Privacy Policy

Wisdom of Soma
Operated by EstEye AB (Sweden)
Last updated: 27.02.2026

1 | Introduction

EstEye AB (company registration number 559357-4865), registered at Lillängvägen 8B, 83772 Duved, Sweden, operating under the brand name Wisdom of Soma (“Company”, “we”, “us”), respects your privacy and is committed to handling your personal data responsibly, transparently, and in accordance with applicable law.

This Privacy Policy explains how and why we collect, use, store, and protect personal data in connection with the services provided through Wisdom of Soma. It applies whenever you visit our Website, make an inquiry, book or participate in coaching sessions, enrol in programs or courses, subscribe to communications, attend retreats or events, or otherwise interact with us in a professional context.

We recognise that the nature of somatic coaching may involve the sharing of personal and, in some cases, sensitive information. For that reason, we place particular emphasis on confidentiality, data minimisation, and secure handling of information.

Personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as well as applicable Swedish data protection legislation. Where we provide services to individuals outside Sweden, we aim to apply the same high standard of protection regardless of location.

This Policy should be read together with our Terms & Conditions and Cookie Policy, which form part of the overall legal framework governing your relationship with Wisdom of Soma.

2 | Data Controller

For the purposes of applicable data protection legislation, EstEye AB acts as the data controller in relation to the personal data described in this Privacy Policy. This means that the Company determines the purposes for which and the manner in which your personal data is processed.

As data controller, EstEye AB is responsible for ensuring that personal data is handled lawfully, fairly, and transparently, and that appropriate safeguards are in place to protect your information.

The Company’s registered details are as follows:

EstEye AB
Company registration number: 559357-4865
Lillängvägen 8B
83772 Duved
Sweden

If you have any questions regarding this Privacy Policy, the processing of your personal data, or if you wish to exercise any of your rights under applicable data protection law, you may contact us at:

Email: olga@wisdomofsoma.co

We will make reasonable efforts to respond to data protection inquiries promptly and in accordance with applicable legal requirements.

EstEye AB does not currently appoint a Data Protection Officer, as such appointment is not required under Article 37 GDPR based on the nature and scale of processing activities.

4 | Categories of Personal Data Collected

In order to provide the Services effectively and responsibly, we may collect and process different categories of personal data, depending on how you interact with Wisdom of Soma.

4.1 Identification and Contact Data

This includes basic information necessary to communicate with you and administer the Services, such as your name, email address, telephone number, and billing-related details. Such information is typically collected when you make an inquiry, book a session, enrol in a program, or complete a purchase.

4.2 Coaching-Related Information

In the context of somatic coaching, you may choose to share personal background information relevant to your participation. This may include reflections, experiences, or contextual information that supports the coaching process.

Where relevant to participation, you may also voluntarily provide limited health-related information. Such information is processed with particular care and only to the extent necessary for the provision of the requested Services.

We do not require you to disclose more information than is reasonably necessary for participation, and you remain free to determine what you choose to share during sessions.

4.3 Technical and Usage Data

When you visit the Website or interact with our online platforms, certain technical data may be collected automatically. This may include your IP address, device information, browser type, and general information about how you navigate and use the Website.

Such data is typically collected through analytics tools and is used to improve website functionality, security, and overall user experience.

4.4 Marketing and Communication Data

If you subscribe to newsletters or updates, we may process information relating to your communication preferences and your interaction with email communications. This may include subscription status, open rates, and click activity, where applicable.

You may withdraw consent to marketing communications at any time by using the unsubscribe function or by contacting us directly.

5 | Special Category Data (Health-Related Information)

In the course of somatic coaching, you may voluntarily share information relating to your physical or mental wellbeing. Depending on its nature, such information may qualify as “special category data” under Article 9 of the General Data Protection Regulation (GDPR).

Where health-related information is collected through structured intake forms, written submissions, or retained in coaching notes, the Company processes such data only on the basis of explicit consent pursuant to Article 9(2)(a) GDPR. Explicit consent is obtained through a clear and specific affirmative statement (for example, a dedicated consent checkbox referencing the processing of special category data for coaching purposes) prior to processing.

We recognise that information concerning health is particularly sensitive and requires enhanced protection. Accordingly, health-related data is processed only where it is strictly necessary for the provision of the requested Services and where a valid legal basis exists under applicable data protection law.

You remain free to determine what information you choose to disclose during sessions. Where health-related information is shared during coaching conversations, such disclosure is treated as covered by the explicit consent provided at intake.

