Privacy Policy
1. General Information
This Privacy Policy applies not only to my website www.jillbucher.com, but to my entire business, including my social media profiles, digital products, email communication, courses, booking systems, and 1:1 client work. It’s meant to show you what personal data I process, in what situations that happens, and how I handle that data.
Protecting your data matters to me. I want you to understand what happens with your information, clearly, transparently, and respectfully. You should also be able to decide for yourself what happens with your data, when, and by whom. I strive to comply with all requirements of the General Data Protection Regulation (GDPR), collect only the data I truly need, and treat it with the utmost confidentiality.
1.1 Responsible Party
The person responsible for data processing within the meaning of the GDPR is:
Jill Bucher
Herbsteiner Str. 20
13435 Berlin
Email: privacy@jillbucher.com
1.2 Applicable Laws – GDPR, BDSG, and TDDDG
The scope of data protection is governed by law. In this case, the relevant regulations are the GDPR (General Data Protection Regulation) as a European regulation, and the BDSG (Federal Data Protection Act) as a national law in Germany. Additionally, the TDDDG (Telecommunications-Digital Services Data Protection Act) supplements the GDPR with specific provisions related to the use of cookies.
1.3 Processing of Personal Data and Other Terms
Data protection applies when personal data is being processed. Personal data refers to any information that can be used to identify you personally. This includes, for example, the IP address of the device (PC, laptop, smartphone, etc.) you’re currently using. Data is considered processed when “something happens to it.” For instance, your browser transmits your IP address to my hosting provider, where it is automatically stored. This counts as the processing (as defined in Article 4(2) GDPR) of personal data (as defined in Article 4(1) GDPR). These and other legal definitions can be found in Article 4 of the GDPR.
1.4 Disclosure and Deletion of Data
The disclosure and deletion of data are also important and sensitive matters. So I want to briefly share my general approach with you upfront.
Data is only disclosed if there is a legal basis for doing so and only when it is absolutely necessary. This may particularly apply in cases involving a so-called data processor, with whom a data processing agreement has been concluded in accordance with Article 28 GDPR.
If I work with supporting team members (e.g. for tech or customer support), they are granted access only to the data they need to carry out their specific tasks. They are contractually bound to confidentiality and operate under the terms of Article 28 GDPR.
I delete your data when the purpose for processing it no longer applies, the legal basis no longer exists, and there are no other legal obligations requiring its retention. Article 17 GDPR also provides a helpful overview of this.
For all further details, please refer to the rest of this Privacy Policy or contact the responsible party with any specific questions.
1.5 Legal Bases
The processing of personal data always requires a legal basis. Article 6(1) sentence 1 of the GDPR outlines the following options:
a) The data subject has given their consent to the processing of their personal data for one or more specific purposes;
b) The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
c) The processing is necessary for compliance with a legal obligation to which the controller is subject;
d) The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially if the data subject is a child.
In the following sections, I will specify the legal basis that applies to each type of data processing.
1.6 No Automated Decision-Making
I do not make automated decisions or carry out profiling within the meaning of Article 22 GDPR.
1.7 Data Transfers to Third Countries
Some of the tools I use (e.g., Dubsado, Zoom, Google Workspace) are based outside the EU. To ensure an adequate level of data protection nonetheless, I use the EU Commission’s Standard Contractual Clauses (SCCs) and choose my service providers with care. You can find an overview of the tools I use in Sections 2 and 3.
1.8 Your Rights Under the GDPR
You have the right to:
- Obtain information about whether and which personal data I process (Article 15 GDPR)
- Request the correction of inaccurate or incomplete data (Article 16 GDPR)
- Request the deletion of your data (Article 17 GDPR), provided there is no legal obligation to retain it
- Request the restriction of processing (Article 18 GDPR)
- Receive your data in a structured, portable format (Article 20 GDPR)
- Object to processing based on legitimate interests (Article 21 GDPR)
- Withdraw your consent at any time (Article 7(3) GDPR)
- Lodge a complaint with a competent supervisory authority (Article 77 GDPR) if you believe I am violating data protection laws
If anything in this Privacy Policy changes, e.g. due to new tools, legal requirements, or service offerings, I will update it accordingly. The date of the latest update can be found at the bottom of this document.
2. Data Processing by Situation & User Groups
Depending on how you interact with me and my offerings, different data is processed. To help you understand clearly what happens and when, I have divided the main situations into separate sections.
