Privacy Policy
Effective Date: 20 February 2026
Last Updated: 20 February 2026
1. Introduction
This Privacy Policy explains how Pediatric Interventions ("PI", "we", "us", or "our") collects, uses, stores, and protects your personal information.
Legal Framework: This Privacy Policy is issued in accordance with:
- Regulation (EU) 2016/679 (General Data Protection Regulation — "GDPR")
- Act No. 110/2019 Coll., on the processing of personal data, as amended
- Act No. 89/2012 Coll., the Civil Code, as amended
This Privacy Policy fulfills the data controller's information obligation towards data subjects pursuant to Article 13 GDPR. We are committed to protecting your privacy and complying with all applicable Czech and EU data protection laws.
Controller & Contact
- Controller: Pediatric Interventions
- Operator: Dita Chapman, conducting business on the basis of and within the scope of trade license
- IČO: 01928112
- Address: Josefa Obadala 3492, 767 01 Kroměříž, Czech Republic
- Contact: dita@pediatricinterventions.com
- Website: www.pediatricinterventions.com
2. Information We Collect
2.1 Information You Provide Directly
When you register for and use our services, we collect the following information:
Registration Information:
- Your name
- Email address
- Phone number
- Billing address
- Payment information (processed through Stripe)
Child and Family Information:
- Child's name, age, and date of birth
- Developmental and medical history
- Current concerns and challenges
- Educational and therapeutic support history
- Family background and context
Health and Medical Information:
- Medical documents you upload to your client dashboard
- Information about your child's diagnoses, medications, and treatments
- Developmental assessments and evaluations
- Functional laboratory test results (provided to you by third-party laboratories)
- Progress observations and updates you record in your dashboard
Communication Information:
- Content of consultations (notes, discussions)
- Messages sent through the client dashboard
- Email correspondence
- Any other information you choose to share with us
2.2 Information Collected Automatically
When you access our website and client dashboard, we automatically collect:
Technical Information:
- IP address
- Browser type and version
- Device type and operating system
- Access times and dates
- Pages visited and actions taken
Consent Records:
When you register for our services, we record your IP address at time of registration, your browser information (user agent), date and time of consent, which version of our Terms and Privacy Policy you agreed to, and your country and city from registration. This information is collected to demonstrate compliance with data protection laws (GDPR Article 7) and to maintain a verifiable record of your consent.
Cookies: For detailed information about cookies, please see our Cookie Policy.
2.3 Information from Third Parties
We may receive limited information from:
- Stripe — Payment processing information and transaction status (United States)
- Zoom — Technical information about consultation attendance, including meeting attendance records and duration (United States)
- Laboratory Providers (Vibrant Wellness, Nordic Laboratories) — Functional laboratory test results that you authorize them to share with us (United States)
- Total Wellness Empowerment Inc (Health Coach) — Educational interpretation of functional laboratory results. Data shared includes name, age, gender, lab test results, and relevant health history. Legal basis: your explicit consent (Article 9(2)(a) GDPR) and separate Health Coach Service Agreement. Governed by a Data Processing Agreement between Pediatric Interventions and this provider (Article 28 GDPR) (United States)
2.4 Free Consultation Inquiries
If you submit a request for a free consultation but do not register for our services, we collect your name, email address, phone number, and any information you provide in the inquiry form. Legal basis: your consent (Article 6(1)(a) GDPR) and our legitimate interest in responding to your inquiry (Article 6(1)(f) GDPR).
We retain your inquiry information for 30 days to respond to your questions and allow you time to decide whether to proceed with registration. If you do not register within this period, we permanently delete your information. You may request immediate deletion at any time by contacting us at dita@pediatricinterventions.com. If you register for our services, your information becomes part of your client account and is retained according to our standard data retention policy described in Section 9.
3. Legal Basis for Processing
Under the GDPR and Act No. 110/2019 Coll., we must have a legal basis to process your personal information. We rely on the following legal bases:
3.1 Contract Performance (Article 6(1)(b) GDPR)
Processing is necessary to provide the services you have contracted for, including managing your membership and account, providing consultations and support, processing payments, and delivering educational materials and support plans.
3.2 Consent (Article 6(1)(a) and Article 9(2)(a) GDPR)
For processing special categories of personal data (health information), we rely on your explicit consent, which you provide when registering for our services, uploading medical documents to your dashboard, or sharing health information during consultations. You have the right to withdraw your consent at any time by contacting us at dita@pediatricinterventions.com or by using the cancellation function in your client dashboard.
