Privacy Policy
Last updated: 15 May 2026
I take your privacy seriously and only collect and process the personal data needed to run my business and deliver my services. This policy explains what data I collect, why, how I use it, and your rights under the General Data Protection Regulation (GDPR).
1. Who I am
I am Tenzin Tserang van Iersel, operating as a sole proprietorship under the trade names Ethical Business Model and Flow State Protocol. I am the "data controller" responsible for your personal data under GDPR.
- Address: Wilgenlaan 21, 5071 CA Udenhout, The Netherlands
- KVK: 74701207
- Email: tenzin@ethicalbusinessmodel.com
For any privacy-related question or request, email me directly. I respond within 30 days as required by GDPR, and usually much sooner.
2. What data I collect
Depending on how you interact with me, I may process the following categories of personal data:
If you visit my website:
- Basic technical data such as IP address, browser type, and pages visited, processed by my hosting provider for site security and uptime. No analytics or tracking tools are used.
If you fill in a form or contact me:
- Name, email address, and any other information you choose to share
- The content of your message or form submission
If you subscribe to my newsletter or download a lead magnet:
- Email address and first name
- Subscription status and engagement data (opens, clicks)
If you book a call:
- Name, email, and any details you provide in the booking form
- Date and time of the booked call
If you become a client:
- Billing details (name, address, email) for invoicing
- Payment information processed by Stripe or Wise — I do not store card details myself
- Content of our communications (email, WhatsApp, calls)
- Recordings of group and individual coaching sessions (with your knowledge — see section 5)
- Notes I take during our work together
3. Why I process your data, and the legal basis
Under GDPR I must have a valid legal basis for each type of processing. Here's how that breaks down:
- To deliver services I've agreed to provide (contract performance) — handling bookings, running coaching programs, processing payments, sending materials, recording sessions for client access.
- To meet legal obligations — keeping invoices and financial records for the period required by Dutch tax law (currently 7 years).
- With your consent — sending newsletters, marketing emails, or sharing testimonials. You can withdraw consent at any time.
- Legitimate interest — responding to enquiries, basic website security, and protecting against fraud or abuse. I weigh this against your rights and only rely on it where the impact on you is minimal.
4. Who I share your data with
I don't sell your data, ever. I do share it with a small number of trusted service providers ("processors") who help me run my business. Each is contractually required to handle your data in line with GDPR.
| Service | Purpose | Location |
|---|---|---|
| Hostinger | Website hosting and security | EU |
| Titan Email | Business email | International |
| MailerLite | Newsletter and automated emails | EU (Lithuania) |
| Go High Level | Booking and CRM | USA |
| Stripe | Payment processing | EU / USA |
| Wise | Payment processing and banking | EU / UK |
| Google (Meet, Drive) | Video calls and recording storage | USA |
| WhatsApp (Meta) | Client group chat | USA |
| Notion | Resources and documentation shared with clients | USA |
| Loom | Personalized video answers for clients | USA |
I may also share your data when legally required (for example, with the Dutch tax authority) or to enforce my Terms & Conditions.
5. Session recordings
Group calls in the Launchpad and Accelerator are recorded by default. Recordings are stored in Google Drive and shared with the cohort so participants can rewatch. By joining a session you acknowledge it will be recorded.
If you'd prefer to keep your camera off or stay silent during recording, that's always fine — let me know and I'll accommodate it. For one-on-one sessions in Full Momentum, recording is agreed with you in advance.
6. International data transfers
Some of the tools listed above are based in the United States or operate globally. Where data is transferred outside the European Economic Area, transfers are protected by appropriate safeguards: either an EU adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses signed with the provider.
7. How long I keep your data
- Newsletter subscribers: until you unsubscribe.
- Website enquiries: up to 24 months after the last contact.
- Client records and communications: for the duration of our work together, plus up to 2 years after.
- Invoices and financial records: 7 years, as required by Dutch tax law.
- Session recordings: kept for the duration of the program; access may continue afterwards for active alumni at my discretion. You can request deletion of recordings featuring you at any time.
8. Your rights
Under GDPR you have the right to:
- Access the personal data I hold about you
- Have inaccurate data corrected
- Request deletion of your data (where I'm not legally required to keep it)
- Restrict or object to certain processing
- Receive your data in a portable format
- Withdraw consent at any time (for processing based on consent)
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl
To exercise any of these rights, email me at tenzin@ethicalbusinessmodel.com.
9. Security
My website runs on HTTPS with an SSL certificate, and is hosted on a managed platform with automatic security updates. I use strong, unique passwords and two-factor authentication on all business accounts that support it. Despite these measures, no system is 100% secure — if a data breach occurs that affects you, I will notify you and the Dutch DPA within the timeframes required by law.
10. Tracking and analytics
This website currently uses no analytics tools, advertising pixels, or tracking cookies. Basic technical logs are kept by my hosting provider for site health and security only; these are not used to profile or identify you. If this changes in the future, this policy will be updated and a cookie banner will be added where required.
11. Children
My services are intended for adults running or starting a business. I do not knowingly collect data from anyone under 16.
12. Changes to this policy
I may update this policy from time to time. The "last updated" date at the top reflects the most recent change. For material changes, I will notify active clients and newsletter subscribers by email.