Effective Date: February 19, 2025.
- Introduction
- Principles
- Categories of Personal Data and Retention Periods
- Data Deletion Procedures
- Data Security
- Client Rights
- Review of this Policy
- Contact Information
Introduction
This Data Retention Policy outlines how Narcissistic Abuse Rehab manages and retains personal data in compliance with the General Data Protection Regulation (GDPR) and Swedish data protection legislation. We are committed to protecting the privacy and security of all personal data we process.
Principles
Our data retention policy is based on the following principles:
- Data Minimization: We only collect and process personal data that is necessary for the specified purpose.
- Storage Limitation: We retain personal data for the shortest possible time necessary to fulfill the purpose for which it was collected.
- Accuracy: We strive to keep personal data accurate and up to date.
- Confidentiality and Security: We maintain appropriate security measures to protect personal data from unauthorized access, use, or disclosure.
- Legal Compliance: We comply with all applicable data protection laws and regulations.
Categories of Personal Data and Retention Periods
The following table outlines the categories of personal data we collect and process, along with their respective retention periods:
Category of Personal Data | Purpose of Processing | Retention Period | Justification |
---|---|---|---|
Client Contact Information (Name, Address, Phone, Email) | Scheduling, communication, invoicing | 3 years after the end of the coaching relationship, with explicit client consent. Otherwise, 1 year. | Legitimate business interest (e.g., potential future contact, sending occasional updates about services) balanced with client privacy. Shorter retention if no consent. |
Client Background Information (Goals, Challenges, etc.) | Tailoring coaching approach | 1 year after the end of the coaching relationship. | Data no longer needed for the original purpose. |
Session Notes | Supporting client progress, continuity of care (if applicable) | 2 years after the end of the coaching relationship. Clients are informed of this policy. | Professional best practice, balanced with client privacy. Shorter retention possible depending on specific circumstances and client agreement. |
Progress Tracking Data | Assessing coaching effectiveness | 1 year after the end of the coaching relationship. | Data no longer needed for the original purpose. |
Client Agreements/Contracts | Legal and contractual obligations | 7 years after the termination of the contract. | Compliance with Swedish accounting and contract law. |
Financial Records (Invoices, Receipts) | Accounting and tax purposes | 7 years, as required by Swedish tax law. | Compliance with legal obligations. |
Referral Information (Name of referrer, reason for referral) | Managing referrals | 1 year after the referral is made (unless client engages in coaching). | Data no longer needed for the original purpose. |
Marketing Data (Email addresses for newsletters, with consent) | Sending marketing communications | Until consent is withdrawn. | Compliance with GDPR requirements for marketing communications. |
Data Deletion Procedures
We have implemented the following procedures for deleting personal data:
- Automated Deletion: Where possible, data is deleted automatically after the specified retention period.
- Manual Deletion: For data that is not automatically deleted, we have a process for regularly reviewing and deleting data that is no longer necessary.
- Secure Deletion: All data is deleted securely to prevent recovery. This includes physical shredding for paper documents and secure wiping or destruction of electronic data.
Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, use, or disclosure. These measures include:
- Encryption: We use Stripe to process payments for our services. When you make a payment, you provide information to Stripe, including your payment card details, billing address, and other information necessary to complete the transaction. Stripe’s privacy policy, which can be found here, explains how they process your payment information. We use Google Workspace (which includes Gmail, Drive, Docs, and other services) to store and process personal data, including client contact information, session notes, and other data related to your coaching engagement. Google’s privacy policy, available here, details their data processing practices. We have Data Processing Agreements (DPAs) in place with both Stripe and Google to ensure your data is protected in accordance with the GDPR.
- Access Controls: Access to personal data is restricted to authorized personnel only.
- Regular Security Assessments: We conduct regular security assessments to identify and address potential vulnerabilities.
- Data Breach Procedures: We have procedures in place to respond to data breaches in accordance with GDPR requirements.
Client Rights
Clients have the following rights regarding their personal data:
- Right to Access: Clients can request access to the personal data we hold about them.
- Right to Rectification: Clients can request that we correct any inaccurate or incomplete personal data.
- Right to Erasure (“Right to be Forgotten”): Clients can request that we erase their personal data under certain circumstances.
- Right to Restriction of Processing: Clients can request that we restrict the processing of their personal data under certain circumstances.
- Right to Data Portability: Clients can request to receive their personal data in a machine-readable format.
- Right to Object: Clients can object to the processing of their personal data for certain purposes.
Review of this Policy
This Data Retention Policy will be reviewed and updated at least annually or as necessary to reflect changes in legislation or our data processing practices.
Contact Information
If you have any questions or concerns about this Data Retention Policy, please contact us.