Effective date: 10/25/24
This privacy notice applies if you are a resident of a country within the European Economic Area, Switzerland, or the United Kingdom. If you are not a resident of a country within the European Economic Area, Switzerland, or the United Kingdom, please click here.
This Privacy Policy sets out how Dharma Ocean Foundation (“Dharma Ocean”, “we”, “us” or “our”) collects, stores, uses and discloses your personal data and provides additional information, such your rights with regard to processing activities.
1. Who we are and who is responsible for the processing of your personal data?
Dharma Ocean Foundation is responsible for the processing of your personal data (“controller” of your personal data).
If you have any inquiries about the processing of your personal data, you can contact us at: info@dharmaocean.org. You can also contact our administrative team at: info@dharmaocean.org.
2. What is processing of personal data?
“Personal data” means information about an identifiable individual. “Processing” collectively refers to all operations that can be performed on personal data, in particular collecting, storing, or using personal data. Within the European Union processing of personal data is primarily regulated by the European General Data Protection Regulation (“GDPR”).
3. Who does this privacy policy apply to?
This privacy policy applies to you, if you get in contact with us, as we may process your personal data depending on the circumstances. Particularly, it applies to participants and teachers of our programs.
In limited circumstances, this privacy policy may also apply to you if third parties provide us with your personal data, in particular when one of our participants lists you as an emergency contact.
4. How do we collect and process your personal data?
When you interact with us, we may collect and process your personal data for various reasons. In the following paragraphs we explain our processing activities.
- 4.1 Contacting us
When you contact us with a request for information or any other inquiry, e.g. through our website or on social media, we will process your personal data to assist you with your inquiry. The legal basis for this is Article 6 (1)(f) GDPR.
- 4.2 Application for our retreats and programs
Upon application to our retreats and programs, we will process the personal data you provided such as your name, contact details, date of birth, details on the booked retreat or program and other details provided in response to the registration questionnaire based on Article 6(1)(b) GDPR. The processing is necessary to process your application. - 4.3 Administration of our retreats and programs
In order to provide you with the retreat or program you have registered for, we may process your personal data. We may- use your personal data to provide and deliver the products and services you have requested,
- contact you with additional information, additional inquiries or due to a cancellation or change in event details,
- share retreat materials with you and other participants in the specific program you attended, which may include providing your likeness through photographs, recorded audio and/or videos of the program.
The legal basis for the processing is Article 6(1)(b) GDPR as far as the processing is necessary to fulfill our contract with you or, as the case may be, Article 6(1)(f) GDPR as far as we pursue the legitimate interest of providing you with additional information on the retreat or program you booked.
We may also process medical information about you, any medication you are taking, allergies, past and current mental and psychiatric issues and any mobility issues you may have.
Upon registration you may fill in a health questionnaire on a voluntary basis. We only process this medical data based on your revocable explicit consent pursuant to Article 9 (2)(a) GDPR. The processing helps us to cater the retreat experience to suit your situation. You may at any time revoke your consent.
- 4.4 Emergency Contacts
We may process your personal data if one of our participants has provided your name and contact details as an emergency contact. The legal basis for the processing is Article 6 (1)(f) GDPR as we pursue the legitimate interest of being able to contact someone in case of an emergency. - 4.5 Invoice and billing
When you book a retreat or program with us, we will process your personal data such as your name, contact details and details about the service you booked in order to prepare and send invoices or receipts to you. The legal basis for this is Article 6 (1)(b) GDPR as this is necessary to perform the contract with us. We may also disclose your personal data to our payment service provider. The legal basis for this is Article 28 GDPR in conjunction with the respective data processing agreement. - 4.6 Pictures and videos of our retreats and programs
We may take photos or record audio or video footage of our programs and retreats. We may use any pictures, videos or audio recordings that reflect your likeness for different purposes. The legal basis for the processing is Art. 6 (1)(b) GDPR as we conclude a binding contract about the use of your pictures, videos or audio recordings. You may ask us any time, though, to not further use pictures, videos or audio recordings reflecting your likeness. - 4.7 Online Programs
For our online programs, where announced, we will capture video and audio recordings of our participants and teachers. The legal basis for the processing is Article 6 (1)(b) GDPR as the recording is necessary to fulfill the service or employment contract with us. - 4.8 Use of our Website
If you visit our website for informational purposes, we process your IP address, information on the device and browser you are using (operating system, browser type and version, host name of the device), the referrer URL, time and date of your request and clickstream data. We process this data to display to you our website correctly, enable its core functions, and to ensure the stability and security of our site. The legal basis for this data processing is Art. 6 (1)(1)(b) GDPR, insofar as it serves to provide our website to you, and Art. 6 (1)(1)(f) GDPR, as we have a legitimate interest to ensure the security of our website, a user-friendly, effective and secure experience and smooth access to its key functions. - 4.9 Cookies and other Tracking Technologies
To provide our website and its functions (e.g. language settings, cookie settings), we place cookies on your device and use similar technologies (jointly referred to as “cookies” or “cookie”). A cookie is a small piece of data placed on your computer’s hard drive that allows us to remember you for your next visit, to help improve our services to you, and to sometimes identify you for security purposes.