You may withdraw your consent at any time. However, withdrawal of consent may affect the Company’s ability to continue providing certain Services in a safe and appropriate manner.

The Company processes only the minimum amount of health-related information necessary for the intended purpose. Such data is not used for marketing, profiling, automated decision-making, or algorithmic evaluation.

Where coaching notes are maintained, they are limited in scope, stored securely, and accessed only where necessary. Where appropriate, data minimisation and pseudonymisation techniques are applied.

6 | Purposes and Legal Bases for Processing

We process personal data only where there is a clear and lawful basis to do so under applicable data protection legislation. The specific legal basis depends on the nature of your interaction with Wisdom of Soma and the purpose for which your data is used.

6.1 Provision of Services

Where you book or participate in coaching sessions, programs, courses, or retreats, we process your personal data for the purpose of delivering the requested Services. This includes managing bookings, administering programs, coordinating sessions, and processing payments.

The legal basis for this processing is the performance of a contract pursuant to Article 6(1)(b) GDPR. Without processing this data, we would not be able to provide the Services you have requested.

6.2 Communication

We may process your personal data in order to respond to inquiries, provide information about your booking, send service-related updates, or communicate practical details regarding participation.

Depending on the circumstances, this processing is based either on the performance of a contract pursuant to Article 6(1)(b) GDPR or on our legitimate interests pursuant to Article 6(1)(f) GDPR. Where reliance is placed on legitimate interests, such interests consist of maintaining effective and professional communication, ensuring service continuity, and administering our business operations in a proportionate and responsible manner.

Where processing is based on legitimate interests pursuant to Article 6(1)(f) GDPR, we rely on our legitimate interest in maintaining effective communication, ensuring service continuity, and administering our business operations. We have conducted a balancing assessment to ensure that such interests are not overridden by your fundamental rights and freedoms.

6.3 Marketing Communications

Where you subscribe to newsletters or updates, we process your contact details for the purpose of sending marketing communications, including information about future programs, events, or offerings.

The legal basis for such processing is your consent under Article 6(1)(a) GDPR. You may withdraw your consent at any time by using the unsubscribe function included in our emails or by contacting us directly. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

Where applicable, subscription to marketing communications may involve a confirmation step (double opt-in) to ensure that consent is validly obtained. Marketing communications are sent periodically and are limited to information relevant to our Services. We do not engage in automated profiling for marketing purposes beyond basic email engagement metrics. You may withdraw consent at any time without affecting your access to Services.

6.4 Legal and Regulatory Compliance

We may process certain personal data in order to comply with legal obligations, including accounting, tax reporting, and record-keeping requirements under applicable law.

The legal basis for this processing is compliance with a legal obligation pursuant to Article 6(1)(c) GDPR.

6.5 Special Category Data

Where you voluntarily share health-related or other special category data in the context of coaching, such data is processed on the basis of your explicit consent in accordance with Article 9(2)(a) GDPR, and only to the extent necessary for the provision of the Services.

6.6 Website Analytics and Tracking Technologies

We use website analytics tools and, where applicable, marketing or tracking technologies in order to understand website usage, improve user experience, and measure engagement.

The legal basis for the processing of personal data through analytics cookies and marketing or tracking technologies is your prior consent pursuant to Article 6(1)(a) GDPR.

Such technologies are not activated unless and until valid consent has been provided through the website’s consent management interface. You may withdraw your consent at any time via the cookie settings link available on the website.

7 | Payment Processing

Payments for Services are processed through secure third-party payment providers, such as Stripe or other authorised processors that may be used from time to time. These providers specialise in secure transaction handling and are responsible for processing payment information in accordance with their own privacy policies and regulatory obligations.

The Company does not collect or store full payment card numbers, security codes, or complete banking credentials. Payment details are transmitted directly to the relevant payment provider using encrypted connections.

When you make a payment, certain limited information (such as your name, billing address, transaction amount, and payment status) may be made available to the Company for administrative and accounting purposes. This information is processed solely for managing bookings, maintaining financial records, and complying with legal obligations.

Payment service providers may act as independent data controllers or, depending on the nature of the processing, as data processors in relation to your payment information. The processing of your payment data is subject to the respective provider’s privacy policy and regulatory framework. We encourage you to review their privacy policies to understand how your financial information is handled.

While we select reputable providers and implement appropriate safeguards, the processing of payment data by third-party platforms remains subject to their own technical infrastructure and compliance frameworks.

8 | Third-Party Service Providers

In order to operate Wisdom of Soma effectively and securely, we engage selected third-party service providers who support the technical and administrative aspects of our business. These may include website hosting platforms (such as Squarespace), email communication and marketing providers (such as Flodesk), payment processors (such as Stripe), analytics tools (such as Google Analytics), and online course platforms (such as Kajabi or similar systems, if implemented in the future).

These providers may process personal data either on our behalf as data processors or, in certain circumstances, as independent data controllers, depending on the nature of the service provided. Where a provider acts as a processor, we seek to ensure that appropriate contractual arrangements are in place in accordance with Article 28 GDPR.

We select service providers that demonstrate appropriate security, confidentiality, and data protection standards. However, each provider operates under its own privacy policy and compliance framework, and the processing of personal data by such providers is subject to their respective terms.

Some of these providers may process personal data outside the European Economic Area (EEA). Where international data transfers occur, we seek to ensure that appropriate safeguards are implemented in accordance with GDPR, which may include the use of Standard Contractual Clauses or other legally recognised transfer mechanisms.

We do not sell personal data to third parties.

9 | Data Retention

We retain personal data only for as long as it is necessary to fulfil the purposes for which it was collected, including the provision of Services, compliance with legal obligations, and the protection of legitimate business interests.

The appropriate retention period depends on the nature of the data and the context in which it was collected. In determining retention periods, we consider contractual requirements, statutory obligations, the sensitivity of the data, and the need to resolve potential disputes.

Client-related administrative and financial records, including invoices and payment documentation, may be retained for up to seven (7) years in accordance with applicable accounting and tax legislation.

Marketing-related data is retained until you withdraw your consent or unsubscribe from communications. Once consent is withdrawn, your contact details will be removed from marketing distribution lists within a reasonable timeframe, although minimal records may be retained to document the withdrawal of consent.

Coaching notes, where maintained, are typically retained for no longer than twenty-four (24) months following the end of the coaching relationship, unless a longer retention period is required for legal compliance, dispute resolution, insurance purposes, or the establishment, exercise, or defence of legal claims.

Where personal data is no longer necessary for its original purpose, it will be securely deleted, anonymised, or otherwise rendered inaccessible, unless continued retention is required by law. Retention periods may vary depending on statutory requirements applicable at the time of processing.

10 | Storage and Security

We take the security of personal data seriously and implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction.

Such measures may include secure digital storage environments, restricted access to information on a need-to-know basis, password-protected systems, encrypted communication channels where appropriate, and the use of reputable service providers with established security standards.

Access to personal data is limited to those who require it for legitimate business purposes. Where third-party processors are engaged, we seek to ensure that they are contractually bound to maintain appropriate security and confidentiality safeguards.

While we strive to protect personal data using commercially reasonable safeguards, no method of electronic transmission or storage can be guaranteed to be completely secure. For this reason, although we work to maintain a high standard of data protection, we cannot guarantee absolute security of information transmitted via the internet.

In the event of a data breach that poses a risk to individuals’ rights and freedoms, we will act in accordance with applicable legal obligations, including notification requirements where necessary.

11 | Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you are entitled to certain rights in relation to your personal data. These rights are intended to give you transparency, control, and protection over how your information is handled.

Subject to applicable legal conditions and limitations, you have the right to request access to the personal data we hold about you and to obtain information about how it is processed. You may also request correction of inaccurate or incomplete data.

In certain circumstances, you have the right to request the erasure of your personal data, commonly referred to as the “right to be forgotten.” This right applies where the data is no longer necessary for the purposes for which it was collected, where consent has been withdrawn and no other legal basis applies, or where processing is unlawful.

You may request restriction of processing in situations where the accuracy of the data is contested, where processing is unlawful but you oppose deletion, or where the data is required for the establishment, exercise, or defence of legal claims.

Where processing is based on consent or on the performance of a contract and carried out by automated means, you may have the right to receive certain personal data in a structured, commonly used, and machine-readable format and to request transmission to another controller where technically feasible.

You also have the right to object to processing based on legitimate interests, including direct marketing. Where processing is based on consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

To exercise any of your rights, you may contact us using the contact details provided in this Privacy Policy. We may request reasonable verification of identity before responding to a request. Requests will be handled in accordance with applicable legal timeframes.

If you believe that your personal data has been processed in a manner that does not comply with applicable law, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) or with the supervisory authority in your country of residence within the European Union.

