1. About This Policy
This Privacy Policy explains how Sophiris Advisory ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website, coaching platform, and related services (collectively, the "Services").
We are committed to protecting your privacy and handling your personal data with transparency and integrity. This Policy is designed to comply with applicable data protection laws including:
• The EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
• The Swiss Federal Act on Data Protection (nDSG / revDSG), in force September 2023
• The UK General Data Protection Regulation (UK GDPR)
• The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
• Applicable national data protection laws of EU member states
If you are located in the European Economic Area (EEA), Switzerland, or the UK, Sophiris Advisory acts as the data controller for your personal data.
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide Directly
• Identity data: name, professional title, company name
• Contact data: email address, phone number (if provided)
• Assessment data: responses to coaching questionnaires, Coaching Gem assessments, and self-reported professional challenges
• Communication data: messages, booking requests, and correspondence with Maria
• Payment data: billing information (processed by third-party payment providers — we do not store card details)
2.2 Data Collected Automatically
• Technical data: IP address, browser type, device information, operating system
• Usage data: pages visited, session duration, clickstream data, referral source
• Cookie data: as described in Section 9 (Cookies and Tracking Technologies) below
2.3 Special Category Data
Coaching conversations may touch on areas such as mental wellbeing, health, or workplace stress. Any such information is shared voluntarily and is treated with the highest level of confidentiality. We do not proactively solicit special category data (as defined under GDPR Article 9) and we process it only with your explicit consent or where necessary to provide coaching services you have requested.
Note on health-related information: Sophiris Advisory is a professional coaching practice, not a healthcare provider. We do not provide medical advice or treatment. If you voluntarily share health-related information during coaching, it is treated as strictly confidential and processed only with your consent, in accordance with GDPR Article 9 (special category data).
3. Legal Basis for Processing (GDPR / nDSG)
For individuals in the EEA, Switzerland, and the UK, we process your personal data on the following legal bases:
• Contract performance (GDPR Art. 6(1)(b)): To deliver coaching services, process bookings, and fulfil our obligations to you.
• Legitimate interests (GDPR Art. 6(1)(f)): To improve our Services, maintain platform security, and send relevant follow-up communications where you are an existing client. We always balance our interests against your rights.
• Consent (GDPR Art. 6(1)(a)): For marketing communications, use of non-essential cookies, and processing of any special category data. You may withdraw consent at any time.
• Legal obligation (GDPR Art. 6(1)(c)): Where required by applicable law, including tax, financial reporting, or regulatory obligations.
For California residents, we process personal data as a "business" under the CCPA. We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
4. How We Use Your Personal Data
We use your personal data for the following purposes:
• Delivering and personalising coaching services and assessments
• Generating AI-assisted coaching insights from your assessment responses (processed by Anthropic's Claude API — see Section 6)
• Communicating with you about sessions, bookings, and follow-ups
• Sending transactional emails (session confirmations, results, reports) via Resend
• Analysing anonymised, aggregated data to improve our coaching methodology
• Maintaining the security and integrity of our platform
• Complying with applicable legal obligations
• Responding to enquiries and support requests
We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human review.
5. AI-Assisted Processing
Our platform uses Anthropic's Claude AI model to generate personalised coaching insights, expert panel perspectives, and coaching reports based on your assessment responses.
What this means for you:
• Your assessment responses are sent to Anthropic's API for processing. Anthropic does not use API inputs to train its models by default, in accordance with their API data usage policy.
• AI-generated insights are reviewed in context by Maria and are not used as the sole basis for coaching decisions.
• All AI-generated content is treated as confidential coaching material.
We have conducted appropriate due diligence on Anthropic's data processing practices. A Data Processing Agreement (DPA) is in place where required under GDPR. If you have concerns about AI processing of your data, you may request a coaching experience that does not involve AI-generated analysis — please contact us at maria@sophirisadvisory.com.
6. Third-Party Service Providers
We share your personal data only with trusted service providers who process data on our behalf under appropriate contractual safeguards:
• Supabase (Supabase Inc. — EU region): Database hosting and storage. Data processed in the EU.
• Anthropic (Anthropic PBC, USA): AI model processing for coaching insights. Anthropic maintains data processing terms in their API policies. We apply appropriate contractual safeguards for EU data transfers.
• Resend (Resend Inc.): Transactional email delivery.
• Vercel (Vercel Inc., USA): Platform hosting and deployment. Vercel maintains a GDPR-compliant DPA and EU SCCs.
• Calendly (Calendly LLC, USA): Session scheduling. Subject to SCCs.
• Google (Google LLC): Google Workspace for internal communications. Subject to SCCs.
We do not sell, rent, or trade your personal data to any third party for marketing purposes. We do not share your data with advertisers.
International Transfers: Where we transfer personal data outside the EEA, Switzerland, or UK, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent mechanisms under applicable law.
7. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this Policy, and in accordance with applicable law:
• Assessment and coaching data: Retained for the duration of your coaching engagement plus 3 years, to support continuity of coaching and professional accountability.
• Booking and correspondence records: 3 years from last contact.
• Financial and billing records: 7 years, as required by applicable tax and accounting laws.
• Technical/usage logs: 90 days on a rolling basis.
• Marketing communications: Until you unsubscribe or withdraw consent.
Where data is no longer required, we securely delete or anonymise it. You may request early deletion of your data at any time (see Section 8), subject to the legal retention obligations listed above.
8. Your Privacy Rights
Depending on your location, you may have the following rights:
Under GDPR / UK GDPR / Swiss nDSG:
• Right of access — obtain a copy of the personal data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — request deletion of your data
• Right to restriction — request that we limit how we process your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests or for direct marketing
• Rights related to automated decision-making — request human review of any automated decisions
Under CCPA / CPRA (California residents):
• Right to know what personal information is collected, used, shared or sold
• Right to delete personal information
• Right to opt-out of the sale or sharing of personal information (we do not sell data)
• Right to non-discrimination for exercising your rights
• Right to correct inaccurate personal information
• Right to limit use of sensitive personal information
Under PIPEDA (Canadian residents):
• Right to access and correct your personal information
• Right to withdraw consent (subject to legal and contractual restrictions)
Under LGPD (Brazilian residents):
• Rights equivalent to those under GDPR, including access, correction, deletion, portability, and objection
To exercise any of these rights, please contact us at: maria@sophirisadvisory.com
We will respond within 30 days (or sooner, as required by applicable law). We may need to verify your identity before processing your request. We do not charge a fee for reasonable requests.
If you are in the EEA and believe we have not handled your request appropriately, you have the right to lodge a complaint with your local supervisory authority. In Greece, this is the Hellenic Data Protection Authority (HDPA): www.dpa.gr
9. Cookies and Tracking Technologies
Our platform uses the following types of cookies and similar technologies:
• Strictly necessary cookies: Required for the platform to function. These cannot be disabled.
• Functional cookies: Remember your preferences and session state.
• Analytics cookies: Help us understand how visitors use the platform (anonymised). Used only with your consent.
We do not use third-party advertising cookies or tracking pixels.
You can control cookie preferences through your browser settings. Note that disabling certain cookies may affect platform functionality. A cookie consent mechanism will be presented on your first visit where required by applicable law.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
• Encryption of data in transit (TLS/HTTPS) and at rest
• Access controls and authentication requirements
• Regular security reviews of third-party integrations
• Supabase Row Level Security (RLS) for database access controls
• Anthropic API key protection and rotation procedures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required under GDPR) and affected individuals without undue delay.
11. Children's Privacy
Our Services are intended for professionals and business executives. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us at maria@sophirisadvisory.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by email (if you are a registered user) or by posting a prominent notice on our website with the updated date.
Continued use of our Services after such notification constitutes your acceptance of the updated Policy.
This Privacy Policy was prepared for Sophiris Advisory and reflects our commitment to transparent, lawful, and ethical data handling.
For legal or compliance enquiries: maria@sophirisadvisory.com