Privacy Policy

Introduction

Welcome to our Privacy Policy. We respect your privacy and are committed to protecting your personal data. This policy describes how we (the operators of this website offering global shamanic services such as guided journeys, courses, psychopomp work, divination, sound work, journaling, distant Reiki, HeartMath, circles, and downloadable audio files) collect, use, and share personal information when you use our website or services. It also explains your rights and choices regarding your personal data. We comply with applicable privacy laws, including the EU General Data Protection Regulation (GDPR) and UK GDPR, California Consumer Privacy Act (CCPA) (as amended), and other relevant laws for users in jurisdictions such as Ireland, the rest of the EU, the UK, the United States (including California), and India. Our goal is to be transparent and use plain, accessible language for all our global users.

By using our website or services, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the site. We may update this policy from time to time (see “Changes to This Policy” below), and we will notify you of any significant changes. The latest version will always be available on this page, and the “Last updated” date will be revised accordingly.

Information We Collect

We collect personal information to provide our services, improve our website, and communicate with you. The types of data we collect fall into a few categories:

  • Information You Provide to Us: When you interact with our site or services, you may provide certain personal information. For example, when you subscribe to our newsletter, register for a course or circle, download an audio file, or contact us via a form or email, you might provide your name, email address, and other contact details. If you create an account or make a purchase (for instance, enrolling in a journey course or buying a downloadable file), you may provide additional details like billing address or phone number (if needed). We only ask for information that is relevant to the service you are using. We do not intentionally collect any sensitive personal information through the website (such as health details or religious beliefs) unless it is directly relevant and provided by you with consent. We kindly ask that you avoid submitting sensitive information in website forms. If you do share such information during our sessions or communications, we will treat it confidentially and only use it for the purposes for which you provided it.
  • Payment Information: If you purchase a service or product on our site, payments are processed by third-party payment processors (such as Stripe). We do not collect or store your full credit/debit card details on our servers. For example, when you enter your payment information, it is transmitted securely to Stripe. We may receive limited information about the transaction from the payment processor – such as your name, email, billing address, the last four digits of your card, payment amount, and confirmation that payment was completed – for record-keeping and to fulfill your order. All sensitive payment details (like card number, CVV) are handled by Stripe, which is PCI-DSS compliant and has its own stringent privacy and security practices. (Please refer to Stripe’s privacy policy for more information on their data handling.)
  • Information We Collect Automatically: Like most websites, we automatically collect certain data about your device and usage of our site to help us understand how visitors use our services and to improve the user experience. This may include:
    • Usage Data: When you visit our site, our systems and third-party analytics services (such as Google Analytics) may collect data like your IP address, browser type, device information, operating system, referring URLs, pages viewed, links clicked, and the dates/times of access. For example, we might know that a user from London visited our “Courses” page and then watched an embedded video. This information helps us analyse trends, administer and secure the site, and gather broad demographic information. We typically only see this data in aggregate form (e.g. overall website traffic statistics) and do not use it to identify you personally. However, some of this data (like IP addresses or cookie IDs) might be considered “personal data” under laws like GDPR, so we treat it accordingly.
    • Cookies and Similar Technologies: We use cookies and similar tracking technologies (like web beacons or pixels) on our website. Cookies are small text files that websites store on your device to help operate the site or remember your preferences. We use cookies for various purposes (see “Cookies and Tracking” below for details), such as to enable site functionality, remember your settings, and analyse how our site is used. For instance, when you first visit, a cookie might remember your language choice or that you closed a notification banner, so it doesn’t keep showing up. We also use analytics cookies to count visitors and see which content is popular. You have control over cookies – you can refuse or accept non-essential cookies via our cookie consent banner (for EU/UK users) or through your browser settings.
    • Email Tracking: If you sign up for our newsletter or other email updates via Mailchimp, the emails we send may include a tiny image file (tracking pixel) or unique link. This helps us know if you opened the email or clicked on certain content. We use this information to gauge the effectiveness of our communications and to provide you with more relevant content. You can always opt out of such tracking by unsubscribing from the emails (see “Marketing Communications and Consent” below).
  • Information from Third Parties: Occasionally, we might receive information about you from other sources to supplement what you provide. For example, if you sign up for an event through a third-party platform or if you interact with us on social media and choose to share info with us. We will treat any such combined information in accordance with this policy. (Currently, we do not actively obtain data from third-party sources aside from the services listed in this policy, but we include this notice for completeness.)

We do not knowingly collect personal information from children under the age of 13 (or under 16, as per GDPR in the EU, unless with parental consent). Our website and services are intended for adults. If you are a parent or guardian and believe we have collected a minor’s information without consent, please contact us so we can delete it (see “Contact Us” below).

How We Use Your Information

We use the collected information for the following purposes, and we always strive to do so on an appropriate legal basis (see “Legal Bases for Processing” for EU/UK users):

  • To Provide and Manage Services: We use your information to deliver our services and products to you. For example, if you enroll in a shamanic journey course or schedule a distant session, we use your provided details to register you, provide access or send you the necessary information, and record your participation. If you download an audio file, we process your request and send you the download link or file. We also use your data to manage customer relationships, such as maintaining your account (if you create one) and providing customer support.
  • To Communicate with You: We may use your contact information (like email) to send you important notices or confirmations related to the services you requested. This includes sending booking confirmations, receipts for purchases, reminders for upcoming circles or one-to-one sessions, updates on any changes to scheduled events, or responses if you contact us with a question. These communications are typically transactional or service-related and are not promotional in nature. For instance, if you sign up for a webinar, we’ll email you the link and maybe a follow-up survey.
  • For Marketing and Newsletters (with Your Consent): If you expressly opt in, we will use your name and email to send you our newsletter and occasional promotional communications about new courses, events, services or resources that we think may interest you. Examples include announcements of new guided journey audio releases, upcoming circles, or blog posts about shamanic practices. We will only send you marketing emails if you have given us consent to do so (such as by ticking a signup box or confirming via a double opt-in email). You can withdraw your consent at any time (see “Marketing Communications and Consent” below for how to unsubscribe). We do not engage in spam – if you do not sign up for the newsletter, you will not receive marketing emails from us, and we do not share your email with third parties for their own marketing.
  • Analytics and Service Improvement: We use data about how users interact with our site (from cookies and usage data) to understand what is working and what isn’t, thereby improving our website design, content, and services. For instance, knowing which pages are most visited or how users navigate our site helps us optimize the user experience. We might analyze aggregate trends – e.g., many users from the EU visit our “Sound Work” page – which could guide us to create more content around that interest. We use Google Analytics for this purpose, which provides us reports on site usage (see “Third-Party Services” for more on Google Analytics). We may also use feedback you provide (through surveys or contact forms) to improve our offerings. Our use of analytics is geared towards enhancing our services and is not intended to profile you individually in any way that would significantly affect you.
  • Processing Payments and Orders: When you make a purchase or donation, we use the necessary personal information to process the transaction. This includes using payment details via Stripe to charge your card and using your email to send a receipt. We maintain records of transactions for accounting, tax, and legal purposes. For example, we keep invoice data as required by law, and Stripe may send us a transaction ID that we tie to your order for bookkeeping.
  • Security and Fraud Prevention: We may use information (like IP addresses or activity logs) to maintain the security of our website, services, and users. This includes monitoring for and preventing fraudulent transactions or unauthorized access to our systems. For instance, if we detect multiple failed login attempts or unusual activity from a certain IP address, we might investigate or block that IP to protect user accounts. We also might use your data to verify your identity when you make requests to exercise your rights (to ensure it’s really you making the request).
  • Legal Compliance: In some cases, we need to use or retain your information to comply with legal obligations. For example, for financial reporting and audit, we must keep records of payments and invoices. We may use and disclose personal data as required to respond to lawful requests by public authorities (e.g., to comply with a court order or law enforcement request), or to meet record-keeping obligations under applicable laws. Additionally, if you exercise privacy rights (like requesting deletion), we will use your info to fulfill those requests consistent with the law.
  • Other Purposes (with Notice to You): If we intend to use your personal information for a purpose that is different from the original purpose we collected it for, we will inform you and, if necessary, obtain your consent. We will not use your data in ways that are incompatible with the purposes described above without updating you. We do not engage in automated decision-making that produces legal or similarly significant effects on you – basically, no computers are making weighted decisions about you without human involvement (for example, we do not use algorithms to deny you services or anything like that).

