Privacy Policy
Effective: 5 November 2025
Last updated: 5 November 2025
This Privacy Policy explains how Paperframe7 UG (haftungsbeschränkt) (“PaperFrame•7”, “we”, “us”) processes personal data when you visit our website, contact us, subscribe to updates, or book and attend our retreats.
We may update this Policy from time to time. The current version is always available on our website.
1) Controller & Contact
Controller:
Paperframe7 UG (haftungsbeschränkt)
Belgradstr. 68, 80804 Munich, Germany
Phone: +49 151 52452142
Email: n.ondrak@paperframe7.com
Managing Director: Niclas Ondrak
We have not appointed a Data Protection Officer (not legally required). For privacy inquiries or to exercise your rights, please email n.ondrak@paperframe7.com.
Age limit: Our services are intended for people aged 18+. We do not knowingly collect children’s data.
Non-therapeutic scope: PaperFrame•7 is coaching-oriented and non-therapeutic. Please do not submit clinical or detailed medical histories. Optional health/diet information is used only for safety/catering.
2) What data we process
- Website & technical data: IP address, time, pages viewed, referrer, user-agent, error logs (for security and operation).
- Contact data (website form/email): Name, email, message, phone (if provided).
- Leads via Meta/Instagram Lead Ads: Name, email, (optional) phone, your answers to form questions, timestamp, and form/ad identifiers.
- Newsletter data: Email address and subscription status (we do not track opens or clicks).
- Booking & travel data: Identity and contact details, booking details, itinerary-related data (dates, rooming preferences), emergency contact (optional).
- Payment references: Amount, currency, transaction reference and status (we do not store full card numbers).
- Health/dietary information (optional): Allergies or intolerances solely to support catering and safety during the retreat.
We do not use analytics or marketing cookies/pixels. If this changes, we will update this Policy and request consent where required.
3) Purposes, legal bases, recipients, transfers & retention
Summary table (Art. 13 GDPR)
| Purpose | Data | Legal basis | Main recipients (categories) | Third-country transfer | Retention |
|---|---|---|---|---|---|
| Website operation & security | IP, UA, timestamps, logs | Art. 6(1)(f) (legitimate interests: security/operation) | Hosting/IT providers (EU) | No | 7–30 days (logs) |
| Leads via Meta/Instagram Lead Ads | Name, email, (optional) phone, form answers, timestamp, form/ad ID | Art. 6(1)(b) (pre-contract at your request) or Art. 6(1)(f) (responding to qualified inquiries); newsletter/ongoing marketing only with Art. 6(1)(a) consent | Email/CRM tools (EU where possible); Meta Platforms Ireland Ltd. (independent controller for platform processing) | Possibly (SaaS) | 12 months after last contact or until objection/deletion; newsletter consents until withdrawal |
| Contact & inquiries (website form/email) | Name, email, message, phone | Art. 6(1)(b) (pre-contract) or 6(1)(f) (business communications) | Email/CRM tools (EU where possible) | Possibly (SaaS) | 12 months after last contact |
| Newsletter (no tracking) | Email, opt-in record | Art. 6(1)(a) (consent) | Email SaaS (EU where possible) | Possibly (SaaS) | Until withdrawal; suppression list as needed |
| Booking & retreat delivery | Identity/contact, itinerary, emergency contact | Art. 6(1)(b) (contract) | DMC in Vietnam, hotels, transport, catering/activity providers | Vietnam: Art. 49(1)(b)/(c) (necessary for contract) | Contract + 6/10 years (tax) |
| Payments | Billing details, transaction refs; for cards via Stripe: method metadata (e.g., brand, last four digits, expiry) | Art. 6(1)(b) (contract) / 6(1)(c) (tax law) | Stripe Payments Europe Limited (independent controller for card data), our bank, accounting software, tax advisors | Possible (Stripe global infrastructure; SCCs) | Per legal/tax rules |
| Health/diet (optional) | Allergies/intolerances | Art. 9(2)(a) (explicit consent) | Need-to-know only: DMC/catering | Vietnam (see above) | Deleted within 14 days after the retreat, unless an incident requires more |
We apply data minimization and share only what partners need to deliver the contracted services. Where non-EU vendors are used, we prefer EU data centers, apply safeguards, and limit access to what is necessary.
