Data Privacy & GDPR Consent

Core Values Recovery

Effective Date: February 2026

Purpose

This policy explains how Core Values Recovery (CVR) collects, uses, stores, and protects student data in compliance with:

  • General Data Protection Regulation (GDPR)
  • International Coaching Federation (ICF) accreditation requirements
  • U.S. data privacy best practices

What Data We Collect

Required for Program Delivery

We collect only the minimum data necessary to run an ICF-accredited training program:

Enrollment & Contact:

  • Full legal name
  • Email address
  • Phone number
  • Mailing address (for certificate delivery)
  • Emergency contact information

Academic Records:

  • Session attendance records
  • Assignments and reflections (submitted work)
  • Observed coaching session recordings (minimum 5 per student)
  • Performance evaluation results
  • Final certification status (pass/fail)
  • Transcript of hours completed

Financial Records:

  • Payment plan selections
  • Payment history
  • Refund requests and resolutions

ICF Compliance Data:

  • Enrollment date
  • Completion/graduation date
  • Credential pathway (ACC Track)
  • Opt-in consent for ICF to contact you (required for graduation)

Optional Data (You Choose)

We only collect these with explicit consent:

Professional Development:

  • LinkedIn profile (for alumni directory)
  • Website URL (for referral network)
  • Business name and contact info (for alumni directory)
  • Areas of coaching specialization

Marketing & Testimonials:

  • Photo/headshot (for success stories)
  • Video testimonial recording
  • Written testimonial with attribution
  • Permission to share outcomes publicly

Alumni Engagement:

  • Preferred communication channels
  • Interest areas for continuing education
  • Job board preferences

How We Use Your Data

Primary Uses (Required for Program Delivery)

Academic Administration:

  • Track attendance and participation
  • Grade assignments and performance evaluations
  • Issue certificates of completion
  • Maintain transcripts

ICF Compliance:

  • Report graduation data to ICF (name, email, dates, hours completed)
  • Respond to ICF accreditation audits
  • Submit sample performance evaluations for validation

Program Improvement:

  • Analyze aggregate success rates (no individual identification)
  • Review student feedback to improve curriculum
  • Track outcomes for evidence-based claims

Student Support:

  • Contact you about program updates or schedule changes
  • Send course materials and resources
  • Provide mentor coaching and performance feedback
  • Respond to your support requests

Alumni Services (Opt-In):

  • Add you to alumni directory for peer referrals
  • Send continuing education opportunities
  • Share job postings and partnership opportunities
  • Invite you to alumni events

Marketing (Opt-In):

  • Share your success story (anonymously or with attribution)
  • Use aggregate outcomes in promotional materials
  • Feature you in case studies or testimonials

Research (Opt-In):

  • Follow up on long-term coaching outcomes
  • Invite participation in curriculum research
  • Share findings with the recovery coaching field

Data Storage & Security

Where We Store Data

Secure Platforms:

  • Student records: Encrypted cloud storage (Google Workspace, enterprise tier)
  • Session recordings: Password-protected cloud storage with expiration dates
  • Financial records: Encrypted database with access controls
  • Communications: End-to-end encrypted email (ProtonMail) for sensitive topics

Access Controls:

  • Only authorized CVR staff can access student data (Director of Education + Program Coordinator)
  • Faculty can only access data for students they’re directly teaching/evaluating
  • Two-factor authentication required for all admin accounts

Retention Periods:

  • Active students: Data retained throughout enrollment + 2 years post-graduation (ICF requirement)
  • Alumni directory (opt-in): Retained until you request removal
  • Financial records: 7 years (U.S. tax compliance)
  • Session recordings: Deleted 90 days after performance evaluation is complete (unless you request a copy)

Security Measures

Technical Safeguards:

  • 256-bit AES encryption for stored data
  • TLS 1.3 encryption for data in transit
  • Regular security audits and penetration testing
  • Automated backups with 30-day retention
  • Disaster recovery plan with 24-hour RTO

Organizational Safeguards:

  • Annual staff training on data privacy
  • Written data handling procedures
  • Vendor agreements with GDPR-compliant partners
  • Incident response plan for data breaches

Your Rights Under GDPR

Right to Access

What it means: You can request a copy of all data we have about you.

How to exercise: Email privacy@bearecoverycoach.com with subject line “Data Access Request.”

Timeline: We’ll provide your data within 30 days, in a portable format (CSV/PDF).

Right to Correction

What it means: You can update or correct inaccurate data.

How to exercise: Email privacy@bearecoverycoach.com with corrections. We’ll update within 7 business days.

Right to Deletion (“Right to be Forgotten”)

What it means: You can request deletion of your data.

Limitations:

  • We cannot delete data required for ICF compliance (2 years post-graduation).
  • We cannot delete financial records required for tax compliance (7 years).
  • We may retain anonymized aggregate data for research.

How to exercise: Email privacy@bearecoverycoach.com with subject line “Data Deletion Request.” We’ll delete all eligible data within 30 days and confirm completion.

Right to Restriction

What it means: You can limit how we use your data.

Example: “Don’t use my data for marketing, but keep it for program delivery.”

How to exercise: Email privacy@bearecoverycoach.com specifying restrictions.

