Privacy Policy

We collect and process your data on this site to better understand how it is used. We always ask you for consent to do that. You can change your website privacy settings by clicking on the icon in the bottom left corner.

1. General Information

This Privacy Policy applies not only to my website www.jillbucher.com, but to my entire business, including my social media profiles, digital products, email communication, courses, booking systems, and 1:1 client work. It’s meant to show you what personal data I process, in what situations that happens, and how I handle that data.

Protecting your data matters to me. I want you to understand what happens with your information, clearly, transparently, and respectfully. You should also be able to decide for yourself what happens with your data, when, and by whom. I strive to comply with all requirements of the General Data Protection Regulation (GDPR), collect only the data I truly need, and treat it with the utmost confidentiality.

1.1 Responsible Party

The person responsible for data processing within the meaning of the GDPR is:

Jill Bucher
Herbsteiner Str. 20
13435 Berlin
Email: privacy@jillbucher.com

1.2 Applicable Laws – GDPR, BDSG, and TDDDG

The scope of data protection is governed by law. In this case, the relevant regulations are the GDPR (General Data Protection Regulation) as a European regulation, and the BDSG (Federal Data Protection Act) as a national law in Germany. Additionally, the TDDDG (Telecommunications-Digital Services Data Protection Act) supplements the GDPR with specific provisions related to the use of cookies.

1.3 Processing of Personal Data and Other Terms

Data protection applies when personal data is being processed. Personal data refers to any information that can be used to identify you personally. This includes, for example, the IP address of the device (PC, laptop, smartphone, etc.) you’re currently using. Data is considered processed when “something happens to it.” For instance, your browser transmits your IP address to my hosting provider, where it is automatically stored. This counts as the processing (as defined in Article 4(2) GDPR) of personal data (as defined in Article 4(1) GDPR). These and other legal definitions can be found in Article 4 of the GDPR.

1.4 Disclosure and Deletion of Data

The disclosure and deletion of data are also important and sensitive matters. So I want to briefly share my general approach with you upfront.

Data is only disclosed if there is a legal basis for doing so and only when it is absolutely necessary. This may particularly apply in cases involving a so-called data processor, with whom a data processing agreement has been concluded in accordance with Article 28 GDPR.

If I work with supporting team members (e.g. for tech or customer support), they are granted access only to the data they need to carry out their specific tasks. They are contractually bound to confidentiality and operate under the terms of Article 28 GDPR.

I delete your data when the purpose for processing it no longer applies, the legal basis no longer exists, and there are no other legal obligations requiring its retention. Article 17 GDPR also provides a helpful overview of this.

For all further details, please refer to the rest of this Privacy Policy or contact the responsible party with any specific questions.

1.5 Legal Bases

The processing of personal data always requires a legal basis. Article 6(1) sentence 1 of the GDPR outlines the following options:
  a) The data subject has given their consent to the processing of their personal data for one or more specific purposes;
  b) The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  c) The processing is necessary for compliance with a legal obligation to which the controller is subject;
  d) The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  e) The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  f) The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially if the data subject is a child.
In the following sections, I will specify the legal basis that applies to each type of data processing.

1.6 No Automated Decision-Making

I do not make automated decisions or carry out profiling within the meaning of Article 22 GDPR.

1.7 Data Transfers to Third Countries

Some of the tools I use (e.g., Dubsado, Zoom, Google Workspace) are based outside the EU. To ensure an adequate level of data protection nonetheless, I use the EU Commission’s Standard Contractual Clauses (SCCs) and choose my service providers with care. You can find an overview of the tools I use in Sections 2 and 3.

1.8 Your Rights Under the GDPR

You have the right to:
  • Obtain information about whether and which personal data I process (Article 15 GDPR)
  • Request the correction of inaccurate or incomplete data (Article 16 GDPR)
  • Request the deletion of your data (Article 17 GDPR), provided there is no legal obligation to retain it
  • Request the restriction of processing (Article 18 GDPR)
  • Receive your data in a structured, portable format (Article 20 GDPR)
  • Object to processing based on legitimate interests (Article 21 GDPR)
  • Withdraw your consent at any time (Article 7(3) GDPR)
  • Lodge a complaint with a competent supervisory authority (Article 77 GDPR) if you believe I am violating data protection laws

If anything in this Privacy Policy changes, e.g. due to new tools, legal requirements, or service offerings, I will update it accordingly. The date of the latest update can be found at the bottom of this document.

