Privacy policy

 Last updated: June 2025

 

1. Introduction

Thank you for your interest in Bhakti Marga America and our beloved Guruji, Paramahamsa Sri Swami Vishwananda. Bhakti Marga America, a nonprofit religious organization registered in the United States ("Bhakti Marga America", "BM US", "we", "us", or "our"), respects your privacy and is committed to protecting your personal data.

This Privacy Policy explains what types of personal data we collect, how we use and protect that data, and what rights you have. This Policy applies to all users worldwide, including those located in the United States, the European Union (EU), and other jurisdictions, and incorporates requirements from both US and EU privacy laws, including the General Data Protection Regulation (GDPR) and applicable US state consumer privacy laws (e.g., CCPA, VCDPA, CPA).

By accessing or using our website at www.bhaktimarga.us , https://ashram.bhaktimarga.us/ and any other domains owned by Bhakti Marga America and accessible through www.bhaktimarga.us , including but not limited to, www.bhaktimarga.us/donations, www.bhaktimarga.us/events, and www.shopbhakti.com, (collectively, the “Website”) and our practices for collecting, using, maintaining, protecting, and disclosing that information.  or interacting with us via electronic communications or third-party platforms, you accept the terms of this Privacy Policy.

2. Controller Details

The responsible legal entity for data processing is Bhakti Marga US, Entity Type – Religious Corporation, Represented by Hancock Estabrook, LLP
Registered office: 304 Demarest Parkway, Elmira, New York, 14905
Phone: +1 607 391 2860
Email: info@bhaktimarga.us
Tax ID: 30-1325886

3. Scope of this Policy

This policy applies to information we collect:
- On this Website;
- In email, text, and other electronic messages between you and this Website;
- When you interact with our advertising and applications on third-party websites...

The words of which the initial letter is capitalized have meanings defined under the following conditions... [Full Definitions Section]

This policy applies to information we collect:

• On this Website;

• In email, text, and other electronic messages between you and this Website;

• When you interact with our advertising and applications on Telegram, Facebook, Instagram, Youtube, Twitter, Flickr, or any other third-party websites and services, if those applications or advertising include links to this policy.

It does not apply to information collected by:

• Use offline or through any other means, including on any other website operated by Bhakti Marga America or any third party;

• Any third party, including through any application or content (including advertising) that may link to or be accessible from or through the Website.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

4. Interpretation and Definitions

Interpretation 

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

• Account means a unique account created for You to access our Service or parts of our Service.

• Affiliate means an entity that controls, is controlled by or is under common control with a party

• E-Mail info@bhaktimarga.us 

• Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.

• Country refers to: United States of America

• Device means any device that can access the Service such as a computer, a cell phone or a digital tablet.

• Personal Data is any information that relates to an identified or identifiable individual.

• Service refers to the Website.

• Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analysing how the Service is used.

• Usage Data refers to data collected automatically, either generated using the Service or from the Service infrastructure itself (for example, the duration of a page visit).

• Website refers to: https://bhaktimarga.us

•  accessible from https://bhaktimarga.us

• You mean the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

5. Collecting and Using Your Personal Data

Types of Data Collected:
- Personal Data: Email address, First name and last name, Address, etc.
- Usage Data: IP address, browser type, pages visited, etc.
- Tracking Technologies and Cookies: Cookies, web beacons, and their purposes.

Types of Data Collected

Personal Data

While using Our Service, we may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

• Email address.

• First name and last name.

• Address, State, Province, ZIP/Postal code, City.

• Usage Data

6. Use of Your Personal Data

We use your data to:
- Provide and maintain our Service
- Manage your Account
- Fulfill contracts and contact you
- Send promotional content (if not opted out)
- Comply with legal obligations

Using Your Personal Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse Our Service. The technologies We use may include:

• Cookies or Browser Cookies. A cookie is a small file placed on Your Device. You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, you may not be able to use some parts of our Service. Unless you have adjusted Your browser setting so that it will refuse Cookies, our Service may use Cookies.

• Web Beacons. Certain sections of our Service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).

Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on Your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close Your web browser. 

We use both Session and Persistent Cookies for the purposes set out below:

• Necessary / Essential Cookies

Type: Session Cookies

Administered by: Us.

Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.

• Cookies Policy / Notice Acceptance Cookies

Type: Persistent Cookies

Administered by: Us.

Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

• Functionality Cookies

Type: Persistent Cookies

Administered by: Us.

Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.

For more information about the cookies, we use and your choices regarding cookies, please visit our Cookies Policy or the Cookies section of our Privacy Policy.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

• To provide and maintain our Service, including to monitor the usage of our Service.

• To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.

• For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.

• To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products, or contracted services, including the security updates, when necessary or reasonable for their implementation.

• To provide You with news, special offers and general information about other goods, services, and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.

• To manage Your requests: To attend and manage Your requests to Us.

• For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.

• For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing, and your experience.

We may share Your personal information in the following situations:

• With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, to contact You.

• For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.

• With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.

• With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.

• With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside.

• With Your consent: We may disclose Your personal information for any other purpose with Your consent.

 7. Legal Basis for Processing

Depending on your location and activity, we rely on:

• Consent  
• Contractual necessity  
• Legal obligation  
• Legitimate interests  

For users located in the European Economic Area (EEA), this corresponds to the legal bases set out in Article 6 of the General Data Protection Regulation (GDPR).

8. Retention and Deletion of Personal Data

Data is retained only as long as necessary to fulfill purposes or comply with legal obligations. Users may request deletion unless retention is legally required.

Retention of Your Personal Data

The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.

Delete Your Personal Data

You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.

Our Service may give You the ability to delete certain information about You from within the Service.

You may update, amend, or delete Your information at any time by signing in to Your Account, if you have one, and visiting the account settings section that allows you to manage Your personal information. You may also contact Us to request access to, correct, or delete any personal information that You have provided to Us.

Please note, however, that we may need to retain certain information when we have a legal obligation or lawful basis to do so.

9. Disclosure of Personal Data

We may disclose data to:
- Acquirers in business transactions
- Law enforcement (where required, Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency))
- Enforce legal rights
- Prevent fraud or harm 

Other legal requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

• Comply with a legal obligation.

• Protect and defend the rights or property of the Company.

• Prevent or investigate possible wrongdoing in connection with the Service.

• Protect the personal safety of Users of the Service or the public.

• Protect against legal liability.