3.3 Legitimate Interests (Article 6(1)(f) GDPR)
We may process certain information based on our legitimate interests in improving our services, ensuring security of our systems, preventing fraud, and responding to legal requests. We only rely on legitimate interests when they do not override your fundamental rights and freedoms.
3.4 Legal Obligations (Article 6(1)(c) GDPR)
We may process your information to comply with legal obligations, including tax and accounting requirements, mandatory reporting obligations (e.g., suspected child abuse), and responding to valid legal requests from authorities.
3.5 Demonstrating Consent (Article 7(1) GDPR)
We are legally required under GDPR Article 7(1) to be able to demonstrate that you have given consent for processing your personal data, particularly your child's health information (special category data under Article 9). To fulfill this legal obligation, we record your IP address at the time of registration, your browser information (user agent string), the date and time you gave consent, which version of our documents you agreed to, and your country and city from registration. This data is retained for the same period as your account data (see Section 9) and is used solely to prove that valid consent was obtained.
4. How We Use Your Information
4.1 Providing Services
Delivering the PI Development Program; conducting intake and monthly consultations; creating and updating your individualized support plan; providing weekly updates and ongoing support; interpreting functional laboratory results for educational purposes; and communicating with you about your child's progress.
4.2 Administrative Purposes
Managing your account and membership; processing payments and maintaining billing records; responding to your inquiries and requests; and sending service-related announcements.
4.3 Service Improvement
Understanding how our services are used, identifying areas for improvement, and developing new educational resources.
4.4 Legal and Safety
Complying with legal obligations, protecting the safety of children and families, preventing fraud or misuse of services, and enforcing our Terms and Conditions.
4.5 Educational Use of Anonymized Data (With Your Consent)
With your separate, optional consent, we may use anonymized case information for educational purposes, including professional webinars and lectures, educational case studies, training materials for healthcare professionals, and educational content for parents and families.
When we use case information for educational purposes, all identifying information is removed (names, photos, specific locations, dates), case details may be modified to prevent identification, and we may combine or aggregate information where possible. This consent is entirely optional and is not required to receive our services. You have the right to withdraw consent at any time by contacting us at dita@pediatricinterventions.com. Note that withdrawal does not apply to anonymized information already published or presented.
5. Information Sharing and Disclosure
5.1 No Sale of Personal Information
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
5.2 Internal Access and Administrative Support
Your personal data may be accessed by:
Primary Therapist: Full access to all client information necessary to provide the PI Development Program services; responsible for all clinical and educational aspects of your program.
Administrative Assistant: Limited access to client information necessary to perform administrative support functions. Role includes scheduling consultations, managing client communications via email and dashboard, organizing documents, and other administrative tasks. Operates as an independent contractor under a Data Processing Agreement (Article 28 GDPR). Location: Czech Republic — all data transfers use end-to-end encrypted email (ProtonMail with AES-256 encryption).
All persons with access to your personal data are bound by strict confidentiality obligations (employment contracts or Data Processing Agreements), trained on GDPR and data protection requirements, subject to access controls limiting access to only necessary information, required to use encrypted communication methods (ProtonMail) for any personal data transfers, and prohibited from using client data for any purpose outside their assigned responsibilities.
Access Principle: We follow the principle of "least privilege" — staff and contractors access only the minimum personal data necessary to perform their specific functions.
Your Rights: You have the right to know who has accessed your data. Contact us at dita@pediatricinterventions.com if you have questions about data access.
5.3 Third-Party Service Providers
We share information with trusted third-party service providers who assist us in operating our services. All third-party providers are contractually required to maintain appropriate security measures and comply with GDPR requirements (Article 28 GDPR).
| Provider | Purpose | Data Shared | Location | Privacy Policy |
|---|---|---|---|---|
| Stripe | Payment processing | Name, email, billing address, payment method | USA | stripe.com/privacy |
| Zoom | Video consultations | Name, email, meeting attendance | USA | zoom.us/privacy |
| Bluehost | Website & dashboard hosting | All data stored on servers | USA | bluehost.com/privacy |
| Google Workspace | Email communications | Email content and attachments | USA | policies.google.com/privacy |
| Kit | Email marketing | First name, email | USA | kit.com/privacy |
| Google Analytics | Website usage analytics (consent required) | IP address, browsing behavior | USA | policies.google.com/privacy |
| Total Wellness Empowerment Inc | Lab result interpretation | Name, age, lab results, health history | USA | Governed by separate Health Coach Service Agreement |
All providers use Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) GDPR). Total Wellness Empowerment Inc operates under a Data Processing Agreement with Pediatric Interventions (Article 28 GDPR).