We ensure that any use of personal data is proportionate and limited to what is necessary in relation to the purposes stated. We do not sell your personal information to third parties, and we only share it in specific situations described in this policy (see “Data Sharing and Disclosure”).

Legal Bases for Processing (EEA/UK Users)

For individuals in the European Economic Area (EEA) or United Kingdom, we process your personal data only when we have a valid legal basis under GDPR/UK GDPR. This section explains the legal grounds we rely on for the processing activities described above:

  • Consent: We will rely on your consent in situations where it is required or appropriate. For example, we ask for your consent before sending you marketing emails or newsletters. Similarly, for certain cookies (like analytics or advertising cookies, if any) we will obtain your consent as required by law. When we rely on consent, you have the right to withdraw that consent at any time. For instance, you can unsubscribe from our mailing list at any moment, and we will stop processing your data for that marketing purpose.
  • Performance of a Contract: When we need to process your data to fulfil a contract with you or to take steps at your request before entering into a contract, this serves as our legal basis. For example, if you register for a paid course or purchase a downloadable file, we process your name, email, and payment info to provide you with what you paid for – that’s considered contractual necessity. Likewise, if you ask us to do something before formalizing a service (like answering questions about a course), processing your contact info to respond is part of entering into that service agreement with you.
  • Legitimate Interests: We may process your data for purposes that are in our legitimate interests (or those of a third party) provided such processing is not overridden by your data protection rights. We only rely on this basis after considering the potential impact on you (both positive and negative) and ensuring we’re not infringing on your rights unjustifiably. Examples of processing under legitimate interests include:
    • Improving and securing our services (it’s in our interest to ensure our website works well and is safe, and it generally aligns with your interest as a user too).
    • Basic analytics using tools like Google Analytics to understand usage of our site (we consider this a legitimate interest in running and improving our service; however, where required by law, we will still seek consent for analytics cookies out of an abundance of caution).
    • Communicating with existing customers about similar services you’ve already signed up for. For instance, if you participated in a past workshop, we might inform you of a similar upcoming event – this could be considered a marketing activity under legitimate interest, subject to applicable e-privacy laws. (We will always provide a clear opt-out in such communications.)
    • Preventing fraud and ensuring IT security for our website.

When we process based on legitimate interests, you have the right to object to that processing (see “Your Rights – GDPR” below). If you object, we will consider your request and will no longer process the data for that purpose unless we have a compelling legitimate reason, or it’s needed for legal claims.

  • Legal Obligation: We will process personal data when necessary for compliance with a legal obligation to which we are subject. For example, retaining transaction records for tax and accounting purposes (typically for a certain number of years as required by financial regulations) is a legal obligation. If authorities lawfully require information (such as for an investigation), we may need to process and share data to comply. Another example is honouring data subject rights requests under GDPR itself – fulfilling your deletion or access request involves processing your data to respond to you, which is something we are legally required to do.
  • Vital Interests: In very rare cases, we might need to process data to protect someone’s life or vital health interests. It’s unlikely to apply to our context (e.g., if during an in-person event someone has a medical emergency, using their info to inform medical personnel could be vital interest). Our website operations generally wouldn’t involve this, but we include it as a theoretical legal basis if ever applicable in extreme situations.
  • Public Task: This basis typically applies when processing is needed for tasks in the public interest or under official authority. This is not applicable to our private shamanic services business, so we do not rely on this basis.

If you have any questions about the legal bases on which we collect and use your personal data, feel free to contact us for more information. We aim to be transparent about why we collect each piece of data. In summary, we will ask for consent when required, use contract or legal duty when relevant, and only lean on legitimate interests for appropriate purposes after careful consideration.

Marketing Communications and Consent

We want to ensure you are in control of how you hear from us. We will only send you marketing or promotional communications (such as our newsletter, announcements about new services, or special offers) if you have consented to receive them. Here’s how we handle marketing communications and your choices:

  • Opt-In Consent: When you provide your email to us for the purpose of receiving newsletters or updates, we will often use a clear opt-in mechanism. This may be a sign-up form where you enter your email and perhaps check a box indicating you want to subscribe. In some cases (especially for EU/UK individuals), we may use a double opt-in process – after you sign up, you’ll receive an email asking you to confirm your subscription. This extra step, required by some countries and recommended as best practice, ensures that the email provided is valid and that you genuinely intended to subscribe. We do not use pre-ticked boxes or implicit consent for marketing; you have to actively agree.
  • Content of Emails: Our marketing emails will cover topics relevant to our offerings. This might include spiritual insights, upcoming events or circles, new downloadable content, or seasonal greetings. We strive to make these communications useful and not too frequent (for example, a monthly newsletter and occasional special announcements). Every marketing email will clearly state who it’s from and what it’s about in the subject line.
  • Unsubscribe Anytime: You have the right to withdraw your consent and stop receiving marketing emails at any time. Every promotional email we send will include an “Unsubscribe” link at the bottom. By clicking that link, you can remove yourself from our mailing list. Alternatively, you can contact us directly (via email or the contact form on our site) and request to be removed. We will promptly honor all opt-out requests. Once you unsubscribe, we will stop sending you marketing emails. (Please note, even if you opt out of marketing messages, we may still send you transactional or service-related communications as needed, such as a purchase receipt or a reminder of an event you signed up for, since those are not promotional.)
  • Third-Party Email Platform (Mailchimp): We use Mailchimp as our email marketing platform to manage our subscriber list and send out emails. When you sign up for our newsletter, the name and email address you provide are stored in our Mailchimp account. Mailchimp acts as a data processor on our behalf for these emails. They also provide us analytics on email campaigns (such as open rates or link clicks, as mentioned in “Information We Collect Automatically”). We have configured Mailchimp to comply with GDPR requirements for consent (for instance, we can show proof of your opt-in if needed, and we honour deletion requests by removing you from the list). Mailchimp is a U.S.-based service, but it has certified its adherence to the EU-U.S. Data Privacy Framework (and UK extension) to allow lawful transfer of EU/UK personal data to the U.S. We trust Mailchimp to keep your email data secure and not use it for other purposes. Of course, you can review Mailchimp’s own privacy policy for details on how they handle personal data.
  • SMS or Other Marketing: Currently, we do not use SMS/text messaging or phone calls for marketing. We primarily rely on email. If this changes in the future (for example, if we decide to send occasional text updates and you provide a phone number), we would only do so with your explicit consent, and we would provide a clear way to opt out (like texting “STOP” to unsubscribe).

