Privacy policy.

This policy applies to the processing of personal data carried out by Gates Solutions Sàrl in connection with the operation of the site peopleattractiontheory.com and the interactions arising from it (contact form, CV submission, VOD purchase, email exchanges, appointment bookings).

It is drafted to comply with both the revised Swiss Federal Act on Data Protection (nLPD, in force since September 1, 2023) and the European General Data Protection Regulation (GDPR, EU Regulation 2016/679), which applies to visitors residing in the European Union.

In case of divergent interpretation between the two frameworks, the provision most protective of the data subject applies.

The data controller is:

Gates Solutions Sàrl does not appoint a data protection officer (DPO), as its size and the nature of its processing do not make it mandatory under art. 37 GDPR or the nLPD.

Five distinct situations give rise to data collection:

a) Contact form

When you fill out the contact form, the following data is transmitted:

• Full name
• Professional email address
• Company name
• Phone number (optional field)
• Subject of the request
• Free text content of the message

This data transits through a Cloudflare Worker that performs invisible validation and anti-spam protection, then is stored in the Odoo CRM operated by Gates Solutions Sàrl.

b) CV submission via Jarvi

If you choose to submit a CV via the "Submit my CV" link, you are redirected to a Jarvi page specific to PAT, where you provide:

• Your CV in the format of your choice
• The details you enter (name, email, phone and, where applicable, additional professional information)

The submission takes place directly on the Jarvi infrastructure, operated by Jarvi Tech SAS (10 rue du Réage, 35510 Cesson-Sévigné, France). The data is processed by this subprocessor according to its own privacy policy, accessible from the submission page.

c) Appointment booking via Google Calendar

If you book a slot via a calendar link, you are redirected to Google Calendar Appointment Schedules. The data collected at this stage (name, email, booked slot) is processed by Google Ireland Ltd according to Google's privacy policy. No Google cookie is set on peopleattractiontheory.com, as the service is consulted exclusively via external redirect.

d) VOD purchase (Module 1 standalone)

When you click "Buy M1", you are redirected to a Stripe Payment Link. The data collected is:

• Name and email address (entered directly with Stripe)
• Payment data (card number, expiration date, CVC) — never transmitted to the PAT server, entered directly into the Stripe form
• Billing address (entered with Stripe)

After a valid payment, Stripe generates an invoice and a confirmation email. This email contains a unique access link to your VOD content hosted by Teachable.

e) Technical site connection

On each visit, your browser automatically transmits technical information (IP address, browser type, referring page, etc.) to the Cloudflare hosting infrastructure. These server logs are managed by Cloudflare according to its own retention and security policy. Gates Solutions Sàrl has no direct access to this raw data outside of a security incident investigation.

Important note

This site does not collect banking information (beyond what is strictly necessary via Stripe for the VOD purchase), ID document numbers, or special categories of data (ethnic origin, religious or political opinions, health, sexual orientation, etc.). If a free-text message you send incidentally contains such information, it will be processed with the same confidentiality as the rest, but we recommend avoiding sending it through this channel.

Each processing rests on an explicit purpose and an identified legal basis, in accordance with art. 6 GDPR and art. 31 nLPD.

Each data category has its own retention period, aligned with its purpose:

• Contact form data (Odoo CRM): kept for 3 years from the last active contact. Beyond that, it is archived or deleted depending on the situation.
• Details and CVs submitted via Jarvi: kept for 2 years from submission, with deletion possible at any time on request to [email protected].
• VOD data (Stripe purchase + Teachable access): the purchase email and invoice are kept for 10 years for accounting purposes (art. 958f Swiss CO). Your Teachable account stays active for the subscribed access period (currently 1 year post-purchase), then can be deleted on request to Teachable directly or via [email protected].
• Post-contact email exchanges: kept in the professional inbox according to the legal durations applicable to commercial exchanges (typically up to 10 years for items linked to invoicing).
• Server logs: managed by Cloudflare according to its own retention policy.
• Accounting data (invoices, supporting documents): 10 years, in accordance with Swiss legal obligation (art. 958f of the Code of Obligations).
• Cloudflare Web Analytics data: aggregated at site level, kept for 6 months on the free plan, without cookies or persistent identifiers and without any possible link to an identifiable person.

