Privacy notice.
How personal data is collected, processed, and protected in connection with this site, the practice that runs around it, and any communication or service between you and the practitioner. Aligned with the EU General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DSG/nDSG).
1. What this Privacy Notice is about.
This Privacy Notice describes how personal data is collected, processed, and protected in connection with evaniencke.com, the practice that runs around this site, and any communication or service between you and the practitioner. The terms data and personal data are used interchangeably throughout.
Personal data means information relating to identified or identifiable individuals, where the data, alone or in combination with other available information, makes it possible to identify those individuals. Sensitive personal data is a subset specifically protected under applicable data protection law. It includes information revealing racial or ethnic origin, health data, religious or philosophical beliefs, biometric data for identification purposes, and information relating to trade union membership. Section 3 sets out the categories of data processed under this Notice. Processing means any operation performed on personal data, including collection, storage, use, alteration, disclosure, and erasure.
This Privacy Notice is aligned with the EU General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DSG/nDSG). The application of these laws depends on the individual case.
If you share data with the practice about other individuals (for example, family members or co-workers), you confirm that you are authorized to do so and that the relevant data is accurate. Please ensure that any such individuals have been informed about this Privacy Notice.
Where additional processing activities take place that are not covered by this general Notice, you will receive a separate, just-in-time notice at the point of collection.
2. Who is the controller for processing your data.
The data controller for processing under this Privacy Notice is:
Chemin de Grand-Vennes 77
CH-1010 Lausanne, Switzerland
Email: info(at)evaniencke.com
Unless otherwise stated in an individual case (for example, in a separate notice, on a form, or in a contract), Eva van Rhee is the controller for all processing activities described in this Notice. The practice is not required to appoint a Data Protection Officer under applicable law. Data protection inquiries may be directed to the address and email above.
For each processing activity there are one or more parties responsible for ensuring that the processing complies with data protection law. The controller is responsible for, among other things, responding to access requests (Section 11) and ensuring that personal data is processed securely and lawfully. Sections 3, 7, and 12 contain additional information about third parties that act as separate controllers for their own processing.
3. What data is processed.
The categories of data processed are set out below.
Technical data
When you use the website, the IP address of your device and other technical data are collected to ensure the functionality and security of the site. This includes server logs of system access. Technical data is generally retained for six months. On its own, technical data does not allow identification, but it may be linked to other categories of data, and potentially to you, in the context of registrations or contractual performance. Technical data includes the IP address, information about the operating system of your device, the date, region, and time of use, and the browser used. The approximate region of access can be inferred from the IP address.
Communication data
When you communicate with the practice through the contact form, the booking form, the waitlist form, by email, or by letter, the data exchanged is collected. This includes your contact details, the metadata of the communication, and (where applicable) its content. Communication data is generally retained for twenty-four months from the last exchange. This period may be longer where required for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. Email correspondence is generally retained for ten years.
Master data
Master data refers to the basic information needed, in addition to contract data, for the performance of contractual and other relationships. This includes name, contact details, role and function (where relevant), and any declarations of consent. Master data may be received from you, from parties you work for, or from public sources. Master data is generally retained for ten years from the last exchange, or for a shorter period where the contact has been used only for limited purposes.
Payment information is processed primarily by payment service providers (Stripe and PayPal). The practice does not receive or store full bank account numbers or full credit card details. Limited transaction data is received (such as payment status, amount, currency, and reference ID).
Contract data
This is data collected in connection with the conclusion or performance of a contract, including information about services provided, feedback, and any complaints. For client work, this category may include health-related and other sensitive personal data that you choose to share. Contract data is generally retained for ten years from the end of the contract, or longer where required for evidentiary or regulatory purposes.
Assessment and intake data
When you complete a free quiz on this site (for example, the Free Nervous System Scan or the Free Moral Injury Scan), your responses are submitted directly from this site to Supabase (EU region). The quiz is fully anonymous: the system collects no name, email address, or other identifying contact information. Your result is shown to you on screen at the end. By taking the quiz, you agree that your anonymous responses may be used for aggregated research and publication. This is the condition that keeps the quiz free.
For client intake, additional information may be collected through a separate intake form before our work begins. This may include information about your background, current circumstances, wellbeing, and goals for the work, which may constitute sensitive personal data. You are not required to share more than you choose to share.