We believe in permission-based marketing. That means you decide if and how you want to hear from us regarding promotional content. We will never sell or share your contact information with third parties for their own marketing purposes without your consent. If you have subscribed and later change your mind, we’ve made it easy to opt out. Our aim is to communicate with you in a way that’s respectful, relevant, and welcomed – and to stop when you no longer wish to receive our updates.

Cookies and Tracking

Like many websites, we use “cookies” and similar tracking technologies to enhance your experience and analyse usage of our site. This section explains our use of cookies and how you can manage your preferences:

  • What Are Cookies? Cookies are small text files placed on your device (computer, tablet, smartphone) when you visit a website. They allow the website to recognize your device and remember certain information about your visit (such as your preferences or whether you’re logged in). Cookies can be “first-party” (served by us, the site you visit) or “third-party” (served by another domain, such as analytics or advertising partners). We also may use related technologies like pixels (small images embedded in a webpage or email that track when they’re viewed) and local storage (which stores data in your browser).
  • Types of Cookies We Use:
    • Strictly Necessary Cookies: These are essential for our site to function properly. For example, if our site has a login or a shopping cart (in the case of future WooCommerce use), necessary cookies will enable those features (keeping you logged in or remembering your cart items). Without these cookies, certain services or features may not be accessible. These cookies do not require consent under most laws, but we still want you to know they exist. We currently use minimal essential cookies (mainly those that might be part of our content management system or payment process to maintain session state).
    • Preferences Cookies: If applicable, these cookies remember your choices to give you a more personalized experience. For instance, a cookie might save your language preference or other settings, so you don’t have to set them each time. (At the moment, our site is English-only, but if we had multi-language support or similar preferences, these cookies would apply.)
    • Analytics/Performance Cookies: We use these to collect information about how visitors use our website. The primary example is Google Analytics, which sets cookies to gather data on site usage (like which pages are visited, how long users stay, how they got to our site, and what they click on). The information collected is aggregated and not used to identify you personally; it helps us understand usage patterns and improve the site. For instance, analytics cookies may tell us that “50 users visited the Guided Journeys page this week” or that a certain blog post is getting very little traffic (so we might need to update it). We consider this insight valuable for improving our service. However, because analytics cookies are not strictly necessary, in jurisdictions like the EU and UK, we will obtain your consent before setting these cookies. If you opt out or do not allow these cookies, your experience of the site remains the same; it just means we won’t include your visits in our analytics data.
    • Marketing/Tracking Cookies: These cookies track your online activity to help deliver more targeted advertising or to measure advertising effectiveness. Important: at this time, we do NOT use any third-party advertising cookies or targeted advertising on our site. That means we are not currently showing ads or sharing data with ad networks like Facebook Pixel, Google Ads, etc., that would track you across different sites. If this changes in the future, we will update this policy and request any necessary consents. The only third-party cookies in use are related to analytics (and possibly embedded content as described below).
  • Cookie Consent (EU/UK): If you are visiting our site from the European Union, United Kingdom, or other regions that require cookie consent, you will see a cookie banner or pop-up on your first visit. This banner will inform you about our use of cookies and ask for your preferences. We will not set non-essential cookies (like analytics cookies) until you have given consent by clicking “Accept” (or a similar affirmative action) on that banner. You are free to decline or customize your choices (for example, you might only accept necessary cookies and reject analytics). If you decline, we will honor that – our site will still function, and only necessary cookies will be used. It’s also just as easy to withdraw consent as to give it; for instance, the banner may provide an option to later adjust your settings, or you can contact us to help you opt out. In summary, we respect and comply with cookie consent requirements: no tracking cookies will be dropped until you say okay.
  • Managing/Opting Out of Cookies: In addition to our site’s consent tools, you can manage cookies through your web browser settings. Most browsers allow you to view, delete, or block cookies (either from specific sites or all sites). You can usually find these options under the “Privacy” or “Security” section of your browser’s settings or preferences. Keep in mind, blocking all cookies may affect the functionality of many websites (including ours). If you only want to limit third-party advertising cookies, some browsers and browser extensions allow you to specifically block trackers. Another option is to use tools like browser extensions that increase privacy. For Google Analytics specifically, Google offers an opt-out browser add-on you can install to prevent your data from being used by GA on any site. We also honor the “Do Not Track” (DNT) setting in your browser to the extent possible – however, note that a universal standard for DNT is not fully established. Since we do not currently use cross-site tracking for advertising, if your browser sends a DNT signal, we will simply continue not to load any marketing trackers (as we have none) and will treat it as an opt-out of any non-essential tracking. For California residents, we also recognize the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing. In practical terms, since we don’t sell data, the main effect of GPC or DNT signals when using our site would be to ensure analytics cookies are disabled by default (which we’re doing via consent anyway).
  • Third-Party Content and Cookies: Some content or functionality on our site may be provided by third parties which could set their own cookies. For example:
    • If we embed a YouTube video in a blog post or a Google Map for location, those services might set cookies (YouTube might use cookies to track video views or suggest related videos; Google Maps might remember preferences). These are third-party cookies governed by the respective third party. We will endeavour to use privacy-friendly modes where available (for example, YouTube has a privacy-enhanced mode that limits tracking).
    • Social Media buttons (e.g., “Share on Facebook” or “Tweet this”) if present, may allow those platforms to set cookies to track the share or your login status with them.
    • Future use of WooCommerce (an e-commerce plugin) on our site could introduce cookies for managing cart sessions, remembering items, or tracking e-commerce analytics. If/when we implement WooCommerce for selling products or services directly on our site, we will update our cookie disclosures accordingly. Typically, WooCommerce uses necessary cookies for cart and checkout functionality, and possibly additional analytics if enabled.

In all cases, we will list these cookies in our cookie notice or policy and provide you a way to opt out of any that are not essential. We aim to be transparent about all cookies in use. If you have any questions about specific cookies or how to manage them, please contact us.

To summarize, cookies help us run and improve our site, but you remain in control. We provide upfront disclosure and the ability to opt in/out where required. Any non-essential cookies (especially those related to analytics or any future advertising) will only be active if you allow them. We value your preferences and will not treat you differently if you choose not to accept certain cookies (aside from the difference that we won’t have the data those cookies would provide). For more detailed information, you can refer to our [Cookie Policy] (if we have a separate one) or reach out to us with any concerns.

Third-Party Services and Data Sharing

We utilize a few trusted third-party services to operate our website and deliver our offerings. This section details who these third parties are, what data is shared with them, and why. We also outline other circumstances where we might share your data. Rest assured, we do not sell your personal information to anyone. We only share data as outlined here and we ensure any third party we work with is obligated to protect your information.