Unless stated otherwise below, the provision of your personal data is neither legally nor contractually obligatory, nor required for conclusion of a contract. You are not obliged to provide your data. Not providing it will have no consequences. This only applies if the processing      procedures below do not state otherwise.

10. Data Sharing and International Transfers

We may share personal data with:
- Service providers (e.g., Shopify, Stripe, Google, Meta)
- Affiliates under strict agreements
- Payment processors and media platforms
International transfers are safeguarded via SCCs, adequacy decisions, or the Data Privacy Framework.

Transfer of Your Personal Data

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.

We share personal data with:

• Service providers (e.g., Shopify, Stripe, Google, Meta, Eventbrite, ..)

• Affiliates under strict data protection agreements

• Payment processors for donations and purchases

• Social platforms (e.g., YouTube, Facebook) for media delivery

All providers are bound by contracts and, where required, Standard Contractual Clauses (SCCs) or certified under the EU-US Data Privacy Framework.

International Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. In accordance with Art. 44 GDPR, we ensure that such transfers are subject to appropriate safeguards, such as European Commission-approved Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognized mechanisms.

11. Children’s Privacy

Our Service does not address anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 16 without verification of parental consent, we take steps to remove that information from Our servers.

If we need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, we may require Your parent's consent before We collect and use that information. If you believe we might have any information from or about a child under sixteen (16), please contact us at info@bhaktimarga.us.

12. Links to Other Websites

Our Website may contain links to third-party sites. We are not responsible for the content or privacy practices of those sites. Users should consult the privacy policies of external sites they visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

13. Webhosting and Online Shop

Webhosting

Sebastian Gates Web Development, Address: 1 Park Place, Grange Rath, Drogheda, Ireland, sebastian.gates@dkit.ie

WordPress.com: Hosting and software for the creation, provision and operation of websites, blogs and other online offerings; service provider: Aut O'Mattic A8C Ireland Ltd, Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://wordpress.com; Privacy Policy; Data Processing Agreement. Basis for transfer to third countries: EU-US Data Privacy Framework (DPF).

GoDaddy: Mail and website hosting, service provider: GoDaddy Operating Company, LLC, Corporate Headquarters, 2155 E., GoDaddy Way, Tempe, AZ 85284 USA, e-mail address: HQ@godaddy.com, Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.godaddy.com, Privacy Policy: https://www.godaddy.com/de-de/legal/agreements/privacy-policy, Data processing agreement: https://www.godaddy.com/de-de/legal/agreements/data-processing-addendum#id-4c4731e1-f2b1-4215-885b-38250197c52e , Basis for third country transfer: EU-US Data Privacy Framework (DPF).

Online shop

Which data do we process in the context of the online shop?

In the course of an order in our Online Shop on the website https://bhaktimarga.us/collections/shop-all, we process, inter alia, title, first and last name, company name, country, billing and shipping address, e-mail address, telephone number, spiritual name (optional), notes about the order (optional), information about the products or services you have ordered, including the order status, and payment information such as credit card number or other bank information. 

For what purposes and on what legal basis do we process this data?

The personal data collected as part of the online shop will only be used to fulfil your order. Therefore, the processing is necessary to fulfil contractual or quasi-contractual obligations (Art. 6 (1) lit. b GDPR), respectively consent (Art. 6 (1) lit. a GDPR respectively Art. 9 (2) lit. a GDPR), where the provision of your data is optional.

For our online shop on the website https://bhaktimarga.us/collections/shop-allwe use the e-commerce software Shopify.  Privacy policy of Shopify: Shopify International Limited, address: Victoria Buildings, 2nd floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland, e-mail: hilfe@shopify.de , Privacy Policy of Shopify https://www.shopify.com/legal/privacy. 

Shopify processes this data primarily on European servers. Shopify sends some data to its Canadian servers. Data transfers to Canada are legitimised by an adequacy decision. Occasionally, Shopify sends data to sub-processors in the USA. However, Shopify obliges them to comply with strict data protection obligations. 

Use of Shopify under Multi-License Structure

Our online shop is operated on the Shopify platform, which is provided under a centralized multi-license agreement managed by Bhakti Event GmbH, a company based in the European Union. Bhakti Marga America is an authorized user of this platform and operates the online shop for users located in the United States and countries outside the European Union (“Rest of World”).

All technical services, hosting, and backend infrastructure are maintained under the main Shopify license held by Bhakti Event GmbH (EU). Bhakti Marga America utilizes this infrastructure to manage the shop content, customer orders, shipping, payments, and all legally required customer interactions for users in its region.

To ensure proper handling of your personal data, Bhakti Marga America and Bhakti Event GmbH have entered into a formal Inter-Entity and Agency Agreement. This agreement outlines:

• Joint controllership responsibilities under applicable data protection laws, including GDPR (Art. 26),
• Cross-border data transfer safeguards, including the use of Standard Contractual Clauses (SCCs),
• Shared and separate responsibilities for customer support, consent collection, order fulfillment, and data subject rights (such as access and deletion requests).

Regardless of your location, your data is processed in accordance with our commitment to data security, privacy, and transparency, and is handled in compliance with both U.S. and EU data protection standards, as applicable.

Bhakti Event GmbH has concluded an order processing contract with Shopify in accordance with Art. 28 GDPR.

DPA from Shopify: https://www.shopify.com/legal/dpa#3-european-union-and-united-kingdom. 

Server log files

You can use our websites without submitting personal data.

Every time our website is accessed, user data is transferred to us or our web hosts/IT service providers by your internet browser and stored in server log files. This stored data includes for example the name of the site called up, date and time of the request, the IP address, amount of data transferred and the provider making the request. The processing is carried out based on the legal basis of our legitimate interests in ensuring the smooth operation of our website as well as improving our services.

Your data may be transferred to third countries outside the European Union for which an adequacy decision has been made by the EU Commission.

Proactive contact of the customer by e-mail

If you contact us proactively via email, we shall collect your personal data (name, email address, message text) only to the extent provided by you. The purpose of the data processing is to handle and respond to your contact request.

If the initial contact serves to implement pre-contractual measures (e.g. consultation in the case of purchase interest, order creation) or concerns an agreement already concluded between you and us, this data processing takes place based on Article 6(1)(b) GDPR.

If the initial contact occurs for other reasons, this data processing takes place based on Article 6(1)(f) GDPR for the purposes of our overriding, legitimate interest in handling and responding to your request. In this case, on grounds relating to your particular situation, you have the right to object at any time to this processing of personal data concerning you and carried out on the basis of Article 6(1)(f) GDPR.

