Privacy Policy
Last updated: June 24, 2026 | Data Controller: ZPM Coaching SRL
- Who we are: ZPM Coaching SRL, data controller under GDPR, registered in Saftica, Ilfov, Romania
- What data we collect: Only what you voluntarily provide (name, email, phone, address) plus automatically collected technical data (IP address, browser)
- Why we process it: To provide services, communicate with you, send marketing (with your consent) and analyse site traffic
- Who we share with: Google Analytics and payment processors — nobody else, without your explicit consent
- Your rights: Access, rectification, erasure, portability, restriction, objection — exercisable at any time, free of charge
- GDPR contact: [email protected]
- What information we collect
- Purposes and legal bases for processing
- Legal basis under GDPR
- Who we share data with
- International data transfers
- Cookies and tracking technologies
- Data retention periods
- Data security
- Processing of minors’ data
- Rights of the data subject
- Changes to this policy
- Controller contact details
1. What information we collect
1.1 Information you provide directly
We collect personal data that you voluntarily provide through the following means:
- Completing the contact form or newsletter subscription form
- Purchasing a product or service (Thot Nutrition products, coaching programmes, digital courses)
- Registering for and attending events, workshops or training programmes
- Contacting us by email, phone or social media
- Creating a user account on the site
The categories of data we collect may include: first and last name, email address, phone number, postal address, billing details. Providing this data is voluntary; refusing to provide certain data may prevent you from using some services or site features.
All personal data you provide must be accurate, complete and up to date. You are responsible for the accuracy of the information you submit.
1.2 Automatically collected information
When you visit and navigate our website, we automatically collect certain technical and usage information which does not directly identify you as a person, but may constitute personal data within the meaning of GDPR:
- Log data: IP address, browser type and version, operating system, internet service provider, pages accessed, time spent on each page, date and time of access, referring URL
- Device data: device type, unique device identifiers, language settings, network information
- Usage data: how you interact with the site, features used, searches performed
This data is collected through cookies, scripts and similar technologies. Further details can be found in our Cookie Policy.
1.3 Data from third parties
We do not request or purchase personal data from third parties for the purpose of building user profiles. Technical data transmitted through Google Analytics originates indirectly from site visitors and is processed in accordance with Google’s policy.
2. Purposes and legal bases for processing
We process your personal data exclusively for the purposes described below, on the basis of the corresponding legal grounds under GDPR:
- Providing contracted services — responding to your requests, processing and delivering orders, managing the contractual relationship, providing access to purchased programmes
- Administrative communication — order confirmations, service notifications, updates to terms and conditions or policies
- Marketing and commercial communications — sending newsletters, special offers, new content and information about services and products; exclusively with your prior and explicit consent; you can unsubscribe at any time via the link in the email
- Analysis and improvement of services — understanding how the site is used, identifying technical issues, optimising the user experience
- Security and fraud prevention — protecting the integrity of the site, detecting unauthorised or fraudulent activity
- Compliance with legal obligations — conformity with fiscal, accounting and any other legal obligations applicable to the controller
- Defending legal rights — formulating, exercising or defending legal claims
3. Legal basis under GDPR
In accordance with Regulation (EU) 2016/679 (GDPR) and Law No. 190/2018 on the measures implementing GDPR in Romania, we process your personal data on the following legal grounds:
- Consent (Art. 6(1)(a) GDPR) — for processing for direct marketing, newsletters and commercial communications. Consent is freely given, specific, informed and unambiguous. You may withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Performance of a contract (Art. 6(1)(b) GDPR) — for processing necessary for the performance of a contract to which you are party (purchase of products, coaching services, subscriptions) or for pre-contractual measures taken at your request
- Legitimate interests (Art. 6(1)(f) GDPR) — for site traffic analysis, ensuring security, fraud prevention and defending the legal rights of the controller, to the extent that your interests or fundamental rights and freedoms do not override those interests
- Compliance with a legal obligation (Art. 6(1)(c) GDPR) — for processing necessary to comply with fiscal, accounting and legal obligations to which the controller is subject under Romanian law
Supervisory authority: If you believe your data is being processed unlawfully, you have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro, Str. Olari nr. 32, sector 2, Bucharest. You may also address your complaint to a competent court.
4. Who we share data with
We do not sell, rent or trade your personal data to third parties. We may disclose data exclusively in the following situations, in compliance with GDPR principles:
- Data processors: service providers with whom we have concluded data processing agreements — Google Analytics (traffic analysis), email marketing service providers, payment processors (WooCommerce/Stripe for online orders), hosting and IT infrastructure providers. They are authorised to process your data exclusively on our instructions and are contractually bound to maintain the confidentiality and security of the data.
