GDPR COMPLIANCE NOTICE
European Union, United Kingdom, and Switzerland Data Protection Rights
Dr. Wanda Hill / Dr Hill DM Health
Effective Date: April 19, 2026
Last Updated: April 19, 2026
1. INTRODUCTION AND APPLICABILITY
This GDPR Compliance Notice provides comprehensive information for individuals located in the European Economic Area (EEA), United Kingdom (UK), and Switzerland regarding how Dr. Wanda Hill, doing business as Dr Hill DM Health, collects, processes, uses, stores, protects, transfers, and discloses your personal data in compliance with the General Data Protection Regulation (GDPR), UK General Data Protection Regulation (UK GDPR), and Swiss Federal Act on Data Protection (Swiss DPA). This Notice supplements our Privacy Policy and provides specific information about your data protection rights under European law, our legal obligations as a data controller, and how you can exercise your rights. By using our Services, you acknowledge that we have provided you with clear, transparent, and comprehensive information about our data processing practices and your rights, and where required by law, you provide your freely given, specific, informed, and unambiguous consent to our processing of your personal data as described herein.
2. DATA CONTROLLER INFORMATION
Dr. Wanda Hill operating as Dr Hill DM Health is the data controller responsible for processing your personal data as described in this Notice and our Privacy Policy. As the data controller, we determine the purposes for which and the means by which your personal data is processed, and we are responsible for ensuring compliance with applicable data protection laws and implementing appropriate security measures to protect your personal data.
Contact Information:
Dr. Wanda Hill / Dr Hill DM Health
Email: [email protected]
Phone: +1 (321) 693-2963
Website: drhilldmhealth.com
For all inquiries regarding data protection, privacy rights, or GDPR compliance, please contact us using the information above, and we will respond within the required timeframes (typically within one month, with possible extension to three months for complex requests).
3. YOUR RIGHTS UNDER THE GDPR
As a data subject in the EEA, UK, or Switzerland, you have the following comprehensive rights regarding your personal data:
3.1 Right of Access (Article 15 GDPR)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that personal data and receive comprehensive information about our processing activities, including the categories of data processed, purposes of processing, recipients of data, retention periods, your rights, the source of data not collected directly from you, and information about automated decision-making. We will provide one free copy of your personal data in a commonly used electronic format (additional copies may incur a reasonable administrative fee based on costs).
3.2 Right to Rectification (Article 16 GDPR)
You have the right to obtain rectification of inaccurate or incomplete personal data without undue delay. We will communicate any rectification to recipients of your data unless impossible or involving disproportionate effort, and we will inform you of those recipients upon request.
3.3 Right to Erasure / Right to Be Forgotten (Article 17 GDPR)
You have the right to obtain erasure of your personal data without undue delay where: the data is no longer necessary for the purposes collected; you withdraw consent and there is no other legal ground for processing; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; erasure is required for legal compliance; or the data was collected from a child. However, this right does not apply where processing is necessary for: exercising freedom of expression; legal compliance; public interest in public health; archiving, research, or statistical purposes; or establishing, exercising, or defending legal claims.
3.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain restriction of processing where: you contest data accuracy (during verification); processing is unlawful and you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected to processing (pending verification of overriding grounds). When restriction applies, we will only process your data with your consent or for legal claims, protection of others' rights, or important public interest.
3.5 Right to Data Portability (Article 20 GDPR)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller. You have the right to have data transmitted directly between controllers where technically feasible.
3.6 Right to Object (Article 21 GDPR)
You have the right to object at any time to processing based on legitimate interests or public interest, including profiling, on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for legal claims. You have an absolute right to object to direct marketing (including profiling for marketing), and we will cease such processing immediately upon objection.
3.7 Right to Withdraw Consent (Article 7(3) GDPR)
Where processing is based on consent, you have the right to withdraw consent at any time with the same ease as giving consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, contact us at [email protected], click "unsubscribe" in emails, text "STOP" to SMS, or adjust cookie preferences.
3.8 Right to Lodge a Complaint (Article 77 GDPR)
You have the right to lodge a complaint with your local supervisory authority if you believe our processing violates data protection laws.
EU Supervisory Authorities: https://edpb.europa.eu/about-edpb/board/members_en
UK Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK
Swiss Federal Data Protection and Information Commissioner (FDPIC):
Website: https://www.edoeb.admin.ch
Address: Feldeggweg 1, 3003 Bern, Switzerland
4. LEGAL BASIS FOR PROCESSING
We process your personal data based on the following legal grounds under Article 6 GDPR:
4.1 Consent (Article 6(1)(a))
We process data based on your freely given, specific, informed, and unambiguous consent for: marketing emails and SMS (where required); non-essential cookies; health data processing beyond contractual necessity; and other activities requiring explicit consent. You may withdraw consent at any time.