12 | Cookies and Analytics

Our Website uses cookies and similar technologies to ensure its proper functioning, to understand how visitors interact with the Website, and, where applicable, to support communication and marketing activities.

Cookies are small text files placed on your device when you visit a website. Some cookies are strictly necessary for the Website to operate securely and effectively. Others help us analyse traffic patterns, improve user experience, and understand how our content is used. Where relevant, marketing or tracking technologies may be used to measure the effectiveness of communications or advertising.

Cookies used on the Website may include:

  • Strictly necessary cookies, which enable core functionality such as page navigation and access to secure areas of the Website;

  • Analytics cookies, which allow us to understand how visitors use the Website and help us improve its structure, content, and performance;

  • Marketing or tracking cookies, where applicable, which may support communication, outreach, or audience measurement activities.

Where required under applicable law, non-essential cookies will only be placed on your device with your prior consent. Consent is obtained through a cookie banner or similar consent management mechanism when you first access the Website. You may withdraw or modify your consent at any time through the available cookie settings.

Further information regarding specific cookies, retention periods, and third-party tools used is provided in our separate Cookie Policy.

Nothing in this section limits your rights under applicable data protection legislation.

13 | International Data Transfers

As we provide Services to clients worldwide and rely on certain digital service providers, personal data may in some circumstances be transferred to, stored in, or accessed from countries outside the European Economic Area (EEA).

Where such transfers occur, we implement appropriate safeguards in accordance with Chapter V GDPR to ensure a lawful and secure transfer of personal data. These safeguards may include the use of Standard Contractual Clauses (SCCs) approved by the European Commission, reliance on adequacy decisions adopted by the European Commission, and, where applicable, participation in the EU–US Data Privacy Framework. These mechanisms are designed to ensure that personal data transferred outside the EEA benefits from a level of protection essentially equivalent to that guaranteed within the European Union.

We take reasonable steps to assess whether third-party service providers maintain appropriate technical and organisational measures to protect personal data, including in situations involving cross-border processing.

Where required, supplementary measures may be implemented to enhance the protection of transferred data. Transfers are limited to what is necessary for the provision of Services, the operation of the Website, communication with clients, and the legitimate functioning of the business.

You may request further information regarding applicable safeguards by contacting us using the details provided in this Privacy Policy.

Nothing in this section affects your rights under applicable data protection legislation.

14 | Automated Decision-Making

We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significant consequences for individuals within the meaning of Article 22 of the General Data Protection Regulation (GDPR).

This means that decisions relating to participation in our Services, communication, or client management are not made solely by automated systems without meaningful human involvement. We do not use algorithms or automated tools to make decisions that would materially affect your rights, contractual status, access to Services, or personal circumstances.

Where technical tools are used to support administrative functions — such as analytics, email systems, or booking platforms — these tools do not replace human judgment in decisions relating to individual clients.

Should this position change in the future, we will update this Privacy Policy accordingly and ensure that any such processing complies with applicable data protection legislation, including providing appropriate safeguards and transparency.

Nothing in this section limits your rights under GDPR in relation to automated processing.

15 | Updates to this Policy

We may update or revise this Privacy Policy from time to time in order to reflect changes in applicable legislation, regulatory guidance, technological developments, or our business practices.

The most current version of the Privacy Policy will always be published on the Website together with the date of the latest update. Where changes materially affect the way in which personal data is processed, we will take reasonable steps to provide appropriate notice, where required by law.

Continued use of the Website or Services after an updated version has been published constitutes acknowledgement of the revised Policy.

We encourage you to review this Privacy Policy periodically to remain informed about how your personal data is handled.

16 | Data Protection Principles

In processing personal data, EstEye AB adheres to the core principles set out in Article 5 of the General Data Protection Regulation (GDPR). These principles form the foundation of how personal data is handled within Wisdom of Soma and reflect our commitment to responsible, transparent, and lawful data governance.

Personal data is processed lawfully, fairly, and in a transparent manner. We ensure that a valid legal basis exists before processing personal data and that individuals are provided with clear information regarding how and why their information is used. Transparency is a central element of our approach to data protection.

Personal data is collected for specified, explicit, and legitimate purposes. We do not process personal data in ways that are incompatible with those original purposes. Where new or additional processing activities are introduced, they are assessed for compatibility with the original purpose and, where required, communicated appropriately.