We will only use your email address to process your request. Your data will subsequently be deleted in compliance with statutory retention periods unless you have agreed to further processing and use.

Collection and processing when using the contact form.

When you use the contact form, we will only collect your personal data (name, email address, message text) in the scope provided by you. The data processing is for the purpose of making contact.

If the initial contact serves to implement pre-contractual measures (e.g. consultation in the case of purchase interest, order creation) or concerns an agreement already concluded between you and us, this data processing takes place based on Article 6(1)(b) GDPR.

If the initial contact occurs for other reasons, this data processing takes place based on Article 6(1)(f) GDPR for the purposes of our overriding, legitimate interest in handling and responding to your request. In this case, on grounds relating to your situation, you have the right to object at any time to this processing of personal data concerning you and carried out on the basis of Article 6(1)(f) GDPR.

We will only use your email address to process your request. Finally, your data will be deleted, unless you have agreed to further processing and use.

14. Event Booking and Management

We collect registration and payment data for event participation (e.g., title, name, email, country, payment info). Legal basis: contract performance, legitimate interest, or consent.
Service providers include:
- Event Calendar App (UK)
- Brightstar (USA)
- Eventbrite (USA)
- Meetup (UK/US)
 - Retreat Guru (Canada)

Events 

What data do we process in the context of booking and managing events? 

If you register for our events or paid courses in the events calendar on our website, we will process your title, first and last name, country, address, email address, telephone number, spiritual name (optional), information about the event for which you have registered, payment data such as credit card number or other bank details, among other things. If you register for our free events in the event calendar on our website, we will process your username, email address, spiritual name (optional), information about the event for which you have registered, among other things. 

For what purposes and on what legal basis do we process this data? 

The personal data collected in the context of booking and managing the event will be used in particular to respond to your request. In addition, we may use the data collected to contact you directly and offer you similar offers and events based on your booking history and personal interests. The processing is necessary for the fulfilment of contractual or pre contractual obligations (Art. 6 GDPR). We may also ask for your explicit consent to the processing of personal data collected in connection with the booking and management of the event. Consent will be entirely voluntary.

Service provider for ticketing

Event Calendar App for Event Scheduling

We use Event Calendar App, a service provided by Event Calendar App Ltd, located at 86–90 Paul Street, London, EC2A 4NE, United Kingdom, to display upcoming events and manage event registrations directly through our website. When you view, sign up for, or interact with an event through Event Calendar App, certain personal data may be collected and processed — such as your name, email address, and event preferences.

The legal basis for this processing is the performance of a contract (Article 6(1)(b) GDPR), such as when you register for an event, and our legitimate interest (Article 6(1)(f) GDPR) in organizing and communicating about our events. If you choose to receive event updates or newsletters, the processing is based on your consent (Article 6(1)(a) GDPR).

Event Calendar App may store or process this data on servers located outside the European Economic Area (EEA). Where applicable, data transfers are secured by appropriate safeguards, such as Standard Contractual Clauses (SCCs), to ensure compliance with EU data protection standards.

For more information, please review Event Calendar App’s privacy policy: https://eventcalendarapp.com/privacy.

Brightstar:  We are using the Brightstar as an online platform for event management and ticketing. We collect name , Date of birth, address and e-mail, payment details. Service Provider: Brightstar,  43 Main Street, Groton MA 01450, USA, Website  https://brightstarevents.com, Datenschutzerklärung: https://www.brightstarevents.net/privacy-policy. Basis for third-country transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the Service Provider). 

Eventbrite

We are using the Eventbrite as an online platform for event management and ticketing. We collect name ,Date of birth, address and e-mail, payment details. Service Provider: Eventbrite Inc. is a Delaware corporation with its principal place of business at 95 Third Street, 2nd Floor, San Francisco, California, 94103, Reg. No. 4742147. Legal basis: This processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR, .  Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website:: https://www.eventbrite.com Privacy Policy: https://www.eventbrite.com/help/en-us/articles/460838/eventbrite-privacy-policy/ Data processing agreement:  Organizer Data Processing Agreement; Basis for third-country transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the Service Provider). 

Meetup

We are using the Meetup as an online platform for event management and ticketing.  We collect name , Date of birth, address and e-mail, payment details. This processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR.  Service Provider: VeraSafe United Kingdom Ltd.
37 Albert Embankment, London SE1 7TL United Kingdom, Contact form: https://verasafe.com/public-resources/contact-data-protection-representative Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website:: https://www.meetup.com Privacy Policy: https://help.meetup.com/hc/en-us/articles/360044422391-Privacy-Policy/?urlkey=help&topic=help&__topic_subdomain=1 Basis for third-country transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the Service Provider). 

Bookings and customer management via Retreat Guru

For our temple events we use the services of Retreat Guru, operated by BookRetreats Inc. (doing business as Retreat Guru), located at 908 Baker Street, Nelson, BC V1L 4J6, Canada, to manage event registrations, bookings, and related customer communications. When you make a booking or inquiry through Retreat Guru, your personal data (such as your name, email address, contact information, and booking preferences) may be collected and processed via their platform.

The legal basis for this data processing is the performance of a contract (Art. 6(1)(b) GDPR) and/or our legitimate interests (Art. 6(1)(f) GDPR) in facilitating event organization, customer service, and business operations. Where applicable, data may also be processed on the basis of your consent (Art. 6(1)(a) GDPR), especially for marketing-related communications.

Retreat Guru processes data in accordance with applicable privacy laws and may transfer data to jurisdictions outside the EU with appropriate safeguards in place.

For more information, please refer to Retreat Guru’s privacy policy: https://retreat.guru/privacy.

15. Media Platform App & Event Recordings

This privacy notice explains how Bhakti Marga America ("BM US") and Bhakti Event GmbH ("BM EU") process your personal data when you attend events with Paramahamsa Vishwananda or use the Bhakti Marga Media Platform App "Bhakti +", available via the Apple App Store, Google Play Store, or our websites.

Joint Controllership – Bhakti Marga Media Platform
Bhakti Event GmbH and Bhakti Marga America act as joint controllers under Article 26 GDPR in relation to media content created during Bhakti Marga events. The roles are defined as follows:

• BM US: Responsible for collecting and documenting valid consent for US-based users and event participants, as well as for video production and media processing for US and Rest of World (ROW) users.
• BM EU: Responsible for the technical implementation, media production, platform hosting, and data infrastructure for the EU region, including video production for the EU.

