Privacy statement
How your data is handled — for the website, training administration and in-company engagements. Version 27 April 2026.
Who is responsible
Mitchel Heitinga, trading as IEMT Training, is the data controller within the meaning of the General Data Protection Regulation (GDPR) for the personal data collected on this website, in the training administration and during in-company engagements.
Contact: [email protected]. Chamber of Commerce number and registered address: [to be added after registration].
What data I collect
When you make contact via the website: name, email address, phone number (if you provide it yourself) and the content of your message. Via the hosting provider's server logs — as on virtually every website — technical information such as IP address, browser type and pages visited is recorded.
When you register for a training: additionally name and address details for invoicing, professional background and relevant work-practice context, accommodation or dietary preferences (for in-person trainings), and — for the guided variant — a short intake about what you want to achieve in your own practice.
During the certification process: two written case studies and one video recording of a session of roughly twenty minutes. These materials are used solely for the Association assessment by me as approved trainer; identifying client data is not recorded (clients are coded as "CS1" / "CS2" and the demonstration subject gives written consent).
For invoicing: billing address, VAT number if applicable, and payment details insofar as necessary for the administration.
Cookies and tracking
This website uses only functional storage that is necessary for the site to work (for example, language preference). This requires no consent under Dutch cookie law and is not used for tracking.
For visitor statistics I use Plausible Analytics, self-hosted on my own infrastructure. Plausible sets no cookies, collects no personal data, uses no cross-site tracking and shares no data with third parties — the statistics stay entirely within my own environment. No marketing or tracking cookies are placed.
Why I process this data
Processing takes place on the following GDPR legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): for scheduling sessions, communication during the engagement and invoicing.
- Legal obligation (Art. 6(1)(c) GDPR): for the 7-year retention obligation of the administration under the Dutch General Tax Act.
- Legitimate interest (Art. 6(1)(f) GDPR): for answering contact requests and running a secure, functioning website.
- Consent (Art. 6(1)(a) GDPR): if you sign up for a newsletter or explicitly consent to coordination with another practitioner.
How long I keep data
- Contact messages without follow-up: maximum 6 months, then deleted.
- Session notes: maximum 1 year after completion of the engagement, then destroyed.
- Contractual documents and invoicing: 7 years after the end of the financial year, per statutory retention obligation.
- Newsletter subscriptions: until you unsubscribe (unsubscribe link is in every mailing).
Who data is shared with
Data is not sold or shared for marketing purposes. Part of the processing deliberately runs on self-hosted software on my own infrastructure, precisely to keep as little data as possible with external parties:
- Website infrastructure: the site runs on Cloudflare infrastructure (hosting and network), processing technical server logs such as IP address. A processor agreement with Cloudflare has not yet been formally concluded — this is an open GDPR action point to be arranged before final go-live.
- Appointment scheduling: via Cal.com, self-hosted on my own infrastructure. No booking data goes to an external Cal.com service.
- Participant and lead administration: sign-ups for trainings are recorded in Twenty CRM, self-hosted on my own infrastructure within the EU (crm.iemtcoaching.com). There is no external CRM processor; the data stays within my own environment. Retention: three years for leads without client status, seven years for clients per the statutory tax retention obligation.
- Visitor statistics: via Plausible Analytics, self-hosted (see "Cookies and tracking") — no external processor, no personal data.
- Email: [mail provider — to be added] for sending and receiving email.
- Bookkeeping: [accounting software or accountant — to be added] for invoicing and administration.
- For corporate engagements: only at process level (start, end and status updates) with the client organisation, per the three-party agreement signed in advance.
- Current treating practitioner: only with your written consent (collaboration consent) and only as agreed in that form.
- Legally mandated authorities: the Tax Administration (invoicing data), the Dutch Data Protection Authority (in case of a data breach), or a court upon a judicial order.
Data stays within the European Economic Area (EEA). If a processor processes data outside the EEA, this happens solely on the basis of the European Commission's standard contractual clauses or an adequacy decision.
Security
Session notes and client dossiers are stored encrypted. Passwords and access to relevant systems are protected with two-factor authentication. Should a data breach unexpectedly occur, I report it within 72 hours to the Dutch Data Protection Authority and — if appropriate — to those affected, per GDPR Articles 33 and 34.
Your rights
Under the GDPR you have the following rights:
- Access to the data I process about you (Art. 15 GDPR).
- Rectification of inaccurate or incomplete data (Art. 16 GDPR).
- Erasure of data (Art. 17 GDPR), subject to statutory retention periods.
- Restriction of processing (Art. 18 GDPR).
- Portability of data you provided yourself (Art. 20 GDPR).
- Objection to processing based on legitimate interest (Art. 21 GDPR).
- Withdrawal of consent at any time, where processing is based on consent.
You can submit a request via [email protected]. To prevent misuse I may ask you to verify your identity. I respond within 4 weeks.
If you are not satisfied with how I handle your data, you also have the right to lodge a complaint with the Dutch Data Protection Authority.
Changes
This privacy statement may be amended when legislation or practice gives reason to. The most recent version is always available on this page. For ongoing training engagements, the version that was active at the time of signing the participant agreement applies, unless you are explicitly informed of a change.
Contact
Privacy questions: [email protected].