Privacy Policy
This Privacy Policy explains how Nina Costioli, operating as Lead From Within (the "Coach", "we", "us", or "our"), collects, uses, shares and protects your personal data when you visit leadfromwithin.ch (the "Site") or engage our coaching services (the "Services").
We process your personal data in accordance with the Swiss Federal Act on Data Protection (FADP / nFADP), and — when you reside in the European Economic Area (EEA) or the United Kingdom — the EU General Data Protection Regulation (GDPR) and the UK GDPR.
01 Who is responsible for your data
The data controller responsible for your personal data is:
Nina Costioli — sole proprietor, operating as Lead From Within
Switzerland
Email: info@leadfromwithin.ch
Phone: +41 78 732 07 16
We are a small, single-practitioner coaching practice and are not legally required to designate a Data Protection Officer (DPO). For any question about your personal data, please write to the email above and mark your message "Privacy request".
02 Data we collect
We collect only the personal data we genuinely need to operate the Site and deliver coaching services.
2.1 Data you give us directly
| When | What we collect |
|---|---|
| Booking a free intro call (reservations form) | Full name, email address, phone number (optional), the topic you'd like to focus on (optional), the date/time you select |
| Creating a client account | Full name, email address, password (stored only as a salted bcrypt hash — never in plain text) |
| During coaching engagements | Notes Nina takes during sessions, homework you complete, journal entries you choose to write in your account, resources we share with you |
| Contacting us by email | The contents of your message and your email address |
| Submitting a testimonial (with consent) | Your name (or initials if you prefer), the quote you provide, role/company you mention |
2.2 Data collected automatically
- Session cookies — once you log in, a cookie named lfw.sid identifies your browser session. It is strictly necessary to keep you signed in.
- Server logs — our server temporarily records request metadata (IP address, request path, user agent, timestamp) for security, abuse-prevention and debugging. These logs are typically purged within 30 days unless required for an active security investigation.
- Rate-limit memory — to defeat brute-force attacks on login and password reset, we keep your IP address in memory for up to 1 hour.
We do not currently use third-party analytics, advertising trackers, or behavioural profiling tools. See our Cookie Policy for the full list.
2.3 Data we receive from third parties
- Google Calendar / Google Meet — when Nina confirms your booking, a calendar event and Meet link are created via Google's Calendar API. The event attendees (your name and email) are processed by Google.
- Email provider (SMTP) — outbound emails (booking confirmations, password reset, welcome, reschedule notifications) are routed through an SMTP provider. The provider necessarily processes the recipient's email address and message contents while in transit.
03 How and why we use your data
| Purpose | Examples |
|---|---|
| Run the Site and your account | Sign-in sessions, password reset, account preferences, page-visibility settings |
| Provide coaching services | Schedule, confirm, reschedule and remind sessions; share homework, notes and resources; track session count against your package |
| Communicate with you | Reply to enquiries; send booking confirmations and reminders; reset passwords |
| Keep the service safe | Detect abuse, brute-force attempts, spam, and unauthorised access |
| Comply with legal obligations | Keep records required by Swiss tax and accounting law; respond to lawful requests by competent authorities |
| Improve the Site (aggregated, non-identifying) | Read raw error logs to fix bugs; review usage patterns of features at a non-identifying level |
We do not sell your personal data, and we do not share it with marketing networks, data brokers, or any third party for advertising purposes.
04 Legal basis for processing
Where the GDPR applies, we rely on the following lawful bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — to deliver the coaching services you have requested or signed up for, including booking management and the client account.
- Consent (Art. 6(1)(a) GDPR) — for non-essential cookies, for publishing testimonials with your name attached, and where you have explicitly opted in to receive marketing or newsletter communications. You may withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f) GDPR) — to keep the Site secure (rate limiting, abuse detection), to defend against legal claims, and to improve our service in non-intrusive ways. Where we rely on legitimate interests, we have balanced them against your rights and freedoms.
- Compliance with a legal obligation (Art. 6(1)(c) GDPR) — to keep records of invoices and payments for the periods required by Swiss law, and to respond to lawful requests from supervisory authorities or courts.
Where the Swiss FADP applies, we process personal data only when there is a lawful basis (consent, performance of a contract, our overriding legitimate interest, or a statutory obligation), in line with the principles of lawfulness, good faith, purpose limitation, proportionality, accuracy, and security.
05 Who we share data with
We share personal data only with carefully selected service providers ("processors") who help us run the Site and deliver coaching, and only to the extent strictly necessary.
| Processor | What it processes | Country |
|---|---|---|
| Hosting / infrastructure provider | All Site requests, logs, the database, file uploads | European Union or Switzerland |
| Email (SMTP) provider | Outbound emails to you (confirmations, reset links, reminders) | European Union or Switzerland (provider-dependent) |
| Google (Calendar / Meet) | The booking date/time, attendees' names and emails for confirmed sessions only | United States (with Standard Contractual Clauses and the EU-U.S. Data Privacy Framework) |
We may also disclose personal data to lawyers, accountants, auditors, or competent authorities where this is required by law or necessary to defend legal claims.
06 International transfers
Wherever possible, your personal data stays inside Switzerland or the European Economic Area. The main exception is Google (Calendar and Meet), which may transfer data to the United States. Such transfers are protected by:
- The EU–U.S. Data Privacy Framework (in respect of certified Google entities), and
- Where the framework does not apply, by the European Commission's Standard Contractual Clauses together with supplementary measures.
You can ask us for a copy of the safeguards by writing to info@leadfromwithin.ch.
07 How long we keep data
| Data | Retention |
|---|---|
| Active client account (name, email, password hash) | For as long as you keep the account, plus 90 days after deletion request to allow recovery |
| Booking and session records | 10 years after the last session, to comply with Swiss accounting and limitation periods |
| Coaching notes, homework, journal entries | Deleted promptly upon your account deletion request, unless we must keep them to defend or pursue legal claims |
| Email logs (delivery metadata) | Up to 12 months |
| Server logs (IP, request path) | Typically up to 30 days; longer only when needed for an active security investigation |
| Password-reset tokens | Single use, expire automatically after 1 hour |
| Session cookies | Until you log out or 1 hour of inactivity, whichever comes first |
| Cookie-consent record | 12 months from your last choice, then re-asked |
08 How we protect your data
We take data security seriously. Specific measures include:
- HTTPS/TLS encryption for all traffic between your browser and the Site.
- Passwords stored only as bcrypt hashes (cost factor 12); plain-text passwords are never stored or logged.
- Strict HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options, Referrer-Policy).
- Per-route rate limiting on login, registration, password reset and booking endpoints to defeat brute force and spam.
- Server-side input validation and parameterised SQL queries to prevent injection.
- Session cookies marked HttpOnly, SameSite=Lax and Secure in production; rotated on every login.
- Administrative access limited to Nina Costioli; admin actions are gated behind a separate role check on every request.
- Regular dependency reviews and patching.
No method of transmission or storage is 100% secure. We will notify you and the competent supervisory authority of any personal-data breach in line with our legal obligations (within 72 hours of becoming aware, where required).
09 Cookies and tracking
We use a small number of cookies and similar technologies. Strictly necessary cookies (such as the session cookie lfw.sid) are set automatically when you sign in. Any non-essential cookies are set only after you opt in via the cookie banner.
Read the full breakdown — including cookie names, purposes and durations — in our Cookie Policy. You can change your preferences at any time.
10 Your rights
Subject to applicable law, you have the following rights:
- Access — obtain confirmation of whether we process your data, and a copy.
- Rectification — correct inaccurate or incomplete data. You can edit your name and password directly from your account settings.
- Erasure ("right to be forgotten") — request deletion of your data, subject to legal-retention exceptions. You can trigger deletion from your account page.
- Restriction of processing — ask us to suspend processing in specific cases.
- Data portability — receive a structured, machine-readable copy of the data you have provided. You can download it from your account page.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent — for any processing based on consent, including non-essential cookies and marketing emails. Withdrawal does not affect prior lawful processing.
- Not be subject to a decision based solely on automated processing — see section 12.
- Lodge a complaint with the competent supervisory authority — see section 14.
To exercise any of these rights, log into your account and use the Privacy & data controls, or write to info@leadfromwithin.ch. We respond within 30 days. We may need to verify your identity before acting on a request.
11 Children
Lead From Within is intended for adults. We do not knowingly collect personal data from children under 16 (or the equivalent age of digital consent in your country). If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12 Automated decisions and profiling
We do not make decisions about you based solely on automated processing, and we do not engage in profiling that produces legal or similarly significant effects.
13 Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page shows when changes were last made. Material changes will be announced by email (for account holders) or by a banner on the Site.
14 Contact and complaints
For any question about this policy or to exercise your rights:
Nina Costioli — Lead From Within
Email: info@leadfromwithin.ch
Phone: +41 78 732 07 16
If you believe we have handled your personal data unlawfully, you may file a complaint with the competent supervisory authority. In particular:
- Switzerland — Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch.
- European Economic Area — your local Data Protection Authority. A list is available at edpb.europa.eu.
- United Kingdom — Information Commissioner's Office (ICO), ico.org.uk.
We would, however, appreciate the chance to address your concerns first — please get in touch.
French and German translations of this policy are provided for convenience. In case of inconsistency, the English version prevails.