Privacy Policy
Effective date: September 11, 2024
In its daily business operations, Nua Coach uses a variety of personal data, including data about current, past, and prospective employees; clients; users and visitors of its websites; subscribers; and other stakeholders.
As it collects and uses this data, the organization is subject to various laws regulating how these activities can be carried out and the security measures that must be implemented to protect the data. The purpose of this policy is to set out the relevant legislation and describe the steps that Nua Coach is taking to ensure compliance. This control applies to all systems, persons, and processes that are part of the organization's information systems, including board members, directors, employees, suppliers, and other third parties who have access to NUA Coach's systems.
Applicable Privacy Legislation
The following list shows the main elements of privacy legislation that apply in the countries (or groups of countries) and states in which NUA Coach operates.
- Argentina: Personal Data Protection Law (PDPL)
- Australia: Privacy Act
- Australia: Personal Information and Privacy Protection Act
- Brazil: General Data Protection Law (LGPD)
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Canada - Quebec: Personal Information Protection Act in the Private Sector
- European Union: General Data Protection Regulation (GDPR)
- Singapore: Personal Data Protection Act
- United Kingdom: UK GDPR Data Protection Act
- U.S. - California: California Consumer Privacy Act (CCPA)
Nua Coach is legally obligated to comply with the provisions of this legislation at all times. While there may be variations in these provisions, this policy establishes the key principles that generally must be observed under such legislation.
Significant fines may apply if a breach is deemed to have occurred under the applicable privacy legislation, which is designed to protect the personal data of citizens of the country (or state, region, or group of countries) concerned. It is NUA Coach's policy to ensure that our compliance with the applicable legislation is clear and demonstrable at all times.
Definitions
The definitions used in privacy legislation vary, and it is not appropriate to reproduce them all here. However, the common terms used in this policy are as follows:
- Personal data: Any information that (a) can be used to identify the data subject to whom such data refers, or (b) is or may be directly or indirectly linked to a data subject.
- Data subject: An individual to whom the personal data belongs. This term is also referred to as the data subject.
- Processing of personal data: Operation or set of operations performed on personal data. Examples include collection, storage, modification, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination, or any other form of making available, deletion, or destruction of personal data.
- Data controller: Stakeholder in privacy who determines the purposes and means of processing personal data, excluding individuals who use data for personal purposes.
- Data processor: Stakeholder in privacy that processes personal data on behalf of and in accordance with the instructions of a data controller.
Principles Related to the Processing of Personal Data
- Legality, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
The processing of special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, and the processing of genetic data, biometric data for uniquely identifying a person, health-related data, or data concerning an individual's sexual life or sexual orientation shall be prohibited. Exceptions to this restriction are limited to those provided by law, including, without limitation, necessary processing for reasons of public interest, preventive medicine, and the defense or exercise of a legal right.
NUA Coach shall ensure compliance with these principles both in processing and in introducing new processing methods, such as new computer systems.
Individual Rights
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision-making and profiling
These rights are subject to the following timeframes for compliance:
- The right to be informed: When data is collected (if provided by the data subject) or within one month (if not provided by the data subject)
- The right of access: One month
- The right to rectification: One month
- The right to erasure: Without undue delay
- The right to restrict processing: Without undue delay
- The right to data portability: One month
- The right to object: Upon receiving the objection
- Rights related to automated decision-making and profiling: Not specified
NUA Coach shall ensure that data subjects may exercise their rights without NUA Coach taking action to prevent or discourage data subjects from exercising those rights.
If requests are clearly unfounded or excessive, in particular because of their repetitive character, NUA Coach may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the requested action, or refuse to act on the request.
Where NUA Coach has reasonable doubts concerning the identity of the individual making the request, NUA Coach may request additional information necessary to confirm the identity of the data subject.
NUA Coach shall take reasonable steps to inform controllers and processors that are processing the data about the data subject's request.
Legality of Processing
Consent
Unless otherwise permitted by applicable legislation, NUA Coach shall obtain consent from data subjects before processing their personal data. The request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The data subject shall have the right to withdraw consent at any time.
Fulfillment of a Contract
Where the processing of personal data is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, NUA Coach may process the data without obtaining additional consent.
Legal Obligation
Where the processing of personal data is necessary for compliance with a legal obligation to which NUA Coach is subject, NUA Coach may process the data without obtaining additional consent.
Vital Interests of the Data Subject
Where the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, NUA Coach may process the data without obtaining additional consent.
