Haritha International Sound Healing School (referred to in this policy as "Haritha", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what personal information we collect when you visit harithasoundhealing.com, register for a course or retreat, contact us, or interact with our content — and how we use, share, store, and protect that information.
This policy is written to comply with the General Data Protection Regulation (EU 2016/679, GDPR), the UK GDPR, India's Digital Personal Data Protection Act 2023 (DPDP), the EU Digital Markets Act (DMA), and the consent requirements signalled through Google Consent Mode v2. If you have any questions, please write to info@harithasoundhealing.com.
1. Who we are
Haritha International Sound Healing School is a Yoga Alliance certified teacher training school based in Rishikesh, India, founded by Aashish Rastogi in 2015. We deliver residential and non-residential programs in sound healing, Tibetan singing bowl therapy, Reiki, chakra and crystal healing, yoga, meditation and Ayurveda.
For the purposes of GDPR, Haritha acts as the data controller of the personal information described below. Our registered address is:
- Haritha International Sound Healing School, Swargashram, Rishikesh, Uttarakhand 249304, India
- Email: info@harithasoundhealing.com
- Phone: +91-91058-88015
2. Data we collect
2.1 Information you give us directly
When you submit a form on our site, we collect what you choose to share. Specifically:
- Enquiry & contact forms: name, email address, country, phone number (optional), and the message you write.
- Online registration: full name, email, phone, country, course, preferred cohort dates, dietary preferences and any health notes you choose to disclose.
- Newsletter subscription: email address only.
- Blog comments: name, email address, website URL (optional), and the comment text.
- Payment information: we do not receive or store your card or bank details. Payments are processed by PayPal (international students, USD) and by direct bank transfer or UPI receipts uploaded as image / PDF (Indian students). We retain the PayPal transaction ID and the proof-of-payment image only.
2.2 Information collected automatically
When you browse our site, our servers and analytics tools record the following automatically:
- Device & connection data: IP address, browser and operating-system identifiers, screen size, language preference, referring URL, pages viewed and the time spent on each.
- Cookies and similar technologies: see Section 6.
- Approximate location: derived from your IP address (used by Google Consent Mode v2 to decide whether to apply EU-style or non-EU defaults).
2.3 Information we receive from third parties
- PayPal: when you complete a payment, PayPal shares the payer email, name, country, transaction ID and capture status with us. We do not receive your card details.
- Google Analytics 4: when consent is granted, we receive aggregated, pseudonymised behavioural reports.
- Social media integrations: if you contact us via Facebook Messenger, Instagram DM, or WhatsApp, the platform shares your handle, profile picture and message with us.
3. How we use your information
We use the data described above for the following purposes:
| Purpose | Examples |
|---|---|
| Replying to enquiries | Sending you course brochures, answering follow-up questions, scheduling a call. |
| Processing registrations | Confirming your booking, holding your seat, sending pre-arrival instructions. |
| Processing payments | Issuing PayPal invoices, verifying bank transfer receipts, sending payment receipts. |
| Sending transactional emails | Booking confirmations, payment receipts, course schedule updates, post-course certificates. |
| Newsletters | Sending occasional editorial updates, upcoming retreat announcements (only if you opted in). |
| Improving our website | Analytics aggregates on which pages are popular, how visitors navigate, where we can simplify the user experience. |
| Compliance & record-keeping | Statutory tax records, regulatory enquiries from authorities, fraud prevention. |
4. Legal basis for processing (GDPR Art. 6)
We rely on the following legal bases:
- Contract performance (Art. 6(1)(b)): processing booking, payment and accommodation information is necessary to deliver the course or retreat you registered for.
- Consent (Art. 6(1)(a)): for non-essential cookies, marketing emails and newsletter subscription. You can withdraw consent at any time without affecting prior processing.
- Legitimate interests (Art. 6(1)(f)): for fraud prevention, network security, anonymised website analytics, and replying to your enquiries.
- Legal obligation (Art. 6(1)(c)): retaining accounting records for the period required by Indian tax law.
5. Third-party processors we use
We share personal data with the following third parties strictly for the purposes set out below. Each is bound by their own privacy notice and (where applicable) Data Processing Agreement with us:
| Service | Purpose | Region |
|---|---|---|
| PayPal | International payment processing | Global (US-headquartered) |
| Hostinger | Web hosting, server logs, file storage | EU / India / Singapore (depending on data centre) |
| Google Tag Manager + Google Analytics 4 | Behaviour analytics, conversion tracking | Global (EU servers for EEA traffic) |
| Google Ads | Remarketing & campaign measurement (only with your consent) | Global |
| Gmail SMTP | Sending transactional email notifications | US |
| YouTube | Embedded video showcases on certain pages | Global |
| bunny.net Fonts | Privacy-friendly font CDN — no cookies, no IP logging | Slovenia, EU |
| Bing IndexNow | Re-crawl notifications for SEO. We send only public URLs — never your personal data. | Global |
We do not sell, rent or trade your personal data with anyone outside this list. We may disclose information when legally compelled (e.g. court order, lawful authority request) or to protect our rights and safety.