Aggregated and statistical data
Anonymized statistics may be created from assessment and intake data for research, publication, and service-improvement purposes. Aggregated data contains no individual identifiers and cannot be reverse-engineered to identify you. It may be used to validate the underlying instruments behind the Free Nervous System Scan and the Free Moral Injury Scan, to inform published works such as books and articles, and to improve the Root Assessments framework and the services offered.
Educational and illustrative case material
Where case examples are used in writing, training, or speaking, they are de-identified, fictionalized, or composite. Identifying details such as names, locations, occupations, and timelines are altered or omitted. Vignettes do not represent real individuals and are not direct reproductions of any client’s history or assessment.
Behavioral and preference data
The practice does not run behavioral advertising, retargeting, or profiling for marketing personalization. No behavioral profile of you is maintained. Aggregated, non-identifying information about how the website is used (for example, which pages are most visited) is collected through the privacy-respecting analytics described in Section 12.
AI-assisted preparation of personalized reports
Where reports are produced for clients (such as the personalized read of the Free Moral Injury Scan or the Free Nervous System Scan in their long-form versions inside The Assessment), the substantive analysis is conducted by Eva personally as the qualified practitioner. AI tools may be used to support consistency of formatting and language, but only on de-identified material. Direct identifiers (names, locations, organizations, other uniquely identifying references) are removed before any such tool is used and added back manually for the final report. No automated decision is made about you. All clinical interpretation originates with the practitioner. This processing does not constitute automated individual decision-making under Article 22 GDPR.
Other data
Data that may relate to you can be processed in connection with administrative or judicial proceedings, photographs or recordings at events (where applicable), and other situations not covered above. Retention is limited to what is necessary for the relevant purpose.
Most of the data described in this section is provided by you. You are not obliged to disclose data except in specific cases. To enter into a contract or use most services, master data, contract data, and registration data may be required. Where the practice cannot collect the data necessary to perform a service, the service may be refused or limited.
4. For what purposes data is processed.
Personal data is processed for the following purposes.
- Communication. Responding to your inquiries, providing information you have requested, exercising your rights (Section 11), and follow-up correspondence.
- Conclusion, administration, and performance of contracts. Master data, contract data, communication data, and (where applicable) registration data are processed in this context. This includes the run-up to a contract, performance of services, customer support, billing and accounting, the enforcement of contractual claims, and termination of contracts.
- Service delivery and personalized reports. Where assessment, intake, or session work takes place, your responses and the records of your sessions are processed to deliver the service, including the preparation of personalized reports. Personalized reports are tools for understanding and exploration, not diagnostic determinations.
- Research and validation of the frameworks and instruments used. Anonymous responses to the free quizzes are processed to validate the underlying instruments and the wider Root Assessments framework, and to support publications and professional training materials. By taking the quiz, you agree that your anonymous responses may be used for this purpose.
- Service improvement. Aggregated information about how the website is used and how services are received may be processed to improve the website and the services offered.
- Security and access control. Data is processed to monitor, test, and improve the security of the site and any associated systems, and to detect and respond to misuse.
- Legal compliance. Data is processed to comply with applicable laws and lawful requests from authorities, including identity or compliance checks where required.
- Risk management and business administration. Data is processed for accounts management, the prevention of abuse and fraud, and the planning and organization of the practice.
Profiling is not used for marketing personalization or behavioral advertising.
5. On what basis data is processed.
Where consent is requested for specific processing activities, in particular for the processing of sensitive personal data, the relevant purposes are explained at the point of consent. Consent may be withdrawn at any time with effect for the future, by written notice (mail or email). Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Where consent is not requested, processing relies on its necessity for entering into or performing a contract with you, or on the legitimate interests of the practice or a third party in the relevant processing. These legitimate interests include those described in Section 4, as well as compliance with legal regulations.
For sensitive personal data that you choose to share during intake or sessions (such as health-related information, beliefs, or family circumstances), processing relies on your explicit consent, given when you voluntarily provide such information through intake forms or in the course of our work together. You are not required to share sensitive information you do not wish to share.
6. Profiling and automated decisions.
For the personalized reports prepared for clients (such as the long-form versions of the Free Moral Injury Scan and the Free Nervous System Scan delivered inside The Assessment), responses are evaluated against the proprietary Root Assessments frameworks. The substantive interpretation is conducted by the practitioner. AI tools may support consistency of language and formatting in the final report, operating only on de-identified material. No decisions with legal or similarly significant effects are made automatically. Article 22 GDPR is not triggered by this processing. You may always discuss your report with the practitioner and request clarification or human review of any insight provided.
