Privacy Policy

Last updated: April 2026

This privacy policy explains how we collect, use, and protect your personal data when you visit www.hartei.com and use our services. We take the protection of your personal data very seriously and process it in accordance with the General Data Protection Regulation (EU Regulation 2016/679, "GDPR"), the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG"), and the Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, "TDDDG").

1. Data Controller

The controller responsible for data processing on this website within the meaning of Art. 4(7) GDPR is:

Nils Enders-Brenner
Hartei
Luswiese 6
82327 Tutzing
Germany

Email: nils@hartei.com

Data Protection Officer: The appointment of a Data Protection Officer is not required, as fewer than 20 employees are regularly engaged in the automated processing of personal data (§ 38 BDSG).

2. Overview of Data Processing

We process personal data only to the extent necessary for the provision of a functional website and our services. The collection and processing of personal data occurs only with your consent or where processing is permitted by law.

We rely on the following legal bases for processing your personal data:

Art. 6(1)(a) GDPR — Consent: You have given your consent for one or more specific purposes.
Art. 6(1)(b) GDPR — Contract performance: Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
Art. 6(1)(c) GDPR — Legal obligation: Processing is necessary for compliance with a legal obligation to which we are subject.
Art. 6(1)(f) GDPR — Legitimate interest: Processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

3. Hosting

This website is hosted by:

IONOS SE
Elgendorfer Str. 57
56410 Montabaur
Germany
www.ionos.de

When you visit our website, the hosting provider automatically collects and stores information in server log files that your browser transmits. This includes:

IP address of the requesting device
Date and time of the request
Name and URL of the file accessed
Website from which the request originates (referrer URL)
Browser type and version
Operating system used
HTTP status code
Amount of data transferred

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the stable and secure operation of our website.

A data processing agreement (Auftragsverarbeitungsvertrag) pursuant to Art. 28 GDPR is in place with IONOS SE.

4. Cookies and Consent Management

4.1 Cookie Consent Manager — tarteaucitron.js

This website uses tarteaucitron.js as a cookie consent manager to obtain and manage your consent for the use of cookies and similar technologies. When you first visit our website, a consent banner is displayed, allowing you to accept or decline specific categories of cookies.

Your consent preferences are stored in a cookie on your device so that we do not have to ask you again on each visit. You may change your consent preferences at any time.

4.2 Cookie Categories

We use the following categories of cookies:

Essential cookies: These are strictly necessary for the operation of the website and the consent management function (e.g., session cookies, consent preference cookies). They do not require your consent.
Analytics cookies: These are used by Google Analytics to collect anonymized usage statistics. They are only set after you have given your explicit consent.

4.3 Legal Basis

Essential cookies: § 25(2) TDDDG (strictly necessary for the provision of the service).

Non-essential cookies (analytics): § 25(1) TDDDG requires your consent before non-essential cookies are stored on or read from your device. The processing of data collected via these cookies is based on Art. 6(1)(a) GDPR (consent).

5. Google Analytics 4

This website uses Google Analytics 4, a web analytics service provided by:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland

(Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)

Measurement ID: G-BL9VHWRN0B

Google Analytics is only activated after you have given your explicit consent via the tarteaucitron.js consent manager. No analytics data is collected if you decline consent.

5.1 Data Collected

When activated, Google Analytics collects information such as:

Pages visited and duration of visit
Referral source/medium
Browser type and version
Operating system
Screen resolution
Anonymized IP address
Interaction events (clicks, scrolls)

5.2 IP Anonymization

IP anonymization is enabled. Google Analytics truncates your IP address within the European Union or other parties to the Agreement on the European Economic Area before it is transmitted to Google servers in the USA. Only in exceptional cases is the full IP address sent to a Google server in the USA and shortened there.

5.3 Data Transfers to the USA

Data may be transferred to Google LLC in the United States. This transfer is safeguarded by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, and where applicable, the EU-US Data Privacy Framework.

5.4 Legal Basis

Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time by adjusting your cookie preferences via the consent banner or by using the opt-out mechanisms described below.

5.5 Opt-Out

You can prevent Google Analytics from collecting your data by:

Declining analytics cookies in the tarteaucitron consent banner
Installing the Google Analytics Opt-Out Browser Add-on

For more information, see the Google Privacy Policy.

6. Contact by Email

You can contact us by sending an email to nils@hartei.com. When you contact us by email, we process the following personal data:

Your name (if provided)
Your email address
The content of your message
Date and time of the email

Legal basis:

Art. 6(1)(b) GDPR — if your inquiry relates to the performance of a contract or pre-contractual measures (e.g., inquiring about our coaching services).
Art. 6(1)(f) GDPR — for all other inquiries. Our legitimate interest is to respond to your request.