2. Data Processing by Situation & User Groups

Depending on how you interact with me and my offerings, different data is processed. To help you understand clearly what happens and when, I have divided the main situations into separate sections.

2.1 When You Visit My Website or Social Media Profiles

When you visit my website www.jillbucher.com or my social media pages (e.g. Instagram, Facebook, LinkedIn, Pinterest, or Xing), some technical data is automatically collected. This includes, for example, your IP address, browser type, or the time of your visit. I also use cookies, which are small text files that can be stored on your device. Some cookies are technically necessary (for example, to make the cookie banner work), while others help me improve my content or analyze the visibility of my offerings.
Legal Basis:
  • Article 6(1)(f) GDPR (legitimate interest in secure operation and reach analysis)
  • Article 6(1)(a) GDPR (consent for non-essential cookies)
  • Section 25(1) TDDDG
Further details can be found directly in the cookie banner on the website.

2.2 When You Interact with Me (Without Making a Purchase)

If you send me a message, sign up for my newsletter, download a freebie, or comment on social media, I process the data you voluntarily provide, such as your name, email address, or the content of your message. I use tools such as:
  • Dubsado (for contact forms)
  • Google Mail (for direct email communication)
  • Kit (for email marketing)
  • The social media platforms themselves, depending on where you comment or write to me
Legal Basis:
  • Article 6(1)(b) GDPR (pre-contractual communication)
  • Article 6(1)(a) GDPR (consent, e.g. for the newsletter)
  • Article 6(1)(f) GDPR (legitimate interest in maintaining contacts)
I delete this data when it is no longer necessary, at the latest after statutory retention periods expire or when you withdraw your consent.

2.3 When You Are Part of My Community (Free or Paid)

If you become a member of a community, such as by gaining access to a closed area, a discussion group, or a digital course space, I may process additional data like your username, posts, profile picture, or information provided in comments or forms. This data is processed exclusively within the platform where the community takes place (e.g. Facebook, ThriveCart Learn, Circle, or similar). If you join a paid community, the information under section 2.4 (Clients) also applies.
Legal Basis:
  • Article 6(1)(b) GDPR (contract)
  • Article 6(1)(a) GDPR (consent for optional information or photos)
I do not share this data outside the community without your explicit consent.

2.4 When You Are a Client (Product or Service)

If you purchase a digital product, book a coaching session, or participate in a program, I process the data necessary to fulfill the agreement. This includes:
  • Contact details (name, email address, and possibly your physical address)
  • Booking details (e.g. time, product, price)
  • Communication content (e.g. emails, notes, feedback)
  • Invoices and payment data (e.g. via Stripe or ThriveCart)
  • Recordings (video and/or audio) of video calls, if applicable and only with your consent
I use tools such as:
  • Dubsado (for bookings, contracts, and invoices)
  • Google Workspace (for email and calendar)
  • ClickUp (for task tracking)
  • Notion (for portals or project overviews)
  • Zoom / Google Meet / Loom (for calls and video)
  • ThriveCart / Stripe / YNAB (for purchases and bookkeeping)
Legal Basis:
  • Article 6(1)(b) GDPR (contract)
  • Article 6(1)(c) GDPR (legal obligation, e.g. tax law)
  • Article 6(1)(f) GDPR (legitimate interest, e.g. in project management)
  • Article 6(1)(a) GDPR (consent for recordings, testimonials, etc.)
Note on external service providers: My bookkeeper and tax advisor may access invoice data when necessary to fulfill legal obligations.

3. Overview of Tools & Services Used

Below is an alphabetical list of the tools and platforms I use in the course of my work. For each tool, I’ve provided a brief summary of what I use it for, what data is processed, and the legal basis for doing so.

If a tool is used in multiple contexts, you’ll find the relevant details in the corresponding section above.

3.1 Borlabs Cookie

Provider: Borlabs GmbH, Hamburg, Germany
Purpose: Consent management on the website (cookie banner)
Data: IP address, consent status, time of consent
Legal Basis: Article 6(1)(c) GDPR, § 25(1) TDDDG
Location: Germany
More Info: borlabs.io/privacy/

3.2 Canva

Provider: Canva Pty Ltd, Australia
Purpose: Design of social media graphics etc., possibly including client photos (e.g. testimonials)
Data: Images, first names, logos (only with consent)
Legal Basis: Article 6(1)(a) GDPR
Location: Global (including Australia)
More Info: canva.com/policies/privacy-policy/