Service Providers We Use

  • Google Analytics: We use Google Analytics (GA) to understand how visitors use our website. Google Analytics acts as our data analytics provider. It uses cookies and similar technologies to collect information about website use (as detailed in “Cookies and Tracking” above). The data collected (Internet Protocol (IP) address, browser type, pages visited, time spent, etc.) is transmitted to Google’s servers (which may be outside your country, e.g., in the United States) and aggregated for us. Google provides reports and insights, but we do not see individual user profiles – GA primarily gives us trends. We have configured Google Analytics to anonymize IP addresses for EU users (this means that Google truncates/anonymizes the IP as soon as technically feasible, reducing precision). Google acts as a “processor” of this usage data for us. Google is not supposed to use the GA data for their own purposes or share it (aside from as needed for the service or if required legally). We have accepted Google’s data processing terms which include the EU standard contractual clauses for data transfers, and Google LLC is certified under the EU-U.S. Data Privacy Framework, indicating it will handle EU/UK data in compliance with EU standards. If you prefer not to be included in Google Analytics tracking, you can opt out via our cookie banner or using Google’s opt-out tools as mentioned. For more details, see Google’s Privacy Policy and their page on how they use data from partner sites. (Note: We do not use Google Analytics for advertising features, so GA does not collect advertising identifiers or integrate with Google Ads in our setup.)
  • Mailchimp (The Rocket Science Group LLC): We use Mailchimp to manage our email newsletter and mailing list. When you subscribe to our newsletter or other marketing emails, your name and email address are stored on Mailchimp’s platform. Mailchimp helps us design and send emails to our subscriber list and tracks open rates and clicks (as described earlier). Mailchimp essentially processes your personal data (email, name, and engagement with emails) on our behalf for the purpose of sending communications. They do not contact you independently; you’ll only hear from us via their service. Mailchimp is based in the United States, so personal data (like your email) is transferred to the U.S. for processing. To ensure this is done lawfully for EU/UK users, Mailchimp has certified under the EU-U.S. Data Privacy Framework (DPF) and the UK extension, which means it commits to protect personal data received from Europe in line with European privacy standards. Additionally, Mailchimp incorporates Standard Contractual Clauses (SCCs) in its Data Processing Addendum as further protection. We have a Data Processing Agreement with Mailchimp that outlines their obligations in handling our subscribers’ data. In short, Mailchimp will not use your email for anything except as instructed by us (sending our newsletters) and as needed to maintain their service. If you unsubscribe from our emails, we will remove or suppress your contact in Mailchimp so they no longer process it except to abide by removal. You can review Mailchimp’s privacy policy for more information on their practices.
  • Stripe: Stripe is the third-party payment processor we use to handle online payments (credit/debit cards) securely. When you make a purchase or payment on our site (such as paying for a course or a service), the payment form is usually provided by Stripe or is integrated via Stripe’s secure API. Your payment details (card number, expiration, CVV, etc.) go directly to Stripe – even if you enter them on our site, they are transmitted securely to Stripe’s servers. Stripe then processes the transaction and returns a confirmation to us. Stripe may store your card information (especially if you opt to save it or for use in subscription billing), but this is on Stripe’s systems, not ours. We as the merchant can see certain information about the transaction in Stripe’s dashboard: e.g., your name, the amount, the last 4 digits of your card, card type (Visa/Mastercard), maybe your IP and billing country, and whether the payment was successful. Stripe uses and protects your information according to their privacy policy. They are a large, reputable payment processor and are PCI-DSS compliant, meaning they adhere to high security standards for handling payment data. Stripe may also perform anti-fraud checks and could use your information for that purpose (for example, they might analyse a payment to detect fraud patterns). We share data with Stripe only to the extent necessary for processing payments – this includes the purchase details and your provided billing info. For EU/UK transactions, Stripe may act as an independent data controller for certain fraud prevention processes and must comply with GDPR. Stripe has Binding Corporate Rules and/or uses Standard Contractual Clauses to facilitate European data transfers, and as of now we believe they have also certified under the EU-U.S. DPF. We recommend reviewing Stripe’s Privacy Policy for full details on how they handle personal data. In summary, Stripe is an essential service provider that allows us to charge you safely; we trust them with your payment info under strict safeguards.
  • Web Hosting and IT Providers: Our website might be hosted by a third-party hosting company (for example, if we use a hosting service or cloud service to run our website). That means any data you provide through the site (your account info, form submissions, etc.) could be stored on servers that belong to that hosting provider. We will ensure that any hosting provider we use has appropriate security and privacy measures in place (many reputable hosts have certifications and compliance with standards). The hosting provider would technically have the ability to access data on the server, but they typically do not access or use it except for maintaining the server or as required by law. We won’t name a specific host here in case it changes, but you can inquire if needed. Similarly, we may use standard IT services like cloud storage or email service (e.g., if you email us, your email goes through our email service provider and is stored there). All such providers are vetted for security and, if outside our country, we ensure legal transfer mechanisms (like SCCs for EU data).
  • WooCommerce (Future Use): While not implemented at the moment, we may in the future use WooCommerce (a WordPress-based e-commerce plugin) to sell products or services directly on our site. If and when this happens, WooCommerce will collect personal data as part of the checkout process (name, email, billing/shipping address, etc., and order details). WooCommerce itself is software that runs on our website/servers, so data collected via it would be stored in our website database. However, WooCommerce may have extensions or integrations that connect to third-party services (for example, to calculate shipping rates, or to send transactional emails, or to process payments – which in our case is Stripe as mentioned). We will ensure that any such integrations are handled in compliance with privacy laws. Essentially, consider WooCommerce as an extension of our site’s data collection for e-commerce purposes. All data collected through it will be treated according to this Privacy Policy (and we’ll update the policy once WooCommerce is live to specify any new data points like shipping addresses if relevant). We will maintain appropriate safeguards for the e-commerce data (including using SSL encryption, etc.). If you make a purchase through a future online store on our site, the data will be used to fulfill your order and managed just like our current process, with Stripe processing the payment.
  • Other Third-Party Tools: We continuously improve our website and may introduce new tools or plugins. For example, we might use a scheduling tool for booking sessions, or a social media feed plugin to display our Instagram posts, or a commenting system for our blog. If any such tool collects or processes personal data, we will update this policy to inform you. We only choose reputable providers and strive to configure them to respect privacy (for example, disabling unnecessary data collection when possible). If you ever have a question about a specific feature on our site and how it works with your data, please ask us.

Other Data Sharing and Disclosure

We will only share or disclose your personal information outside of our organization and the service providers listed above in a few exceptional circumstances:

  • With Your Consent or at Your Direction: We may share information with third parties if you request or direct us to do so. For instance, if you ask us to collaborate with another healer or service provider and you want us to share your contact or context with them, we would do so with explicit permission. Another example: if we ever run a joint event with a partner and you sign up, we might ask if you consent to us giving your email to the co-host for coordination; if you agree, we’ll do so. In any such case, we’ll make sure you understand what info will be shared and with whom, and you can say no.
  • Legal Requirements and Safety: We might disclose personal information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government demand). We will evaluate any request carefully and only comply if legally obligated. Additionally, we may share information if we believe in good faith that such action is necessary to:
    • Comply with the law or legal process.
    • Protect and defend our rights, property, or safety, or that of our users or others. For example, sharing information with law enforcement to investigate fraud or a security incident.
    • Prevent or investigate possible wrongdoing in connection with the site or services (such as suspected fraud, harassment, or security breaches).
    • Protect against legal liability. This can include sharing information with our legal advisors in the event of a dispute or lawsuit.
  • Business Transfers: If in the future our business expands or changes structure – for instance, if we form a company, or in the unlikely event we consider a merger, acquisition by another organization, or sale of some or all of our assets – user information might be part of the assets transferred to or evaluated by the new owner/partner. If such a transfer happens, the acquiring party will likely take on the responsibilities described in this Privacy Policy regarding your personal data. We would inform you of any change in ownership or use of your personal information, as well as any choices you may have regarding your personal data in that context. (To be clear, we have no current plans for this, but we include this clause as a standard transparency practice.)
  • Aggregated or De-Identified Data: We may share information that has been aggregated or anonymized in a way that it no longer is associated with an identifiable individual. For example, we might publish blog posts or reports showing trends (“X% of our site visitors are from Europe” or “Most requested shamanic service in 2025 was learning to journey”) or share testimonial statistics. This kind of data does not personally identify you and is not considered personal information. If we share such aggregated insights, we ensure no individual can be re-identified.