Retention: Your data will be retained for the duration necessary to fulfill the purpose of your inquiry. If your inquiry leads to a contractual relationship, statutory retention periods may apply (see Section 17). Otherwise, we delete your data once it is no longer needed and no legal retention obligations exist.

7. Booking System (TidyCal)

To book a discovery call, you may use the external booking service TidyCal. When you click on a booking link on our website, you leave hartei.com and are redirected to:

tidycal.com

TidyCal is operated by SureSwift Capital (AppSumo), based in the United States.

7.1 Data Collected by TidyCal

When you use TidyCal to book an appointment, the following data is collected:

Your name
Your email address
Your selected time slot

This data is processed on TidyCal's servers in the USA.

7.2 Legal Basis

Art. 6(1)(b) GDPR — processing is necessary for pre-contractual measures taken at your request (scheduling a discovery call).

7.3 Third-Party Privacy Policy

As TidyCal is a third-party service, their own privacy policy applies once you leave our website. Please review the TidyCal Privacy Policy for details on how your data is handled.

8. Zoom Video Conferencing

We use Zoom for coaching sessions and discovery calls. Zoom is provided by:

Zoom Video Communications, Inc.
55 Almaden Blvd., Suite 600
San Jose, CA 95113
USA

8.1 Data Collected

When you participate in a Zoom meeting, the following data may be processed:

Audio and video data
Chat messages within the meeting
Transcripts and live captions
Your display name and email address
Technical data (IP address, device information)

8.2 Legal Basis

Art. 6(1)(b) GDPR — processing is necessary for the performance of the coaching contract or pre-contractual measures (discovery call).

8.3 Data Transfers to the USA

Zoom is based in the USA. Data transfers are safeguarded by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, and where applicable, the EU-US Data Privacy Framework.

8.4 Third-Party Privacy Policy

For more information, see the Zoom Privacy Policy.

9. Messaging Services (WhatsApp, Signal, iMessage)

As part of our ongoing coaching services, we use messaging platforms for daily communication. You choose your preferred platform at the start of the coaching engagement.

9.1 Platforms Used

WhatsApp — operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland. WhatsApp uses end-to-end encryption for message content. However, metadata (e.g., timestamps, contact information) may be shared with Meta Platforms and transferred to the USA.
Signal — operated by the Signal Technology Foundation, a non-profit organization. Signal uses end-to-end encryption and collects minimal metadata.
iMessage — operated by Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA. iMessage uses end-to-end encryption between Apple devices.

9.2 Data Collected

Messages exchanged (text, voice messages)
Media shared (photos, videos, documents)
Your phone number or contact information

9.3 Legal Basis

Art. 6(1)(b) GDPR — processing is necessary for the performance of the coaching contract. The messaging service is an integral part of the coaching service you have agreed to.

9.4 Note on Encryption

Signal and iMessage provide end-to-end encryption, meaning only the communicating parties can read the messages. WhatsApp also provides end-to-end encryption for message content, but metadata may be processed by Meta Platforms. If data privacy is a primary concern for you, we recommend choosing Signal as your messaging platform.

10. Coaching Services — Data Processing

In the context of our coaching services, we process various categories of personal data to provide you with a tailored coaching experience.

10.1 Categories of Data Processed

Health-related information (exercise data, physical conditions, nutrition habits, fitness levels)
Video recordings and transcripts from Zoom coaching sessions
Individualized training plans
Progress notes and assessments
Messages exchanged via your chosen messaging platform

10.2 Special Category Data (Health Data)

Health-related data constitutes a special category of personal data under Art. 9(1) GDPR. We process this data based on your explicit consent pursuant to Art. 9(2)(a) GDPR. You provide this consent when entering into the coaching agreement and may withdraw it at any time (see Section 16).

Please note that withdrawing consent for the processing of health data may make it impossible to continue providing the coaching service.

10.3 General Legal Basis

Art. 6(1)(b) GDPR — processing is necessary for the performance of the coaching contract.

11. Field Guide (Ebook) — Email Reservation

We offer the option to register your email address to be notified when "The Hartei Method — Field Guide" ebook becomes available for purchase.

11.1 Data Collected

Your email address

11.2 Purpose

Your email address is used solely to notify you when the Field Guide is launched and available for purchase.

11.3 Legal Basis

Art. 6(1)(a) GDPR — consent. By submitting your email address, you consent to being contacted for the specified purpose.

11.4 Retention

Your email address will be retained until you withdraw your consent, or until a reasonable period after the product has launched and the notification has been sent. You may withdraw your consent at any time by contacting us at nils@hartei.com.