Data subjects may exercise their rights with either controller. Requests will be forwarded internally and processed in accordance with applicable legal requirements.

Events and Media Recordings
During events such as Darshan with Paramahamsa Sri Swami Vishwananda, photo and video recordings (including livestreams and video-on-demand) may be created and shared via the following channels:

• Bhakti Marga Media Platform App "Bhakti +"
• Bhakti Marga Website Livestream
• Bhakti Marga YouTube Channel
• Facebook, Instagram, Flickr
• Promotional print or digital materials

These recordings primarily feature Paramahamsa Vishwananda. While guest recordings are avoided where possible, this cannot always be guaranteed. To protect your privacy, livestream-free zones and black wristbands are available at all events.

Legal Basis for Processing
Depending on your location and activity, we rely on:

• Contractual necessity (Art. 6(1)(b) GDPR)
• Explicit consent (Art. 6(1)(a) / Art. 9(2)(a) GDPR) (e.g. via event registration forms)
• Legitimate interest (Art. 6(1)(f) GDPR) (spiritual outreach and communication)
• Data transfer safeguards (Art. 46 GDPR – SCCs)

Platform Operation & Regional Access
The Bhakti Marga Media Platform, including all streaming infrastructure, is operated by BM EU and licensed to BM US under a multi-license agreement. BM US manages US-facing content and is responsible for video production and media processing for US and ROW users. BM EU is responsible for video production and media processing for EU users. BM US does not have direct access to EU-based user data.
EU personal data is processed and hosted exclusively under the control of BM EU.
US users access the platform via regional interfaces managed by BM US.
Content recorded in the EU may be published by BM US only under BM EU’s authority and based on data subject consent under Art. 6(1)(a) and 9(2)(a) GDPR.
This setup does not constitute a data transfer under Art. 44 GDPR. Transfers to third-party platforms (YouTube, Flickr, Facebook, etc.) are governed by Standard Contractual Clauses (SCCs).

IP Tracking, Regional Redirection & Storage
When you access https://bhaktimarga.us, https://www.bhaktimarga.org, or use the Bhakti Marga Media Platform App, your IP address is used to determine your geographic region. Based on this, the following redirection and data handling procedures apply:

• EU-based users are automatically redirected to the EU Shopify platform operated by Bhakti Event GmbH (BM EU).
• All other users (including USA and Rest of World) are redirected to the US Shopify platform operated by Bhakti Marga America (BM US).

Regardless of which regional platform you are redirected to:

• All customer data is stored in a centralized Shopify EU database hosted by Bhakti Marga.
• Each legal entity (BM US or BM EU) is exclusively responsible for the data of users under its jurisdiction.
• There is no joint operational access to user data between the entities. Data responsibility is strictly separated and maintained in compliance with applicable privacy laws.

Data Categories Processed
We may process the following data via the app and event participation:

• Identification (name, country, spiritual name)
• Contact details (email)
• Pictures, video recordings, testimonials
• Device & session data (IP, app usage logs)
• Media content (videos, photos, language of interpretation)
• Subscription & transaction data
• Payment info (billing address, last four digits of card)

Data Collection Sources
Your data is collected when you:

• Register on the platform or app
• Purchase subscriptions
• Attend events and provide consent
• Use the app or website
• Contact our support team

Legal Bases for Processing

• Performance of a contract
• Explicit consent (e.g., for event recordings or newsletters)
• Legitimate interest (service security, fraud prevention)
• Compliance with EU/US data transfer rules (Art. 46 GDPR – SCCs)

Processors and Data Sharing

We use the following service providers as data processors under Article 28 GDPR:

International Transfers
Content made available to US viewers is shared only through platforms controlled by BM EU or via SCCs.
Where BM US uploads such content via local accounts, SCCs are in place between BM EU and BM US or relevant third-party providers.
Platforms with international sharing:

• Facebook Privacy Policy
• Instagram
• YouTube
• Flickr
• Twitter

Retention Periods
Personal data is stored only as long as necessary for the purposes outlined or as required by law. Once the purpose lapses or consent is withdrawn, data is deleted or anonymized.

Your Privacy Rights
Depending on your region (EU, USA, or ROW), you have the right to:

• Access your personal data
• Rectify inaccurate information
• Request erasure of data
• Restrict or object to processing
• Port your data to another provider
• Withdraw consent at any time
• File a complaint with the relevant supervisory authority (EU authorities listed at EDPB)

Security Measures
We implement the following safeguards:

• Access controls
• Encryption during transmission
• Logging and monitoring
• Regular backups
• Confidentiality agreements

Contact & Withdrawal of Consent
If you have any questions about this privacy policy or how your personal data is handled, or if you wish to exercise your data subject rights — including the withdrawal of consent — please contact the appropriate controller based on your location:

• For users in the United States and Rest of the World (ROW):
• Bhakti Marga America
  📧 Email: info@bhaktimarga.us
  Subject: Withdrawal of Consent
• For users in the European Union (EU):
• Bhakti Event GmbH
  📧 Email: dataprotection@bhaktimarga.org
  Address: Am Geisberg 1–8, 65321 Heidenrod, Germany
  Subject: Withdrawal of Consent

We will respond to your request without undue delay and in accordance with applicable data protection laws.
Please note that withdrawal of consent only affects future processing and does not affect the lawfulness of processing carried out prior to the withdrawal.

Learn more:

• Privacy Policy
• Legal Notice / Imprint

17. Social Media and Plugins and Marketing

We maintain presences on platforms such as:
- Facebook, Instagram, Telegram, YouTube, Twitter, TikTok, Meetup
- Plugins and APIs include: Google Maps, Google Tag Manager, YouTube embedding
Data processing may include behavioral tracking, analytics, and advertising.
Legal basis: legitimate interest, consent (for tracking), joint controllership (e.g. Facebook Fanpages).

Presence in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights.

Furthermore, user data is generally processed within social networks for market research and advertising purposes. For example, user profiles can be created based on user behaviour and the resulting interests of users. The user profiles can in turn be used, for example, to place adverts within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the user's computer, in which the user's usage behaviour and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For a detailed description of the respective forms of processing and the opt-out options, please refer to the data protection declarations and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly. Should you nevertheless require assistance, you can contact us.

- Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication, and process data (e.g. IP addresses, time data, identification numbers, consent status); Inventory data (e.g. names, addresses).

