Skip to main content
Privacy at Haritha International Sound Healing School

Legal

Privacy Policy

Last updated: June 2026

Haritha International Sound Healing School (referred to in this policy as "Haritha", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what personal information we collect when you visit harithasoundhealing.com, register for a course or retreat, contact us, or interact with our content — and how we use, share, store, and protect that information.

This policy is written to comply with the General Data Protection Regulation (EU 2016/679, GDPR), the UK GDPR, India's Digital Personal Data Protection Act 2023 (DPDP), the EU Digital Markets Act (DMA), and the consent requirements signalled through Google Consent Mode v2. If you have any questions, please write to info@harithasoundhealing.com.

1. Who we are

Haritha International Sound Healing School is a Yoga Alliance certified teacher training school based in Rishikesh, India, founded by Aashish Rastogi in 2015. We deliver residential and non-residential programs in sound healing, Tibetan singing bowl therapy, Reiki, chakra and crystal healing, yoga, meditation and Ayurveda.

For the purposes of GDPR, Haritha acts as the data controller of the personal information described below. Our registered address is:

2. Data we collect

2.1 Information you give us directly

When you submit a form on our site, we collect what you choose to share. Specifically:

  • Enquiry & contact forms: name, email address, country, phone number (optional), and the message you write.
  • Online registration: full name, email, phone, country, course, preferred cohort dates, dietary preferences and any health notes you choose to disclose.
  • Newsletter subscription: email address only.
  • Blog comments: name, email address, website URL (optional), and the comment text.
  • Payment information: we do not receive or store your card or bank details. Payments are processed by PayPal (international students, USD) and by direct bank transfer or UPI receipts uploaded as image / PDF (Indian students). We retain the PayPal transaction ID and the proof-of-payment image only.

2.2 Information collected automatically

When you browse our site, our servers and analytics tools record the following automatically:

  • Device & connection data: IP address, browser and operating-system identifiers, screen size, language preference, referring URL, pages viewed and the time spent on each.
  • Cookies and similar technologies: see Section 6.
  • Approximate location: derived from your IP address (used by Google Consent Mode v2 to decide whether to apply EU-style or non-EU defaults).

2.3 Information we receive from third parties

  • PayPal: when you complete a payment, PayPal shares the payer email, name, country, transaction ID and capture status with us. We do not receive your card details.
  • Google Analytics 4: when consent is granted, we receive aggregated, pseudonymised behavioural reports.
  • Social media integrations: if you contact us via Facebook Messenger, Instagram DM, or WhatsApp, the platform shares your handle, profile picture and message with us.

3. How we use your information

We use the data described above for the following purposes:

PurposeExamples
Replying to enquiriesSending you course brochures, answering follow-up questions, scheduling a call.
Processing registrationsConfirming your booking, holding your seat, sending pre-arrival instructions.
Processing paymentsIssuing PayPal invoices, verifying bank transfer receipts, sending payment receipts.
Sending transactional emailsBooking confirmations, payment receipts, course schedule updates, post-course certificates.
NewslettersSending occasional editorial updates, upcoming retreat announcements (only if you opted in).
Improving our websiteAnalytics aggregates on which pages are popular, how visitors navigate, where we can simplify the user experience.
Compliance & record-keepingStatutory tax records, regulatory enquiries from authorities, fraud prevention.

We rely on the following legal bases:

  • Contract performance (Art. 6(1)(b)): processing booking, payment and accommodation information is necessary to deliver the course or retreat you registered for.
  • Consent (Art. 6(1)(a)): for non-essential cookies, marketing emails and newsletter subscription. You can withdraw consent at any time without affecting prior processing.
  • Legitimate interests (Art. 6(1)(f)): for fraud prevention, network security, anonymised website analytics, and replying to your enquiries.
  • Legal obligation (Art. 6(1)(c)): retaining accounting records for the period required by Indian tax law.

5. Third-party processors we use

We share personal data with the following third parties strictly for the purposes set out below. Each is bound by their own privacy notice and (where applicable) Data Processing Agreement with us:

ServicePurposeRegion
PayPalInternational payment processingGlobal (US-headquartered)
HostingerWeb hosting, server logs, file storageEU / India / Singapore (depending on data centre)
Google Tag Manager + Google Analytics 4Behaviour analytics, conversion trackingGlobal (EU servers for EEA traffic)
Google AdsRemarketing & campaign measurement (only with your consent)Global
Gmail SMTPSending transactional email notificationsUS
YouTubeEmbedded video showcases on certain pagesGlobal
bunny.net FontsPrivacy-friendly font CDN — no cookies, no IP loggingSlovenia, EU
Bing IndexNowRe-crawl notifications for SEO. We send only public URLs — never your personal data.Global

We do not sell, rent or trade your personal data with anyone outside this list. We may disclose information when legally compelled (e.g. court order, lawful authority request) or to protect our rights and safety.

