// legal

Privacy Policy

Last updated: May 2026  ·  Applies to all pages and services operated by Desislava Penkova

01

Who is responsible for your data

The data controller for all personal data collected through this website and its associated tools is:

Desislava Penkova
Execution Architecture
Email: desislava@penkova.outlook.com

If you have any questions about how your data is handled, contact the address above directly.

02

What data is collected and why

Data is collected only when you actively submit it through this site. The table below covers every collection point.

Where collected Data collected Why
Assessment gate Full name, work email, company, phone (optional), WhatsApp (optional) To send results and follow up regarding the engagement
Pre-work intake form Answers to 5 session preparation questions To prepare for the booked session. Read before the call, not during it.
Payment page No payment data is collected directly. Payment is processed by Stripe under their own privacy policy.

No data is collected passively through tracking pixels, advertising cookies, or third-party analytics beyond what is described in Section 5.

03

Legal basis for processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, data is processed on the following legal bases:

Processing activity Legal basis
Sending assessment results Consent — given explicitly at the assessment gate before results are shown
Following up about services Consent — given explicitly at the assessment gate
Preparing for a booked session Legitimate interest — directly related to a service you have requested
Processing payment Contract performance — necessary to complete the engagement you have agreed to

Consent can be withdrawn at any time by contacting desislava@penkova.outlook.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

04

How long data is kept

Data is kept only as long as necessary for the purpose it was collected.

Data type Retention period
Assessment submissions (no booking) 12 months from submission date
Pre-work intake answers Duration of the engagement plus 6 months
Client engagement data 5 years from end of engagement for legal and accounting purposes

After the applicable retention period, data is permanently deleted from all systems.

05

Third parties and data sharing

Personal data is never sold, rented, or shared with third parties for marketing purposes. Data may be processed by the following service providers as part of operating this site:

Service Purpose Location
GoHighLevel (GHL) CRM. Stores contact records and session notes. United States (SCCs in place)
Stripe Payment processing. Operates under its own privacy policy. United States (SCCs in place)
Calendly Session booking. Processes name and email to confirm appointments. United States (SCCs in place)

SCCs refers to Standard Contractual Clauses — the EU-approved mechanism for lawful data transfers to countries outside the EEA. Each provider listed above operates under their own privacy policy and is contractually bound to handle data only as instructed.

06

Your rights

Under GDPR and equivalent regulations, you have the following rights regarding your personal data:

Access Request a copy of the personal data held about you.
Correction Request that inaccurate or incomplete data is corrected.
Deletion Request that your data is deleted, subject to legal retention obligations.
Portability Request your data in a structured, machine-readable format.
Objection Object to processing carried out on the basis of legitimate interest.
Withdraw consent Withdraw consent at any time without affecting prior processing.

To exercise any of these rights, contact desislava@penkova.outlook.com. Requests are responded to within 30 days. If you believe your data has been mishandled, you have the right to lodge a complaint with your national data protection authority.

07

Cookies and tracking

This site does not use advertising cookies, tracking pixels, or third-party analytics. No cookie consent banner is required because no non-essential cookies are set.

Session functionality may use strictly necessary cookies to maintain state across pages. These cookies are not used to identify you across sites and do not require consent under GDPR.

08

Changes to this policy

This policy may be updated when services or data practices change. The date at the top of this page reflects the most recent revision. Material changes will be communicated directly to active clients by email.

Questions about this policy?

Contact: desislava@penkova.outlook.com

Response within 2 business days.