4.2 Contract Performance (Article 6(1)(b))
Processing is necessary to: perform our contract with you (delivering purchased products/services, managing accounts, processing payments, providing support); or take steps at your request before entering a contract.
4.3 Legal Obligation (Article 6(1)(c))
Processing is necessary to comply with legal obligations, including: retaining transaction records for tax/accounting; responding to lawful legal processes; complying with data breach notification requirements; and fulfilling consumer protection obligations.
4.4 Legitimate Interests (Article 6(1)(f))
Processing is necessary for our legitimate interests (or third-party interests), except where overridden by your rights and freedoms, including: business operations and service delivery; service improvement and innovation; direct marketing to existing customers (soft opt-in); fraud prevention and security; legal rights protection; and network/information security. You may object to processing based on legitimate interests.
4.5 Vital Interests (Article 6(1)(d))
In rare circumstances, processing may be necessary to protect vital interests in medical emergencies where you cannot provide consent.
4.6 Special Categories - Health Data (Article 9(2))
For health-related data, we rely on: explicit consent for processing health information for wellness coaching purposes; and preventive medicine / health or social care provisions (to the extent applicable, noting we are wellness coaches, not healthcare providers).
5. CATEGORIES OF PERSONAL DATA PROCESSED
We process the following categories of personal data:
Identifying Information: Name, email, phone, address, date of birth, age, gender, government ID (if required), username, password (encrypted), account preferences.
Financial Information: Payment card details (processed by PCI-compliant third parties), bank account information, billing/shipping addresses, transaction history, order details, refund information.
Health and Wellness Information (Special Category Data): Health goals, current health status, weight/height/measurements (voluntary), dietary preferences/restrictions/allergies, exercise habits, sleep patterns, stress levels, medical conditions (voluntary disclosure), medications/supplements (voluntary), previous diet attempts, food journals, progress photos (voluntary), and other health information you choose to provide for wellness coaching purposes.
Technical Information: IP address, browser type/version, operating system, device information, unique device identifiers, screen resolution, mobile network information, referring/exit URLs, pages viewed, clickstream data, search queries, links clicked, files downloaded, time on pages, scroll depth, cookies and tracking data.
Communications: All messages, emails, calls, texts, chat transcripts, support tickets, feedback, reviews, testimonials, survey responses, community posts, and other correspondence.
Social Media Information: Profile information, username, profile picture, friends/followers (if permission granted), posts/likes/shares from our social pages.
6. RECIPIENTS AND THIRD-PARTY DISCLOSURES
We share your personal data with the following categories of recipients:
Payment Processors: Stripe, PayPal (payment processing, fraud detection) - receive name, email, billing address, payment method, transaction details.
Email/Communication Services: Email marketing platforms, SMS providers (sending communications) - receive name, email, phone, communication preferences, engagement data.
Course/Content Platforms: Learning management systems, membership platforms (hosting courses, tracking progress) - receive name, email, account information, progress data.
Analytics Providers: Google Analytics, Facebook Pixel (understanding usage, measuring marketing) - receive IP address (anonymized when possible), device information, usage data, cookie identifiers.
CRM Systems: Customer relationship management platforms (managing customer relationships) - receive contact information, communication history, purchase history.
Customer Support: Helpdesk software (providing support) - receive name, email, support inquiries, conversation history.
Cloud Hosting: AWS, Google Cloud, Microsoft Azure (data storage, infrastructure) - receive all stored data.
Security Services: Cloudflare, fraud detection services (protection, fraud prevention) - receive IP addresses, device information, behavioral data.
Legal/Professional Services: Legal counsel, accountants, auditors (obtaining professional advice) - receive information necessary for the specific service.
Legal Authorities: Law enforcement, courts, regulatory bodies (when legally required) - receive information as required by law.
Business Transfers: Potential buyers, successors, assignees (in mergers, acquisitions, asset sales) - may receive all data, subject to continued protection obligations.
7. INTERNATIONAL DATA TRANSFERS
Your personal data may be transferred to, stored in, and processed in the United States and other countries outside the EEA, UK, or Switzerland. We implement the following safeguards for international transfers:
7.1 Standard Contractual Clauses (SCCs)
We use European Commission-approved Standard Contractual Clauses (Module 2: Controller to Processor) with service providers receiving your data, providing contractual guarantees for data protection.
