Privacy Policy

Last updated: 19 June 2026


Table of Contents
Controller

Shantipath - Sacred Energy Bodywork
Maya Boycheva Bocheva
Hauptstraße 32
85716 Unterschleißheim
Germany


Authorised representative: Maya Boycheva Bocheva

Email: info@shantipaththerapy.com

Telephone: +49 176 76099407

Legal notice: https://shantipaththerapy.com/privacy-policy

Overview of Processing Activities

The following overview summarises the types of data processed, the purposes of processing and the categories of data subjects affected.


Types of data processed
  • Master data.
  • Employee data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and procedural data.
  • Log data.

Categories of data subjects
  • Service recipients and clients.
  • Employees.
  • Prospective customers.
  • Communication partners.
  • Users.
  • Business and contractual partners.
  • Third parties.
  • Whistleblowers.

Purposes of processing
  • Provision of contractual services and fulfilment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organisational procedures.
  • Audience building.
  • Organisational and administrative procedures.
  • Feedback.
  • Marketing.
  • Profiles containing user-related information.
  • Provision of our online offering and user-friendliness.
  • Information technology infrastructure.
  • Whistleblower protection.
  • Sales promotion.
  • Business processes and commercial procedures.

Applicable Legal Bases

Applicable legal bases under the GDPR: Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If more specific legal bases apply in individual cases, we will inform you of them in this privacy policy.


  • Consent (Art. 6(1)(a) GDPR) — The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is party or in order to take pre-contractual steps at the request of the data subject.
  • Legal obligation (Art. 6(1)(c) GDPR) — Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) GDPR) — Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests, fundamental rights and freedoms of the data subject do not override those interests.

National data protection regulations in Germany: In addition to the GDPR, national data protection regulations in Germany apply. This includes, in particular, the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). The BDSG contains special rules on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, transfers, and automated individual decision-making including profiling. State data protection laws of the individual German federal states may also apply.


Security Measures

We take appropriate technical and organisational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances and purposes of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.


These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to data, as well as access, input, disclosure, availability and separation of data. We have also established procedures that ensure the exercise of data subject rights, deletion of data and response to data threats. Furthermore, we take the protection of personal data into account when developing or selecting hardware, software and procedures, in line with the principles of data protection by design and by default.


Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. These technologies encrypt information transmitted between the website or app and the user’s browser, or between servers. A website secured by an SSL/TLS certificate is indicated by HTTPS in the URL.


Disclosure of Personal Data

In the course of processing personal data, it may happen that data is transferred to or disclosed to other bodies, companies, legally independent organisational units or persons. Recipients may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to protect your data.


International Data Transfers

If we transfer data to a third country, meaning a country outside the European Union (EU) or the European Economic Area (EEA), or if this takes place in the context of using third-party services or disclosing or transferring data to other persons, bodies or companies, this is done only in accordance with legal requirements.


For data transfers to the United States, we primarily rely on the EU-U.S. Data Privacy Framework (DPF), which was recognised as a secure legal framework by the adequacy decision of the European Commission dated 10 July 2023. In addition, we have concluded Standard Contractual Clauses with the relevant providers where applicable.


This dual safeguard is intended to provide comprehensive protection for your data. The DPF forms the primary layer of protection, while Standard Contractual Clauses serve as an additional safeguard. If there are changes to the DPF, the Standard Contractual Clauses act as a fallback mechanism.


Further information on the DPF and a list of certified companies can be found at https://www.dataprivacyframework.gov/.


General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consent is withdrawn or there is no longer any legal basis for processing. This applies where the original processing purpose no longer applies or the data is no longer required. Exceptions apply where legal obligations or special interests require longer retention or archiving.


Data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal enforcement or for protecting the rights of other natural or legal persons, will be archived accordingly.


If several retention periods or deletion deadlines apply to a piece of data, the longest period shall be decisive. Data that is no longer required for its original purpose but must be retained due to statutory requirements or other reasons will be processed only for the reasons justifying its retention.


Retention and deletion periods under German law
  • 10 years — Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets and related organisational documents.
  • 8 years — Accounting documents such as invoices and expense receipts.
  • 6 years — Other business documents, including received commercial or business letters, copies of sent letters and other tax-relevant documents.
  • 3 years — Data required to consider potential warranty claims, damages claims or similar contractual claims and rights, based on the regular statutory limitation period.