We do not share your personal data with third parties for their own direct marketing purposes (for example, we’re not giving or selling your email list to another company so they can market to you). In fact, under California’s “Shine the Light” law, you have the right to request information about such practices – and our response would be that we engage in no such sharing unless you specifically consent to it. Any third party that processes your data does so under our instruction (like Mailchimp sending our emails) or under a permissible lawful scenario as outlined.

In all cases of data sharing, we evaluate the necessity and ensure that appropriate safeguards and agreements are in place. We limit what is shared to only what is required for the task. If you have questions about third parties we work with or need more detail on any of the above, please reach out to us.

Data Storage and International Transfers

We are a global service and, as such, your personal information may be stored and processed in different countries, including those outside of your home jurisdiction. Here we explain where data is stored, how long we keep it, and how we handle international data transfers to ensure your information remains protected to the high standards of laws like GDPR regardless of where it is processed.

  • Data Storage Locations: The personal data we collect is primarily stored on servers located in [Replace with hosting location, e.g., the European Union or United States]. For example, if our website is hosted on servers in the EU, your form submissions and account details reside on those EU servers. However, certain data will be transferred to and stored by the third-party services we use:
    • Data processed by Google Analytics may be stored on Google’s servers in the United States or other countries where Google maintains data centres.
    • Mailchimp stores our mailing list data on their servers in the United States.
    • Stripe may store payment-related data on servers in the U.S. and other jurisdictions as needed for payment processing (Stripe has a global infrastructure).
    • If we use cloud backups or other IT services, those may also involve storage in multiple regions (we will choose services that either store data in regions with adequate protection or have measures to comply with data protection requirements).

This means your personal information may be transferred to, or accessed from, countries outside of your country of residence. For instance, if you are in the EU, some of your data will be transferred to the United States because that’s where Mailchimp and portions of Google/Stripe operations are. Similarly, users in India or elsewhere should be aware that data might be processed in the EU or US.

  • International Data Transfer Safeguards: Whenever we transfer personal data across borders, especially from the European Economic Area (EEA), UK, or other regions with data protection laws, we take steps to ensure that appropriate safeguards are in place. These are in line with GDPR requirements for international transfers:
    • Standard Contractual Clauses (SCCs): We have agreements in place with our service providers (like Mailchimp, Stripe) that incorporate the European Commission’s Standard Contractual Clauses. These clauses are legal tools that bind the recipient of the data to protect it according to EU standards, even in a country that may not have the same legal protections.
    • Data Privacy Framework Certification: As mentioned, services like Mailchimp and Google are certified under the EU-U.S. Data Privacy Framework (DPF) and its UK extension. This means they have committed to specific privacy principles and are under oversight to ensure compliance when handling EU/UK personal data in the U.S. While no framework is perfect, this certification is one way to establish a legally approved transfer mechanism after the invalidation of the old Privacy Shield.
    • Binding Corporate Rules (BCRs): Some providers (e.g., Stripe, or potentially our hosting provider if it is a large company) have BCRs approved for internal transfers of data within their corporate group. This is another layer ensuring all branches of a company handle data securely.
    • Your Consent and Necessity: In some cases, we might rely on your explicit consent for transfers (though this is rare and we prefer standardized safeguards). Or we transfer data as necessary to perform a contract with you – for example, if you’re signing up for an online course from outside the EU, the transfer of your data to our EU-based servers is necessary to provide the service you requested.
    • Assessment and Monitoring: We keep an eye on legal developments around data transfers. If any of our transfer mechanisms are deemed invalid or insufficient by regulators (as happened with Privacy Shield historically), we will promptly work to put alternative measures in place or seek guidance from the relevant authorities on how to proceed lawfully. We are committed to not just doing the minimum legally, but genuinely ensuring your data is safe wherever it is processed.
  • Data Retention: We store your personal information only for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements. The exact duration may vary by data type and context:
    • Account and Service Data: If you create an account on our site or participate in our courses/services, we will retain your personal data for as long as your account is active or as needed to provide you services. If you delete your account or it’s inactive for a long period, we may remove or anonymize the data after a reasonable time (unless we need to keep it longer for legal reasons). You can also request deletion of your data – see “Your Rights” below.
    • Newsletter Subscription: We keep your email on our mailing list until you unsubscribe. If you opt out, we may keep your email on a suppression list to ensure we don’t accidentally send you emails again (as allowed by law). We might also retain proof of your initial consent (like sign-up logs) if needed to demonstrate compliance with anti-spam laws, but only for a reasonable period.
    • Transaction Records: We will retain payment and transaction records as long as required by law. For example, in many jurisdictions, financial records must be kept for a number of years (e.g., 7 years) for tax audit purposes. This means if you made a purchase, the basic data of that purchase (name, contact, amount, date, and maybe billing address) might be kept in our files for that duration. However, any sensitive payment data (card numbers) are not in our records, as those are with Stripe.
    • Analytics Data: Data collected via Google Analytics is typically retained for a certain period that we configure. We currently set our Google Analytics data retention to [e.g., 14 months] (just as an example). This means that data associated with cookies, user identifiers, or advertising identifiers will be deleted automatically from GA after that period. We only view aggregate reports, but it’s good practice not to keep raw analytics data indefinitely.
    • Communications: If you contact us (emails or contact form queries), we may retain those communications for a period to manage our relationship and in case we need to refer to past conversations. Typically, we might keep customer service emails for a year or two, unless you request deletion of your email conversation and we no longer need it.
    • Legal Holds: If we are in a legal dispute or are required by law to retain certain data (e.g., an ongoing investigation), we will keep the data as needed until the issue is resolved, even if that extends beyond the normal retention period.

Once the retention period is over, we will either delete your personal data or anonymize it (so it can no longer be associated with you) in a secure manner. For example, we might delete user account information from our database, and ensure any backups are also eventually purged. If deletion is not immediately possible (e.g., data stored in secure archives), we will ensure it’s isolated and protected until deletion is feasible.

  • Security Measures: (Though not exactly “storage,” it’s related) We take reasonable and appropriate measures to secure your personal data wherever it is stored. This includes using encryption (our website has HTTPS – meaning data you enter is encrypted in transit; our servers or cloud storage use encryption at rest where possible), access controls (only authorized personnel or service providers can access the data they need), and regular security assessments. We also ensure our staff or any persons who handle personal data are aware of their responsibilities and trained in protecting data. No system can be 100% secure, but we strive to use industry best practices to guard against unauthorized access, alteration, or loss of data.

