Privacy Policy

Created: 2025-09-23

Last Updated: 2025-09-23


1) Who we are (Controller)

Controller: Niklas Wenzel (trading as Transformational U)
Websites covered: transformational-u.com and its subdomains
Privacy email (primary contact): niklas@transformational-u.com
Postal contact: Maastricht, Netherlands — full mailing address available on request via email.

Role: We act as the controller for personal data processed via our websites and services. We do not currently act as a processor for clients, nor as a joint controller. If this changes, we will provide a data processing addendum and update this notice.

2) What data we collect

Data you give us directly

We collect the information you enter in our forms on transformational-u.com (hosted on MailerLite) and during bookings:

  • Newsletter sign-up: name, email, age confirmation (16+), newsletter opt-in choices.

  • Contact form: name, email, message (free-text).

  • Coaching intake (free consultancy): name, email, year of university, free-text descriptions of (a) a problem you would like to solve and (b) your conditions for perceived success or progress, and your opt-in choices.

  • Consultancy call booking (via Notion Calendar): name, email, appointment date, time zone, and (if you add one) an optional note. For bookings that include newsletter opt-in, we also collect age confirmation (18+).

  • Internal relationship notes & DSAR register (Notion Workspace).
    We keep brief internal notes about interactions (e.g., name, email, basic status such as “booked”/“completed”), basic consultation notes for those who book meetings (for example, your description of a problem you would like to solve, your conditions for perceived success or progress, and short notes taken during the session), and a DSAR register (requester name/email, request type, dates/timestamps, status, internal reference). We do not store DSAR export files or other attachments in Notion; those are kept offline on an encrypted, air-gapped drive. We avoid recording special-category data in notes; if such information is inadvertently included, we delete or redact it.


Please do not include sensitive information (e.g., health, ethnicity, political or religious beliefs, sexual orientation, biometric or criminal-offence data) in free-text fields. If such information is submitted, we delete or redact it unless a clear lawful basis applies.


Data we collect automatically

  • Essential website data and logs: limited technical information provided by your browser/device when you access our site (e.g., IP address, date/time, URLs visited, basic device/browser details). We use this for security, reliability and troubleshooting.

  • Cookies: we currently use essential cookies only (e.g., to remember your consent choices and keep forms working). No analytics or advertising cookies run.

  • Email engagement (for subscribers): when we send newsletters or updates via MailerLite, we collect open and click information (e.g., whether an email was opened and which links were clicked) to understand engagement and improve communications.


Data we get from others

We do not buy or import contact lists and do not use social logins. We currently do not obtain your personal data from third parties.

3) Why we use your data and our legal bases

We only process personal data where a legal basis applies. Below we explain, for each purpose, what data we use, our legal basis, how long we keep it, who helps us process it, and (where relevant) the safeguards we apply for international transfers.

Email newsletter and updates.
We use your name, email address, age confirmation (16+ or 18+ depending on context), your newsletter preferences, and email engagement information (e.g., whether an email was opened and which links were clicked). Our legal basis is consent (GDPR Art. 6(1)(a)). We keep your marketing profile until you opt out. After you unsubscribe, we keep minimal logs (e.g., prior subscription status and consent timestamps) for up to 24 months to demonstrate compliance and diagnose deliverability issues. We also keep a suppression list indefinitely to ensure we do not email you again after you opt out. We use MailerLite to send emails and measure engagement. MailerLite primarily processes data in the EEA and, where transfers outside the EEA occur, relies on safeguards such as the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

Responding to enquiries (contact form).
When you contact us, we process your name, email address, and your message so we can respond. Our legal basis is legitimate interests (Art. 6(1)(f)): it’s in your interest and ours to answer the request you initiated, and no equally effective, less intrusive alternative exists. We retain enquiry correspondence for 12 months, or longer if needed to address disputes. We use MailerLite to host the form and Titan Mail to receive and send email. International transfers, where relevant, are protected via the EU–US Data Privacy Framework and/or Standard Contractual Clauses (see each provider’s commitments).