Start of the period at the end of the year: If a period does not expressly begin on a specific date and is at least one year long, it starts at the end of the calendar year in which the triggering event occurred.


Rights of Data Subjects

As a data subject under the GDPR, you have various rights, particularly under Articles 15 to 21 GDPR:

  • Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you based on Art. 6(1)(e) or Art. 6(1)(f) GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to processing for such marketing, including related profiling.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain access to that data and further information in accordance with legal requirements.
  • Right to rectification: You have the right to request completion of incomplete data or correction of inaccurate data concerning you.
  • Right to erasure and restriction of processing: You have the right to request that data concerning you be erased without undue delay or, alternatively, that processing be restricted.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request transmission to another controller.
  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

Business Services

We process personal data of our contractual and business partners, such as customers, clients, prospective customers, suppliers and other cooperation partners, for the initiation, performance and handling of contractual relationships and comparable legal relationships. This also includes pre-contractual measures at the request of the relevant person and communication in connection with the respective contractual relationship.


The processing serves in particular the fulfilment of our contractual main and secondary obligations. This includes providing agreed services, processing service disruptions, cancellations, terminations, refunds and other contract-related declarations and enquiries.


The data processed may include master data such as name, address and, where applicable, company; contact data such as email address and telephone number; contract and service data; usage and performance data; payment and billing data; and communication content and history.


We also process data to protect our rights and fulfil legal obligations, including commercial and tax retention obligations, documentation obligations and accountability obligations. External service providers such as IT and telecommunications providers, payment service providers, banks, tax advisors and legal advisors may be involved where this is necessary for contract performance or legal compliance.


Personal data is disclosed to third parties only where this is required for contract performance, pre-contractual measures, legitimate interests or legal obligations. Data is deleted as soon as it is no longer required for the above purposes and no statutory retention obligations apply.


Legal bases: Art. 6(1)(b), Art. 6(1)(c) and Art. 6(1)(f) GDPR.


Provision of the Online Offering and Web Hosting

We process user data in order to provide our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.


  • Types of data processed: Usage data; meta, communication and procedural data; log data; content data.
  • Data subjects: Users, such as website visitors and users of online services.
  • Purposes: Provision of our online offering, user-friendliness, IT infrastructure and security measures.
  • Legal basis: Legitimate interests under Art. 6(1)(f) GDPR.

Provision of the online offering on rented storage space: We use storage space, computing capacity and software from a server provider, also referred to as a web host.


Collection of access data and log files: Access to our online offering is logged in server log files. These may include the address and name of accessed websites and files, date and time of access, data volume transferred, notification of successful access, browser type and version, operating system, referrer URL, IP addresses and requesting provider. Log file information is stored for a maximum of 30 days and then deleted or anonymised, unless further retention is required as evidence.


Email sending and hosting: Our web hosting services also include the sending, receiving and storage of emails. For these purposes, sender and recipient addresses, email content and related transmission information may be processed.


ALL-INKL: IT infrastructure and related services, including storage space and computing capacity. Service provider: ALL-INKL.COM - Neue Medien Münnich, owner René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany. Website: https://all-inkl.com/. Privacy policy: https://all-inkl.com/datenschutzinformationen/.


Use of Cookies

Cookies are functions that store information on users’ devices and read information from them. Cookies may be used for various purposes, such as functionality, security, comfort and analytics. We use cookies in accordance with legal requirements. Where required, we obtain the user’s consent in advance. Where consent is not required, we rely on our legitimate interests, particularly where storage or reading of information is strictly necessary to provide expressly requested content and functions.


Whether personal data is processed using cookies depends on whether consent is required. If consent is given, it serves as the legal basis. Without consent, processing is based on our legitimate interests as explained in this privacy policy and in the context of the respective services.


Cookie storage duration
  • Temporary cookies / session cookies: These are deleted at the latest after the user leaves the online offering and closes their browser or app.
  • Permanent cookies: These remain stored after the device is closed. Unless otherwise stated, users should assume that permanent cookies may be stored for up to two years.

Users may withdraw consent at any time and object to processing in accordance with legal requirements, including through their browser privacy settings.


Cookie settings / objection option: https://cloud.ccm19.de/manage_usettings/


Consent management: We use a consent management solution to obtain, record, manage and revoke user consent for cookies and comparable technologies. Consent declarations are stored to avoid repeated requests and to provide proof of consent in accordance with legal requirements.


