Privacy Policy

Last updated: 01 September 2025

1) Who we are (Controller)

Pranado gGmbH
Zeppelinstr. 189, 69121 Heidelberg, Germany
Email: hello@do-for.life
This policy explains how we process personal data when you visit do-for.life, contact us, or use our services (speaking, workshops, coaching, retreats).

2) What we process, why, and on which legal bases

We only process what is necessary. Depending on your interaction, we process:

Contact details & content (name, email, phone, messages) to reply to you and perform pre-contractual/contractual steps (Art. 6(1)(b) GDPR).
Session & server logs (IP address, timestamp, user agent, referrer, requested URLs) to deliver the site, maintain security, and prevent abuse (Art. 6(1)(f) GDPR legitimate interests).
Booking & event data (e.g., names, tickets, special requests) when you book retreats via pretix and when you schedule calls via Outlook Bookings (Art. 6(1)(b) GDPR; where required, Art. 6(1)(a) consent).
Messenger metadata if you message us on WhatsApp or Signal (your number, time, device info) – messages are end-to-end encrypted on Signal; WhatsApp processes metadata per its EEA privacy policy (Art. 6(1)(a) consent or (f)) Signal Messenger WhatsApp.com.
Form data when you use Typeform (context to route your request) (Art. 6(1)(b); (a) where you choose to provide sensitive details) typeform.com help.typeform.com.

We do not use non-essential cookies/trackers by default. If we introduce analytics or third-party embeds that set cookies, we will ask for your consent first (see Cookies/TTDSG).

3) Where we process and how we transfer data

EU/EEA by default. We aim to store/process within the EU/EEA where feasible.
Microsoft 365 / Bookings. Microsoft completed its EU Data Boundary (Phase 3, Feb 2025) for Microsoft 365 services, including support data. Microsoft also participates in the EU-US Data Privacy Framework. When transfers occur, Microsoft applies DPF and/or SCCs as appropriate. Microsoft Learn The Official Microsoft Blog Microsoft
Typeform. Typeform S.L. (Spain) acts as our processor. Typeform provides a GDPR DPA and describes processing locations and sub-processors; where transfers outside the EEA are involved, SCCs apply. typeform.com help.typeform.com
pretix (retreat bookings). If we use pretix Hosted, pretix states your data is processed within the EU and stored in data centers in Germany; a GDPR DPA is available. docs.pretix.eu pretix.eu
Signal & WhatsApp. Signal minimises data collection; messages and calls are end-to-end encrypted. WhatsApp processes metadata under its EEA policy and separate business data processing terms. Use is voluntary; you can always contact us by email instead. Signal Messenger WhatsApp.com+1

4) Cookies & similar technologies (TTDSG)

Our site uses essential cookies (e.g., Joomla session) to make the website work; no consent is required for these. Any non-essential cookies (analytics, marketing, or certain third-party embeds) will be off by default and require your opt-in under § 25 TTDSG. If a banner offers “Accept all”, it will also offer an equivalent “Reject all”. You can change your choice anytime. Joomla! Dokumentation Didomi Ailance

5) Our processing in detail

5.1 Website hosting & server logs

We (or our hosting provider) process server logs to deliver content and protect against abuse (IP, timestamp, URL, user agent, referrer). Logs are kept briefly (security/diagnostics) and then deleted or anonymised (Art. 6(1)(f)).

5.2 Contacting us: email, WhatsApp, Signal, phone

If you contact us, we process your details to handle the request (Art. 6(1)(b)).

Signal: designed to collect minimal metadata; messages/calls are E2E-encrypted. Signal Messenger
WhatsApp: processes metadata and may share with Meta group companies per EEA policy; please avoid sending sensitive data here. Email is always available as a privacy-friendly alternative. WhatsApp.com

5.3 Typeform contact form (embedded)

If you use our Typeform, your inputs (name, contact, context) are processed by Typeform for us. We limit required fields and ask only for what is necessary. For Optional sensitive info, we rely on your explicit consent (Art. 6(1)(a)). DPA in place; SCCs where needed. typeform.com

5.4 Booking calls via Microsoft Bookings (Outlook)

When you schedule, Microsoft processes your name, email, selected slot and notes to arrange the call. Microsoft 365 now operates under the EU Data Boundary; DPF/SCCs apply where transfers occur. Microsoft Learn The Official Microsoft Blog Microsoft

5.5 Retreat bookings via pretix

For event/retreat bookings, pretix processes participant data (e.g., name, email, ticket data, custom fields you submit). pretix documents EU hosting (DE data centers) and offers a GDPR DPA. We will only collect health/food/allergy data where necessary for the retreat and based on your explicit consent or vital interests (e.g., allergy safety). docs.pretix.eu pretix.eu

5.6 Video calls (Teams/Zoom)

If we meet online, your name, email, and call metadata are processed by the platform. Recording is off by default; if a recording is ever useful, we will ask beforehand (Art. 6(1)(a)).

5.7 Social media pages

When you visit our profiles (e.g., Instagram/Facebook/YouTube), the platform operators process data under their own policies. We receive only aggregated insights.

6) How long we keep data

We keep data only as long as necessary:

Contact requests: typically 6–12 months after closure.
Contractual files (e.g., bookings, invoices): up to 10 years (tax/commercial law).
Server logs: short retention (security/diagnostics), then delete/aggregate.

7) Who receives data

Processors (hosting, Microsoft 365, Typeform, pretix) and, where needed, professional advisors (tax/legal). We do not sell data. Transfers follow the mechanisms in Section 3.

8) Your rights under GDPR

You can access, rectify, erase, restrict, object, and request data portability. You also have the right to withdraw consent at any time (without affecting prior lawful processing) and to lodge a complaint with a supervisory authority (e.g., the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, Königstraße 10a, 70173 Stuttgart, poststelle@lfdi.bwl.de). Datenschutz-Grundverordnung hohenstein-academy.com

9) Is providing data required?

You don’t have to provide personal data when browsing. For contacting/booking, certain fields are required to respond or provide the service; without them we may not be able to proceed (Art. 13(2)(e/f) GDPR). Datenschutz-Grundverordnung

10) Children

Our coaching/workshops target adults and organisations.

11) Security

We use HTTPS and appropriate technical and organisational measures; access to systems is limited, staff instructed, and processors bound by DPAs.

12) Changes to this notice

We will update this page if we change tools or purposes. Substantial changes will be signposted.

Information

do for life logo

Embodied wisdom & mindful transformation.

From roots to transformation – a unique martial arts philosophy retreat in Portugal. Experience depth, connection & personal growth beyond sport.