- Public authorities and courts: where disclosure is required by law, warrant, court order, or for cooperation with law enforcement, tax or other authorities
- Business transfers: in the event of a merger, acquisition, restructuring or sale of company assets, data may be transferred to the successor or acquiring entity, in compliance with GDPR obligations and with prior notice to data subjects
- With your explicit consent: in any other situations, with your prior and informed consent
We have not sold, transferred or shared personal data with third parties for commercial purposes in the past 12 months and do not intend to do so in the future.
5. International data transfers
Certain services we use (Google Analytics, hosting services) may involve the transfer of your data to countries outside the European Economic Area (EEA). In such cases, we ensure that the transfer is carried out with adequate safeguards as required by GDPR, specifically:
- An adequacy decision by the European Commission (where applicable)
- Standard contractual clauses adopted by the European Commission
- The EU–US Data Privacy Framework certification mechanism (where the provider is certified)
Google LLC adheres to the Data Privacy Framework and provides adequate safeguards for data transfers to the USA. Detailed information is available in the Google Privacy Policy.
6. Cookies and tracking technologies
We use cookies and similar technologies (scripts, pixels) for the operation of the site, saving your preferences and analysing traffic. We also use Google Analytics with the Google Display Network Impressions Reporting feature.
Strictly necessary cookies are placed without consent. Analytical and marketing cookies require your explicit consent, expressed through the cookie banner on your first visit to the site.
Detailed information about the types of cookies used, their duration and how to manage consent can be found in our Cookie Policy. You can opt out of Google Analytics at: tools.google.com/dlpage/gaoptout.
7. Data retention periods
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable legal obligations. The criteria used to determine the retention period include: the nature of the data, the purpose of processing, legal retention obligations and applicable limitation periods.
- Contact and newsletter data: for the duration of the active subscription, until consent is withdrawn or an unsubscribe request is made; thereafter we delete the data within 30 days
- Transactional data (orders, invoices, payments): minimum 5 years from the end of the financial year in which the transaction occurred, in accordance with the Accounting Law No. 82/1991 and the Fiscal Code
- User account data: for the duration of the active account; after an account deletion request, data is removed within 30 days, except for data we are legally required to retain
- Technical data and logs: maximum 12 months from collection
- Customer support correspondence: 3 years from closure of the request, for the purpose of defending legal rights
- Cookie and traffic analytics data: in accordance with the lifetime of each cookie, as detailed in the Cookie Policy
Upon expiry of the retention period, data is permanently deleted or irreversibly anonymised so that it can no longer be associated with an identifiable person.
8. Data security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration or destruction. Measures in place include:
- Encryption of connections via SSL/HTTPS protocol for all data transfers
- Restricted access to personal data on a need-to-know basis
- Regular updates to systems and software applications
- Monitoring of activity and detection of unauthorised access
- Contractual confidentiality obligations imposed on service providers
Nevertheless, no method of internet transmission and no electronic storage solution can offer 100% absolute security. We make every reasonable effort to protect your data, but cannot guarantee the absolute security of transmissions you make to our site.
In the event of a personal data breach presenting a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Art. 34 GDPR, and will notify ANSPDCP within the legal deadline of 72 hours.
9. Processing of minors’ data
Our site and services are intended exclusively for persons who have reached the age of 18. We do not knowingly collect or process personal data of persons below this age. By using the site, you declare that you are at least 18 years old.
If you become aware that a minor has provided us with personal data, please contact us immediately at [email protected]. We will promptly delete such data from our systems.
10. Rights of the data subject
As a data subject, you benefit from the following rights guaranteed by GDPR and Law No. 190/2018:
To exercise any of the above rights, send us a written request at [email protected]. We respond as soon as possible and in any case within 30 calendar days of receiving the request. For complex or numerous requests, the deadline may be extended by a further 60 days, with prior notice to you. The exercise of rights is free of charge. We may request proof of identity to prevent unauthorised access to your data.
11. Changes to this policy
We reserve the right to update or amend this Privacy Policy periodically, to reflect legislative changes, decisions of supervisory authorities or changes to our data processing practices.
The updated version will be published on this page with the “Last updated” date indicated. In the case of material changes affecting your rights, we will notify you by email (if you have provided your address) or through a visible notice on the site, at least 30 days before the changes take effect.
We encourage you to check this page periodically. Continued use of the site after publication of changes constitutes acceptance of those changes.
12. Controller contact details
ZPM Coaching SRL
Intrarea Morarilor 1–3, Saftica, Ilfov 077015, Romania
Email: [email protected]
Phone: +40 726 678 526
Website: www.bralgei.com
National Supervisory Authority for Personal Data Processing (ANSPDCP):
Str. Olari nr. 32, sector 2, Bucharest 024056 | www.dataprotection.ro | [email protected]
Related documents: Cookie Policy · Terms & Conditions · Disclaimer