Task Carried Out in the Public Interest
Where the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, NUA Coach may process the data without obtaining additional consent.
Legitimate Interests
Where the processing of personal data is necessary for the purposes of the legitimate interests pursued by NUA Coach or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, NUA Coach may process the data without obtaining additional consent.
Privacy by Design
NUA Coach has adopted the principle of privacy by design and ensures that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments.
The privacy impact assessment shall include:
- Consideration of how personal data will be processed and for what purposes
- Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
- Assessment of the risks to individuals in the processing of personal data
- What controls are necessary to address the identified risks and demonstrate compliance with legislation
The use of techniques such as data minimization, pseudonymization, and encryption shall be considered when applicable and appropriate.
Where a privacy impact assessment indicates that the processing of personal data would result in a high risk to data subjects and the organization cannot adequately address these risks, the supervisory authority shall be consulted before starting the processing of personal data.
Contracts Involving the Processing of Personal Data
NUA Coach shall ensure that all relationships in which personal data is processed on behalf of others are subject to a documented contract that includes the specific information and terms required by the applicable legislation. For more information, see NUA Coach's data processing agreement guidelines.
International Transfers of Personal Data
NUA Coach may transfer personal data outside the country or region in which it was collected, in accordance with applicable legislation. In such cases, NUA Coach shall ensure that the transfer is subject to appropriate safeguards, such as adequacy decisions or standard contractual clauses, to ensure that the data is protected to the same standard as required by the applicable legislation.
Data Protection Officer
Applicable legislation may require NUA Coach to designate a Data Protection Officer (DPO). The DPO must be an expert in data protection law and practices, and although the DPO may be a member of NUA Coach's existing staff, they shall be able to perform their duties and tasks independently. NUA Coach has designated an internal DPO to ensure compliance with the applicable legislation. The DPO is responsible for advising on data protection obligations, monitoring compliance, and serving as a point of contact for data subjects and the supervisory authority.
Data Breach Notification
It is NUA Coach's policy to be fair and proportionate when considering the actions to take to inform affected parties regarding breaches of personal data. In accordance with the applicable legislation, where a breach is known to have occurred that is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority shall be informed within 72 hours. This will be managed in accordance with our security incident response process. NUA Coach shall keep a record of personal data breaches, regardless of whether notification is required. Failure to notify the supervisory authority of a breach may result in a fine, in addition to the fine imposed for the breach itself.
Compliance with Applicable Privacy Legislation
The following actions are carried out to ensure that NUA Coach complies at all times with the applicable privacy legislation:
- The legal basis for the processing of personal data is clear and unambiguous
- A Data Protection Officer with specific responsibility for data protection compliance has been designated
- All staff involved in handling personal data understand their responsibilities for following good data protection practices
- Data protection training has been provided to all staff
- Rules regarding consent are followed
- Routes are available for data subjects wishing to exercise their rights regarding personal data, and such inquiries are handled effectively
- Reviews of procedures involving personal data are conducted on a regular basis
- Privacy by design is adopted for all new or changed systems and processes
The following documentation of processing activities is maintained:
- Organization name and relevant details
- Purposes of processing personal data
- Categories of individuals and personal data processed
- Categories of recipients of personal data
- Agreements and mechanisms for transfers of personal data to third-party countries or international organizations
- Retention periods for personal data
- Relevant technical and organizational controls in place
These actions are regularly reviewed as part of the management process related to privacy and data protection.
Exceptions
Any exception to the policy must be approved in advance by NUA Coach. Exceptions shall be documented and reviewed on a regular basis to ensure that they remain valid and that the risk associated with each exception is understood and accepted.
Compliance
Any violation of this policy may result in disciplinary action, up to and including termination of employment or contract, depending on the nature and severity of the violation. NUA Coach reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Complaints about non-compliance with this policy should be directed to support@nua.coach. Any employee found to have violated this policy may be subject to disciplinary action, including but not limited to reprimand, suspension, or termination of employment. Any such action shall be applied consistently, regardless of the position of the employee, and shall serve as a deterrent for future violations.
Accountability, Review, and Audit
NUA Coach shall conduct regular reviews and audits of its data processing activities to ensure ongoing compliance with this policy and the applicable privacy legislation. The results of these reviews and audits shall be reported to senior management and, where applicable, to the supervisory authority. NUA Coach shall update this policy as necessary to reflect changes in the applicable legislation, industry best practices, and the organization's own practices.