Obesity Coaching Academy

Privacy Notice

In accordance with the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Last updated: 01 March 2026

1. Data Controller and Accountability

The data controller for the personal data processed in connection with the Obesity Coaching Academy certification training programme is Havu Health Coaching Ltd (trading as Obesity Coaching Academy), Inkeroistentie 3A, 00950 Helsinki, Finland.

For all privacy-related enquiries, including requests from Canadian individuals under PIPEDA, please contact: [email protected]. We will respond to written requests within 30 days.

2. Personal Data Collected and Sources

The following categories of personal data may be processed in connection with the Obesity Coaching Academy (“OCA”) online service and online store, in communications between OCA and its clients, and in the administration of client certifications: name of the person being certified (the client); email address and other contact details; purchase information; billing information; registration and booking information; information provided in feedback surveys; newsletter subscription data; and digital usage data.

Data sources: All personal data is collected, as a rule, directly from the data subject or from the data subject’s employer.

Cookies: The OCA online service and online store use strictly necessary cookies and similar tracking technologies. These are placed by OCA’s service partners solely for the technical operation of the service.

3. Why We Process Your Data and the Basis for Doing So

Based on your consent: Assessment of client suitability for the training programme; management of registrations and bookings; direct marketing; newsletter subscriptions; and analytics and personalisation of digital services. You may withdraw your consent at any time by contacting us at [email protected].

To fulfil our contract with you: Registration and management of clients and purchases; maintenance of client records; administration of certifications; client communications; and invoicing.

For our legitimate business interests: Improving the quality and content of the certification programme based on anonymised usage statistics; and understanding aggregate service performance through anonymised client feedback. We have assessed that these interests are not overridden by your rights and freedoms, as the data is anonymised before use and does not affect any individual decision made about you.

For Canadian clients, all collection, use, and disclosure of personal information is carried out only for the purposes identified above, which we consider to be purposes that a reasonable person would find appropriate in the circumstances.

What happens if you do not provide your data: Providing your personal data is a requirement for entering into and performing the certification contract with OCA. Without it, we are unable to register you as a client, administer your certification, issue your credential, or process your payment. Data collected on the basis of consent (such as for direct marketing and newsletter subscriptions) is optional; you may decline without affecting your ability to participate in the certification programme.

4. How Long We Keep Your Data

As a general rule, personal data is deleted no later than six months after the termination of the contractual relationship.

Certification records are retained for the duration of the active certification period (which is extended by one year upon each re-certification), plus a further five years, during which the individual may reinstate their certificate through re-certification.

Where processing is based on consent, processing ceases and the data is deleted as promptly as possible upon withdrawal of consent.

By way of exception: email addresses are retained for five years from the date of conclusion of the contract for the purpose of electronic direct marketing. Billing records are retained in accordance with applicable accounting legislation for a period of six years plus the current accounting year (6+1 years).

5. Who We Share Your Data With and International Transfers

Personal data may be transferred to data processors acting on behalf of OCA for the technical operation of our services. Such processors may be located outside the European Economic Area (EEA), the United Kingdom (UK), or Canada.

Where personal data is transferred outside the country or region in which it was collected, OCA takes steps to ensure it receives an equivalent level of protection. Canadian clients are informed that their personal data may be transferred outside Canada and may be subject to the laws of the country in which it is held.

For transfers from the EU/EEA: OCA relies on the European Commission’s standard contractual clauses or another appropriate transfer mechanism recognised under EU GDPR, such as the EU–US Data Privacy Framework.

For transfers from the UK: OCA relies on the International Data Transfer Agreement (IDTA) approved by the UK Secretary of State, or the UK Addendum to the EU standard contractual clauses, or another appropriate mechanism recognised under UK GDPR, such as the UK Extension to the EU–US Data Privacy Framework.

Transfers of personal data between the EU/EEA and the UK are currently made on the basis of the European Commission’s adequacy decision for the UK (adopted 19 December 2025), which permits such transfers without additional safeguards.

6. Your Rights

The following rights apply to all data subjects, including those in the EU, UK, and Canada.

You have the right to request access to the personal data OCA holds about you, including confirmation of whether we hold data about you, what it is, how it has been used, and with whom it has been shared.

You have the right to request the rectification or correction of inaccurate or incomplete personal data.

You have the right to request the erasure of your personal data, subject to applicable legal limitations.

Please note: The right to erasure may be limited by applicable law, including accounting and bookkeeping legislation.

You have the right to request the restriction of processing of your personal data in certain circumstances, for example while the accuracy of your data is being verified or while an objection is being assessed.

You have the right to data portability, i.e. to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another data controller.

You have the right to object to the processing of your personal data for direct marketing purposes at any time.

You have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

Please note: If you exercise your right to erasure or withdraw your consent, you will no longer be able to participate in certification training or maintain an active certification.

OCA does not carry out any automated decision-making or profiling that produces legal or similarly significant effects for individuals.

To exercise any of the above rights, please contact us at [email protected]. We will respond within 30 days.

7. Right to Lodge a Complaint

If you believe your personal data has been processed in breach of applicable law, you have the right to lodge a complaint with the competent supervisory authority.

UK data subjects: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Website: www.ico.org.uk.

EU/EEA data subjects: The competent supervisory authority in your country of residence. In Finland: Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), website: www.tietosuoja.fi.

Canadian data subjects: Office of the Privacy Commissioner of Canada (OPC), 30 Victoria Street, Gatineau, Quebec K1A 1H3. Website: www.priv.gc.ca.