Strictly necessary cookies are cookies without which the service cannot be provided. Therefore, these cookies are always activated and cannot be rejected. The legal basis for the use of the cookies and the respective data processing is Article 6 (1)(b) GDPR.
We may also use other categories of cookies that are not strictly necessary. These categories may include, for example, analytics cookies or marketing cookies. We will only use these cookies if you have provided your explicit consent pursuant to Article 6(1)(a) GDPR via our cookie banner/consent management tool.
You may find more information on the cookies, e.g. information on the provider, purpose of the cookie, lifespan of the cookies and the data categories processed as well as the retention period, in our cookie banner.
- 4.10 Other processing activities
In specific cases, we may process your personal data for the following purposes:- We may process your personal data to improve our facilities and services. The legal basis is Article 6(1)(f) GDPR.
- We may process your personal data to comply with legal obligations that we face (e.g. regarding data retention under commercial or tax law). The legal basis for such data processing is Article 6 (1)(c) GDPR in conjunction with the relevant legal provisions.
- We may process your personal data if we sell our company, a part of it or other assets, or in case we buy another company, a part of it or other assets. The legal basis for this data processing is our legitimate interest (Article 6 (1)(f) GDPR) to further manage our company through mergers, acquisitions, or other corporate changes.
- We may have a legal obligation to participate in investigations and proceedings of public authorities and the government. The legal basis for processing your personal data in this regard is Article 6 (1)(c) GDPR in conjunction with the respective provision establishing our legal obligations.
- We may also process your personal data to protect our rights and safety, our contract and business partners and others, including through assertion of or participation in legal proceedings. The legal basis for this data processing is either a respective legal obligation to this effect (Article 6 (1)(c) GDPR in conjunction with the relevant legal provisions) or our legitimate interest or of those affected to assert legal claims (Article 6 (1)(f) GDPR). If we use your personal data for other purposes than those stated above, we will provide specific notification at the time of collection.
5. Will we provide your personal data to third parties?
We do not rent or sell your personal data to third parties. However, for some of the aforementioned purposes we may disclose your personal data to others, such as our local retreat centers where we hold our retreats and programs, communication service providers (e.g. mail relay providers), newsletter and contact form providers, IT and IT security providers, software providers (including software as a service solutions) and other providers that help us operate our systems and facilities (including maintaining our online payment system and provide us with fraud prevention services). The legal basis for respective data transfers is Art. 28 GDPR in conjunction with the respective data processing agreement concluded with the recipient. Through these agreements, we have contractually bound these recipients to process your personal data only on our behalf and in accordance with our instructions.
We may also transfer your personal data to other third parties for some of the purposes and according to the legal basis mentioned above in this privacy notice, e.g. to lawyers and tax advisors, notaries, courts, government authorities and agencies.
6. Will we transfer your data to outside the European Economic Area?
We are a US-based company. Thus, we will transfer your personal data to the US. We May also transfer your personal data to the UK and other countries where we have operations or support providers.
When sharing your personal data with external recipients (see above), some of your personal data may be transferred to other companies within the US or other countries, including third countries outside the EU / EEA where laws may not provide the same level of protection for your personal data as the
GDPR does. Please note that data processed in a foreign country may be subject to foreign laws and accessible to foreign governments, courts, law enforcement, and regulatory agencies. However, we will endeavor to take the required measures to maintain an adequate level of data protection when sharing your personal data with recipients established in such countries.
In the case of a transfer to a country outside of the EEA, this transfer is either safeguarded by a so-called adequacy decision from the European Commission declaring that such country or recipient provides for an adequate level of data protection, or, if such adequacy decision does not exist, the conclusion of EU Standard contractual clauses (https://ec.europa.eu/info/law/law-topic/data- protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) and additional measures, if necessary.
7. For how long will we retain your personal data?
We retain your personal data only for as long as is necessary for the purpose for which it is processed and delete it afterwards, unless we are required by law to retain it for a longer period (e.g. to comply with statutory retention obligations under tax law).
8. What are my rights with regard to processing my personal data?
You may have the following data protection rights, depending on the circumstances of the specific case, which you may exercise by contacting us as set out above:
- 8.1 Access
You have the right to require information as to whether your personal data is retained and request access to your personal data and/or copies of such data, including purposes of processing, the processed data categories, its recipients as well as potential data retention periods. - 8.2 Rectification, restriction of processing, deletion
You have a right to request the rectification, deletion or restriction of processing of your personal data, for example if (i) it is incomplete or inaccurate, (ii) it is no longer necessary for the purposes for which it was collected, or, (iii) the consent on which the processing was based has been withdrawn. - 8.3 Refusal or withdrawal of your consent to data processing
You have the right to refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw your consent to processing of your personal data at any time. - 8.4 Automated decision-making including profiling
We do not use your personal data for automated decision making which produces legal effects concerning you or similarly significantly affects you. - 8.5 Right to data portability
You may have the right to receive the data, which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from use. You also have the right to transmit this data directly to another controller, where technically feasible. - 8.6 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data where we process your personal data based on our legitimate interests (Art. 6 (1)(1)(f) GDPR). In case we process your personal data for direct marketing purposes, you have the right to object at any time. - 8.7 Right to lodge a complaint with the competent supervisory authority
You have a right to take legal action against any potential breach of your rights regarding the processing of your personal data, as well as to lodge a complaint with the competent supervisory authority.