top of page

Privacy Policy

Last updated: 4th March 2026

1. Who we are (data controller)

This website is operated by:

Paloma Schwarz – Little Sanctuary
24, rue de la Montagne
6962 Senningen
Luxembourg

Email: info@little-sanctuary.com
Website: www.little-sanctuary.com

Little Sanctuary offers workshops, retreats, coaching sessions and other wellbeing services for mothers.
Little Sanctuary, operated by Paloma Schwarz, is the data controller for the personal data processed via this website and in connection with our services.

We have not appointed a Data Protection Officer (DPO). For all privacy‑related questions, please contact us using the details above.​

2. What personal data we collect

We may collect and process the following categories of personal data when you interact with us:

  • Identification and contact details: name, email address, phone number, postal address.

  • Booking and participation data: event or workshop you register for, dates, attendance, dietary or accessibility preferences you choose to share.

  • Payment and billing information: billing address, payment amount, basic transaction details (payment is processed by third‑party providers; see section 5).​

  • Communication data: information you provide when you contact us (for example by email, contact form, or newsletter sign‑up) and any follow‑up correspondence.

  • Website usage data: IP address, device type, browser type, pages visited, date and time of visits, and other technical information collected via cookies and similar technologies (see section 7).

We generally do not collect sensitive (special category) personal data through the website.
However, during workshops, retreats or coaching sessions you may voluntarily share information about your physical or emotional wellbeing, which may qualify as health data under the GDPR.

We only record and process such information where it is clearly necessary for providing our wellbeing/coaching services, where you choose to share it, and only with your explicit consent.
We keep such information minimal, confidential and for no longer than necessary for the purposes described in this policy and to comply with legal or insurance obligations.

3. How we collect your data

We collect personal data directly from you when you:

  • contact us via the website contact form or by email

  • register for workshops, retreats or other events

  • purchase services from us

  • subscribe to our newsletter or mailing list

  • participate in coaching sessions or wellbeing activities

  • interact with our website (through cookies and analytics tools, where applicable)

We may also receive limited technical or usage data from third‑party services that support our website and analytics (see sections 6 and 7).​

4. Purposes and legal bases for processing

We process your personal data for the following purposes and on the following legal bases, in accordance with Article 6 and, where relevant, Article 9 GDPR.

  1. Provision of services and bookings

    • To register you for workshops, retreats and events, provide coaching sessions, manage your participation, and communicate practical details.

    • Legal basis: performance of a contract or steps taken at your request prior to entering into a contract (Article 6(1)(b) GDPR).

  2. Handling inquiries and communication

    • To respond to your questions, requests or feedback via email or contact form.

    • Legal basis: our legitimate interests in communicating with you and running our business effectively (Article 6(1)(f) GDPR).

  3. Payments and accounting

    • To process payments, issue invoices and comply with tax/accounting obligations.

    • Legal basis: performance of a contract (Article 6(1)(b)) and legal obligations (Article 6(1)(c)).

  4. Newsletters and marketing communications

    • To send you newsletters, updates and information about events or services, if you have subscribed or otherwise explicitly asked to receive them.

    • Legal basis: your consent (Article 6(1)(a)). You may withdraw your consent at any time by using the unsubscribe link or contacting us.

  5. Website operation and improvement

    • To operate and secure the website, understand how visitors use it and improve our services (for example via analytics).

    • Legal basis: our legitimate interests in maintaining, protecting and improving our website and services (Article 6(1)(f)), and, for non‑essential cookies/analytics, your consent via the cookie banner (Article 6(1)(a)).

  6. Wellbeing and health‑related information

    • To support you in wellbeing and coaching contexts where you voluntarily share information relating to your health, emotions or personal situation.

    • Legal basis: your explicit consent (Article 6(1)(a) and Article 9(2)(a)), and, where applicable, that processing is necessary for the provision of wellbeing/coaching services you request, subject to strict confidentiality and minimal recording.

  7. Legal claims and compliance

    • To establish, exercise or defend legal claims, and to comply with regulatory, tax and other legal obligations.

    • Legal basis: legal obligations (Article 6(1)(c)) and our legitimate interests in protecting our rights (Article 6(1)(f)).​

Where we rely on legitimate interests, we balance our interests against your rights and interests and only process personal data where they are not overridden.

5. Payments

Payments for services may be processed through third‑party payment providers such as:

  • Stripe

  • PayPal

These providers process your payment information directly and in accordance with their own privacy policies.
We do not store full credit card details on our servers.

During payment, your data may be transferred outside the European Economic Area (EEA), for example to the United States, by these providers.
Where such transfers occur, they are carried out under appropriate safeguards, such as the use of Standard Contractual Clauses or other mechanisms permitted under the GDPR, as described in the providers’ privacy notices.

6. Third‑party service providers (recipients of data)

We use trusted third‑party service providers to help us operate our website and business.
These providers only process your personal data on our documented instructions and where necessary to provide their services.