Your data is never sold, rented or transferred to third parties for commercial purposes. It is shared only with a limited number of technical subprocessors necessary for the operation of the site and the business, governed by a data processing agreement compliant with art. 28 GDPR and art. 9 nLPD.

This list is kept up to date. Any substantial addition of a new subprocessor will be flagged on this page, and the "Last modified" date at the top will be revised accordingly.

Several subprocessors above involve transfers or storage outside the EU and Switzerland: Cloudflare (United States), Google (United States, via an Irish contracting entity for Workspace), Stripe (Ireland + United States), and Teachable (United States).

The legal safeguards associated with these transfers are:

• Cloudflare, Inc. is certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework, which constitutes a transfer framework recognized by the European Commission (adequacy decision of July 10, 2023) and by the Swiss Federal Data Protection Commissioner.
• Google Ireland Ltd is the European contracting entity for Google Workspace. Further transfers to US servers are carried out under Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the equivalent protection commitments required by the Schrems II decision.
• Stripe Payments Europe Ltd. is the European contracting entity for VOD payments. Further transfers to US infrastructure are carried out under the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs).
• Teachable Inc. (United States) handles access to VOD content post-purchase. The transfer of your email to Teachable is carried out under the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs) according to Teachable's current certification.

If you reside in the European Union or Switzerland, you may ask us at any time for a copy of the safeguards applicable to a specific transfer by writing to [email protected].

In accordance with the nLPD and the GDPR, you have the following rights at any time:

• Right to access: obtain confirmation of the processing and a copy of your data.
• Right to rectify: have inaccurate or incomplete data corrected.
• Right to delete: request the deletion of your data, subject to legal retention obligations (notably accounting).
• Right to port: receive your data in a structured and usable format.
• Right to object to processing based on legitimate interest.
• Right to withdraw consent, at any time, where processing relies on this ground.
• Right to define the fate of your data after death (only for visitors residing in France, in accordance with the Loi Informatique et Libertés).

To exercise these rights, send an email to [email protected] specifying the right invoked and, if necessary, the data concerned.

The response will reach you within a maximum of 30 days. No proof of identity is required by default. In case of serious doubt about the identity of the requester (request from an email address different from the one originally used, for example), additional verification may be requested.

The following technical and organizational measures are in place:

• All site traffic is encrypted in HTTPS, via TLS certificates automatically renewed by Cloudflare.
• Forms are protected by invisible anti-spam protection, without persistent cookies.
• Contact form data is server-side validated before transmission to the Odoo CRM.
• Stripe payments are processed directly with Stripe, never stored on the PAT server side (tokenization).
• Access to internal tools (Odoo CRM, professional inbox, Cloudflare infrastructure) is restricted to Guillaume Alexandre, protected by a strong password and two-factor authentication.
• No backup of your data is performed on unencrypted media.

No system being infallible, in case of a personal data breach likely to create a risk for your rights and freedoms, you will be informed within the deadlines provided by the GDPR (notification to the competent authority within 72 hours, communication to affected individuals without undue delay) and by the nLPD.

The site peopleattractiontheory.com is aimed at an adult professional audience (recruitment teams, executives, conference organizers, trainers). The services offered are not intended for persons under 16.

No targeted collection of data concerning minors is carried out. If you believe that a minor under 16 has submitted their data through this site, immediately contact [email protected] for deletion.

If you believe your rights are not respected, and after seeking an amicable solution by email with Gates Solutions Sàrl, you may file a complaint with the competent authority:

This policy may be modified to reflect technical, legal or organizational changes. The "Last modified" date at the top of the page is the authoritative reference.

In case of substantial modification (addition of a major new subprocessor, change of purpose, extension of a retention period), a visible notification will be displayed on the site for at least 30 days.

For any request relating to your personal data or the exercise of your rights: