Privacy Statement
This Privacy Statement explains how we collect, use, and protect personal data when you use goalsandprogress.com, the Life Goals Workbook sold through Gumroad, the Life Goals Companion App at /lifegoalsapp/, and the email newsletter (together, the “Services”). It applies to data subjects in Switzerland, the European Economic Area, the United Kingdom, and any other jurisdiction from which the Services are accessed.
1. Who is responsible
The data controller within the meaning of Art. 5 lit. j of the revised Swiss Federal Act on Data Protection (FADP) and Art. 4(7) of Regulation (EU) 2016/679 (GDPR) is:
Ramon Landes, sole proprietorship
Spitzengeerstrasse 11
8606 Naenikon, canton of Zurich
Switzerland
Contact for all privacy matters: support@goalsandprogress.com.
We have not appointed a Data Protection Officer. Designation is not mandatory for the Controller under Art. 37(1) GDPR or Art. 10 FADP because our processing does not consist of large-scale regular monitoring or large-scale processing of special-category data. Privacy questions are answered personally at the contact address above.
2. What we collect, why, and how long we keep it
| Data category | Purpose | Legal basis | Retention |
|---|---|---|---|
| Server access logs at the hosting provider (IP address, user agent, requested URL, timestamp) | Operate the website, defend against abuse, debug errors | GDPR Art. 6(1)(f) legitimate interest in secure operation; FADP Art. 31(2)(d) | Up to 30 days at the hosting provider |
| Aggregated, cookieless analytics for the App (page view, country derived from IP, device class, referrer) | Understand which pages and surfaces visitors find useful | GDPR Art. 6(1)(f) legitimate interest in measuring service performance; FADP Art. 31(2)(d) | Aggregated indefinitely by Plausible; no individual record retained |
| Cookies and similar terminal-storage technologies set by analytics, advertising-measurement, and chat tools on the website (see the Cookie Policy for the current inventory) | Audience measurement, conversion tracking, live chat | GDPR Art. 6(1)(a) consent via cookie banner; ePrivacy Directive 2002/58/EC Art. 5(3); Swiss FMG Art. 45c | Per cookie lifetimes listed in the Cookie Policy |
| Email address and any voluntary information you provide on Newsletter signup | Send the email newsletter | GDPR Art. 6(1)(a) explicit consent via double opt-in; FADP Art. 31(1) | Until you unsubscribe, plus a short suppression record on legitimate-interest basis to prevent re-mailing |
| Order data for the Workbook (name, email, billing country, transaction reference), processed by Gumroad Inc. as merchant of record | Process your purchase, deliver the product, handle refunds, comply with tax and accounting law | GDPR Art. 6(1)(b) performance of contract; GDPR Art. 6(1)(c) legal obligation; FADP Art. 31(2)(a) | Ten years from the end of the calendar year of the transaction, per Swiss commercial-record retention obligations (Swiss Code of Obligations Art. 958f, Swiss VAT Act Art. 70). Card data is held by Stripe as Gumroad’s payment processor under their own retention rules. |
| Testimonial or feedback content you submit through Senja | Collect customer testimonials with explicit consent; improve the product | GDPR Art. 6(1)(a) consent given on the Senja form; FADP Art. 31(1) | Until you withdraw consent, or until the testimonial is no longer used (whichever is earlier) |
| Customer support correspondence | Respond to enquiries, resolve issues, evidence the support interaction | GDPR Art. 6(1)(b) performance of contract; Art. 6(1)(f) legitimate interest | Three years from the close of the support ticket |
| App local data (your goals, milestones, journal entries, habit logs) stored only in your browser’s localStorage on your device | Provide the App’s planning functionality | Not transmitted to the Controller; the Controller has no technical access | On your device until you clear browser storage |
| App data synced to your personal Dropbox (optional; only if you connect Dropbox) | Allow you to back up and sync your plan across your own devices | GDPR Art. 6(1)(b) performance of the sync feature you requested | In your Dropbox under your control; the Controller has no access |
We do not process special-category personal data within the meaning of Art. 9 GDPR or sensitive personal data within the meaning of Art. 5 lit. c FADP, except to the extent you voluntarily include it in a testimonial, support message, or planning entry stored on your own device.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR).
3. Cookies
The website uses cookies and similar terminal-storage technologies. Strictly necessary cookies load without consent; all others load only after you give consent via the cookie banner. You can withdraw consent at any time via the consent management link in the footer of the website; relevant cookies are deleted on the next page load. A full per-cookie inventory is maintained at the Cookie Policy.
The App at /lifegoalsapp/ sets zero first-party cookies. Plausible analytics is cookieless by design. Third parties listed in Section 4 may set cookies on their own domains when their scripts or assets load.
4. Third parties we share data with
The following third parties process personal data on our behalf or receive personal data through technical integrations. “DPF” means the recipient is self-certified under the EU-US Data Privacy Framework and the Swiss-US DPF (Commission Implementing Decision (EU) 2023/1795). “SCCs” means the European Commission Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021).
| Recipient | Country | Role | Transfer mechanism |
|---|---|---|---|
| Hosting provider | European Union | Server hosting for the Site, processor | Within EEA; no transfer needed |
| Gumroad Inc. | United States | Merchant of record for Workbook sales; processes payment, taxes, and delivery | DPF |
| Stripe (via Gumroad) | United States | Payment card processing on Gumroad’s behalf | DPF; SCCs in Stripe’s DPA with Gumroad |
| Plausible Insights OÜ | Estonia, EU | Cookieless analytics for the App | Within EEA; no transfer needed |
| Senja Pty Ltd | Australia | Testimonial and feedback collection | Australia has partial adequacy; SCCs apply for non-adequate scenarios |
| Dropbox Inc. (only if you connect Dropbox) | United States | App-folder sync of your planning file at your request | DPF; SCCs in Dropbox API terms |
| Google LLC (Google Fonts) | United States | Font delivery; sees IP and basic browser info, no cookies set | DPF |
| Adobe Inc. (Adobe Fonts / Typekit) | United States | Font delivery; sees IP, may set a font-serving cookie on its own domain | DPF |
| Cloudflare Inc. (unpkg, cdnjs) | United States | Content delivery network for app icons and lazy-loaded image-export library | DPF |
| QR-code generation API | Cyprus | Generates the QR code for the App’s calendar-reminder feature, only when used | Within EU; no transfer needed |
| Email service provider | European Union | Delivery of the Newsletter, processor | Within EEA; no transfer needed |
| Web analytics, advertising-pixel, and live-chat third parties listed in the Cookie Policy | Various (mostly US) | Audience measurement, conversion tracking, live chat | DPF or SCCs as applicable; see the Cookie Policy for the per-tool inventory |
We do not sell personal data, share personal data for cross-context behavioural advertising, or use personal data for profiling that produces legal effects.
5. Transfers outside Switzerland and the EEA
Where personal data is transferred to a recipient outside Switzerland and the EEA, we rely on one of the following safeguards, in this order of preference: an adequacy decision of the European Commission or the Swiss Federal Council; the recipient’s self-certification under the EU-US Data Privacy Framework (and the Swiss-US DPF for transfers originating in Switzerland); or the European Commission Standard Contractual Clauses (Decision (EU) 2021/914) combined with supplementary measures where required by the Court of Justice judgment of 16 July 2020 in case C-311/18 (Schrems II).
6. Your rights
Under Swiss FADP and the EU GDPR, you have the right to:
- access personal data we hold about you and receive information about how it is processed (Art. 15 GDPR; Art. 25 FADP);
- rectify inaccurate or incomplete data (Art. 16 GDPR; Art. 32(1) FADP);
- erase personal data in certain circumstances (Art. 17 GDPR; Art. 32(2) FADP);
- restrict processing in certain circumstances (Art. 18 GDPR);
- receive your data in a structured, machine-readable format and transmit it to another controller (Art. 20 GDPR; Art. 28 FADP);
- object to processing based on legitimate interests (Art. 21 GDPR);
- withdraw consent for processing based on consent, without affecting the lawfulness of prior processing (Art. 7(3) GDPR);
- lodge a complaint with a supervisory authority (Section 9 below).
To exercise these rights, write to support@goalsandprogress.com from the address associated with the relevant data, or include enough information for us to verify your identity. We respond within one month of receipt, extendable by a further two months for complex or numerous requests with notification within the first month (GDPR Art. 12(3)). No fee is charged unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act (Art. 12(5) GDPR).
For data held only in your browser’s localStorage (your App planning data), you exercise these rights yourself by editing the data in the App or by clearing your browser storage. We have no copy.
7. Security
The Site is served over HTTPS. Newsletter, support, and order communications are sent through reputable providers with their own security measures. App planning data stays on your device unless you actively save a file or connect Dropbox. We take reasonable technical and organisational measures to protect personal data against accidental loss, unauthorised access, and unauthorised disclosure, but no internet-based service can be guaranteed perfectly secure.
8. Children
The Services are not designed for users under 16 in the EU, EEA, Switzerland, or the United Kingdom, or under 13 in the United States. We do not knowingly collect personal data from children below these ages. If you believe we have, please contact us at support@goalsandprogress.com and we will delete it.
9. Complaints
If you believe we are processing your personal data unlawfully, please contact us first at support@goalsandprogress.com so we can try to resolve the issue. You also have the right to lodge a complaint with a data protection authority:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern, Switzerland
edoeb.admin.ch
If you are in the EU, you may also lodge a complaint with the supervisory authority of your usual place of residence, your place of work, or where the alleged infringement took place.
10. Changes to this Statement
We may update this Statement to reflect changes in the Services, applicable law, or processors. We will update the “Last updated” date at the top. For material changes (in particular changes that affect the categories of data we collect, the legal basis for processing, or the recipients), we will post a notice on the website for at least 30 days; where the change concerns consent-based processing, we will request renewed consent before the change takes effect.
11. Contact
Questions about this Statement or about your personal data: support@goalsandprogress.com.