In summary, your data might travel globally, but we treat it with care every step of the way. We implement internationally recognized safeguards and comply with all applicable data transfer rules. If you have questions about where your specific data is stored or the measures in place, please contact us. We can provide more specific details based on your interaction (for example, if you are in India and want to know if your data goes to Europe, we can clarify that flow). Our aim is to be transparent and protective of your information no matter where it is handled.

Data Security

We understand that the security of your personal information is important. We take a number of precautions to protect the data you share with us from loss, misuse, unauthorized access, disclosure, alteration, or destruction. Here are some key aspects of our data security approach:

  • Website Security: Our website is secured using HTTPS encryption. This means that any data transmitted between your browser and our website (such as when you fill out a form or make a purchase) is encrypted in transit. You should see a padlock icon in your browser’s address bar when you visit our site, indicating the connection is secure. Encryption helps protect against eavesdropping by third parties while data is being sent over the internet.
  • Access Controls: Personal data collected is stored in systems that are protected by passwords and other security measures. Access to these systems is limited to authorized personnel who need the information to perform their job (for example, customer service, or site administration tasks). Each authorized person has unique credentials, and we follow the principle of least privilege – meaning they only have access to the minimum data necessary. We also make sure to revoke access promptly for anyone who no longer needs it (such as contractors or employees who leave).
  • Third-Party Security: We choose reputable third-party service providers (like Stripe, Mailchimp, Google) that have strong security track records. These providers invest heavily in security. For instance, Stripe is audited for PCI compliance (for handling credit card info securely). Mailchimp and Google have robust security teams and measures (as they detail on their sites). We review their security and privacy practices and ensure contracts are in place to enforce data protection. However, we note that while we rely on them, they operate their own systems – if any of those systems were ever compromised, we would take appropriate action in line with our incident response plan (and we would inform users and authorities as required by law).
  • Technical Measures: We use firewalls, anti-malware, and monitoring tools on our website and servers to guard against unauthorized access and detect suspicious activities. Software on our site (like the content management system or plugins) is kept up-to-date to patch security vulnerabilities. We may employ techniques like rate-limiting (to prevent brute-force attacks on login pages) and CAPTCHA challenges (to reduce spam or automated abuse on forms).
  • Data Encryption and Pseudonymization: Where possible, we encrypt personal data at rest. For example, if our database stores user passwords, they are salted and hashed (not stored in plain text) so that even we cannot read your password. If we store sensitive personal data (which we generally avoid, except maybe temporary storage of something like a private note in your profile if such existed), we would encrypt it. Certain identifiers may be pseudonymized (replaced with codes) in our internal systems if we don’t need the direct identifier regularly. By reducing direct identifiers, we minimize risk.
  • Backups: We perform regular backups of our website data to prevent accidental loss. These backups are securely stored. If a data loss incident (like hardware failure) occurs, we can restore from these backups. We ensure that backups are protected with the same level of security as our live data (including encryption and restricted access).
  • Training and Policies: We maintain internal policies on data protection and regularly remind our team of best practices (like not clicking suspicious links, how to handle user data properly, etc.). Since we are a small team, this is manageable and taken seriously. If we work with contractors (say, someone helping with email communications), we ensure they are bound by confidentiality agreements and are briefed on privacy/security expectations.
  • No Guarantee: While we are committed to protecting your data, it’s important to understand that no method of transmission over the internet or method of electronic storage is completely foolproof. Despite our efforts, we cannot guarantee absolute security. Cyber threats evolve, and there’s always some residual risk. In the unlikely event of a data breach (where we discover your personal data may have been accessed by an unauthorized party), we will act promptly: containing the breach, assessing impact, and notifying affected users and relevant authorities as required by law (for example, GDPR requires notification for certain breaches within 72 hours to data protection authorities). We would also provide guidance to you on steps to protect yourself, if applicable.

In using our site, we also encourage you to take precautions. Protect your account credentials (if you have an account on our site, use a strong unique password and don’t share it). Be careful about phishing attempts – we will never ask you for your password via email, and if something looks suspicious, reach out to us directly. When you finish using a secure area (like account or checkout), you may log out and close your browser if on a shared device.

Our commitment is to continually review and improve our security practices as needed. We appreciate your trust in us and will do our best to safeguard the information you entrust with us. If you have specific questions about security or suspect any vulnerabilities, please contact us; we welcome responsible feedback and will address concerns.

Your Privacy Rights

You have rights regarding your personal information, and we want to make sure you are aware of and can easily exercise these rights. Depending on your location and applicable law, your rights may include those provided under GDPR (for EU/EEA and UK individuals) and the CCPA (for California residents), among others. We extend many of these rights to all our users where feasible, because we believe in transparency and fairness.

Below, we outline specific rights for EU/UK users and California residents, and we also mention rights for other regions (such as India) in general terms. We then explain how you can exercise these rights and what to expect.

Rights Under GDPR (EU/UK)

If you are in the European Union, European Economic Area, or the United Kingdom, you have certain rights under the GDPR/UK GDPR with respect to your personal data that we hold. These include:

  • Right to Be Informed: You have the right to be informed about how your data is collected, used, and shared – and that’s the main purpose of this Privacy Policy. We aim to provide clear and honest information at the time of data collection (for example, brief notices on forms) and through this detailed policy.
  • Right of Access: You have the right to access the personal data we hold about you. This means you can ask us to confirm if we are processing your data and request a copy of that data (commonly known as a “Data Subject Access Request”). We will provide you with the information, usually within one month, detailing the categories of data, purpose of processing, and any parties it’s shared with, etc., as required by law. For example, you can ask, “What information do you have about me?” and we will supply (assuming you verified your identity) the details such as your profile info, interaction history, etc.
  • Right to Rectification: If any personal data we have about you is inaccurate or incomplete, you have the right to have it corrected. Upon your request, we will rectify erroneous information promptly. For instance, if your name was misspelled in our records or you changed your email address, you can ask us to update it and we will do so.
  • Right to Erasure (Right to Be Forgotten): You have the right to request that we delete your personal data. You can ask us to erase your information, and we will comply provided that we don’t have a legitimate reason to keep it (for example, we might need to retain certain transaction records for legal obligations, but we’ll let you know if that’s the case). If you withdraw consent for something and there’s no other legal ground to process your data, you can request deletion. We will also take steps to inform any third parties (processors) who have your data on our behalf to also erase it. For example, if you want your account removed entirely, we will delete your profile from our database and instruct Mailchimp to remove you from the email list as well.
  • Right to Restrict Processing: In certain situations, you can ask us to limit how we use your data. This could apply if you contest the accuracy of the data (you can request restriction while we verify/correct it), or if you object to our use and we are considering your request, or if processing is unlawful but you don’t want full deletion. While under restriction, we will store your data but not use it until the issue is resolved (except to the extent allowed, like ensuring the restriction is respected).
  • Right to Data Portability: You have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller (for example, another service provider), where technically feasible. This right applies when the processing is based on your consent or on a contract and is carried out by automated means. For example, if you provided us with a bunch of data through a profile or application and you want to take that data to a different service, we’ll give you a copy in a format like CSV or JSON that is easily reusable.
  • Right to Object: You have the right to object to our processing of your personal data in certain circumstances. Specifically, you can object to processing based on legitimate interests or to processing for direct marketing purposes. For instance, if we were sending you emails under the basis of “legitimate interest,” you could object and we would stop (in practice, we would anyway stop any marketing if you say so, since we treat it as opt-out). If we were processing data for research or statistical purposes, you could also object if you have grounds relating to your particular situation. In case you object to processing based on our legitimate interests, we will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is required for legal claims.
  • Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects on you. In simpler terms, this means if we were using algorithms to make major decisions about you without human involvement (like an automated system deciding you are denied a service, etc.), you can demand human intervention or challenge the decision. However, as noted earlier, we do not engage in automated decision-making of that nature with your data. We have no such automated processes in place that would significantly affect you. If that ever changes, we will inform you and ensure appropriate safeguards, including your right to contest such decisions.

