Privacy Policy

Effective Date: 01/01/2023
Last Updated: 24/02/2026

In Short

We collect only the information necessary to run IMMA Collective and deliver our consulting and community services.

We use trusted digital tools to operate our business.
We do not sell your data.
We only send marketing emails if you opt in.
You can request access, correction, or deletion of your data at any time.

Full details are below.

1. Data Controller

This website and the services offered under IMMA Collective are operated by:

Elisabeth Graf
IMMA Collective
via Montorio 60,
37131 Verona
Italy
Email: hello@immacollective.com
Website: www.immacollective.com

For the purposes of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), Elisabeth Graf acts as the data controller.

2. What Personal Data We Collect

We collect and process personal data only when necessary for legitimate business purposes.

a) Information You Provide Directly

  • First and last name
  • Email address
  • Company name
  • Professional role or title
  • Business information shared during applications, calls, or participation in programs
  • Community profile information
  • Responses to forms, quizzes, or applications

b) When You Book a Call (via TidyCal)

  • Name
  • Email address
  • Scheduling details

c) When You Purchase Services (via Stripe)

  • Name
  • Email address
  • Billing address
  • Payment details (processed securely by Stripe; we do not store full credit card details)

d) Marketing Communications

  • Email address, if you choose to subscribe

You may unsubscribe at any time.

e) LinkedIn and Professional Communication

If you engage with us via LinkedIn:

  • Publicly available professional information
  • Communication history
  • Business contact details

We use LinkedIn for individual professional outreach only. We do not engage in mass scraping or automated profiling.

f) Website Usage Data

When you visit our WordPress website, limited technical information may be processed, such as:

  • IP address (where technically necessary)
  • Browser type and device information
  • Basic usage data

We use Simple Analytics, a privacy-focused analytics tool that does not rely on invasive tracking or behavioral profiling.

We do not intentionally collect special categories of data (such as health data, political opinions, religion, ethnicity, or biometric data).

3. Why We Process Your Data

We process personal data to:

  • Respond to inquiries
  • Deliver consulting, advisory, and community services
  • Manage contracts and payments
  • Operate and administer our community platform (Circle)
  • Schedule calls
  • Manage client relationships (via Notion CRM)
  • Support internal workflows and organization
  • Process form submissions and quizzes
  • Securely automate internal processes (Zapier)
  • Comply with legal, accounting, and tax obligations
  • Send marketing communications (only where consent has been given)

4. Legal Basis for Processing

Under GDPR, we rely on the following legal grounds:

  • Contractual necessity (to deliver services you request)
  • Legal obligations (such as accounting and tax compliance)
  • Legitimate interests (such as responding to business inquiries and managing professional relationships, provided these do not override your rights)
  • Consent (for marketing communications)

You may withdraw consent at any time without affecting prior lawful processing.

5. Service Providers (Data Processors)

To operate IMMA Collective, we use trusted third-party service providers who process personal data on our behalf. These may include providers for:

  • Website hosting and infrastructure
  • Community management and email communication
  • Payment processing
  • Appointment scheduling
  • Email and document management
  • Customer relationship management (CRM)
  • Form and quiz processing
  • Workflow automation
  • Website analytics
  • Professional communication management

At the time of writing, key providers include:

  • WordPress
  • Circle
  • Stripe
  • TidyCal
  • Google Workspace
  • Notion
  • Notion AI
  • Tally, Fillout, ScoreApp
  • Kondo
  • Zapier
  • Simple Analytics

From time to time, we may update or change service providers in order to improve our operations, security, or efficiency.

Any such providers will process personal data only on our behalf and will be contractually required to implement appropriate technical and organisational measures to protect personal data in accordance with applicable data protection laws.

You may request an updated list of current processors at any time by contacting us. at hello@immacollective.com

6. International Data Transfers

Some of our service providers may process personal data outside the European Economic Area (EEA), including in the United States.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V GDPR, including:

  • Standard Contractual Clauses approved by the European Commission
  • Participation in the EU–US Data Privacy Framework (where applicable)
  • Other legally recognized transfer mechanisms

You may request further information about these safeguards by contacting us.

7. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected and to comply with legal obligations.

In particular:

  • Contract and billing data: retained for up to 10 years in accordance with Italian tax law
  • Client relationship data: retained for the duration of the collaboration and a reasonable period thereafter
  • Inquiry data (non-clients): periodically reviewed and deleted if no longer necessary
  • Marketing data: retained until you unsubscribe or withdraw consent
  • Community data: retained for the duration of membership and a reasonable period thereafter

After the applicable retention period, data is securely deleted or anonymized.

8. Your Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Request erasure of your data
  • Restrict processing
  • Object to processing based on legitimate interest
  • Request data portability
  • Withdraw consent at any time

To exercise your rights, contact:
hello@immacollective.com

We will respond within one month as required by GDPR.

You also have the right to lodge a complaint with the Italian supervisory authority:

Garante per la Protezione dei Dati Personali
www.garanteprivacy.it

9. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Secure cloud-based systems
  • Encrypted connections (HTTPS/SSL)
  • Access controls and role-based permissions
  • Two-factor authentication where available
  • Limiting access to personal data to what is necessary

While we take reasonable steps to protect data, no online system can guarantee absolute security.

10. Marketing Communications

If you opt in to receive marketing emails, you may unsubscribe at any time using the unsubscribe link in our emails or by contacting us directly.

We do not sell or rent personal data.

11. Automated Decision-Making

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.

12. Updates to This Policy

We may update this Privacy Policy from time to time. The most recent version will always be published on this page with an updated revision date.