7.2 Adequacy Decisions
Where possible, we transfer data to countries recognized by the European Commission or UK/Swiss authorities as providing adequate data protection.
7.3 Supplementary Measures
In addition to SCCs, we implement technical and organizational measures including: end-to-end encryption in transit and at rest using industry-standard protocols (TLS 1.2+, AES-256); data minimization (transferring only necessary data); pseudonymization and anonymization where feasible; strict access controls and authentication; contractual commitments from processors regarding data protection and governmental access request transparency; regular security audits and assessments; and incident response procedures.
7.4 Your Rights Regarding Transfers
You may request information about the safeguards we use for international transfers and obtain copies of Standard Contractual Clauses by contacting [email protected].
8. DATA RETENTION PERIODS
We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law:
Account Data: Retained while account is active, plus 3 years after account closure or last activity (for customer service, legal compliance).
Transaction Records: Retained for 7 years after transaction (tax, accounting, legal compliance requirements).
Marketing Data: Retained until consent is withdrawn, plus 30 days (processing withdrawal), then deleted unless required for legal compliance.
Course/Program Data: Retained for duration of program access, plus 2 years after completion (support, certificate issuance).
Health Data: Deleted within 30 days of account closure or upon request, unless retention required for legal compliance or defense of legal claims.
Communications: Retained for 3 years (customer service, quality improvement), then deleted.
Technical/Log Data: Retained for 90 days to 1 year (security, system optimization), then deleted or anonymized.
After retention periods expire, we securely delete or anonymize data in accordance with our data retention and deletion policies.
9. DATA SECURITY MEASURES
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
Technical Measures: Industry-standard encryption (TLS 1.2+ for transmission, AES-256 for storage); secure authentication and access controls; regular security testing and vulnerability assessments; intrusion detection and prevention systems; firewalls and network security; secure backup and disaster recovery; pseudonymization and anonymization where appropriate.
Organizational Measures: Data protection policies and procedures; employee training on data protection; access restrictions (need-to-know basis); confidentiality agreements with employees and processors; incident response procedures; regular compliance audits; data protection impact assessments for high-risk processing; vendor security due diligence.
While we implement robust security measures, no system is completely secure, and we cannot guarantee absolute security of data transmitted over the internet.
10. AUTOMATED DECISION-MAKING AND PROFILING
We do NOT engage in automated decision-making that produces legal effects or similarly significantly affects you without human intervention. We may use limited automated processing for: email segmentation (assigning to email lists based on interests); content recommendations (suggesting courses/products); fraud detection (flagging suspicious transactions for manual review); and spam filtering. You have the right to request human intervention, express your point of view, and contest any automated decisions that significantly affect you.
11. HOW TO EXERCISE YOUR RIGHTS
To exercise any of your GDPR rights, submit a written request to [email protected] with subject line "GDPR Request - [Right Name]" and include: your full name, email address used with our Services, description of the right you wish to exercise, specific details of your request, and proof of identity (if required for verification).
Verification: We may request additional information to verify your identity before processing requests, particularly for access, erasure, or rectification requests.
Response Timeframe: We will respond within one (1) month of receipt. For complex requests or high volumes, we may extend by two (2) additional months and will inform you of the extension and reasons.
No Fee: Exercising your rights is free of charge unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request.
Refusal: If we refuse your request, we will explain the reasons and inform you of your right to lodge a complaint with a supervisory authority.
12. CHILDREN'S DATA
We do not knowingly collect, process, or maintain personal data from individuals under 18 years of age. If we discover we have collected data from a minor, we will immediately delete it. Parents or guardians who believe we have collected data from a minor should contact us immediately at [email protected].
13. CHANGES TO THIS NOTICE
We may update this GDPR Notice to reflect changes in our practices or legal requirements. Material changes will be communicated by email to registered users or by prominent notice on our website at least 30 days before taking effect. Continued use of Services after changes constitutes acceptance. We encourage periodic review of this Notice.
14. CONTACT INFORMATION AND COMPLAINTS
Data Controller Contact:
Dr. Wanda Hill / Dr Hill DM Health
Email: [email protected]
Phone: +1 (321) 693-2963
For GDPR Requests or Complaints:
Email: [email protected]
Subject: "GDPR Request" or "Data Protection Inquiry"
We are committed to resolving complaints fairly and promptly. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
© 2026 Dr. Wanda Hill / Dr Hill DM Health. All rights reserved.
This GDPR Compliance Notice provides European residents with comprehensive information about their data protection rights and is incorporated into our Privacy Policy and Terms of Service.