In addition to these rights, GDPR also includes the right to withdraw consent at any time (for data that we process based on consent). We’ve already covered that in sections like marketing – you can revoke your consent whenever, and it won’t affect the lawfulness of processing before withdrawal.

You also have the right to lodge a complaint with a Data Protection Supervisory Authority, especially in the country where you live or work, or where the issue occurred. For example, if you are in Ireland, you can complain to the Data Protection Commission (DPC); if in the UK, to the Information Commissioner’s Office (ICO); if in France, to CNIL, and so on. We would appreciate the chance to address your concerns directly first, but it is your right to go to the authorities if you believe your data protection rights have been violated.

We will not charge you for exercising these rights in most cases. If a request is unfounded or excessive (for example, repetitive requests), the law permits a fee or refusal, but we aim to honor legitimate requests.

California Privacy Rights (CCPA/CPRA)

If you are a resident of California, you are protected by the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act (CPRA) of 2020. These laws provide California consumers with specific rights regarding their personal information. Below is a summary of your California privacy rights:

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell or share about you. More specifically, you can request that we disclose to you:
    • The categories of personal information we have collected about you.
    • The categories of sources from which we collected the personal information.
    • The business or commercial purpose for collecting (and if applicable, selling or sharing) personal information.
    • The categories of third parties with whom we have disclosed your personal information.
    • The specific pieces of personal information we have collected about you (essentially an access request similar to GDPR).

When you make a verifiable request for this information, we will provide it for the 12-month period preceding your request (you can also request information beyond 12 months as CPRA allows, to the extent available). We are required to give you this information in a portable and (if possible) readily usable format, typically within 45 days of your request (which can be extended once by another 45 days with notice to you if needed).

  • Right to Delete: You have the right to request deletion of personal information that we have collected from you and retained, subject to certain exceptions. Upon receiving a verifiable deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. Common exceptions under CCPA/CPRA include if the information is needed to: complete the transaction or service you requested, detect security incidents or protect against illegal activity, comply with a legal obligation, or for certain internal uses that are compatible with the context of collection (for example, if you’ve bought something, we might need to keep records for financial legal requirements). If we must deny your deletion request due to an exception, we will inform you of the reason.
  • Right to Opt-Out of Sale or Sharing of Personal Information: CCPA gives you the right to opt out of the “sale” of your personal information. CPRA expanded this to include the right to opt out of “sharing” of personal information for cross-context behavioral advertising. Important note: We do not sell your personal information for money, and we do not share it for targeted advertising as defined by the law (as of the date of this policy). In other words, we don’t exchange your data with third parties for the purpose of them profiling you and serving you ads on other websites. Therefore, we don’t have a “Do Not Sell or Share My Personal Information” link because we do not engage in those practices. However, if we ever were to consider something that could be construed as a sale or sharing (for instance, using advertising cookies that share info with an ad network), we would implement the appropriate opt-outs and obtain consent. Additionally, we honor the Global Privacy Control (GPC) signal, which is a browser setting that communicates an opt-out preference. If we detect a GPC signal from your browser, we will treat it as a valid request to opt out of any sale/sharing of personal info. Again, since we don’t sell/share data in that manner, the main effect is ensuring we continue not to load any trackers that could be considered a “sale/share” in the legal sense.
  • Right to Correct: Under CPRA (effective 2023), California residents have the right to request correction of inaccurate personal information that we hold about them. If you find that any of your information is incorrect, you can request that we correct it, and we will take appropriate action to do so (similar to the GDPR right to rectification).
  • Right to Limit Use of Sensitive Personal Information: CPRA introduced the right for consumers to limit the use and disclosure of “sensitive personal information” if a business uses it for certain secondary purposes. Examples of sensitive personal info under California law include things like precise geolocation, race/ethnicity, health information, biometrics, etc. We do not collect or use sensitive personal information in ways that trigger this right (we do not profile you based on sensitive data or use it for anything beyond providing a service, if we even have any). For instance, while someone’s spiritual beliefs could be considered sensitive, we only know such information if you voluntarily share it in the context of receiving a service, and we only use it to serve you, not for any secondary purpose. If we ever did handle sensitive info beyond what’s necessary, you would have the right to tell us to limit its use (to only that which is necessary to perform the services or comply with law). Should that scenario arise, we will provide a clear “Limit Use of Sensitive Info” option. Currently, there’s no separate sensitive use to limit in our practices.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your CCPA rights. This means we will not deny you goods or services, charge you a different price, or provide a different level of quality just because you exercised your privacy rights. For example, if you ask us to delete your data or opt out of sale, we won’t suddenly give you a worse experience or deny you access. CCPA does allow providing incentives (like a discount in exchange for data) as long as they are permitted, but we do not offer any such data-for-benefit programs at this time. If we ever did, we’d ensure they are compliant and fair.

Additionally, California’s “Shine the Light” law (Civil Code § 1798.83) allows users of our site who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. However, as noted, we do not share personal information with unaffiliated third parties for their own direct marketing, so there is nothing to disclose in that regard. If you have questions about this, you can always contact us.

Exercising California Rights: To exercise any of the rights described above (know, delete, opt-out, correct, limit) as a California resident, you or your authorized agent can submit a request to us – see “How to Exercise Your Rights” below. We will need to verify your identity (or the agent’s authority) before fulfilling the request, which may involve asking you to provide information that matches our records. We aim to respond within the statutory time frames (generally 45 days, with the possibility of a 45-day extension, which we’ll inform you about if needed). If we had any opt-out of sale requests, we would honor them within 15 business days as required. But again, since we don’t sell data, you won’t find yourself needing to do much here beyond perhaps opting out of cookies if you choose.

We extend similar rights to all our users where practicable. Even if you are not in California or the EU, you can still contact us to request access or deletion of your data, and we will do our best to honor it (unless we have a specific lawful reason not to). We believe you should have transparency and control no matter where you live.

Other International Privacy Rights

  • India: If you are in India, note that the Digital Personal Data Protection Act, 2023 (DPDP Act) was recently enacted to provide individuals with rights over their personal data. While the law is new and implementation is underway, it is expected to grant rights similar in spirit to GDPR, such as the right to access and correct your data, and the right to grievance redressal. We strive to respect your rights under any applicable Indian privacy laws. This means you can request information about your data or ask for deletion/correction, and we will respond in accordance with the law’s requirements. We also will ensure that if we transfer data outside India, it’s done in line with any regulations (once they are in force). Although the detailed rules under the DPDP Act are forthcoming, our default approach is transparency and honouring reasonable privacy requests from users, regardless of jurisdiction.
  • Other Regions: If you are in a country or state with privacy laws (for example, other U.S. states like Virginia, Colorado, etc., which have passed their own privacy laws, or countries like Australia, Brazil’s LGPD, Canada’s PIPEDA, etc.), you may have specific rights under those laws. We intend to comply with all applicable laws. You can contact us to inquire or make requests related to your data rights under those regimes as well. In many cases, the rights will overlap with what we’ve already described (access, deletion, etc.). For instance, Brazil’s LGPD gives rights to confirm existence of processing, access data, correct, delete, etc., which are very much in line with GDPR – and we cover those. We are committed to respecting the highest standard of rights across the board.