We apply the principle of data minimisation. Only personal data that is adequate, relevant, and limited to what is necessary for the provision of Services, compliance with legal obligations, or legitimate business operations is collected and processed. We do not intentionally collect excessive or unnecessary information.

We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Individuals are encouraged to inform us of any changes to their contact details or other relevant information so that records remain current and reliable.

Personal data is retained only for as long as necessary in light of contractual, legal, regulatory, and professional considerations. Retention periods are determined based on the nature of the data, the purpose of processing, and applicable statutory requirements. Once data is no longer required, it is securely deleted, anonymised, or otherwise rendered inaccessible, unless continued retention is legally required.

We implement appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data. These measures are designed to protect information against unauthorised access, unlawful processing, accidental loss, destruction, or damage.

Finally, we recognise the principle of accountability. As data controller, EstEye AB accepts responsibility for demonstrating compliance with applicable data protection legislation. We seek to maintain internal processes, documentation, and safeguards that support lawful and responsible data handling practices across our operations. These principles apply to both electronic and paper-based records, where applicable.

17 | Exercising Your Rights

If you wish to exercise any of your rights under applicable data protection legislation, including those set out in the General Data Protection Regulation (GDPR), you may submit a request using the contact details provided in this Privacy Policy. Requests should be made in writing and should clearly describe the nature of your request, the right you seek to exercise, and any relevant context that may assist us in responding efficiently.

In order to protect your privacy and prevent unauthorised disclosure of personal data, we may request reasonable verification of your identity before processing your request. This may involve confirming certain contact details already held by us or requesting additional identifying information where appropriate. Such verification measures are implemented solely to safeguard personal data and prevent misuse.

We will respond to valid requests without undue delay and, in any event, within one (1) month of receipt, in accordance with Article 12 GDPR. Where a request is complex or where multiple requests are submitted, this period may be extended by up to two additional months. If an extension is required, you will be informed within the initial one-month period together with an explanation of the reasons for the delay.

In certain limited circumstances, we may refuse to act on a request where it is manifestly unfounded, excessive, or where a legal exemption applies under applicable data protection legislation. Where a request is refused, we will provide an explanation of the reasons, subject to any legal restrictions that may apply.

Requests are generally handled free of charge. However, where requests are manifestly unfounded or excessive — in particular because of their repetitive nature — we may charge a reasonable administrative fee reflecting the cost of processing the request or decline to act, as permitted under Article 12(5) GDPR.

Our aim is to handle all data subject requests fairly, consistently, and in accordance with applicable legal standards.

18 | Data Breach Response

We maintain internal procedures designed to identify, assess, and respond to personal data breaches in a structured and responsible manner. A personal data breach may include accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

In the event of a suspected or confirmed incident, we will promptly conduct an internal assessment to determine the nature and scope of the breach. This assessment may include evaluating the categories and volume of personal data affected, the number of individuals potentially impacted, the sensitivity of the data involved, and the likelihood and severity of any resulting risk to the rights and freedoms of individuals.

Where a personal data breach is likely to result in a risk to individuals’ rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the General Data Protection Regulation (GDPR). Where notification cannot be made within this timeframe, the reasons for delay will be documented and communicated as required by law.

If a breach is likely to result in a high risk to individuals, we will also inform affected individuals without undue delay, unless an exception under applicable law applies — for example, where appropriate technical and organisational measures have rendered the data unintelligible to unauthorised persons.

In parallel with any required notifications, we will take reasonable steps to contain the incident, mitigate potential adverse effects, and implement corrective measures designed to reduce the likelihood of recurrence. This may include reviewing internal processes, strengthening security safeguards, or enhancing monitoring mechanisms where appropriate.

Our approach to breach response reflects our broader commitment to accountability, transparency, and the responsible handling of personal data.

19 | Children’s Data

The Services provided through Wisdom of Soma are designed for individuals who are at least eighteen (18) years of age. We do not intentionally target, solicit, or knowingly collect personal data from minors.

We recognise that the protection of children’s personal data requires particular care under applicable data protection legislation. Accordingly, if we become aware that personal data has been collected from an individual under the age of eighteen without an appropriate legal basis, including valid parental consent where required, we will take reasonable steps to investigate the matter and delete such data without undue delay.

If a parent or legal guardian believes that a minor has provided personal data to us, they are encouraged to contact us using the details set out in this Privacy Policy. We will review the information promptly and take appropriate corrective action where necessary.

This section is intended to reinforce that the Services are structured as adult professional coaching services and are not directed toward children.