Free consultancy intake and delivery.
To deliver the requested consultancy, we process your name, email, year of university, your description of a problem you would like to solve, and your conditions for perceived success or progress (and age confirmation where relevant). Our legal basis is contract / pre-contractual steps (Art. 6(1)(b)). We retain these records for 12 months after the session. If you later become a paying customer, we retain for 12 months after your last purchase/booking, unless a longer period is required by law. We use MailerLite (form hosting) and Titan Mail (email transport). International transfers, where relevant, are safeguarded by the providers using the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

Booking and scheduling (Notion Calendar).
For scheduling calls, we process your name, email address, appointment date, and time zone. Our legal basis is contract / pre-contractual steps (Art. 6(1)(b)). Booking entries in Notion Calendar are deleted 90 days after the appointment (manual quarterly deletion). Notion hosts scheduling data in the United States; transfers are safeguarded via the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

Internal relationship management (Notion Workspace).
To keep low-level records of interactions and follow-ups, we process name, email, basic interaction status (e.g., booked/completed) and basic consultation notes (for example, your description of a problem you would like to solve, your conditions for perceived success or progress, and brief notes taken during the session). Our legal basis is legitimate interests (Art. 6(1)(f)): keeping minimal records to deliver and improve our service in a way you would reasonably expect. We retain these notes for 12 months after the last interaction. Processor: Notion (Workspace). International transfers: workspaces are primarily hosted in the United States; transfers are safeguarded via Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. We do not include special-category data in notes; if such information is inadvertently captured, we delete or redact it.

Essential site operation and consent management.
To run our website and forms reliably and remember your consent choices, we process essential cookies, your consent selections, and limited technical information (e.g., IP address, date/time, URLs visited) necessary for functionality and troubleshooting. Our legal basis is legitimate interests (Art. 6(1)(f)): keeping the service usable while respecting your choices. We retain consent records for 24 months and technical logs for up to 12 months. We use MailerLite for website/landing pages and consent storage. Where transfers occur outside the EEA, MailerLite applies the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

Security and abuse prevention.
To keep the service secure and detect misuse, we may process IP addresses, device/browser information, request metadata, and event logs. Our legal basis is legitimate interests (Art. 6(1)(f)): maintaining security and preventing fraud. We retain such logs for 12 months, or longer if a specific incident occurs. Service providers involved (MailerLite, Titan Mail) apply appropriate transfer safeguards (EU–US Data Privacy Framework and/or Standard Contractual Clauses) where relevant.

Compliance and records (proof of consent, rights requests).
To demonstrate compliance and respond to data subject rights, we keep consent status and timestamps, records of requests and our responses, and a suppression list for marketing opt-outs. Our legal basis is legal obligation (Art. 6(1)(c)), including GDPR Articles 7(1) and 12–15. We retain these records for up to 6 years, and we keep the suppression list as long as needed to ensure we do not email individuals who have opted out. We keep the DSAR register metadata (e.g., requester identity, dates, status) in Notion Workspace and store any DSAR export files only on our encrypted, air-gapped drive (not in Notion).

Tracking and consent notes.
We only send marketing emails—and measure opens/clicks—with your consent. You can withdraw consent at any time via the unsubscribe link or by emailing niklas@transformational-u.com. Withdrawing consent does not affect processing that occurred before withdrawal. You may object at any time to processing based on our legitimate interests; we will stop unless we have compelling legitimate grounds.

Special-category data.
Please do not include sensitive information (e.g., health data, ethnicity, religion, political opinions, sexual orientation, biometrics, or criminal-offence data) in free-text fields. If such information is submitted, we delete or redact it unless a clear lawful basis applies.

Summary of legitimate-interests balancing (for enquiries, site operation/consent management, and security).
Our interests are to respond efficiently to requests you initiate, keep the site functional and accessible, and maintain security. Processing is necessary for these aims; there is no equally effective less intrusive alternative. The impact on individuals is low, limited to routine operational data, with strong safeguards (minimality, limited retention, and the right to object). If you object, we will stop unless we have compelling legitimate grounds or need the data for legal claims.

