Privacy Policy
Last updated: September 4, 2025
This Privacy Policy applies to ceoatheart.com and all related services offered under the names Lisa Maria Coaching and CEO at Heart Academy (together, the “Services”).
The Services are operated by Lisa Padilla, Enskild Firma (organization number: 880409-2842), registered in Sweden, who is the data controller responsible for your personal data.
1. Who we are (Data Controller)
- Lisa Padilla (Enskild Firma)
- Business name: Lisa Maria Coaching
- Organization number: 880409-2842
- Registered in Sweden
- Contact: [email protected]
If you have questions about this policy or your data, contact us via email. We do not currently appoint a Data Protection Officer.
2. What data we collect
2.1 Data you provide to us
Account & contact data: name, email, billing address, country, business name (if any).
Cookies & similar: pixels, tags and local storage for essential site functions, analytics, and (if you consent) advertising.
2.3 Data from third parties
Payment processors (e.g., Stripe/PayPal): payment status, last 4 digits of card, expiry month/year (we do not store full card numbers).
Advertising & social platforms (e.g., Meta/Google) if you’ve accepted marketing cookies or interacted with our ads.
Course/membership platforms and CRM/automation tools used to deliver Services.
3. Why we use your data (purposes & legal bases)
We process personal data only when we have a legal basis under GDPR:
| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Provide and operate the Services | Account creation, course access, membership/community, coaching calls | Contract (Art. 6(1)(b)) |
| Payments & invoicing | Process orders, manage subscriptions, VAT compliance | Contract; Legal obligation (tax/VAT) |
| Customer support | Respond to emails, fix issues | Legitimate interests (quality & support) |
| Service improvement | Analytics, troubleshooting, feature usage | Legitimate interests (improve Services) |
| Marketing communications | Newsletters, product updates, freebies | Consent (opt-in) or Legitimate interests where allowed; you can opt out anytime |
| Legal & security | Prevent abuse, enforce terms, keep records | Legitimate interests; Legal obligation |
Where we rely on consent, you can withdraw it at any time (see Section 9). Where we rely on legitimate interests, we balance those interests against your rights and expectations.
4. Cookies and similar technologies
We use:
Essential cookies to run the site (login, security, checkout).
Analytics cookies to understand site performance (e.g., Google Analytics).
Advertising/retargeting cookies (e.g., Meta Pixel, Google Ads) if you consent, to measure campaigns and show relevant ads.
You can manage your preferences via our Cookie banner at any time, and through your browser settings. See our separate Cookie Policy for details (types, lifetimes, and partners).
5. How we share information
We don’t sell your personal data. We share it only with:
Service providers (processors) who help us operate the Services (hosting, analytics, email/CRM, payment processing, course/membership platform, scheduling, community). They may only process data under our instructions.
Professional advisors (legal, accounting) under confidentiality.
Authorities when required by law or to protect rights, safety, and security.
Business transfers: if we reorganize, merge, or sell parts of the business, data may transfer under this same policy.
Current core categories of processors may include (illustrative, not exhaustive): web hosting/CDN, email/CRM & automation, payment processors, analytics, advertising platforms, scheduling, and helpdesk tools. We keep contracts and safeguards in place with each.
6. International transfers
We are based in Sweden and process data in the EEA/UK. Some providers may process data in countries outside the EEA/UK (for example, the United States). When transfers occur, we use appropriate safeguards such as:
EU Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum/Agreement; and
Additional technical/organizational measures as needed.
You can contact us for more information about specific transfer safeguards.
7. Data retention
We keep personal data only as long as necessary for the purposes above:
Account, course & membership records: while your account is active and for up to 3 years after last activity, to handle queries and maintain service records.
Transaction & invoice data: kept for 7 years to meet Swedish bookkeeping/tax obligations.
Marketing data (email consent, engagement): until you withdraw consent or after 24 months of inactivity, whichever is earlier.
Support communications: typically 24 months.
We may retain data longer if required by law, to establish or defend legal claims, or for security. When no longer needed, we securely delete or anonymize it.
8. Your rights (EEA/UK)
You have the right to:
- Access your data and get a copy.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”) in certain cases.
- Restrict processing in certain cases.
- Object to processing based on legitimate interests or direct marketing (including profiling for marketing).
- Data portability for data you provided to us, where processed by automated means and based on consent or contract.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your supervisory authority. In Sweden, this is Integritetsskyddsmyndigheten (IMY). If you are in the UK, this is the Information Commissioner’s Office (ICO). You can also contact your local authority in the EEA.
To exercise these rights, email [email protected]. We may need to verify your identity before responding.
9. Marketing choices
Emails: you can unsubscribe at any time via the link in our emails or by contacting us.
Ads & cookies: use our cookie banner and your browser/device settings to control analytics/advertising cookies. You may still see generic ads if you opt out.
10. Security
We use appropriate technical and organizational measures to protect your data (encryption in transit, access controls, least-privilege access, regular updates). No system is 100% secure, but we work to prevent unauthorized access, disclosure, alteration, or destruction.
11. Children
Our Services are intended for adults (18+). We do not knowingly collect personal data from children under 13 in Sweden. If you believe a child has provided personal data, contact us and we will delete it. If you provide coaching for minors through a parent/guardian, processing will be limited to what’s necessary and with appropriate consent.
12. Community areas
If you participate in our community spaces, events, or group calls, information you choose to share may be visible to other participants. Please avoid posting sensitive personal data. We may moderate to uphold community standards.
13. Automated decision-making & profiling
We do not make decisions with legal or similarly significant effects based solely on automated processing. We may use basic profiling for marketing (e.g., segmenting by interests or purchases) to send content that’s more relevant. You can object at any time.
14. Third-party links
Our site may link to third-party websites. Their privacy practices are not covered by this policy. Please review their policies before providing personal data.
15. Changes to this policy
We may update this policy to reflect changes in our Services, technology, or law. We’ll post the updated version here and update the “Last updated” date. If changes are material, we’ll provide a more prominent notice.