5.4 Laboratory Providers
When we order functional laboratory tests on your behalf, we share necessary information (name, contact details, shipping address) with the laboratory. The laboratory has its own privacy policy governing their use of your information. We recommend reviewing the privacy policies of Vibrant Wellness and Nordic Laboratories.
5.5 Legal Requirements
We may disclose your information if required by law or in good faith belief that such action is necessary to comply with legal obligations, protect and defend our rights or property, prevent fraud or illegal activity, or protect the safety of children, individuals, or the public.
5.6 Mandatory Reporting
As professionals working with children, we are subject to mandatory reporting laws. We may be legally required to report suspected child abuse, neglect, or imminent danger to appropriate authorities without your consent.
5.7 Business Transfers
If Pediatric Interventions is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
6. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. This means your personal data may be transferred to, stored, or processed in countries that may not have the same data protection laws as the Czech Republic or EU.
Third-party providers processing data outside the EEA include Stripe, Zoom, Google Analytics, Bluehost, Kit, laboratory providers (Vibrant Wellness, Nordic Labs), and Total Wellness Empowerment Inc. Health data transfers to Total Wellness Empowerment Inc are transmitted via end-to-end encrypted email (ProtonMail with AES-256 encryption) and governed by a Data Processing Agreement.
Medical documents uploaded to our dashboard are stored on Bluehost servers in the United States, which is necessary for service delivery. By uploading medical documents, you explicitly consent to this international transfer and storage (Article 9(2)(a) GDPR).
These providers represent that they comply with applicable data protection laws and have implemented appropriate safeguards such as Standard Contractual Clauses (SCCs) (Article 46(2)(c) GDPR), technical and organizational security measures, and encryption of data in transit and at rest. Many of these international data transfers are necessary for the performance of our contract with you (Article 49(1)(b) GDPR).
We acknowledge that international data transfers carry inherent risks. We continuously monitor the legal landscape and will update our practices as regulations evolve. If you have concerns, please contact us at dita@pediatricinterventions.com.
7. Data Security
7.1 Security Measures
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption: Data transmitted between your browser and our servers is encrypted using SSL/TLS
- Secure Data Transfers: Health data shared with our health coach partner uses end-to-end encrypted email (ProtonMail with AES-256 encryption)
- Access Controls: Access to personal information is restricted to authorized personnel only
- Secure Hosting: Our servers are hosted in secure facilities with physical and digital protections
- Password Protection: Your client dashboard is password-protected
- Regular Updates: We keep our systems and software up to date with security patches
Our service providers maintain industry-standard security certifications: Stripe is PCI DSS Level 1 certified and holds ISO 27001 and SOC 2 Type II certifications; Zoom holds ISO 27001 and SOC 2 certifications and maintains HIPAA-compliant infrastructure; and Google holds ISO 27001, ISO 27018, and SOC 2/3 certifications.
7.2 Your Responsibility
You are responsible for keeping your account password secure and confidential, not sharing your login credentials with others, logging out of your account when finished, and notifying us immediately if you suspect unauthorized access.
7.3 No Absolute Security
While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your information.
8. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we will notify the Czech Data Protection Authority (Úřad pro ochranu osobních údajů — ÚOOÚ) within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay with details of the nature of the breach, likely consequences, measures taken, steps you can take to protect yourself, and contact information for further inquiries.
9. Data Retention
9.1 Active Membership
We retain your personal information for as long as you maintain an active membership with us.
9.2 After Cancellation
When you cancel your membership, we retain your information for 5 years after cancellation. This retention period is based on our legitimate interest (Article 6(1)(f) GDPR) in allowing you to easily resume services, maintaining continuity of care, and following industry standards for wellness and coaching services.
You have the right to request deletion of your data at any time during this 5-year period (Article 17 GDPR). Contact us at dita@pediatricinterventions.com and we will permanently delete your information within 30 days. After 5 years, all personal data is automatically and permanently deleted from our systems (Article 5(1)(e) GDPR), except anonymized data used for research or statistical purposes and records required for legal compliance or defending legal claims.
