Privacy Policy

Disclaimer: This document is a courtesy translation of the German original. In case of any discrepancies between the English and German versions, the German original shall prevail.

1. Introduction and Controller

We appreciate your interest in “Coach in the Box”. The protection of your personal data, especially in the sensitive context of coaching, is our highest priority. This privacy policy informs you comprehensively about the nature, scope, and purpose of the processing of personal data within our website, our coaching app (PWA), as well as our social media presences.

The controller within the meaning of the GDPR is:
Coach in the Box UG (haftungsbeschränkt) i.G.
Stensstraße 10
45149 Essen
Represented by: Luis Perona, Marcin Wierzbicki
E-Mail: hello@coachinthebox.com

2. Security and Hosting

To protect the security of your data during transmission, we use state-of-the-art encryption methods (e.g., TLS/SSL via HTTPS). Data “at rest” (stored on our servers) is also stored encrypted.
We rely on a strict separation principle (“Silo Architecture”): Your sensitive coaching content is processed on dedicated systems that are physically and logically separated from our administrative and marketing systems. We host our core systems exclusively in certified data centers within the European Union (Germany and the Netherlands).

Local Hosting: For privacy-friendly presentation, we use fonts (Google Fonts) and icons (FontAwesome), which we host locally on our own servers. There is no data transfer to external servers of Google or third-party providers.

3. Collection and Processing when Visiting the Website

During the purely informational use of our website, we only collect the data that your browser technically transmits to our server. These so-called server log files include:

IP address (anonymized/shortened)
Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Amount of data transferred
Website from which the request comes (Referrer)
Browser type and version
Operating system and its interface

The processing takes place in accordance with Art. 6 Para. 1 lit. f GDPR based on our legitimate interest in the stability and functionality of the website. The data is automatically deleted after a maximum of 7 days.

4. Contact, CRM and Newsletter

If you contact us via email or provided contact forms, your details will be processed to handle the request and in the event of follow-up questions (Art. 6 Para. 1 lit. b or lit. f GDPR).

E-Mail Infrastructure (Strato): Our business email communication is handled via Strato AG (Germany). The emails are stored there in compliance with GoBD.
CRM & Prospect Management (Zoho): For the management of customer relationships and inquiries, we use the European instance (zoho.eu) of the Zoho Corporation. The connection is encrypted.
Newsletter: Provided you have given us your consent (Double-Opt-In), we use your email address to send information. The legal basis is Art. 6 Para. 1 lit. a GDPR. You can revoke this consent at any time with effect for the future.

Storage duration: Prospect data is deleted after 2 years of inactivity or immediately upon revocation, provided there are no opposing legal retention obligations.

5. Use of the Coaching App (Progressive Web App – PWA)

The use of our app involves various processing stages to provide you with a personalized coaching experience. Our app is based on PWA technology, which enables local installation and improved performance.

5.1 Installation and Local Storage (Service Worker & Cache)

When using or installing the app (“Add to Homescreen”), program data is stored in your browser’s cache or locally on your device. This serves for faster loading times and offline availability. Personal data is not transmitted to us in this context beyond the usual scope of web usage.

5.2 Invitation and Registration

Access to the app is generally provided via an invitation from your employer (HR department or team leader). In this process, your email address is transmitted to our system to send you an individual invitation link (Art. 6 Para. 1 lit. f GDPR – legitimate interest in the fulfillment of the contract with the B2B customer). During registration, you assign a password and we record your name and optionally further profile data (e.g., profile picture, professional role).

5.3 Processing of Coaching Data (Special Categories)

In the context of coaching, you actively input data (e.g., answers to reflection questions, psychological metrics, goal definitions). This data constitutes special categories of personal data. The processing takes place exclusively on the basis of your explicit consent (Art. 9 Para. 2 lit. a GDPR), which you grant upon your first login.

Strict Separation: This data is processed encrypted on highly secure servers of Contabo GmbH in Germany. There is no data exchange with our marketing or CRM systems.
B2B Reports: For HR managers of B2B customers, we create aggregated evaluations at the team level. This data is completely anonymized and does not allow any conclusions to be drawn about individual participants.

5.4 System Notifications and Push Mails

To support the coaching process, the app sends automated notifications (e.g., reminders of tasks, status updates) via email to the address you provided. The legal basis is the fulfillment of our contractual service (Art. 6 Para. 1 lit. b GDPR). Provided you consent to receiving push notifications on your device, a technical token is used to enable the delivery.

Storage duration: Your user profile and your inputs are stored for the duration of active use. After 3 years of inactivity or upon request for deletion, your personal data will be permanently removed or anonymized.

6. Payment Processing and Accounting

To fulfill contracts (Art. 6 Para. 1 lit. b GDPR) and tax obligations (Art. 6 Para. 1 lit. c GDPR), we process accounting and transaction data. We use Zoho Books (zoho.eu) for this purpose and link it with our German business account. Invoice-relevant data is stored in accordance with statutory retention periods (up to 10 years).

7. Your Rights as a Data Subject

You have the following rights towards us regarding your personal data:

Right to information (Art. 15 GDPR)
Right to rectification or erasure (Art. 16/17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object to processing (Art. 21 GDPR)
Right to revoke consent (Art. 7 Para. 3 GDPR)

You also have the right to complain to a data protection supervisory authority about our processing of your personal data.

8. Automated Decision Making / Profiling

We do not use automated decision-making according to Art. 22 GDPR that produces legal effects concerning you.

9. Social Media Presences

9.1 LinkedIn

We maintain a company profile on LinkedIn (LinkedIn Ireland Unlimited Company). When you visit, data is collected by LinkedIn. We are jointly responsible with LinkedIn for the collection (but not the further processing) of data from page visitors (Art. 26 GDPR).

Third-country transfer (USA): LinkedIn Corp. is certified under the EU-U.S. Data Privacy Framework (DPF).
Details: www.linkedin.com/legal/privacy-policy

9.2 Facebook and Instagram (Meta Platforms)

We maintain company profiles on Facebook and Instagram and use the Meta Business Account for this purpose. The provider is Meta Platforms Ireland Limited (Merrion Road, Dublin 4, D04 X2K7, Ireland). When you visit our profiles, data is collected by Meta (e.g., through cookies). For the collection of data from page visitors in the context of the provided statistics (“Page Insights” / “Instagram Insights”), there is joint responsibility with Meta (Art. 26 GDPR).

Third-country transfer (USA): Personal data may be transferred to the parent company Meta Platforms Inc. in the USA. Meta is certified under the EU-U.S. Data Privacy Framework (DPF), which ensures an adequate level of data protection.
Further information can be found in Meta’s privacy policies:
Instagram: help.instagram.com/519522125107875
Facebook: www.facebook.com/privacy/policy/