These may include:

  • Website hosting and infrastructure: Wix.com Ltd (website platform and hosting)

  • Payment processing: Stripe, PayPal

  • Email and newsletter services: Kit

  • Analytics tools: Google Analytics (if enabled)

Some of these providers may be located outside the EEA (for example in the United States).
In such cases, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or equivalent mechanisms, to protect your personal data in accordance with GDPR requirements.

We may also share personal data with professional advisers (such as accountants, lawyers, or insurers) where necessary to comply with legal obligations or to protect our legal rights.​

We do not sell your personal data to third parties.​

7. Cookies and website analytics

Our website uses cookies and similar technologies.
Cookies are small text files stored on your device that help the site function and provide us with information about how it is used.

We use the following types of cookies:

  • Strictly necessary cookies: required for the website to function properly (for example, security and session cookies).

  • Preference cookies: to remember your settings (such as language preferences).

  • Analytics cookies (if enabled): to collect information about how visitors use our site (pages visited, time spent, browser type, approximate location based on IP address, etc.) so we can improve our content and services.

If we use Google Analytics or similar tools:

  • IP anonymisation is enabled where possible, so that your full IP address is not stored.

  • Analytics cookies are only set with your consent via the cookie banner.

  • Data is used in aggregated form to understand trends and usage patterns.

You can manage or disable cookies through your browser settings.
If you disable non‑essential cookies, some features of the website may not function optimally, but the site will still be accessible.

Further details are provided in our cookie banner and/or cookie settings tool, where you can update your preferences at any time.

8. Data retention

We retain personal data only for as long as necessary for the purposes described in this policy or to comply with legal, accounting and insurance obligations.

Typical retention periods are:

  • Contact and inquiry data: up to 12 months after our last communication, unless needed longer in connection with services or legal claims.

  • Client and booking records (including invoices): for the duration of the relationship and then for 6–10 years, according to applicable tax and accounting laws and professional insurance requirements.

  • Newsletter subscription data: until you unsubscribe, plus a short period to record your opt‑out.

  • Coaching notes and wellbeing‑related information: for the duration of the coaching relationship and, where required by insurance or professional standards, up to  6 years after the end of the relationship.

  • Cookie and analytics data: according to the retention settings of the relevant tools, usually between a few months and 2 years (see cookie/analytics provider documentation).

Where we cannot specify exact periods, we use criteria based on the nature of the data, the context and the potential risk, and we regularly review the need to keep the data.

9. Data security

We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

These measures may include:

  • Secure website hosting and encrypted connections (HTTPS)

  • Access controls and authentication measures

  • Keeping software up to date and using security tools provided by our hosting platform

  • Limiting access to personal data to those who need it for their role and have confidentiality obligations

However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.​

10. Children’s data

Our services are primarily intended for adults.
In cases where activities involve children (for example family workshops), any personal data relating to minors is provided and managed by a parent or legal guardian.

We do not knowingly collect personal data directly from children without parental consent.
If you believe that a child has provided us with personal data without parental consent, please contact us so that we can take appropriate action.​

11. Your rights under GDPR

If you are located in the European Economic Area (EEA), you have the following rights in relation to your personal data, subject to the conditions and exemptions set out in the GDPR:

  • Right of access: to obtain confirmation whether we process your personal data and receive a copy.

  • Right to rectification: to have inaccurate or incomplete data corrected.

  • Right to erasure: to request deletion of your personal data in certain circumstances (“right to be forgotten”).

  • Right to restriction of processing: to request that we restrict the processing of your data in certain cases.

  • Right to object: to object, on grounds relating to your particular situation, to processing based on our legitimate interests, and to object at any time to processing for direct marketing.

  • Right to data portability: to receive the personal data you have provided to us in a structured, commonly used and machine‑readable format and, where technically feasible, to have it transmitted to another controller.

  • Right to withdraw consent: where processing is based on your consent, you may withdraw your consent at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise these rights, please contact us at info@little-sanctuary.com.
We may need to verify your identity before responding and we will respond without undue delay and in any event within one month, in accordance with GDPR.

You also have the right to lodge a complaint with your national data protection authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
In Luxembourg, this is the Commission nationale pour la protection des données (CNPD) (www.cnpd.public.lu).

12. Changes to this policy

We may update this privacy policy from time to time, for example to reflect changes in our services, legal requirements or how we process personal data.

The updated version will always be posted on this page and will take effect when it is published.
Where appropriate, we may also notify you of important changes by email or by displaying a notice on the website.​

13. Contact

If you have any questions about this privacy policy or how we handle your personal data, please contact:

Paloma Schwarz – Little Sanctuary
Email: info@little-sanctuary.com
Address: 24, rue de la Montagne, 6962 Senningen, Luxembourg

PRIVACY POLICY

CONTACT

©2026  Paloma Schwarz

bottom of page