87463 Dietmannsried
Germany
Email: hello@hannahmalu.com
3. What Data I Collect
Depending on how you interact with my website and services, I may collect and process the following types of personal data:
Contact details (name, email address)
Billing information (address, payment details)
Health and lifestyle data (for coaching clients, with your explicit consent)
Communication data (messages, emails, chat interactions, inquiry form submissions)
Usage data (how you interact with my website and my content)
Technical data (IP address, browser type, device information)
4. Purposes and Legal Bases
I process personal data for the following purposes, each based on a legal ground under GDPR:
Operating the website – Art. 6(1)(f) GDPR (legitimate interest)
Responding to contact and coaching inquiries – Art. 6(1)(b) GDPR (pre-contractual measures)
Providing coaching services – Art. 6(1)(b) GDPR (performance of a contract)
Processing payments – Art. 6(1)(b) GDPR (performance of a contract)
Sending newsletters and marketing emails – Art. 6(1)(a) GDPR (consent)
Website analytics – Art. 6(1)(a) GDPR (consent, via cookie banner)
Processing health and lifestyle data – Art. 9(2)(a) GDPR (explicit consent)
Business administration and legal compliance – Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest)
Website security and fraud prevention – Art. 6(1)(f) GDPR (legitimate interest)
5. Health Data
As a nutritionist and fitness coach, I may process health and lifestyle information you share with me as part of my coaching services — for example, through your intake form. This is special category data under Art. 9 GDPR and receives heightened protection. I will only process this data with your explicit consent and use it exclusively to provide my coaching services to you.
6. Service Providers and Data Processors
I work with the following third-party service providers. Where these providers process personal data on my behalf, I have entered into Data Processing Agreements (DPAs) with them.
6.1 Website Hosting — Squarespace
My website is hosted and managed through Squarespace, Inc. (USA). Squarespace processes technical data including IP addresses and usage data as part of hosting and delivering the website. Data submitted through contact and inquiry forms on my website is also processed via Squarespace. Privacy Policy
6.2 Email Marketing — Kit
I use Kit to manage my newsletter and email communications. When you subscribe to my newsletter, your name and email address are stored and processed by Kit, Inc. (USA). You can unsubscribe at any time using the link in any email. Privacy Policy
6.3 Payments — Stripe
Payments for coaching and digital products are processed by Stripe, Inc. (USA). Payment data, including card details and billing address, is processed directly by Stripe and is not stored by me. Privacy Policy
6.4 Digital Products — Lemon Squeezy
Digital product purchases are processed via Lemon Squeezy (USA), which handles payment processing and delivery. Lemon Squeezy processes your name, email address, and payment information. Privacy Policy
6.5 Session Booking — Zcal
I use Zcal (USA) for booking individual coaching sessions. When you book a session, your name and email address are processed. Zcal integrates with Google Calendar to manage my availability. Privacy Policy
6.6 Scheduling and Calls — Google
I use several Google services for scheduling and conducting coaching sessions:
Google Calendar — for program scheduling and calendar management
Google Meet — for conducting coaching calls. When you participate in a call, your name, audio, and video are processed.
6.7 Analytics — Google Analytics
With your consent (given via the cookie banner on my website), I use Google Analytics provided by Google LLC (USA) to understand how visitors use my website. Google Analytics uses cookies for this purpose. You can withdraw your consent at any time by adjusting your cookie preferences at the bottom of the page. Google Privacy Policy
6.8 Fonts — Google Fonts
My website uses Google Fonts provided by Google LLC (USA). When you visit my website, your browser connects to Google's servers to load these fonts, which involves the transmission of your IP address. Google Privacy Policy
6.9 Bot Protection — Google reCAPTCHA
My website uses Google reCAPTCHA (Google LLC, USA) to distinguish human users from automated bots and to protect my forms from spam. reCAPTCHA analyzes visitor behavior automatically in the background. This processing is based on my legitimate interest in protecting the website from misuse (Art. 6(1)(f) GDPR). Google Privacy Policy
6.10 Social Media Automation — ManyChat
I use ManyChat (ManyChat, Inc., USA) to automate certain interactions on Instagram. If you interact with automated messages, your username and interaction data are processed by ManyChat.
6.11 Embedded Videos — YouTube
My website embeds videos from YouTube (Google LLC, USA). When you play an embedded video, a connection is established to Google's servers and your IP address and viewing behavior may be transmitted. By clicking play, you consent to this transmission. Google Privacy Policy
7. Social Media
I maintain a presence on Instagram, YouTube, and Spotify. If you contact me via social media or interact with my content there, the relevant platform and I may be jointly responsible for processing your data. Each platform's own privacy policy applies.
8. Cookies
My website uses cookies. For detailed information on the cookies I use and how to manage your preferences, please see my Cookie Policy. You can adjust your settings at any time through your browser settings or by using the cookie preferences panel on my website.
9. International Data Transfers
Several of the service providers listed above are based in the United States. Where personal data is transferred outside the European Union, I ensure that appropriate safeguards are in place — such as Standard Contractual Clauses (SCCs) approved by the European Commission — to maintain a high level of data protection.
10. Data Retention
I store personal data only as long as necessary:
for contractual obligations
for legal retention periods
until consent is withdrawn (where applicable)
11. Data Sharing
I do not sell your personal data. I will only share your data with third parties where this is necessary to provide my services (as described in Section 6), where you have given your consent, or where I am legally required to do so.
12. Affiliate Marketing
My website may contain affiliate links. If you purchase a product or service through one of these links, I may receive a small commission at no additional cost to you. My editorial content is not influenced by affiliate relationships.
13. Data Security
I implement appropriate technical and organizational measures to protect your data.
15. Your Rights
Under GDPR, you have the right to:
access your data
correct inaccurate data
request deletion
restrict processing
data portability
withdraw consent at any time
To exercise any of these rights, please contact me at hello@hannahmalu.com.
16. Right to Lodge a Complaint
If you believe I am processing your personal data unlawfully, you have the right to lodge a complaint with the competent supervisory authority. For my business in Bavaria, this is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
www.lda.bayern.de
17. Updates to this Policy
I may update this Privacy Policy from time to time.
The latest version will always be available on this website.
The version of the Terms & Conditions valid at the time of purchase shall apply.