12. Newsletter / Email Marketing

We may offer a newsletter or email marketing communications in the future. Should we do so, the following principles will apply:

Legal basis: Art. 6(1)(a) GDPR — consent.
Double opt-in: We will use a double opt-in process, meaning you will receive a confirmation email after signing up and must click a confirmation link to activate your subscription.
Unsubscribe: Every email will contain a clearly visible unsubscribe link, allowing you to revoke your consent at any time with effect for the future.
Data collected: Email address, date and time of registration, and IP address (for proof of consent).

13. Social Media Presence

Our website contains links to our profiles on the following social media platforms. These are external links — when you click on them, you leave hartei.com and the respective platform's privacy policy applies. We have no control over the data collected by these platforms.

13.1 LinkedIn

LinkedIn Ireland Unlimited Company
Wilton Place
Dublin 2, Ireland
LinkedIn Privacy Policy

13.2 Instagram / Facebook

Meta Platforms Ireland Limited
Merrion Road
Dublin 4, Ireland
Instagram Privacy Policy

13.3 X (formerly Twitter)

X Corp.
1355 Market Street, Suite 900
San Francisco, CA 94103, USA
X Privacy Policy

13.4 TikTok

TikTok Technology Limited
10 Earlsfort Terrace
Dublin 2, Ireland
TikTok Privacy Policy

14. Google Fonts

This website uses Google Fonts that are self-hosted on our own server. When you visit our website, no connection to Google servers is established for the purpose of loading fonts, and no data is transferred to Google in this regard.

15. SSL/TLS Encryption

This website uses SSL/TLS encryption (HTTPS) for security reasons and to protect the transmission of personal data and other confidential content. You can recognize an encrypted connection by the "https://" prefix in your browser's address bar and the lock icon.

When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

16. Your Rights as a Data Subject

Under the GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, please contact us at nils@hartei.com.

16.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you is being processed. If so, you have the right to access that data and receive additional information about the processing.

16.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the correction of inaccurate personal data or the completion of incomplete personal data.

16.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data where one of the grounds set out in Art. 17 GDPR applies, for example, when the data is no longer needed for its original purpose.

16.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of processing under certain conditions, for example, if you contest the accuracy of the data.

16.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.

16.6 Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation, where processing is based on Art. 6(1)(f) GDPR (legitimate interest). We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

16.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you have the right to withdraw that consent at any time. The withdrawal of consent does not affect the lawfulness of processing that was carried out on the basis of consent before it was withdrawn.

16.8 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The competent supervisory authority for our business is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
www.lda.bayern.de

17. Data Retention

We retain personal data only for as long as necessary to fulfill the purpose for which it was collected, or as required by applicable law. When the data is no longer needed and no statutory retention obligations apply, we will delete or anonymize it.

The following statutory retention periods may apply under German law:

6 years — for commercial correspondence and business letters (§ 257 HGB — Handelsgesetzbuch).
10 years — for accounting records, invoices, and tax-relevant documents (§ 147 AO — Abgabenordnung).

The retention period begins at the end of the calendar year in which the relevant transaction or correspondence was completed.

18. Data Transfers to Third Countries

Some of the third-party services we use are based in the United States of America. Where personal data is transferred to the USA or other countries outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, as adopted by the European Commission.
EU-US Data Privacy Framework — where the data recipient has been certified under the EU-US Data Privacy Framework, an adequacy decision pursuant to Art. 45 GDPR applies.

The specific safeguards applicable to each service are described in the relevant sections above.

19. Changes to This Privacy Policy

We reserve the right to update this privacy policy from time to time to reflect changes in our data processing practices, legal requirements, or regulatory guidance. The current version of this privacy policy is always available at hartei.com/privacy-policy.

We encourage you to review this page periodically. The "Last updated" date at the top of this page indicates when the most recent changes were made.

20. Data Processing Agreement Summary

The following table provides an overview of the third-party service providers (data processors) we use:

Service	Provider	Location	Purpose	Legal Basis
Web Hosting	IONOS SE	Montabaur, Germany	Website hosting and server log files	Art. 6(1)(f) GDPR
Google Analytics 4	Google Ireland Limited / Google LLC	Dublin, Ireland / USA	Web analytics (with consent only)	Art. 6(1)(a) GDPR
TidyCal (Booking)	SureSwift Capital (AppSumo)	USA	Appointment scheduling for discovery calls	Art. 6(1)(b) GDPR
Zoom	Zoom Video Communications, Inc.	San Jose, CA, USA	Video conferencing for coaching sessions and discovery calls	Art. 6(1)(b) GDPR
WhatsApp	Meta Platforms Ireland Limited	Dublin, Ireland / USA	Daily messaging during coaching engagement	Art. 6(1)(b) GDPR

If you have any questions about this privacy policy or the processing of your personal data, please contact us at nils@hartei.com.