Right to Data Portability

What it means: You can get your data in a machine-readable format to transfer elsewhere.

How to exercise: Email privacy@bearecoverycoach.com with subject line “Data Portability Request.” We’ll provide CSV/JSON files within 30 days.

Right to Object

What it means: You can object to specific data uses (e.g., marketing, research).

How to exercise: Email privacy@bearecoverycoach.com or click “Unsubscribe” in any marketing email.

Right to Withdraw Consent

What it means: You can revoke consent for optional data uses at any time.

How to exercise: Email privacy@bearecoverycoach.com. Changes take effect within 48 hours.


Data Sharing

Who We Share With

Required Sharing (ICF Compliance):

  • International Coaching Federation (ICF): Name, email, enrollment/graduation dates, hours completed, credential pathway
  • ICF purpose: Verify program completion for credential applications
  • Opt-in required: Yes (you must consent for ICF to contact you, or you cannot graduate)

Service Providers (GDPR-Compliant):

  • Google Workspace: Email, file storage, calendar (Business Associate Agreement in place)
  • Zoom: Video conferencing for live sessions (encrypted, recordings deleted per schedule)
  • Stripe: Payment processing (PCI-DSS compliant, we never see full credit card numbers)

Never Shared:

  • We do not sell or rent student data to third parties.
  • We do not share data with marketing affiliates without opt-in consent.
  • We do not use student data to train AI models without explicit consent.

International Data Transfers

ICF is headquartered in the United States. By consenting to ICF data sharing, you acknowledge that your data will be transferred to the U.S. and processed under U.S. privacy laws (which may differ from GDPR standards).

Safeguards:

  • ICF is Privacy Shield-certified (or equivalent framework)
  • Data transfer agreements include Standard Contractual Clauses (SCCs)

Data Breach Notification

If We Experience a Breach

Within 72 hours:

  • We’ll notify all affected students via email
  • We’ll report to relevant data protection authorities (if GDPR applies)

Our notification will include:

  • What data was compromised
  • What we’re doing to mitigate harm
  • Steps you can take to protect yourself (e.g., password reset, credit monitoring)

We commit to:

  • Full transparency about what happened
  • Forensic investigation to prevent recurrence
  • Offering identity theft protection services if financial data was exposed

Form 1: Required Data Collection (Program Enrollment)

I consent to CVR collecting and processing the following data for program delivery:

  • Contact information (name, email, phone, address)
  • Academic records (attendance, assignments, session recordings, evaluations)
  • Financial records (payment history)

Yes, I consent (required to enroll)

Form 2: ICF Data Sharing (Required for Graduation)

I consent to CVR sharing the following data with ICF:

  • Name, email, enrollment date, graduation date, hours completed, credential pathway

I understand:

  • ICF may contact me to verify program completion
  • ICF will process my data under U.S. privacy laws
  • Without this consent, I cannot receive a certificate of completion

Yes, I consent to ICF data sharing (required to graduate)

Form 3: Alumni Directory (Optional)

I consent to CVR including my profile in the alumni directory:

  • Name, email, website, business name, coaching specializations

I understand:

  • This is visible to other CVR alumni and referral partners
  • I can request removal at any time

Yes, include me in the alumni directory (optional)
No, do not include me

Form 4: Marketing & Testimonials (Optional)

I consent to CVR using my success story in marketing materials:

  • Written testimonial with my name/photo
  • Video testimonial
  • Aggregate outcomes (e.g., “Our graduates earn X on average”)

I understand:

  • I can specify anonymous vs. attributed use
  • I can revoke this consent at any time

Yes, you may use my testimonial (attributed)
Yes, you may use my testimonial (anonymous only)
No, do not use my testimonial

Form 5: Long-Term Research (Optional)

I consent to CVR contacting me for follow-up research on coaching outcomes:

  • Annual surveys on coaching practice and client results
  • Aggregate findings may be published (anonymously)

Yes, contact me for research (optional)
No, do not contact me for research


Contact & Complaints

Data Privacy Officer

Clay Johnson
Email: privacy@bearecoverycoach.com
Phone: (385) 722-3253

Response time: Within 3 business days for inquiries, 30 days for formal requests.

File a Complaint

If you believe we’ve violated your data privacy rights:

  1. Internal complaint: Email privacy@bearecoverycoach.com
  2. EU residents: File a complaint with your national data protection authority (list of authorities)
  3. U.S. residents: File a complaint with the Federal Trade Commission (ftc.gov/complaint)

Changes to This Policy

We review this policy annually. If we make material changes:

  • We’ll notify all active students via email at least 30 days before changes take effect
  • We’ll re-request consent for any new data uses
  • You can withdraw from the program with a full refund if you don’t agree to changes

Last updated: February 2026
Next review: February 2027


Summary: Your Data, Your Control

We collect only what’s necessary for ICF-accredited training.
You control optional uses (alumni directory, marketing, research).
You can access, correct, or delete your data at any time.
We’ll notify you within 72 hours if there’s a breach.
We never sell your data to third parties.

Questions? Email privacy@bearecoverycoach.com


This policy meets ICF Standard Three requirements for GDPR-compliant student data consent and ICF Standard Two requirements for accessible privacy policies.