If you specifically request that we retain your information beyond 5 years, we will honor your request based on your explicit consent (Article 6(1)(a) GDPR) and keep your data securely until you request deletion or resume services.
9.3 Legal and Accounting Records
Billing records and invoices are retained for 5 years from the end of the tax year in which the transaction occurred, as required by Act No. 563/1991 Sb., on Accounting, as amended (Section 31). This retention is based on legal obligations (Article 6(1)(c) GDPR) and does not include health information, medical documents, consultation notes, or other client service data — only basic billing information (invoice number, amount, date, service description).
9.4 Backup Systems
Deleted data may remain in backup systems for a limited time (typically 30–90 days) before being permanently removed. This data is not accessible or used during that period.
10. Your Rights Under GDPR
As a data subject under the GDPR and Act No. 110/2019 Coll., you have the following rights:
- Right of Access (Article 15 GDPR): Request confirmation of whether we process your personal data and obtain a copy. Most information is accessible through your client dashboard.
- Right to Rectification (Article 16 GDPR): Request correction of inaccurate or incomplete personal information. Much can be updated directly through your dashboard.
- Right to Erasure / "Right to be Forgotten" (Article 17 GDPR): Request deletion of your personal information when it is no longer necessary, you withdraw consent, or processing is unlawful. Note: this right is not absolute — we may need to retain certain information for legal obligations.
- Right to Restriction of Processing (Article 18 GDPR): Request that we limit processing of your information in certain circumstances.
- Right to Data Portability (Article 20 GDPR): Receive your personal data in a structured, machine-readable format.
- Right to Object (Article 21 GDPR): Object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent (Article 7(3) GDPR): Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.
- Right Not to be Subject to Automated Decision-Making (Article 22 GDPR): We do not use automated decision-making or profiling that produces legal or similarly significant effects.
To exercise any of these rights, please contact us at dita@pediatricinterventions.com or by mail at Pediatric Interventions, Josefa Obadala 3492, 767 01 Kroměříž, Czech Republic. We will respond within one month (extendable by two additional months in complex cases). Requests are processed free of charge unless manifestly unfounded, excessive, or repetitive (Article 12(5) GDPR). We may ask you to verify your identity to protect your privacy (Article 12(6) GDPR).
11. Right to Lodge a Complaint
If you believe we have not handled your personal information properly, you have the right to lodge a complaint with the supervisory authority:
- Authority: Czech Data Protection Authority (Úřad pro ochranu osobních údajů — ÚOOÚ)
- Address: Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
- Website: www.uoou.cz
- Email: posta@uoou.cz
- Phone: +420 234 665 111
You also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work if different from the Czech Republic.
12. Children's Privacy
Our services are designed for parents and families, not for use directly by children. We collect information about children only as provided by their parents or legal guardians for the purpose of delivering our educational support services.
By using our services, you represent that you are the parent or legal guardian of the child and have the authority to provide information about them and consent to our processing of that information. By registering, you confirm parental authority or legal guardianship as defined in Section 858 et seq. of Act No. 89/2012 Coll., the Civil Code. We treat all information about children as special category data requiring explicit consent and heightened protection.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. If we make material changes to how we process your personal information, we will notify you by posting a notice on our website, sending an email to the address associated with your account, and providing notice through your client dashboard. Changes will be effective as of the date specified in the updated policy. Your continued use of our services after the effective date constitutes acceptance of the updated policy. Previous versions of this Privacy Policy are available upon request.
14. Cookie Policy Summary
We use two categories of cookies on our website:
- Essential Cookies (no consent required — Article 6(1)(f) GDPR): Necessary for website function, including session management, login functionality, security, and storing your cookie preferences.
- Analytics Cookies (consent required — Article 6(1)(a) GDPR): Google Analytics to understand website usage and improve our services. Only loaded with your explicit consent via our cookie banner and can be disabled at any time.
We do not use advertising cookies, third-party marketing cookies, or social media tracking cookies. For detailed information, please see our Cookie Policy.
15. Contact Us
- Data Protection Contact: Dita Chapman, Pediatric Interventions, Josefa Obadala 3492, 767 01 Kroměříž, Czech Republic
- Email: dita@pediatricinterventions.com
- Website: www.pediatricinterventions.com
We are committed to working with you to obtain a fair resolution of any privacy concerns.
Acceptance: By registering for the PI Development Program, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