3.3 ClickUp

Provider: Mango Technologies, Inc. (USA)
Purpose: Task and project management
Data: Name, email address, project content, notes, status information
Legal Basis: Article 6(1)(b) and (f) GDPR
Data Security: Servers in the USA, secured via Standard Contractual Clauses (SCC)
More Info: clickup.com/privacy

3.4 Dubsado

Provider: Dubsado LLC, USA
Purpose: Contact forms, appointment scheduling, contracts, invoices
Data: Name, email address, discussion topics, contract details, invoices
Legal Basis: Article 6(1)(b) and (c) GDPR
Data Security: Servers in the USA, secured via Standard Contractual Clauses (SCC)
More Info: dubsado.com/legal/privacy-policy

3.5 Google Workspace

(including Gmail, Calendar, Drive, Docs, Sheets, Meet, Chat)
Provider: Google Ireland Ltd.
Purpose: Communication, scheduling, documentation
Data: Name, email address, appointment and conversation details, working documents
Legal Basis: Article 6(1)(b), (f), and (a) GDPR (e.g. in case of recordings)
Data Security: EU data region activated, SCCs for access outside the EU
More Info: policies.google.com/privacy

3.6 Kit (formerly ConvertKit)

Provider: ConvertKit LLC, USA
Purpose: Newsletter distribution, email marketing
Data: Email address, open and click behavior, interest tags
Legal Basis: Article 6(1)(a) and (f) GDPR
Data Security: Secured via Standard Contractual Clauses (SCC)
More Info: kit.com/privacy

3.7 LastPass

Provider: GoTo Technologies, Ireland / USA
Purpose: Management and secure sharing of login credentials
Data: Logins, potentially project-related notes (encrypted)
Legal Basis: Article 6(1)(b) and (f) GDPR
Data Security: End-to-end encryption, access granted only with permission
More Info: lastpass.com/legal-center/privacy-notice

3.8 Loom

Provider: Loom Inc., USA
Purpose: Recording of tutorial videos and screencasts for clients
Data: Screen, audio, or video recordings (shared only with specific recipients)
Legal Basis: Article 6(1)(b) and (f) GDPR
Data Security:
More Info: loom.com/privacy

3.9 Notion

Provider: Notion Labs Inc., USA
Purpose: Documentation and provision of client portals
Data: Name, session content, working materials
Legal Basis: Article 6(1)(b) and (f) GDPR
Data Security: Two-factor authentication enabled, GDPR-compliant use
More Info: notion.so/notion/Privacy-Policy

3.10 Stripe

Provider: Stripe Payments Europe Ltd., Ireland
Purpose: Payment processing
Data: Name, email address, payment details, IP address, transaction data
Legal Basis: Article 6(1)(b), (c), and (f) GDPR
Data Security: PCI-DSS certified
More Info: stripe.com/privacy

3.11 ThriveCart

Provider: WebActix Ltd., New Zealand
Purpose: Purchase processing, product access, course platform
Data: Name, email address, purchase details, IP address, course progress (if applicable)
Legal Basis: Article 6(1)(b), (c), and (f) GDPR
Data Security: Data transfer to third countries secured via SCCs (Standard Contractual Clauses)
More Info: thrivecart.com/legal/thrivecart/

3.12 YNAB (You Need A Budget)

Provider: You Need A Budget LLC, USA
Purpose: Financial management and accounting
Data: Customer names, invoice amounts, incoming payments
Legal Basis: Article 6(1)(c) and (f) GDPR
Data Security:
More Info: ynab.com/privacy-policy

3.13 Zapier

Provider: Zapier Inc., USA
Purpose: Automation between tools (e.g. calendar, tasks)
Data: Depending on the connection: name, project information, appointments
Legal Basis: Article 6(1)(f) GDPR (legitimate interest)
Data Security: SCCs (Standard Contractual Clauses), access control, encryption
More Info: zapier.com/privacy

3.14 Zoom

Provider: Zoom Video Communications Inc., USA
Purpose: Online meetings, occasional recordings (only with consent)
Data: Name, email address, audio/video recordings, transcripts (if applicable)
Legal Basis: Article 6(1)(b) and (a) GDPR
Data Security: SCCs, GDPR mode, EU data centers can be activated
More Info: zoom.us/privacy

4. Current Status of the Privacy Policy

This privacy policy was last updated on June 3, 2025. I review this privacy policy regularly and update it when legal requirements change or when I introduce new tools or offers in my business.

If there are significant changes, such as new processing purposes, additional services, or different legal bases, I will publish the updated version in the same place and recommend that you review the privacy policy regularly.

The most current version of this policy is always available at www.jillbucher.com/privacy.