4) Who we share data with (recipients/processors)

We share personal data only with service providers that help us run our website and deliver requested services. They act as processors and may access personal data only on our documented instructions, under contracts that include GDPR-compliant data protection and confidentiality terms. Our current processors are:

  • MailerLite – website/landing pages, forms, consent storage, email sending, and email engagement.
    International transfers: where data leaves the EEA, we rely on appropriate safeguards (e.g., Standard Contractual Clauses and, where applicable, an adequacy decision such as the EU–US Data Privacy Framework for certified organisations).

  • Notion Calendar (Notion) – scheduling consultation calls (no recordings/transcripts; booking entries deleted 90 days after the appointment).
    International transfers: data are hosted in the United States; transfers are safeguarded via Standard Contractual Clauses and/or an applicable adequacy decision.

  • Notion (Workspace) – internal lightweight CRM records and basic consultation notes (minimal text only; no special-category data; no DSAR export files or other attachments stored in Notion).
    International transfers: workspaces are primarily hosted in the United States; transfers are safeguarded via Standard Contractual Clauses and/or an applicable adequacy decision (e.g., EU–US DPF where applicable).

  • Titan Mail – business email provider used to receive and send messages (including contact-form enquiries routed to niklas@transformational-u.com).
    International transfers: where data leaves the EEA, transfers are safeguarded via Standard Contractual Clauses and/or an applicable adequacy decision.

  • Google Meet – video meetings for consultations (no recordings, no transcripts).
    International transfers: where data leaves the EEA, transfers are safeguarded via Standard Contractual Clauses and/or an applicable adequacy decision.

We do not sell your personal data. We may disclose information to competent authorities or courts where required by law. In the event of a business transfer (e.g., merger, acquisition, or asset sale), we will provide prior notice and ensure appropriate safeguards.

Current vendor list: to request the most up-to-date list of our processors (and their sub-processors, where relevant), contact niklas@transformational-u.com.

5) International data transfers & safeguards

Where we process data. We are based in the Netherlands. Some processing occurs in the EEA. Depending on the tool we use, your personal data may also be processed outside the EEA/UK/Switzerland (for example, in the United States) by our service providers and their subprocessors. For Google Workspace (incl. Google Meet), Google may process data in any country where Google or its subprocessors maintain facilities; see Google’s data-center locations and Workspace subprocessor list.

Our transfer tools. When a transfer involves a country without an adequacy decision under GDPR/UK GDPR/Swiss FADP, we rely on one or more of the following:

  • Standard Contractual Clauses (SCCs).
    Google Workspace/Meet: SCCs are incorporated into Google’s Cloud Data Processing Addendum (no modification; audit rights preserved). (cloud.google.com)
    Notion Calendar: SCCs as provided under Notion’s privacy/contract framework.
    Notion (Workspace): SCCs as provided under Notion’s DPA (workspace primarily hosted in the US).
    MailerLite: SCCs under MailerLite’s DPA. (mailerlite.com)
    Titan Mail: SCCs under Titan’s DPA. (support.titan.email)

  • Data Privacy Framework (DPF), where applicable.
    If our vendor is currently self-certified, we may rely on the EU-US DPF/UK Extension/Swiss-US DPF for transfers to the United States.
    Google LLC: listed as an active DPF participant. (Data Privacy Framework)
    Notion Labs, Inc.: states DPF adherence in its privacy materials. (privacycenter.notion.so)
    MailerLite: states DPF participation in its legal/security pages. (mailerlite.com)
    If a vendor’s DPF status changes or DPF becomes unavailable for a given transfer, we will rely on SCCs and appropriate supplementary measures instead.

Supplementary measures. We apply technical and organisational measures appropriate to the risk (e.g., encryption in transit and at rest offered by our providers, strict access controls, least-privilege administration, subprocessor due-diligence and contractual pass-through). For Google Workspace/Meet, additional security controls and audit/cooperation options are available under Google’s Addendum.