- Data subjects: Users (e.g. website visitors, users of online services).

- Purposes of Processing: Contact requests and communication; Feedback (e.g. collecting feedback via online form); Marketing. Provision of our online services and user-friendliness.

- Legal basis: Legitimate interests

Further information on processing operations, procedures, and services:

• Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.
• Facebook pages: Profiles within the social network Facebook - We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content users view or interact with, or the actions they take (see under "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under "Device information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, so-called "Page Insights", for page operators so that they can gain insights into how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook ("Information on Page Insights", https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfil the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to Facebook). The rights of users (to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information on Page Insights"  (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for transfer to third countries: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: Agreement on joint controllership: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint controllership is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
• Telegram channels: We use the Telegram platform to send messages to subscribers of our Telegram channel; Service provider: Representative in the European Union: European Data Protection Office (EDPO), Avenue Huart Hamoir 71, 1030 Brussels, Belgium; Website: https://telegram.org/; Privacy Policy: https://telegram.org/privacy; Further information: We process the personal data of subscribers only to the extent that we can view and delete the subscribers as recipients of the channel. Beyond this, i.e. in particular for the sending of messages, the evaluation and provision of anonymous sending statistics for the channel operators and the administration of subscribers, Telegram is responsible under data protection law.
• X: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Privacy Policy: https://twitter.com/privacy, (Settings: https://twitter.com/personalization). Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://twitter.com/de; Privacy Policy: https://twitter.com/privacy, (Settings: https://twitter.com/personalization); Data processing agreement: https://privacy.twitter.com/en/for-our-partners/global-dpa. Basis for third country transfer: Standard Contractual Clauses (https://privacy.twitter.com/en/for-our-partners/global-dpa).
• YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Privacy Policy: https://policies.google.com/privacy; Basis for third country transfer: EU-US Data Privacy Framework (DPF). Option to object (opt-out): https://adssettings.google.com/authenticated.
• TikTok: We use TikTok and related tools provided by TikTok Inc., located at 5800 Bristol Parkway, Suite 100, Culver City, CA 90230, USA, to support our digital marketing and  advertising. This includes technologies such as the TikTok Pixel, which may collect or receive data (e.g., IP address, browser type, device ID, browsing behavior) to help us measure ad performance, optimize campaigns, and deliver relevant advertisements to users on and off TikTok.The legal basis for this data processing is our legitimate business interest in promoting our services. Where required by applicable law (such as the California Consumer Privacy Act [CCPA], the Virginia Consumer Data Protection Act [VCDPA], or similar state privacy laws), we also rely on your consent for the use of certain cookies and tracking technologies, particularly for cross-context behavioral advertising. You have the right to opt out at any time. For more details on how TikTok processes data, please see TikTok’s privacy policy: https://www.tiktok.com/legal/page/us/privacy-policy/en. To manage or revoke consent preferences, you can adjust your cookie settings on our website or visit: https://optout.aboutads.info

18. Third Party Providers Online Service 

To offer you a convenient website, we use, inter alia, cPanel, and YouTube (Google Maps and YouTube are together referred to as “content plug-ins”), and so-called social media plugins of the social networks.

18.1 YouTube

On our websites, we use the services of the video portal YouTube LLC., 901 Cherry Ave., 94066 San Bruno, CA, USA, ("YouTube") to integrate videos. In connection with the provision of YouTube, we use the "Enhanced Privacy Mode", which is intended to ensure that data is only transmitted to YouTube when the videos are accessed.

Thus, only if you interact with the video, a connection to YouTube will be established to be able to call up and display the video. In this context, YouTube stores at least the IP address, the date and time as well as the website you visited. In addition, a connection to Google's advertising network "DoubleClick" is established.

If you are logged into YouTube at the time, you visit our website, YouTube may establish a connection to your YouTube account. To prevent this, you must either log out of YouTube before visiting our website or make the appropriate settings in your YouTube user account.

For the purpose of ensuring improved usability and analyzing usage behavior, YouTube permanently stores cookies on your end device via your Internet browser. If you do not agree with this processing, you have the option to prevent the storage of cookies by a setting in your Internet browser. You can find more information on this above under "Cookies".

Google provides further information on the collection and use of data as well as your rights and protection options in this regard in the Privacy Notice.

18.2 Video conferencing, online meetings, webinars and online lectures and online courses and screen sharing

We use third-party platforms and applications (hereinafter referred to as "Conference Platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "Conference"). When selecting conference platforms and their services, we take into account the legal requirements.

Data processed by conference platforms: In the context of participation in a conference, the conference platforms process the personal data of the participants mentioned below. The scope of the processing depends, on the one hand, on which data is requested in the context of a specific conference (e.g. provision of access data or real names) and which optional information is provided by the participants. In addition to processing for the implementation of the conference, the data of the participants may also be processed by the conference platforms for security purposes or service optimization. The processed data includes personal data (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, details of professional position/function, the IP address of the Internet access, details of the participants' end devices, their operating system, the browser and its technical and linguistic settings, information on the content of the communication processes, i.e. entries in chats, as well as audio and video data, as well as the use of other available features (e.g. surveys). The content of the communications is encrypted to the extent technically provided by the conference providers. If the participants are registered as users with the conference platforms, then further data may be processed in accordance with the agreement with the respective conference provider.

Logging and recordings: If text entries, participation results (e.g. of surveys) as well as video or audio recordings are logged, this will be communicated transparently to the participants in advance and they will be asked for consent if necessary.

Data protection measures of the participants: For the details of the processing of your data by the conference platforms , please note their data protection notices and select the optimal security and data protection settings for you within the settings of the conference platforms. Please also ensure that data and privacy are protected in the background of your recording for the duration of a video conference (e.g. by notifying roommates, locking doors and, as far as technically possible, using the function to make the background unrecognizable). Links to the conference rooms as well as access data may not be passed on to unauthorized third parties.

Notes on legal bases: If, in addition to the conference platforms , we also process the data of the users and the users ask for their consent to the use of the conference platforms or certain functions (e.g. consent to a recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary for the fulfilment of our contractual obligations (e.g. in participant lists, in the case of processing of interview results, etc.). In addition, users' data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

• Types of data processed: inventory data (e.g. names, addresses); contact details (e.g. email, phone numbers); Content data (e.g. submissions in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, timings, identification numbers, consent status).
• Data subjects: communication partners; Users (e.g. website visitors, users of online services). People depicted.
• Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; Contact requests and communication. Office and organizational procedures.
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
• Further information on processing processes, procedures and services:
• Zoom: conferencing and communication software; Service Provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://zoom.us; Privacy Policy: https://zoom.us/docs/de-de/privacy-and-legal.html; Data processing agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA). Basis for third-country transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA)).