Contact and Enquiry Management

When contacting us, for example by post, contact form, email, telephone or social media, and in the context of existing user and business relationships, the details of the enquiring persons are processed to the extent necessary to respond to enquiries and any requested measures.


  • Types of data processed: Contact data, content data, meta, communication and procedural data.
  • Data subjects: Communication partners.
  • Purposes: Communication, organisational and administrative procedures, feedback and user-friendly provision of our online offering.
  • Legal bases: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

Contact form: When contacting us via our contact form, email or other communication channels, we process the personal data provided to respond to and handle the respective request. This usually includes name, contact details and any additional information provided.


Newsletter and Electronic Notifications

We send newsletters, emails and other electronic notifications only with the consent of the recipients or on another legal basis. If the content of the newsletter is described during registration, that content is decisive for the user’s consent. Usually, providing an email address is sufficient to subscribe. For personalised communication, we may also ask for a name or other information where necessary.


We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to prove that consent was previously given. Processing is limited to possible defence against claims. In cases where objections must be permanently observed, we may store the email address in a blocklist for that purpose.


The registration process is logged on the basis of our legitimate interests in proving that it was conducted properly. If we engage a service provider to send emails, this is based on our legitimate interests in an efficient and secure mailing system.


Newsletter content: Information about us, our services, promotions and offers.


Opt-out: You may unsubscribe from our newsletter at any time, for example via the unsubscribe link at the end of each newsletter or by contacting us.


Measurement of opening and click rates: Newsletters may contain web beacons that allow us or our mailing service provider to measure whether newsletters are opened and which links are clicked. The source file contained a locked premium placeholder in this section; the unavailable passage should be reviewed before publication.


CleverReach: Email sending and automation services. Service provider: CleverReach GmbH & Co. KG, //CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany. Website: https://www.cleverreach.com/de. Privacy policy: https://www.cleverreach.com/de-de/datenschutz/.


Promotional Communication by Email, Post, Fax or Telephone

We process personal data for promotional communication, which may take place via various channels such as email, telephone, post or fax in accordance with legal requirements.


Recipients have the right to withdraw consent at any time or to object free of charge to promotional communication using the contact details provided above.


After withdrawal or objection, we store the data required to prove the previous authorisation for contact or sending for up to three years after the end of the year in which the withdrawal or objection took place. Processing is limited to possible defence against claims. We may also store data necessary to prevent renewed contact, such as email address, telephone number or name.


Legal bases: Consent under Art. 6(1)(a) GDPR and legitimate interests under Art. 6(1)(f) GDPR.


Web Analytics, Monitoring and Optimisation

Web analytics, also referred to as reach measurement, serves to evaluate visitor flows to our online offering. It may include behaviour, interests or demographic information about visitors as pseudonymous values. With the help of reach analysis, we can see, for example, when our online offering or its functions and content are most frequently used, and which areas require optimisation.


We may also use testing procedures to test and optimise different versions of our online offering or its components.


Unless otherwise stated, profiles may be created for these purposes, meaning data summarised for a usage process. Information may be stored in and read from a browser or device. Collected information may include visited websites, used elements, technical information such as browser, operating system and usage times. If users have consented to location data collection, location data may also be processed.


We use IP masking, meaning pseudonymisation by shortening the IP address. Generally, no clear user data such as names or email addresses are stored in the context of analytics, A/B testing and optimisation; instead, pseudonyms are used.


Legal bases: Consent under Art. 6(1)(a) GDPR where third-party services require consent; otherwise legitimate interests under Art. 6(1)(f) GDPR.

Google Analytics

We use Google Analytics to measure and analyse the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It is used to assign analytics information to a device and recognise which content users have accessed, which search terms they used, whether they returned to content or interacted with our online offering. Time and duration of use, referral sources and technical aspects of devices and browsers may also be stored.


Google Analytics does not log or store individual IP addresses for EU users. For EU traffic, IP address data is used only to derive approximate geolocation data and is then immediately deleted. IP queries are performed on EU-based servers before traffic is forwarded for processing.


Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Website: Google Analytics. Privacy information: https://business.safety.google/privacy/. Opt-out plugin: https://tools.google.com/dlpage/gaoptout.