Transfer Impact Assessments (TIAs). For each vendor that receives personal data in a non-adequate country, we carry out a desk-based TIA to evaluate (a) the nature of the data and purposes, (b) the transfer tool used (e.g., SCCs or DPF), (c) the recipient’s technical/organisational measures, and (d) any residual risks and mitigations. We review TIAs at least annually and whenever a material change occurs (service, law, or transfer tool). We can provide a high-level summary for each vendor on request.

How to access our transfer safeguards.

  • Google Workspace/Meet: Cloud Data Processing Addendum (incorporating SCCs and explaining Alternative Transfer Solutions); Workspace data-center locations; Workspace subprocessors. (cloud.google.com)

  • Notion Calendar: Privacy/DPF statement and security resources. (privacycenter.notion.so)

  • Notion (Workspace): GDPR/DPA and security/privacy resources. (privacycenter.notion.so)

  • MailerLite: Data Processing Agreement and security/DPF statement. (mailerlite.com)

  • Titan Mail: Data Processing Addendum. (support.titan.email)

If you want copies. You can view the DPAs/SCCs and DPF notices via the links above. If a provider requires login or a customer account to access a document, we will supply a summary of the relevant clauses (e.g., SCC modules, Annexes, and applicable technical measures) upon request.

6) How long we keep your data (Retention)

We keep personal data only as long as needed for the purposes described and to meet legal/operational needs. When a period ends, we delete the data or irreversibly anonymise it.

Newsletters & updates.

  • While subscribed: we keep your profile and all engagement history (opens/clicks).

  • After you unsubscribe: we keep minimal logs (e.g., prior consent status/timestamps) for up to 24 months to demonstrate compliance and diagnose deliverability, and maintain a suppression list so we don’t email you again.

Enquiries (contact form & email threads).

  • We keep enquiry correspondence for 12 months, unless needed longer for a dispute.

Free consultancy intake & delivery.

  • We keep intake records for 12 months after the session. If you later become a paying customer, we keep these for 12 months after your last purchase/booking, unless a longer period is required by law.

Bookings (Notion Calendar).

  • Booking entries are deleted 90 days after the appointment (manual quarterly deletion).

Lightweight CRM & consultation notes (Notion Workspace).

  • We keep brief interaction and consultation notes for 12 months after the last interaction, then delete them.

Site operation & consent management.

  • Consent records for 24 months; essential technical/operational logs for up to 12 months.

Security & abuse prevention.

  • Security/event logs for 12 months (longer if an incident occurs).

Compliance records (proof of consent, rights requests).

  • Up to 6 years (typical compliance horizon).

  • Our DSAR register metadata may be kept in Notion Workspace; any DSAR export files are stored only on our encrypted, air-gapped drive.

Local CSV backups (manual, encrypted).

  • We maintain quarterly encrypted snapshots of relevant lists (e.g., opt-ins/opt-outs) stored only on an air-gapped external drive (not on the laptop). We keep the last four snapshots (12 months) and delete older ones on a rolling basis. The external drive is kept offline except when creating or updating the snapshot.

Backups held by our providers.

  • Our providers maintain disaster-recovery backups that rotate on their schedules; deleted data is removed from live systems first and then falls out of backups automatically on the provider’s normal cycle. We do not use backups for routine processing; if any backup is ever restored, we re-delete data that had reached its retention limit.

If you have questions about a specific dataset or provider, email niklas@transformational-u.com and we’ll share the current retention details we have on file.

7) Cookies and similar technologies

We keep cookies to a minimum. Our website (transformational-u.com) uses essential cookies only—just what’s needed to make forms and pages work reliably. We do not use analytics or advertising cookies.

What we use

  • Essential site/functional cookies (MailerLite).
    Used to serve pages, run forms, remember basic choices, and keep the site reliable. These are required for the service and do not require consent under the ePrivacy rules.

