Legal Document

Privacy Policy

This Privacy Policy describes how Plantostrengthie collects, uses, stores, and protects your personal data when you visit our website or use our group walking session services.

Last updated:

1. Introduction and Data Controller

Plantostrengthie, located at Utrechtsestraat 52–60, 1017 VP Amsterdam, Netherlands, is the data controller responsible for the processing of your personal data in connection with our website at plantostrengthie.world and our group walking session services.

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Dutch Implementation Act (Uitvoeringswet AVG), and other applicable data protection legislation.

For any questions regarding this Privacy Policy or the processing of your personal data, you may contact us at assist@plantostrengthie.world or by telephone at +31 20 623 5255.

2. Personal Data We Collect

We collect personal data that you provide directly to us, as well as data collected automatically when you visit our website. The categories of personal data we may process include:

2.1 Data You Provide Directly

  • Identity data: your first and last name
  • Contact data: your email address, telephone number, and postal address
  • Communication data: the content of messages you send through our contact form or via email
  • Booking data: preferred session dates, group size, pace preferences, and special requirements you share during registration
  • Consent records: timestamps and details of consents you provide, including GDPR consent for data processing and cookie preferences

2.2 Data Collected Automatically

  • Technical data: IP address, browser type and version, operating system, device type, and screen resolution
  • Usage data: pages visited, time spent on pages, navigation paths, referral sources, and interaction with website elements
  • Cookie data: information stored through cookies and similar technologies as described in our Cookie Policy

2.3 Data We Do Not Collect

We do not intentionally collect special categories of personal data as defined in Article 9 GDPR, including data concerning health, racial or ethnic origin, political opinions, religious beliefs, or biometric data. Our walking sessions are recreational activities and we do not request health-related information from participants.

3. Purposes and Legal Bases for Processing

We process your personal data only for specified, explicit, and legitimate purposes. The table below outlines our primary processing activities and their corresponding legal bases under the GDPR.

3.1 Responding to Enquiries

When you submit our contact form or send us an email, we process your name, email address, and message content to respond to your enquiry. Legal basis: performance of a contract (Article 6(1)(b) GDPR) where your enquiry relates to a booking, or legitimate interests (Article 6(1)(f) GDPR) where the enquiry is general in nature.

3.2 Session Registration and Administration

When you register for a group walking session, we process your contact details and booking preferences to confirm your participation, communicate meeting points, and manage session logistics. Legal basis: performance of a contract (Article 6(1)(b) GDPR).

3.3 Website Operation and Security

We process technical data to ensure the proper functioning, security, and stability of our website. This includes detecting and preventing fraudulent activity, unauthorised access, and technical errors. Legal basis: legitimate interests (Article 6(1)(f) GDPR).

3.4 Analytics and Website Improvement

With your consent, we use analytics tools to understand how visitors interact with our website, enabling us to improve content, navigation, and user experience. Legal basis: consent (Article 6(1)(a) GDPR). You may withdraw consent at any time through our cookie settings.

3.5 Marketing Communications

With your explicit consent, we may send you information about upcoming walking sessions, seasonal programmes, and related services. Legal basis: consent (Article 6(1)(a) GDPR). You may unsubscribe at any time using the link in any marketing email or by contacting us directly.

3.6 Legal Compliance

We may process personal data where necessary to comply with legal obligations, including tax record-keeping, responding to lawful requests from public authorities, and enforcing our Terms of Use. Legal basis: compliance with a legal obligation (Article 6(1)(c) GDPR).

4. Data Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.

  • Contact form submissions: retained for 24 months from the date of submission, then securely deleted
  • Session booking records: retained for 7 years from the date of the session to comply with Dutch tax and accounting requirements
  • Marketing consent records: retained for the duration of the consent plus 3 years after withdrawal
  • Cookie consent preferences: retained for 12 months, after which we request renewed consent
  • Server log files: retained for 90 days, then automatically deleted
  • Analytics data: retained in aggregated, anonymised form after 26 months; individual-level data is deleted after 14 months

When personal data is no longer needed, we securely delete or anonymise it using industry-standard methods. Anonymised data that cannot be linked to an individual may be retained indefinitely for statistical purposes.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data to third parties. We may share your data with the following categories of recipients, strictly for the purposes described in this policy:

5.1 Service Providers

We engage trusted third-party service providers who process personal data on our behalf under data processing agreements compliant with Article 28 GDPR. These include website hosting providers, email delivery services, and analytics platform operators (only when you have consented to analytics cookies).

5.2 Payment Processors

If you make a payment for session registration or programme enrolment, your payment data is processed directly by our payment service provider. We do not store complete credit card numbers on our servers.

5.3 Legal Requirements

We may disclose personal data when required by law, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 International Transfers

Your personal data is primarily processed within the European Economic Area (EEA). If any of our service providers transfer data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or adequacy decisions.

6. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

  • HTTPS encryption for all data transmitted between your browser and our website
  • Access controls limiting personal data access to authorised personnel on a need-to-know basis
  • Regular security assessments and updates to our website infrastructure
  • Secure storage of physical and digital records containing personal data
  • Staff training on data protection principles and incident response procedures
  • Password policies and multi-factor authentication for administrative systems

While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but commit to notifying affected individuals and the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) of any data breach within 72 hours where required by Article 33 GDPR.

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data. You may exercise these rights by contacting us at assist@plantostrengthie.world.

7.1 Right of Access (Article 15)

You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about the processing purposes, categories, recipients, and retention periods.

7.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data.

7.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data where it is no longer necessary for the purposes collected, where you withdraw consent, where you object to processing, or where the data was unlawfully processed. This right is subject to exceptions, such as legal retention obligations.

7.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you prefer restriction over erasure.

7.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

7.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or processing is necessary for legal claims.

7.7 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. You may manage cookie consent through our website banner or contact us directly.

7.8 Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens (AP), the Dutch supervisory authority for data protection. Contact details: autoriteitpersoonsgegevens.nl.

We will respond to all valid rights requests within one month of receipt. This period may be extended by two additional months for complex requests, in which case we will inform you of the extension and reasons within the initial one-month period.

8. Children's Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe we have collected data from a child under 16 without appropriate consent, please contact us immediately and we will take steps to delete such data promptly.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website.

We encourage you to review this Privacy Policy periodically. Your continued use of our website after changes are posted constitutes your acknowledgment of the updated policy.

10. Contact Information

For questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact:

Plantostrengthie
Utrechtsestraat 52–60
1017 VP Amsterdam
Netherlands
Email: assist@plantostrengthie.world
Phone: +31 20 623 5255