2.1 When You Visit My Website or Social Media Profiles
When you visit my website www.jillbucher.com or my social media pages (e.g. Instagram, Facebook, LinkedIn, Pinterest, or Xing), some technical data is automatically collected. This includes, for example, your IP address, browser type, or the time of your visit. I also use cookies, which are small text files that can be stored on your device. Some cookies are technically necessary (for example, to make the cookie banner work), while others help me improve my content or analyze the visibility of my offerings.
Legal Basis:
- Article 6(1)(f) GDPR (legitimate interest in secure operation and reach analysis)
- Article 6(1)(a) GDPR (consent for non-essential cookies)
- Section 25(1) TDDDG
2.2 When You Interact with Me (Without Making a Purchase)
If you send me a message, sign up for my newsletter, download a freebie, or comment on social media, I process the data you voluntarily provide, such as your name, email address, or the content of your message.
I use tools such as:
- Dubsado (for contact forms)
- Google Mail (for direct email communication)
- Kit (for email marketing)
- The social media platforms themselves, depending on where you comment or write to me
Legal Basis:
- Article 6(1)(b) GDPR (pre-contractual communication)
- Article 6(1)(a) GDPR (consent, e.g. for the newsletter)
- Article 6(1)(f) GDPR (legitimate interest in maintaining contacts)
2.3 When You Are Part of My Community (Free or Paid)
If you become a member of a community, such as by gaining access to a closed area, a discussion group, or a digital course space, I may process additional data like your username, posts, profile picture, or information provided in comments or forms. This data is processed exclusively within the platform where the community takes place (e.g. Facebook, ThriveCart Learn, Circle, or similar). If you join a paid community, the information under section 2.4 (Clients) also applies.
Legal Basis:
- Article 6(1)(b) GDPR (contract)
- Article 6(1)(a) GDPR (consent for optional information or photos)
2.4 When You Are a Client (Product or Service)
If you purchase a digital product, book a coaching session, or participate in a program, I process the data necessary to fulfill the agreement. This includes:
- Contact details (name, email address, and possibly your physical address)
- Booking details (e.g. time, product, price)
- Communication content (e.g. emails, notes, feedback)
- Invoices and payment data (e.g. via Stripe or ThriveCart)
- Recordings (video and/or audio) of video calls, if applicable and only with your consent
I use tools such as:
- Dubsado (for bookings, contracts, and invoices)
- Google Workspace (for email and calendar)
- ClickUp (for task tracking)
- Notion (for portals or project overviews)
- Zoom / Google Meet / Loom (for calls and video)
- ThriveCart / Stripe / YNAB (for purchases and bookkeeping)
Legal Basis:
- Article 6(1)(b) GDPR (contract)
- Article 6(1)(c) GDPR (legal obligation, e.g. tax law)
- Article 6(1)(f) GDPR (legitimate interest, e.g. in project management)
- Article 6(1)(a) GDPR (consent for recordings, testimonials, etc.)
3. Overview of Tools & Services Used
Below is an alphabetical list of the tools and platforms I use in the course of my work. For each tool, I’ve provided a brief summary of what I use it for, what data is processed, and the legal basis for doing so.
If a tool is used in multiple contexts, you’ll find the relevant details in the corresponding section above.