  • Anti-spam / abuse protection (reCAPTCHA via MailerLite forms, when enabled).
    To protect forms from bots, a reCAPTCHA widget may load. This is provided by Google and can set cookies and process technical data (e.g., IP address, device/browser info) to distinguish humans from automated traffic. We enable it only where necessary to secure forms, relying on our legitimate interests in security and fraud prevention. If you prefer not to use a reCAPTCHA-protected form, you can contact us at niklas@transformational-u.com instead.

No analytics/ads cookies. If we add non-essential cookies in the future, we will update this notice and request your consent before they run.

Third-party pages

  • Notion Calendar (booking).
    When you book a consultation, you are redirected to a Notion Calendar page on a separate domain. That page may use its own cookies/technologies under Notion’s policies. Please review Notion’s privacy/cookie information when booking.

Your choices

  • Because we only use essential cookies on our site, there isn’t a “manage cookies” panel. You can still control cookies via your browser settings (e.g., block or delete cookies). Blocking essential cookies may break form submissions or page functionality.

  • Email open/click measurement for newsletters is handled in emails themselves (not via website cookies) and only if you subscribed; you can unsubscribe anytime.

If anything here is unclear, email niklas@transformational-u.com. We review this section regularly and will post any changes before new cookies or similar technologies are used.

8) Your rights

You have the following rights under the GDPR. Some rights apply only in specific situations:

  • Access. Get a copy of your personal data and information about how we use it.

  • Rectification. Correct inaccurate data and complete incomplete data.

  • Erasure. Ask us to delete your data in certain cases.

  • Restriction. Ask us to limit processing in certain cases.

  • Portability. Receive your data in CSV (or a similar format) and/or have it sent to another controller, where technically feasible.

  • Object. Object to processing based on our legitimate interests and to direct marketing at any time.

  • Withdraw consent. When we rely on consent (e.g., newsletters), you can withdraw it at any time; this does not affect processing before withdrawal.

  • No solely automated decisions. We do not make decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects about you.

How to exercise your rights

  • Email niklas@transformational-u.com with your request. Please tell us what you’d like to do (e.g., access, erasure) and the email address you used with us.

  • We will verify your identity (usually by replying to the same address; we may ask for limited additional info if needed).

  • We respond within one month. If your request is complex or we receive many requests, we may extend by up to two months and will tell you why.

  • Requests are free of charge. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse it (we will explain why).

Authorized agents

We accept requests from authorized agents (e.g., someone with written authorization or legal authority). Because our services are for adults (18+), an agent must show proof of authority and we will still verify the data subject’s identity where appropriate.

Complaints

You can complain to a supervisory authority. Our lead authority is the Autoriteit Persoonsgegevens (Netherlands). You may also complain to your local EU/EEA authority.

9) Whether you must provide data

When we ask for personal data, we tell you what is required and what is optional. If you choose not to provide required data, we may be unable to deliver the specific service you requested. Optional fields help us tailor our responses but are not necessary.

Newsletter sign-up (MailerLite).

  • Required: name, email, age confirmation (16+).

  • Optional: newsletter preferences.

  • Consequence if not provided: without these, we cannot send you the newsletter.

Contact form.

  • Required: name, email, message.

  • Optional:

  • Consequence: without these, we cannot respond to your enquiry. If you prefer not to use the form, you can email us at niklas@transformational-u.com.

Free consultancy intake (MailerLite).

  • Required: email.

  • Optional: year of university; a description of a problem you would like to solve; conditions for perceived success or progress; opt-in choices.

  • Consequence: without an email, we cannot schedule or follow up on the session.

Booking (Notion Calendar).

  • Required: name, email, appointment date, time zone.

  • Optional:

  • Consequence: without these details, we cannot schedule the consultation.

  • Age confirmation: if you opt in to our newsletter during booking, we also ask you to confirm you are 18+.

Statutory/contractual requirements.

  • There is no statutory requirement that compels you to provide personal data to us.

  • Providing data is not contractually required except where it is necessary to deliver the service you request (e.g., we need contact and scheduling details to book a call).

