Privacy Policy

1. Data Controller

PadaPesa ApS ("we", "us", "our") is the data controller for personal data processed through the PadaPesa Coaching platform at coach.padapesa.com.

• Company: PadaPesa ApS
• Address: Copenhagen, Denmark
• Email: privacy@padapesa.com
• DPO Contact: dpo@padapesa.com

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Data

• Full name, email address
• Profile picture (optional)
• Authentication credentials (hashed passwords, OAuth tokens)
• Account preferences and settings

2.2 Learning & Coaching Data

• Course enrolment and completion records
• Quiz answers and scores
• AI coaching session transcripts
• Progress tracking data (streaks, badges, points)
• Community posts, comments, and interactions

2.3 Payment Data

• Subscription plan and billing cycle
• Payment card details are processed directly by Stripe and never stored on our servers
• Transaction history and invoices

2.4 Technical Data

• IP address, browser type, operating system
• Device identifiers and screen resolution
• Referring URLs and page view data
• Cookie and local storage data (see our Cookie Policy)

3. Legal Basis for Processing

4. Data Sharing & Transfers

We share personal data only with:

• Stripe — payment processing (PCI DSS compliant, EU–US Data Privacy Framework)
• Cloud infrastructure providers — hosting and data storage within the EU/EEA
• AI service providers — for coaching session processing (data processed in accordance with our DPA)
• Law enforcement — when required by law or valid legal process

Where data is transferred outside the EU/EEA, we ensure adequate safeguards are in place (Standard Contractual Clauses, adequacy decisions, or the EU–US Data Privacy Framework).

5. Data Retention

6. Your Rights (GDPR Articles 15–22)

Under GDPR, you have the right to:

• Access (Art. 15) — Request a copy of your personal data
• Rectification (Art. 16) — Correct inaccurate or incomplete data
• Erasure(Art. 17) — Request deletion of your data ("right to be forgotten")
• Restriction (Art. 18) — Restrict processing in certain circumstances
• Data portability (Art. 20) — Receive your data in a structured, machine-readable format
• Object (Art. 21) — Object to processing based on legitimate interests
• Withdraw consent (Art. 7) — Withdraw consent at any time without affecting prior processing

To exercise any of these rights, email privacy@padapesa.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. For Denmark, this is the Datatilsynet (datatilsynet.dk).

7. AI Processing

Our AI coaching features use machine learning to provide personalised financial recommendations based on your learning progress and stated goals. This processing does not produce legal or similarly significant effects. You may opt out of AI-based personalisation through your account settings.

8. Children's Privacy

The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

9. Security Measures

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Regular security audits and penetration testing
• Access control and role-based permissions
• Incident response procedures

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be notified via email or in-platform notice at least 30 days in advance.

11. Contact Us

For privacy-related questions or to exercise your rights:

• Privacy team: privacy@padapesa.com
• DPO: dpo@padapesa.com
• Company: PadaPesa ApS, Copenhagen, Denmark