3.1 Borlabs Cookie
Provider | Borlabs GmbH, Hamburg, Germany |
Purpose | Consent management on the website (cookie banner) |
Data | IP address, consent status, time of consent |
Legal Basis | Article 6(1)(c) GDPR, § 25(1) TDDDG |
Location | Germany |
More Info | borlabs.io/privacy/ |
3.2 Canva
Provider | Canva Pty Ltd, Australia |
Purpose | Design of social media graphics etc., possibly including client photos (e.g. testimonials) |
Data | Images, first names, logos (only with consent) |
Legal Basis | Article 6(1)(a) GDPR |
Location | Global (including Australia) |
More Info | canva.com/policies/privacy-policy/ |
3.3 ClickUp
Provider | Mango Technologies, Inc. (USA) |
Purpose | Task and project management |
Data | Name, email address, project content, notes, status information |
Legal Basis | Article 6(1)(b) and (f) GDPR |
Data Security | Servers in the USA, secured via Standard Contractual Clauses (SCC) |
More Info | clickup.com/privacy |
3.4 Dubsado
Provider | Dubsado LLC, USA |
Purpose | Contact forms, appointment scheduling, contracts, invoices |
Data | Name, email address, discussion topics, contract details, invoices |
Legal Basis | Article 6(1)(b) and (c) GDPR |
Data Security | Servers in the USA, secured via Standard Contractual Clauses (SCC) |
More Info | dubsado.com/legal/privacy-policy |
3.5 Google Workspace
(including Gmail, Calendar, Drive, Docs, Sheets, Meet, Chat)
Provider | Google Ireland Ltd. |
Purpose | Communication, scheduling, documentation |
Data | Name, email address, appointment and conversation details, working documents |
Legal Basis | Article 6(1)(b), (f), and (a) GDPR (e.g. in case of recordings) |
Data Security | EU data region activated, SCCs for access outside the EU |
More Info | policies.google.com/privacy |
3.6 Kit (formerly ConvertKit)
Provider | ConvertKit LLC, USA |
Purpose | Newsletter distribution, email marketing |
Data | Email address, open and click behavior, interest tags |
Legal Basis | Article 6(1)(a) and (f) GDPR |
Data Security | Secured via Standard Contractual Clauses (SCC) |
More Info | kit.com/privacy |
3.7 LastPass
Provider | GoTo Technologies, Ireland / USA |
Purpose | Management and secure sharing of login credentials |
Data | Logins, potentially project-related notes (encrypted) |
Legal Basis | Article 6(1)(b) and (f) GDPR |
Data Security | End-to-end encryption, access granted only with permission |
More Info | lastpass.com/legal-center/privacy-notice |
3.8 Loom
Provider | Loom Inc., USA |
Purpose | Recording of tutorial videos and screencasts for clients |
Data | Screen, audio, or video recordings (shared only with specific recipients) |
Legal Basis | Article 6(1)(b) and (f) GDPR |
Data Security | |
More Info | loom.com/privacy |
3.9 Notion
Provider | Notion Labs Inc., USA |
Purpose | Documentation and provision of client portals |
Data | Name, session content, working materials |
Legal Basis | Article 6(1)(b) and (f) GDPR |
Data Security | Two-factor authentication enabled, GDPR-compliant use |
More Info | notion.so/notion/Privacy-Policy |
3.10 Stripe
Provider | Stripe Payments Europe Ltd., Ireland |
Purpose | Payment processing |
Data | Name, email address, payment details, IP address, transaction data |
Legal Basis | Article 6(1)(b), (c), and (f) GDPR |
Data Security | PCI-DSS certified |
More Info | stripe.com/privacy |
3.11 ThriveCart
Provider | WebActix Ltd., New Zealand |
Purpose | Purchase processing, product access, course platform |
Data | Name, email address, purchase details, IP address, course progress (if applicable) |
Legal Basis | Article 6(1)(b), (c), and (f) GDPR |
Data Security | Data transfer to third countries secured via SCCs (Standard Contractual Clauses) |
More Info | thrivecart.com/legal/thrivecart/ |
3.12 YNAB (You Need A Budget)
Provider | You Need A Budget LLC, USA |
Purpose | Financial management and accounting |
Data | Customer names, invoice amounts, incoming payments |
Legal Basis | Article 6(1)(c) and (f) GDPR |
Data Security | |
More Info | ynab.com/privacy-policy |
3.13 Zapier
Provider | Zapier Inc., USA |
Purpose | Automation between tools (e.g. calendar, tasks) |
Data | Depending on the connection: name, project information, appointments |
Legal Basis | Article 6(1)(f) GDPR (legitimate interest) |
Data Security | SCCs (Standard Contractual Clauses), access control, encryption |
More Info | zapier.com/privacy |
3.14 Zoom
Provider | Zoom Video Communications Inc., USA |
Purpose | Online meetings, occasional recordings (only with consent) |
Data | Name, email address, audio/video recordings, transcripts (if applicable) |
Legal Basis | Article 6(1)(b) and (a) GDPR |
Data Security | SCCs, GDPR mode, EU data centers can be activated |
More Info | zoom.us/privacy |
4. Current Status of the Privacy Policy
This privacy policy was last updated on June 3, 2025. I review this privacy policy regularly and update it when legal requirements change or when I introduce new tools or offers in my business.
If there are significant changes, such as new processing purposes, additional services, or different legal bases, I will publish the updated version in the same place and recommend that you review the privacy policy regularly.
The most current version of this policy is always available at www.jillbucher.com/privacy.