6. Cookies and tracking technologies

We use cookies and similar technologies to recognise repeat visits, measure usage, and (with your consent) personalise content. Our site implements Google Consent Mode v2 — when you first visit from the EU, UK, EEA or Switzerland, advertising and analytics cookies are denied until you opt in via the consent banner. Visitors from other regions see the same banner but default to allow analytics.

Categories of cookies we use

  • Essential (always on): Laravel session, anti-CSRF token, language preference. These cannot be disabled because the site won't function without them.
  • Analytics (consent-gated): Google Analytics 4. Used to count page views, time on page, and traffic source. IP addresses are pseudonymised before storage.
  • Advertising (consent-gated): Google Ads conversion pixel and remarketing tag. Used to measure ad-driven enrolments and show relevant ads on other Google partner sites.
  • Personalisation (consent-gated): remembers your preferred currency, cohort filter and any settings you saved.

You can change your choice at any time by clicking the "Cookie settings" link in our footer, which re-opens the consent banner. You can also block or delete cookies directly through your browser's settings — note that this may affect site functionality.

7. How long we keep your data

  • Enquiry messages: 24 months from your last contact, then deleted.
  • Course registrations and payment records: 7 years (Indian Companies Act requirement for accounting records).
  • Newsletter subscriptions: until you unsubscribe (every email contains a one-click unsubscribe link).
  • Server logs and access records: 90 days.
  • Analytics data (Google Analytics 4): 14 months default retention; aggregate reports retained indefinitely.
  • Blog comments: for as long as the post is published. If you ask us to remove a comment, we delete it within 14 days.

8. Your rights

Under GDPR, UK GDPR and the DPDP Act, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations.
  • Restriction — ask us to pause processing in specific circumstances.
  • Portability — receive your data in a structured, machine-readable format (CSV / JSON) so you can transfer it elsewhere.
  • Object — object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent — at any time, without affecting prior processing.
  • Lodge a complaint with a supervisory authority — in the EU, your local Data Protection Authority; in the UK, the Information Commissioner's Office (ICO); in India, the Data Protection Board once it is constituted.

To exercise any of these rights, email info@harithasoundhealing.com with the subject line "Data Rights Request". We respond within 30 days as required by GDPR. We may need to verify your identity before disclosing personal data.

9. International data transfers

Haritha is based in India. When EU / EEA / UK residents interact with our site, their personal data is transferred to and processed in India. India is not currently the subject of an EU Commission adequacy decision under Art. 45 GDPR. We rely on the following safeguards under Art. 46 GDPR:

  • Standard Contractual Clauses (SCCs) with our EU-based processors (e.g. PayPal Europe, bunny.net).
  • Encrypted transit — every form submission, payment and analytics call is transmitted over HTTPS (TLS 1.2 or higher).
  • Encrypted storage on our hosting infrastructure with strict access controls.
  • Data minimisation — we collect only the data needed for the stated purpose.

10. How we protect your data

We implement appropriate technical and organisational measures to protect your personal data:

  • HTTPS (Let's Encrypt) enforced site-wide.
  • Anti-CSRF tokens on every form submission.
  • Server-side input validation and sanitisation against XSS, SQL injection and CSRF.
  • Role-based access controls in our admin panel; every administrator action is logged.
  • Password hashing using bcrypt with per-user salts.
  • Regular backups with encryption at rest.
  • Restrictive cookie attributes (Secure, HttpOnly, SameSite=Lax).

Despite these measures, no transmission over the internet is 100% secure. If you become aware of any vulnerability or suspected breach, please contact us immediately at info@harithasoundhealing.com.

11. Children's privacy

Our courses are designed for adults aged 18 and over. We do not knowingly collect personal data from individuals under 18 without parental consent. If you believe we have inadvertently collected such data, please contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or legal obligations. The "Last updated" date at the top of this page indicates when the latest revision was made. Material changes will be highlighted by an announcement on our homepage and (where appropriate) by email to active newsletter subscribers.

13. Contact us

If you have any question about this policy, want to exercise a right, or want to make a complaint, please contact:

Have a privacy question?

We respond to all data rights requests within 30 days.

Email info@harithasoundhealing.com with the subject "Data Rights Request" and we will get back to you with a verification step and a clear timeline.

Email us