Sensitive information.
Please do not include sensitive information (e.g., health, ethnicity, religion, political opinions, sexual orientation, biometrics, criminal-offence data) in free-text fields. If such information is submitted, we delete or redact it unless a clear lawful basis applies.

10) Children’s privacy

Our services are not directed to children. They are intended for students and adults.

  • Newsletter sign-ups: You must confirm you are 16+ to subscribe. We do not knowingly collect personal data from persons under 16 in the EEA for newsletter purposes. If we become aware that we collected such data without parental consent, we will delete it.

  • Consultancy bookings (and future purchases): 18+ only.

  • Report a concern: If you believe a child under the applicable age has provided personal data, contact niklas@transformational-u.com. We may ask for limited information to verify and will delete the data where appropriate.

  • Age checks: If there are indications that a user is under the applicable age, we may request age confirmation and will restrict service until this is resolved.

11) Security

We implement technical and organisational measures appropriate to the risk and the small scale of our service. While no method is 100% secure, we work to protect your data against unauthorised access, use, or disclosure.

Data minimisation & purpose limitation
We collect only what we need for the purposes described and discourage sending sensitive information in free-text fields. If such information is submitted, we delete or redact it.

Encryption

  • In transit: Our website and forms run over HTTPS (TLS); email transport uses TLS where supported.

  • At rest (providers): MailerLite, Notion, Google Workspace/Meet, and Titan encrypt stored data by default.

  • Local copies: Any manual CSV snapshots are encrypted and stored only on an air-gapped external drive (not on the Mac). We keep the last four quarterly snapshots and delete older ones on a rolling basis.

Access controls & least privilege

  • Only one person (the controller) has access to systems with personal data.

  • We use strong, unique passwords managed in a password manager and 2-factor authentication on MailerLite, Titan Mail, and Google Workspace accounts.

  • We maintain a single admin account and avoid unnecessary integrations.

  • For Notion Workspace, we restrict access to a single account, do not publicly share pages, and store only minimal text notes (no audio/video recordings or transcripts, no special-category data; if sensitive content is inadvertently included, we delete or redact it). DSAR export files and other attachments are kept only on our encrypted, air-gapped drive—not in Notion.

  • Devices used to access services are kept up-to-date and locked when not in use.

Operational hygiene

  • We periodically review and delete data per the retention rules in Section 6.

  • We do not record or transcribe calls in Google Meet.

  • Where enabled, reCAPTCHA is used only to protect forms from abuse.

Vendors & sub-processors

  • We use vendors under data processing agreements that include confidentiality, security, and sub-processor flow-down obligations.

  • We keep a small vendor register with links to DPAs, sub-processor lists, and transfer safeguards, and we review it for material changes.

Incident response
If we become aware of a security incident affecting personal data, we will investigate, take steps to contain and remediate, notify affected individuals where appropriate, and—where legally required—notify the supervisory authority within 72 hours.

If you have security or privacy concerns, contact niklas@transformational-u.com.

12) If we change the purpose of processing

We will only use your personal data for the purposes described in this notice. If we plan to use your data for a new purpose that is incompatible with the original one, we will update this notice in advance and, where required, ask for your consent or identify another valid legal basis before we proceed. If the new purpose is compatible with the original purpose (for example, closely related service operations that you would reasonably expect), we will document that compatibility assessment internally and reflect any changes here.

13) Updates to this notice

We keep this notice under regular review. If we make material changes (for example, adding new processing purposes or new processors), we will post the update here and, where appropriate, notify you by email (for subscribers) or by a banner on our website before the change takes effect.

  • Version: 1.0

  • Effective date: 2025-09-23

  • Change log: On request, we can provide a summary of prior versions and what changed.

14) Availability & accessibility

This notice is provided free of charge and in plain language. If you need it in another format (e.g., large print or text-only), email niklas@transformational-u.com and we will arrange a call (e.g., via Google Meet) and/or provide an accessible copy.
We aim to make the notice easy to find: it is linked from our website footer and from pages where we collect personal data (e.g., forms).