In short, no matter where you are, we want you to have control over your personal information. We will do our best to accommodate your requests, even if not legally mandated in every jurisdiction, because treating users fairly is a core principle for us.

How to Exercise Your Rights

Exercising your privacy rights is easy. To make any request regarding your personal data, please contact us through any of the methods provided in “Contact Us” below. For efficiency, we suggest emailing us at connect@lucindawells.com with the details of your request. Please include:

  • Your name and the email address associated with your use of our services (so we can locate your records).
  • What right you wish to exercise (e.g., “I want to access my data” or “Please delete my account and all data” or “Opt-out of newsletter”).
  • Any relevant context or details that will help us fulfil your request (for example, if you are requesting specific pieces of data, describe them; if an agent is acting for you, have them provide proof of authorization).

Verification: For your security, we will need to verify your identity (or if you have an authorized agent, verify their authority and your identity) before completing certain requests, especially for access, deletion, or correction of sensitive data. We might do this by:

  • Asking you to confirm some personal details that we have on file (for instance, we may ask you to reply from the email address we have on record, or answer a question about a past interaction).
  • In some cases, we might ask for a form of identification (though generally verifying via known communication channels suffices).
  • If an authorized agent (like an attorney or someone with power of attorney) makes the request, we will ask for proof (like a written permission from you and verification of their identity).

We will not require you to create an account just to make a request, and we will only use the information you provide in a request to verify and fulfil that request.

Response Time: We will respond to your request as quickly as we can. Under GDPR, we aim to respond within one month; under CCPA, within 45 days. We can often get back to you sooner. If we foresee it taking longer (due to complexity or volume of requests), we will inform you of the extension and the reason (in the EU/UK context, the deadline can be extended by up to 2 more months if necessary; in California, by an extra 45 days if needed). Our response will typically be in writing, usually via email, unless you request an alternative method.

What to Expect:

  • For an access request, we will provide the information requested or explain if any part cannot be provided (due to legal reasons) and cite the relevant exemptions if applicable.
  • For deletion, we will confirm once we have deleted your data (or the extent to which we could delete, if some is retained under exceptions). We will also inform our processors (like Mailchimp, etc.) to delete data they hold on our behalf.
  • For correction, we will confirm the data has been corrected or completed.
  • For an opt-out of selling/sharing (if it were relevant), we would confirm that we have processed that, but as noted, we don’t sell data.
  • If we cannot fulfil a request, we will explain why. For instance, if you request deletion but we have to keep certain data for legal obligations, we’ll tell you what we cannot delete and why (e.g., “We cannot delete your transaction invoice from 3 months ago due to tax regulations, but we have deleted other data not required to be kept”).

We will accommodate reasonable requests free of charge. If a request is manifestly unfounded or excessive (e.g., you make repetitive requests), we may charge a reasonable fee or refuse to act on it, but we will explain our decision in such a case. That said, we have not encountered such issues and will try to work in good faith to provide you with your data.

Data Portability: If you request it, we can provide your information in a commonly used electronic format (such as CSV or JSON file). This would include the personal data you have provided to us directly and any data we have about you that is feasible to export.

Authorized Agents (California): If you are a California resident and you want someone else to make a request on your behalf, California law permits this. The agent will need to demonstrate you’ve given them signed permission to do so, and they must verify their identity. If the agent doesn’t have your power of attorney, we will also require you to verify directly with us that you authorize the request (for instance, by confirming with us via email or phone). This is to prevent fraud.

We do not discriminate against anyone for exercising their rights. You will receive the same quality of service from us regardless of whether you’ve made requests or not. Our goal is to empower you with control over your personal information. If you have any questions about your rights or how to use them, please contact us – we’re here to help.

Changes to This Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We encourage you to review this policy periodically to stay informed about how we are protecting your information.

  • Notification of Changes: If we make significant changes to this Privacy Policy, we will notify you by posting a prominent notice on our website (for example, a banner or pop-up notification, or a highlighted message on the homepage) and/or by sending you a direct notification if you have provided us with contact information (such as an email address for those subscribed to our newsletter or users with accounts). The notice will outline the key changes and direct you to the updated policy. For minor or non-material changes (such as clarifications, typographical corrections, or updates that do not negatively impact your privacy rights), we may not send out a specific alert, but the new effective date will signal that an update has occurred.
  • Effective Date: Each version of this Privacy Policy will have a “Last updated” date at the top. The most current version is the one that applies to your interactions with us. Older versions, to the extent archived, are superseded by the latest version. We maintain change logs internally and can provide historical versions upon request to the extent required or if you’re interested in seeing what changed.
  • If You Don’t Agree: If we update the Privacy Policy and you do not agree with the changes, you should discontinue using our website and services. If applicable, you may also contact us to request deletion of your data. Continuing to use our site after the updated Privacy Policy goes into effect will signify that you have read and understood the revised terms.

We make these updates to keep our promise of transparency. We will not materially reduce your rights under this Privacy Policy without taking steps to obtain your consent (where required by law). For example, we wouldn’t suddenly start collecting new categories of personal data or using your data for new purposes not stated here without informing you and getting appropriate consent or giving you a chance to opt out.

If you have any questions about changes to this policy, you can always reach out to us for clarification. Your trust is important to us, and we want to ensure you feel comfortable with how we handle your information at all times.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us. We are here to help and address any issues you may have.

Contact Information:

  • Email: connect@lucindawells.com – This is the quickest way to reach us for privacy-related inquiries or requests.
  • Contact Form: You can also send us a message through the contact form on the Contact Us page of our website.
  • Mailing Address: Lucinda Wells, Unit A, 82 James Carter Road, Mildenhall Industrial Estate, Suffolk, IP28 7DE. (Use this address if you prefer to send us a written request or if it is required for formal communications. Please note: This address is provided for privacy correspondence; do not send payments or returns to this address.)

Data Controller: For the purposes of EU/UK data protection law (GDPR), the “data controller” of your personal information is Lucinda Wells, the owner/operator of www.lucindawells.com. If we have appointed a representative in the EU (not usually needed if we are established in the EU) or a Data Protection Officer (DPO) (usually not mandatory for us unless we process large-scale sensitive data), we would provide their contact details here as well. (At present, we have not appointed a formal DPO as the scale and nature of our processing do not require it, but we handle these duties internally.)

We will respond to your inquiries as soon as possible, generally within a few business days. If you are contacting us to exercise a privacy right, please see the “How to Exercise Your Rights” section above for more details on the process and verification steps.

We value your feedback. If there’s anything you feel is unclear or not covered in this Privacy Policy, let us know – we may update the policy or clarify to you directly. Your privacy and your satisfaction with how we handle your data are very important to us.

Thank you for taking the time to read our Privacy Policy. We appreciate the trust you place in us and are committed to safeguarding your personal information while you explore the world of shamanism and meditation with us.