The practice does not use profiling for marketing personalization, behavioral advertising, or similar purposes. Anonymized assessment data may be used to identify patterns across the wider client base for research and publication purposes, as described in Section 3.
7. With whom data is shared.
Personal data may be disclosed to the following categories of recipients in connection with the operation of the site, the provision of services, and compliance with legal obligations.
- Service providers (data processors). External providers process data on behalf of the practice under contractual arrangements that include appropriate safeguards. The current providers are listed in Section 12.
- Contractual partners. Where services are delivered jointly with cooperation partners, or where you act on behalf of an organization with a contractual relationship with the practice, relevant data may be disclosed to that organization to the extent necessary for performance.
- Authorities. Personal data may be disclosed to courts, supervisory authorities, regulators, or law enforcement agencies in Switzerland or abroad where the practice is legally obliged or entitled to do so, or where disclosure is necessary to protect its rights.
- Other persons. This includes professional representatives (such as legal counsel or accountants), participants in legal proceedings, and parties involved in any future restructuring or transfer of the practice.
The practice does not sell personal data. Assessment and intake data is never disclosed to advertising platforms and is not used for advertising or marketing targeting.
8. International data transfers.
Some of the providers used in the operation of the site and the practice are located outside Switzerland. Personal data may therefore be processed in Switzerland, in the European Economic Area (EEA), in the United States, and (where sub-processors are involved) in other countries.
The principal cross-border processing activities are:
- Hosting and analytics (Netlify). Website hosting and cookieless analytics through Netlify, Inc. (United States). Analytics is performed server-side and does not involve cookies, device fingerprinting, or client-side tracking.
- Database and forms (Supabase). Form submissions and assessment data are stored in Supabase, with the EU region used where available.
- Email and business communications (Google Workspace). Email is processed through Google Workspace, which may operate in the EEA, the United States, and other regions.
- Payments (Stripe and PayPal). Payment data is processed by these providers as separate controllers. Stripe Payments Europe Ltd. is based in Ireland; PayPal (Europe) S.à r.l. et Cie, S.C.A. is based in Luxembourg. Both may process data in the United States and other countries where they operate.
- AI-assisted formatting (Anthropic). Where AI tools are used to support consistency in personalized reports, only de-identified material is transmitted to Anthropic, PBC (United States). No direct identifiers are shared. Anthropic is contractually prohibited from using this data for model training.
Where a recipient is located in a country that does not provide an adequate level of data protection under Swiss data protection law or the GDPR, appropriate safeguards are put in place. This typically includes Standard Contractual Clauses (SCCs) or equivalent legally recognized mechanisms, unless an exception applies (for example, where the transfer is necessary to perform a contract with you).
Even where safeguards are in place, absolute protection cannot be guaranteed, in particular due to the possibility of government access in some jurisdictions. Where appropriate, additional practical measures are applied, including data minimization, access restrictions, and manual de-identification before transfer for AI-assisted processing.
Data exchanged over the internet may be routed through third countries, meaning data may transit through jurisdictions other than the sender’s or recipient’s location.
9. How long data is kept.
Data is processed for as long as the relevant purposes, applicable retention periods, and legitimate interests in evidence and documentation require, or for as long as storage is a technical requirement. Retention periods for the main data categories are set out in Section 3. Once the storage or processing period expires, data is deleted or anonymized through the practice’s regular processes, unless legal or contractual obligations require longer retention.
Documentation and evidence purposes include the practice’s interest in documenting processes, interactions, and other facts in view of legal claims, IT security requirements, and compliance demonstrations. Retention may be a technical requirement where certain data cannot be separated from other data and therefore needs to be kept with it (for example, in backups or document management systems).
10. How data is protected.
Appropriate technical and organizational security measures are taken to maintain the confidentiality, integrity, and availability of personal data, and to protect against unauthorized or unlawful processing, accidental loss, alteration, or disclosure.
These measures include encryption of data in transit, pseudonymization where appropriate, access restrictions, secure backups, and confidentiality obligations on anyone with access to client data. Service providers are required to maintain comparable security measures.