4) International data transfers (Vietnam & other third countries)
To deliver your retreat (e.g., hotel rooming lists, transfers, catering, activities), some recipients are located in Vietnam. We rely on:
- Art. 49(1)(b)/(c) GDPR: transfer is necessary for the performance of your travel contract or to take steps at your request (e.g., securing your booking, dietary arrangements); and
- Standard Contractual Clauses (Art. 46 GDPR) for some tools where feasible.
5) Cookies & tracking
We only use cookies that are strictly necessary for site operation (Art. 6(1)(f) GDPR; TTDSG §25(2)). We do not use analytics or marketing cookies and therefore do not display a cookie consent banner. If we introduce third-party widgets (e.g., scheduling or media embeds) that require consent, we will request it and update this Policy.
6) Newsletter
We use double opt-in and send newsletters only with your consent (Art. 6(1)(a) GDPR). We do not track email opens or clicks. You can unsubscribe at any time via the link in each email.
7) Payments (Stripe Payment Links & SEPA bank transfer)
We offer card payments via Stripe Payment Links and bank transfer (SEPA). For card payments, you enter your details directly on a Stripe-hosted page. We do not receive or store full card numbers or CVC codes on our systems.
- Card payments via Stripe: Provider: Stripe Payments Europe Limited, Dublin (“Stripe”). Stripe acts as an independent controller for cardholder and fraud-prevention data. Data processed may include your name, email, billing address, booking reference, payment method information (e.g., card brand, last four digits, expiry month/year), transaction amount/currency/reference, status, and risk/fraud signals. Stripe may transfer data outside the EEA using Standard Contractual Clauses. Please also see Stripe’s privacy notices.
- Bank transfers (SEPA): If you pay by bank transfer, we process payer name, IBAN/BIC as shown on the transfer, invoice/reference numbers, amount/currency/date, and status. Our account-holding bank acts as an independent controller for its regulatory/compliance purposes.
- Legal bases: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (tax/accounting).
- Recipients: Stripe (for card payments), our bank, accounting software, and tax advisors.
- Retention: According to statutory tax retention periods (generally 6 or 10 years).
8) Photos & testimonials
We currently do not take identifiable photos/videos or publish testimonials. If this changes, we will ask for separate consent beforehand.
9) Security
We use appropriate technical and organisational measures, including TLS encryption in transit, role-based access, need-to-know restrictions for health/diet data, multi-factor authentication for admin accounts, regular backups, and vendor agreements where required.
10) Retention
We keep data only as long as necessary for the purposes described above or as required by law. Examples:
- Server logs: 7–30 days
- Contact/lead data: 12 months after last interaction
- Newsletter: until you unsubscribe (plus suppression where legally required)
- Booking & finance: contract duration + 6 or 10 years (tax)
- Health/diet data: deleted within 14 days after the retreat, unless an incident or legal need requires longer retention
11) Your rights (EU/EEA)
You have the right to:
- Access, rectify, or erase your personal data, restrict its processing, and exercise data portability;
- Object to processing based on our legitimate interests (Art. 21(1) GDPR);
- Object to direct marketing at any time (Art. 21(2) GDPR);
- Withdraw consent at any time (Art. 7(3) GDPR), without affecting prior lawful processing;
- Lodge a complaint with a supervisory authority.
Supervisory authority (Bavaria):
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
To exercise your rights, email n.ondrak@paperframe7.com.
We do not use automated decision-making that produces legal or similarly significant effects (Art. 22 GDPR).
12) Third-party recipients & processors
We use selected service providers for hosting, email/newsletter, payments, and retreat operations. Where providers act on our instructions, we have suitable agreements in place. Where providers act as independent controllers (e.g., banks, Stripe, Meta), their privacy policies apply in addition to this Policy. For Meta/Instagram Lead Ads, PaperFrame•7 is the controller for leads transmitted to us; Meta acts as an independent controller for processing on its platforms. If you request contact via WhatsApp, WhatsApp Ireland/Meta acts as an independent controller; we use it only to handle your inquiry.
On request, we will provide an up-to-date list of our current processors and key recipients.
13) Changes to this Policy
We may update this Policy to reflect legal, technical, or business developments. Material changes will be highlighted on this page with a new “Last updated” date. Significant changes may be communicated by email where appropriate.