Google Tag Manager

We use Google Tag Manager, a Google tool that enables website tags to be managed centrally via a user interface. Tags are small code elements on our website that help record and analyse visitor activity. Google Tag Manager itself does not create user profiles, does not store cookies with user profiles and does not perform independent analyses. Its function is limited to simplifying and efficiently managing tools and services used on our website. Nevertheless, when using Google Tag Manager, the user’s IP address may be transmitted to Google for technical reasons.


Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy information: https://business.safety.google/privacy/.

Plugins, Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers. These may include graphics, videos or maps.


The integration of such content requires that third-party providers process the user’s IP address, as they could not send the content to the user’s browser without it. Third-party providers may also use pixel tags for statistical or marketing purposes. Pseudonymous information may be stored in cookies on the user’s device and combined with information from other sources.


Legal bases: Consent under Art. 6(1)(a) GDPR where required; otherwise legitimate interests under Art. 6(1)(f) GDPR.


Google Fonts

We use Google Fonts to provide fonts and symbols in a technically secure, maintenance-free and efficient manner. The provider may receive the user’s IP address so that the fonts can be made available in the user’s browser. Technical data such as language settings, screen resolution, operating system and hardware may also be transmitted. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Website: https://fonts.google.com/. Privacy information: https://business.safety.google/privacy/.


YouTube Videos

We embed video content from YouTube. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Website: https://www.youtube.com. Privacy information: https://business.safety.google/privacy/.


Videos embedded in our online offering may be stored on YouTube and integrated using the “youtube-nocookie” domain in enhanced privacy mode. In enhanced privacy mode, only information necessary for the display, control and optimisation of video playback may be stored before the video is played. Once a video is played, additional information may be processed by YouTube for analysing user behaviour, storing it in user profiles and personalising content and advertising. Cookie storage may last up to two years.


Privacy Information for Whistleblowers

The German source text contained several locked premium placeholder passages in this section. The available parts indicate that data from whistleblowers, affected persons and involved parties may be processed in the context of a whistleblower procedure, including names, contact data, location, information about witnesses or affected persons, information about persons against whom a report is directed, details of alleged misconduct and other relevant information provided in the report.


Where data is processed to fulfil legal obligations under the German Whistleblower Protection Act (HinSchG), the legal basis may include Art. 6(1)(c) GDPR and, for special categories of personal data, Art. 9(2)(g) GDPR in conjunction with the relevant provisions of the BDSG and HinSchG.


This section should be reviewed carefully before publication because the original file did not contain the full unlocked legal text.


Changes and Updates

We ask you to inform yourself regularly about the content of our privacy policy. We update this privacy policy whenever changes to the data processing activities we carry out make this necessary. We will inform you if changes require action on your part, such as renewed consent, or any other individual notification.


If this privacy policy contains addresses and contact information of companies and organisations, please note that these may change over time and should be checked before contact is made.


Definitions

This section provides an overview of terms used in this privacy policy. Where terms are legally defined, their statutory definitions apply. The explanations below are intended primarily to aid understanding.


Employees

Employees are persons who are in an employment relationship, whether as staff members, employees or in similar positions. Employee data includes all information relating to these persons in the context of their employment, such as identification data, bank and salary data, working hours, leave entitlements, health data and performance assessments.


Master Data

Master data includes essential information required to identify and manage contractual partners, user accounts, profiles and similar assignments. This may include names, contact details, addresses, telephone numbers, email addresses, dates of birth and specific identifiers such as user IDs.


Payment Data

Payment data includes information required for processing payment transactions, such as bank details, invoices, payment history and other billing information.


Contact Data

Contact data includes information used to contact persons or organisations, such as postal addresses, email addresses, telephone numbers and similar communication details.


Content Data

Content data includes textual or visual messages and contributions, as well as related information such as authorship or time of creation.


Contract Data

Contract data includes information relating to contractual relationships, such as the subject matter of the contract, duration, customer category and related contractual details.


Usage Data

Usage data includes information about how users interact with online offerings, such as page views, duration of visits, click paths, intensity and frequency of use, device types, operating systems and interactions with content and functions.


Meta, Communication and Procedural Data

Meta, communication and procedural data includes information such as IP addresses, time data, identification numbers, involved persons and other technical or organisational data generated during communication or processing operations.


Tracking

Tracking refers to the observation and analysis of user behaviour, often by means of cookies, web beacons or similar technologies, for example for analytics, marketing or audience-building purposes.

Shanti Path Logo