19. Advertising and Marketing

Bhakti Marga America uses Meta advertising tools (including Facebook and Instagram Ads) to promote spiritual events and activities, such as local appearances by Paramahamsa Vishwananda. These tools allow us to display targeted advertisements to individuals based on factors such as geographic location, page engagement, and platform interests.

Our advertising activities are limited to U.S.-based users. Campaigns are managed exclusively by Bhakti Marga America, and we do not intentionally target, access, or use personal data from individuals located in the European Union or other GDPR-regulated jurisdictions for these campaigns.

In connection with these tools, Meta Platforms Inc. may act as a joint controller of data, particularly where user interactions on Meta platforms are used for audience targeting or measurement. This may include the processing of personal data such as IP address, device information, interaction history, and inferred interests.

Where Meta processes data as a joint controller, such processing is governed by Meta’s Controller Addendum. For more information on how Meta processes personal data, please refer to Meta’s Data Policy.

You can manage your advertising preferences through your Facebook or Instagram account settings.

19.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to know what categories of personal information we collect, the purposes for which it is used, and with whom your information is shared. Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), you also have the right to opt out of the “sharing” of your personal information for cross-context behavioral advertising.

To opt out of targeted advertising through Meta, you can:

• Adjust your preferences via Facebook: Ad Preferences
• Adjust your preferences via Instagram: Instagram Ad Settings
• Submit a request using our Do Not Sell or Share My Personal Information form.

19.2 Notice to Users in the European Union

Although our advertising activities are limited to U.S. residents, this website is accessible from within the European Union. Bhakti Marga America does not intentionally target or process personal data of EU-based users for advertising purposes.

However, because Meta’s platforms are jointly controlled by Meta Platforms Ireland Ltd. for EU users, incidental processing of EU user data (e.g., from page visits or public engagement) may occur. In such cases, data processing is governed by Meta’s Joint Controller Addendum in accordance with Article 26 GDPR, and subject to Meta’s Privacy Policy.

Bhakti Marga America does not make decisions regarding the data of EU users, does not retain such data, and does not use it for ad targeting. If you are located in the EU, you may exercise your GDPR rights directly with Meta Platforms Ireland Ltd.

20. Newsletter Subscription  and Communication

Purpose

If you subscribe to our newsletter, we use your personal data to send you updates about Bhakti Marga America, including upcoming events, services, spiritual content, promotions, and other relevant news. Our newsletter may also include automated or personalized content based on your interests and interactions.

What data is collected?

When you subscribe to our newsletter, we may collect and process the following types of data:

• Email address (required)
• First and last name (optional, for personalized communication)
• Subscription time and date
• IP address and device/browser metadata
• Consent status and log data
• Interaction data (e.g. email opens, clicks, unsubscribes)

Email Analytics & Tracking

Our emails include tracking technologies such as web beacons (also known as tracking pixels). These allow us to collect data on:

• Whether and when a newsletter was opened
• Which links were clicked
• The location and device used to access the email
• Technical data such as browser type and IP address

This information helps us to understand engagement and improve the content and timing of our emails. Analytics data may be stored in your subscriber profile to personalize future communication.

Legal Basis

• Consent: When you voluntarily subscribe to our newsletter, your data is processed based on your consent.
• Legitimate Interest: If you are an existing customer, we may send relevant updates based on our legitimate interest in maintaining contact, unless you object.
• Analytics & performance measurement are also based on your consent.

Unsubscribing and Consent Withdrawal

You may unsubscribe at any time by clicking the unsubscribe link in any of our emails or by contacting us at:
📧 info@bhaktimarga.us

After unsubscribing, your email address will be removed from the active mailing list.

Retention and Deletion

• We may retain unsubscribed email addresses for up to three years in a secure archive for documentation purposes (e.g. to prove prior consent).
• If legally required to respect your opt-out permanently, your email may be added to a blocklist.
• You may request earlier deletion, provided you confirm prior consent.

Newsletter Service Provider

We use Klaviyo, a service provided by Klaviyo Inc., 125 Summer Street, Floor 6, Boston, MA 02111, United States, to manage and send our newsletters.

Klaviyo processes your data on our behalf and complies with applicable data protection regulations. Klaviyo participates in the EU-U.S. Data Privacy Framework, ensuring appropriate safeguards for international data transfers.

For more details, see:

• Klaviyo Privacy Policy

Summary

21. Seva Form Data

Seva form 

When using the seva contact form, we collect your personal data (name, e-mail address, address, nationality, spiritual name, telephone number, talents, message text) only to the extent that you have provided it. The purpose of the data processing is to   establish contact. If the purpose of contacting us   is to   carry out pre-contractual measures (e.g. advice in the event   of interest in a purchase, the preparation of quotations) or an already in the case of a contract concluded between you and us, this data processing is carried out based on Art. 6(1)(b) GDPR. If contact is made   for other reasons, this data is processed based on Art. 6 para.  1 lit.  f GDPR is based on our overriding legitimate interest in answering your question. In this case, you have the right to object at any time, on grounds arising from your  particular situation,  to  the  processing of your personal data on the basis of Article 6(1)(f) of the GDPR. The processing of this data is based on Art. 6 (1) lit. b GDPR, insofar as your enquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures.  Your email address will only be used to process your request. Your data will then be deleted latest after 6 month, if you have not consented to further processing and use. In all other cases, the processing is based on our legitimate interest in the effective handling of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; the consent can be revoked at any time.

22. Payment Processing and Service Providers

Bhakti Marga America offers a variety of secure payment options for your convenience. To process your payments, we may share certain payment-related data with third-party payment service providers. For more information about how these providers handle your personal data, please consult their respective privacy policies.

Why do we use third-party payment providers?

We use third-party providers to enable efficient and secure online payments on our website and in our apps. Payment data is processed for:

• Fulfilling contractual or donation-related transactions;
• Compliance with legal and financial regulations.

Who receives your payment information?

In addition to financial institutions (such as your bank), we work with third-party payment processors who may receive your data to execute the transaction. Credit agencies may also be involved to verify your identity and assess creditworthiness, depending on the payment method selected.

What payment data may be collected?

