Skip to content
Kia Ora Healing · Valentina Mercadantekia ora healing
IT

Privacy

How I handle your data.

Last updated: 2026-06-09

This page describes how I handle the personal data collected through kiaorahealing.com. Processing complies with the Swiss Federal Act on Data Protection (FADP) and, where applicable, EU Regulation 2016/679 (GDPR).

Data controller

Valentina Mercadante, Biasca (TI), Switzerland. For any question about your data, write to valentina@kiaorahealing.com.

What I collect and why

I keep what's necessary for the services I offer online. Nothing more.

  • Newsletter sign-up. When you leave your email, I store: your address, the date you subscribed, your chosen language, and which welcome messages have already been sent. Lawful basis: your consent.
  • Transactional emails. Once you subscribe, I send you a free practice video and a short welcome sequence (at +2 and +5 days). You can unsubscribe at any time using the link at the bottom of every email.
  • Direct messages. If you email me to book a treatment or ask a question, I keep the exchange so I can reply and stay in context. Lawful basis: performance of your request.
  • Booking a treatment. When you book an appointment through the site, I store: your name, the email or phone number you leave, the chosen date and time, and any note you add. They are used to manage the appointment and to reach you if needed. Lawful basis: performance of your request.
  • Enrolment in a paid journey. When you enrol in a paid online journey (for example 21 Days of Wellbeing), I collect your name and email and process your payment. Full card details never pass through my systems: they are handled directly by Stripe. Lawful basis: performance of the contract.
  • Bot protection. The sign-up form uses Vercel BotID to tell humans from automated agents. This involves an anonymous technical check of your browser. Lawful basis: legitimate interest in protecting the service.

Who I trust with technical storage

To run this site I work with a small number of providers ("processors" under GDPR), chosen for their data-protection track record:

  • Vercel Inc. (United States): site hosting and the scheduled cron that sends the newsletter follow-ups. Servers run in Europe.
  • Supabase (servers in Switzerland, Zurich region): stores the subscriber list and the video materials.
  • Resend Inc. (United States): sends transactional and welcome emails.
  • Stripe Payments Europe (Ireland, with processing also in the United States): handles journey enrolment payments (card and TWINT). Full card details are managed by Stripe under the PCI-DSS standard and are never stored on my systems.
  • PostHog (data stored in the European Union): aggregate, anonymous site-usage statistics, without cookies, without screen recording, and without identifying data.

Where processing takes place outside Switzerland or the European Economic Area, I rely on providers that implement standard contractual safeguards (Standard Contractual Clauses) and on European-region storage where available.

Cookies and tracking

This site does not use profiling cookies, does not integrate ad tech, and does not share your data with social platforms. To understand how the site is used I use Vercel Web Analytics and PostHog: they collect aggregate, anonymous traffic and usage statistics, without cookies and without identifying you.

How long I keep the data

  • Active subscribers: until you unsubscribe or request deletion.
  • Unsubscribed: I keep your email as a technical marker to avoid accidentally re-adding you. If you'd like that marker removed too, just write to me.
  • Direct emails: kept as long as they remain useful to our conversation, then archived or deleted.
  • Bookings: kept to manage the appointments and then for as long as Swiss accounting obligations require, when the treatment is followed by a payment.
  • Enrolments and payments: I keep enrolment records and receipts for as long as required by Swiss accounting and tax obligations.

Your rights

You have the right to ask me to: access your data, correct it, delete it, restrict its processing, receive it in a readable format (portability), and object to processing. To exercise any of these rights, just write to valentina@kiaorahealing.com. I reply personally within a few days.

If you believe the processing is not compliant, you can contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) in Bern, or the supervisory authority of your country of residence in the EU.

Changes

If anything substantial changes in how I handle data, I'll update this page and the date at the top. The previous version remains available on request.