6. Cookies and tracking technologies
We use cookies and similar technologies to recognise repeat visits, measure usage, and (with your consent) personalise content. Our site implements Google Consent Mode v2 — when you first visit from the EU, UK, EEA or Switzerland, advertising and analytics cookies are denied until you opt in via the consent banner. Visitors from other regions see the same banner but default to allow analytics.
Categories of cookies we use
- Essential (always on): Laravel session, anti-CSRF token, language preference. These cannot be disabled because the site won't function without them.
- Analytics (consent-gated): Google Analytics 4. Used to count page views, time on page, and traffic source. IP addresses are pseudonymised before storage.
- Advertising (consent-gated): Google Ads conversion pixel and remarketing tag. Used to measure ad-driven enrolments and show relevant ads on other Google partner sites.
- Personalisation (consent-gated): remembers your preferred currency, cohort filter and any settings you saved.
You can change your choice at any time by clicking the "Cookie settings" link in our footer, which re-opens the consent banner. You can also block or delete cookies directly through your browser's settings — note that this may affect site functionality.
7. How long we keep your data
- Enquiry messages: 24 months from your last contact, then deleted.
- Course registrations and payment records: 7 years (Indian Companies Act requirement for accounting records).
- Newsletter subscriptions: until you unsubscribe (every email contains a one-click unsubscribe link).
- Server logs and access records: 90 days.
- Analytics data (Google Analytics 4): 14 months default retention; aggregate reports retained indefinitely.
- Blog comments: for as long as the post is published. If you ask us to remove a comment, we delete it within 14 days.
8. Your rights
Under GDPR, UK GDPR and the DPDP Act, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations.
- Restriction — ask us to pause processing in specific circumstances.
- Portability — receive your data in a structured, machine-readable format (CSV / JSON) so you can transfer it elsewhere.
- Object — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — at any time, without affecting prior processing.
- Lodge a complaint with a supervisory authority — in the EU, your local Data Protection Authority; in the UK, the Information Commissioner's Office (ICO); in India, the Data Protection Board once it is constituted.
To exercise any of these rights, email info@harithasoundhealing.com with the subject line "Data Rights Request". We respond within 30 days as required by GDPR. We may need to verify your identity before disclosing personal data.
9. International data transfers
Haritha is based in India. When EU / EEA / UK residents interact with our site, their personal data is transferred to and processed in India. India is not currently the subject of an EU Commission adequacy decision under Art. 45 GDPR. We rely on the following safeguards under Art. 46 GDPR:
- Standard Contractual Clauses (SCCs) with our EU-based processors (e.g. PayPal Europe, bunny.net).
- Encrypted transit — every form submission, payment and analytics call is transmitted over HTTPS (TLS 1.2 or higher).
- Encrypted storage on our hosting infrastructure with strict access controls.
- Data minimisation — we collect only the data needed for the stated purpose.
10. How we protect your data
We implement appropriate technical and organisational measures to protect your personal data:
- HTTPS (Let's Encrypt) enforced site-wide.
- Anti-CSRF tokens on every form submission.
- Server-side input validation and sanitisation against XSS, SQL injection and CSRF.
- Role-based access controls in our admin panel; every administrator action is logged.
- Password hashing using bcrypt with per-user salts.
- Regular backups with encryption at rest.
- Restrictive cookie attributes (
Secure,HttpOnly,SameSite=Lax).
Despite these measures, no transmission over the internet is 100% secure. If you become aware of any vulnerability or suspected breach, please contact us immediately at info@harithasoundhealing.com.
11. Children's privacy
Our courses are designed for adults aged 18 and over. We do not knowingly collect personal data from individuals under 18 without parental consent. If you believe we have inadvertently collected such data, please contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or legal obligations. The "Last updated" date at the top of this page indicates when the latest revision was made. Material changes will be highlighted by an announcement on our homepage and (where appropriate) by email to active newsletter subscribers.
13. Contact us
If you have any question about this policy, want to exercise a right, or want to make a complaint, please contact:
- Data Protection Contact: Aashish Rastogi, Founder
- Email: info@harithasoundhealing.com
- Phone: +91-91058-88015
- Address: Haritha International Sound Healing School, Swargashram, Rishikesh, Uttarakhand 249304, India