The payment service providers may collect and process the following types of data:

• Full name
• Billing and shipping address
• Bank account or credit card details (card number, CVC, expiration date)
• Authentication data (e.g. passwords, TANs)
• Order or donation details (amount, recipient, purpose)
• IP address
• Time and date of transaction
• Device and browser information
• Consent status
• Cookies and other identifiers

Please note: We do not receive or store your full credit card or account data. We only receive confirmation or failure status regarding the transaction.

Legal basis for processing payment data

Your personal data may be processed for payment purposes based on:

• Your consent, where required (you may withdraw your consent at any time);
• Contract performance, such as fulfilling your donation or order;
• Legal obligations, such as record-keeping and fraud prevention.

Additional terms and privacy policies

Please note that payment processing is additionally governed by the terms and privacy policies of the respective payment providers. We recommend that you read their policies carefully before completing your transaction.

How long is your payment data stored?

Retention periods vary depending on the provider and applicable financial regulations. Generally, data is stored only as long as necessary for payment processing and legal compliance.

 What rights do you have?

You may exercise your data protection rights such as access, correction, deletion, or objection. For data processed by the payment provider, please contact them directly using the information in their privacy policy.

 Payment Providers We Use

We offer multiple payment methods so you can choose the one most convenient for you. These include:

• Visa
• Mastercard
• American Express
• Maestro
• UnionPay
• ShopPay
• Apple Pay
• Google Pay
• PayPal
  

Visa

Provider Contact Details
Visa Inc.
Visa Europe Limited
1 Sheldon Square
London, W2 6TT, United Kingdom
https://www.visa.com

Purpose of Processing
We use Visa for secure and reliable processing of credit card transactions.

What data does Visa collect?
Visa may collect and process:

• Name and surname
• Email address
• Visa card number
• Transaction details (date, time, amount)

Visa may also conduct profiling and data analysis to prevent fraud and security threats. For details, see Visa’s privacy policies:

• https://www.visa.com/legal/global-privacy-notice.html
• https://www.visa.co.uk/legal/global-privacy-notice/jurisdictional-notice-eea.html

Data Transfers
Visa may process data outside the U.S. or EU.
We have a contractual agreement in place with Visa to ensure adequate data protection safeguards where applicable.

Legal Basis
Visa processes your data based on:

• Consent (if required),
• Contract performance (e.g. processing a donation),
• Legal obligations (e.g. financial reporting).

Retention Period
Visa stores data for as long as necessary to fulfill the transaction and comply with financial laws.

Your Rights
You may exercise your rights (such as access, correction, deletion) directly with Visa.

 Use of Mastercard, AMEX, Union Pay, EPS

• Mastercard: Payment services (technical connection of online payment methods); service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.mastercard.de/de-de.html. Privacy Policy
• AMEX, American Express payment services (technical connection of online payment methods); service provider: American Express Theodor-Heuss-Allee 112 60486 Frankfurt am Main Germany; Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.americanexpress.com Privacy Policy
• Union Pay International Co, Ltd, German Branch, An der Welle 4, 60322 Frankfurt, for the payment brands "CUP" and "Union Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website:Pay" http://www.unionpayintl.com/en/aboutUs/com, Privacy Policy

•  Discover

Provider Contact Details
Discover Financial Services
2500 Lake Cook Road
Riverwoods, IL 60015, USA
https://www.discover.com

Purpose of Processing
We use Discover to enable secure credit card transactions for users based in the United States and other regions where Discover is supported.

What data does Discover collect?
Discover may process:

• Name and contact information
• Credit card details (number, expiration, CVC)
• Transaction details (amount, date, merchant info)
• IP address and device/browser information

Legal Basis
Processing is based on your consent, the need to fulfill a contract (e.g. a donation or purchase), or compliance with legal obligations.

Data Transfers
Discover processes data primarily within the United States.

Retention Period
Data is retained as long as necessary for payment processing and regulatory compliance.

Your Rights
Please refer to Discover’s privacy policy:
https://www.discover.com/privacy-statement/
For any data-related concerns, you may contact Discover directly.

Elo

Provider Contact Details
Elo Serviços S.A.
Rua Dr. Geraldo Campos Moreira, 147 – Brooklin
São Paulo – SP, 04571-010, Brazil
https://www.elo.com.br

Purpose of Processing
Elo is a Brazilian payment card network. We use Elo to process payments from users in Brazil.

What data does Elo collect?
Elo may collect and process:

• Name and contact information
• Card details
• Transaction data (amount, date, location)
• IP address and device metadata

Legal Basis
Processing is based on consent, contract performance, or compliance with Brazilian and international financial regulations.

Data Transfers
Elo may process data in Brazil and potentially in other jurisdictions with appropriate safeguards.

Retention Period
Data is stored for as long as needed for payment processing and financial compliance.

Your Rights
You can review Elo’s privacy policy at:
https://www.elo.com.br/politica-de-privacidade

UnionPay

Provider Contact Details
China UnionPay (CUP)
Building B, No.6, Lane 3999, Xiupu Road
Pudong New District, Shanghai, China
http://www.unionpayintl.com

Purpose of Processing
We support UnionPay to accommodate users primarily from China and other Asian regions.

What data does UnionPay collect?
UnionPay may process:

• Name and contact info
• Card and transaction details
• Geolocation and device data
• IP address and browser type

Legal Basis
Processing is carried out for the purpose of contract execution, fraud prevention, and compliance with applicable financial laws.

Data Transfers
UnionPay may transfer data to countries outside the EU/US. We rely on contractual safeguards to protect this data in accordance with international standards.

Retention Period
UnionPay retains data for regulatory and fraud-prevention purposes, in line with local legal requirements.

Your Rights
You can find more information in UnionPay’s privacy policy:
http://www.unionpayintl.com/en/privacy.html

JCB

Provider Contact Details
JCB Co., Ltd.
5-1-22, Minami Aoyama, Minato-ku
Tokyo 107-8686, Japan
https://www.global.jcb/en/

Purpose of Processing
JCB is a Japan-based international credit card company. We offer this option for users who prefer using JCB cards.

What data does JCB collect?
JCB may collect:

• Name and address
• Card information
• Transaction metadata
• Location, device, and browser data

Legal Basis
Processing is based on your consent, performance of a contract (donation or purchase), or compliance with financial regulations.

Data Transfers
JCB processes data primarily in Japan and may transfer data internationally. Appropriate safeguards are in place where required.

Retention Period
JCB retains data as required under Japanese and international financial regulations.