Security risks cannot be eliminated entirely; some residual risk is unavoidable. In the event of a personal data breach that poses a risk to your rights and freedoms, you and the relevant supervisory authority will be notified as required by applicable law, generally within seventy-two hours of the practice becoming aware of the breach.
11. Your rights.
Under applicable data protection law, you have the following rights in relation to your personal data:
- The right to request information about whether and how your data is processed.
- The right to have inaccurate data corrected.
- The right to request the erasure of your data.
- The right to receive certain personal data in a commonly used electronic format, or to have it transferred to another controller.
- The right to withdraw consent, where processing is based on consent.
- The right to object to processing in certain circumstances, in particular for direct marketing purposes (where applicable) or for processing based on legitimate interests.
- The right to express your point of view in case of any automated decision and to request human review.
To exercise any of these rights, write to the email address in Section 2. To prevent misuse, identification may be requested (for example, a copy of an identity document, where this is the only available means of verification).
These rights are subject to conditions, exceptions, and restrictions under applicable law (for example, to protect the rights of third parties, trade secrets, or where retention is required to comply with a legal obligation). Where a request cannot be granted in full, you will be informed of the reason.
If you are not satisfied with how your rights are handled, you may lodge a complaint with the competent data protection supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). In the Netherlands, this is the Autoriteit Persoonsgegevens. In the EEA, you may lodge a complaint with the supervisory authority in your country of residence.
12. Online tracking.
The site uses a deliberately limited set of technologies to ensure functionality, security, and basic understanding of how the site is used. There is no advertising tracking, no behavioral profiling, and no cross-site tracking on this site.
Hosting and analytics: Netlify
The site is hosted on Netlify (Netlify, Inc., United States). Netlify Analytics is used in cookieless mode. Aggregated information about page views, referrers, and broad geographic regions is derived from server logs. No cookies are set on your device for analytics purposes. No client-side tracking script is loaded. Individual visitors are not identified.
Forms and assessments: Supabase
All forms on the site submit directly to Supabase (Supabase Inc., with EU region used where available). This includes the contact form, the booking form, the waitlist form, and the free quizzes. Supabase acts as a data processor under an appropriate agreement.
Email: Google Workspace
Email correspondence is processed through Google Workspace (Google Ireland Ltd., Ireland), which may use sub-processors in the United States and other countries.
Payments: Stripe and PayPal
Where payments are taken, Stripe Payments Europe Ltd. (Ireland) and PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) act as separate controllers under their own privacy notices. The practice does not store full card details or bank account numbers.
AI-assisted formatting: Anthropic
Where AI tools are used to support consistency in personalized reports (Section 3 and Section 6), Anthropic, PBC (United States) acts as a data processor. Anthropic does not set cookies on your device through this site; the processing occurs server-side, on de-identified material only.
Fonts: Google Fonts
Web fonts are loaded from Google Fonts. Google may receive your IP address as part of normal HTTP requests. No cookies are set by Google Fonts in this configuration.
What is not used
No Meta Pixel, LinkedIn Insight Tag, Google Ads, retargeting pixel, or comparable advertising-measurement technology is used on this site. No client-side advertising or behavioral cookies are set. No personalization profile is maintained. Cookies, where set at all, are limited to those necessary for site functionality.
13. Social network pages.
The practice maintains the following social media presences:
- LinkedIn: linkedin.com/in/evaniencke
- Instagram: instagram.com/evaniencke
- Substack: evaniencke.substack.com
When you interact with these pages, the platforms collect data about your interaction under their own responsibility as separate controllers. They process this data for their own purposes, including platform personalization and (where applicable) advertising. Limited control is available over the analytics and audience data the platforms generate from these pages.
For information about the platforms’ processing, please refer to their privacy notices: linkedin.com/legal/privacy-policy, help.instagram.com/155833707900388, and substack.com/privacy.
For LinkedIn Page Insights, the practice may be considered a joint controller with LinkedIn under applicable case law (CJEU: Wirtschaftsakademie). LinkedIn provides further information about this in its Page Insights Joint Controller Addendum.
Content published by you on these platforms (for example, public comments) may be redistributed where consistent with the platform’s terms.
14. Updates to this Notice.
This Privacy Notice is not part of a contract with you. It may be updated as services change or as legal requirements evolve. The version published at evaniencke.com/privacy is the current version. The last updated date at the top of this page reflects the most recent revision. Where an update materially affects how your data is handled, you will be notified directly where appropriate.