Your Rights
Please refer to JCB’s privacy policy here:
https://www.global.jcb/en/privacy/

Shopify Payments (via Stripe)

What data does Shopify Payments collect?
Shopify Payments (processed via Stripe) may collect:

• Name and billing address
• Email and order information
• Payment method details (e.g., card number, expiration, security code)
• Transaction amount and currency
• IP address and device/browser metadata

Legal Basis
Processing is based on the performance of a contract (e.g., donation or order), legal obligations (e.g., tax and accounting), or our legitimate interests in fraud prevention and secure payment handling.

Data Transfers
Stripe processes data within the EU and may transfer data to third countries. Standard contractual safeguards are in place.

Retention Period
Data is stored for as long as required by financial and tax regulations.

Your Rights
Please refer to:

• Shopify Privacy Policy
• Stripe Privacy Policy

Google Pay

What data does Google Pay collect?
Google Pay may collect:

• Name and contact details
• Linked card or payment account
• IP address and device information
• Payment amount and transaction metadata
• Location (for security and fraud detection)

Legal Basis
Processing is based on your consent, contract performance (e.g., completing a transaction), and fraud prevention.

Data Transfers
Google may transfer data globally. Adequate protection mechanisms are applied where required.

Retention Period
Data is retained in accordance with Google's policies and financial recordkeeping requirements.

Your Rights
Please refer to:

• Google Privacy Policy 

Apple Pay

What data does Apple Pay collect?
Apple Pay may collect:

• Encrypted payment token and metadata
• Device account number
• Dynamic transaction code
• Minimal transaction-related details (not including full card info)

Legal Basis
Processing is based on contract performance and legitimate interests in secure authentication and fraud prevention.

Data Transfers
Apple may process transaction data on servers located outside your country. Information is anonymized or pseudonymized.

Retention Period
Apple retains payment information only as necessary for transaction processing and support.

Your Rights
Please refer to:

• Apple Pay Privacy Overview

Stripe (Direct Use)

What data does Stripe collect?
Stripe may collect:

• Name, address, and contact details
• Payment method and transaction metadata
• IP address, device/browser data
• Credit check data (for some payment types)

Legal Basis
Processing is based on contract performance, legal obligations (e.g., tax law), and Stripe’s legitimate interest in fraud prevention. If credit scoring is performed, it is based on a balancing of interests.

Data Transfers
Data may be transferred internationally with contractual safeguards in place.

Retention Period
Data is retained as long as necessary to fulfill transactions and legal requirements.

Your Rights
Please refer to:

• Stripe Privacy Policy

PayPal Express

What data does PayPal Express collect?
PayPal may collect:

• Name and email
• PayPal account details
• Device type, browser, and IP address
• Payment and transaction metadata
• Location and session cookies

Legal Basis
Processing is based on contract performance, your consent (e.g., for cookies), and legitimate interest in providing a smooth and secure checkout experience.

Data Transfers
PayPal processes data in the EU and US. Safeguards are in place where applicable.

Retention Period
PayPal retains data as required by financial law and its internal risk and compliance rules.

Your Rights
Please refer to:

• PayPal Privacy Policy

PayPal Check-Out (incl. Pay Later / SEPA / Credit Card)

What data does PayPal Check-Out collect?
PayPal may collect:

• Name, address, and account/payment method details
• Order data and transaction history
• Credit information (for “Pay Later” or invoice payments)
• Device and browser metadata

Legal Basis
Processing is based on contract performance and legitimate interest (e.g., creditworthiness checks, fraud protection).

Data Transfers
Data may be shared with credit agencies and processed internationally with appropriate safeguards.

Retention Period
Data is stored in accordance with financial laws and internal risk management standards.

Your Rights
Please refer to:

• PayPal Privacy Policy

Ratepay (used for Invoice via PayPal)

What data does Ratepay collect?
Ratepay may collect:

• Full name and contact information
• Payment method and transaction data
• Credit check and score values
• Address verification data

Legal Basis
Processing is based on contract performance and legitimate interest in conducting credit assessments for deferred payments.

Data Transfers
Data is processed within the EU and may be shared with credit agencies. Ratepay applies standard protections.

Retention Period
Data is retained for as long as necessary to fulfill payment processing and financial compliance.

Your Rights
Please refer to:

• Ratepay Privacy Policy
• Credit Agency Info

Donations via Shopify

The processing of donations of the Bhakti Marga America Church is carried out via the Shopify software

Online shop system: We use the Shopify e-commerce software for online donation management on our website. Shopify International Limited, address: Victoria Buildings, 2nd Floor 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland, e-mail: hilfe@shopify.de, Shopify's privacy policy https://www.shopify.com/legal/privacy .Shopify processes this data primarily on European servers. Shopify sends some data to its Canadian servers. Data transfers to Canada are legitimised by an adequacy decision.Shopify's addendum https://www.shopify.com/legal/dpa. For more information, please visit the online shop's page https://www.shopify.com/legal/privacy.

23. Cookies and Tracking Technologies

Cookies

What are cookies?
Cookies are small text files stored on your device by your browser when you visit a website. These files help recognize your browser on future visits and enable certain functions or user preferences.

Why do we use cookies?
We use cookies to:

• Enable essential website features (e.g. navigation, session management)
• Improve performance and usability
• Secure our services
• Remember your preferences (e.g. language or location)

Technically Necessary Cookies
These cookies are essential to the functioning of our website and cannot be disabled in our systems. They allow you to:

• Navigate pages securely
• Use services such as shopping carts, logins, and form submissions
• Stay recognized during a session

Without these cookies, parts of the website may not function properly.

Legal Basis
For users in the European Economic Area (EEA), technically necessary cookies are used based on our legitimate interest in providing a functional, secure, and user-friendly website. For any cookies beyond that (e.g., for marketing or analytics), your prior consent is required.

Managing Cookies
You can control and manage cookies through your browser settings. You can also delete cookies already stored on your device at any time. Please note that disabling cookies may limit your access to certain features.

Here are links on how to manage cookies in common browsers:

• Chrome: Manage cookies in Chrome
• Edge: Manage cookies in Microsoft Edge
• Firefox: Enable/Disable cookies in Firefox
• Safari: Manage cookies in Safari

Your Rights (EEA Users)
If you are located in the EEA, you may object to the use of cookies based on our legitimate interest, if reasons arise from your particular situation. You also have the right to withdraw any cookie consent at any time for non-essential cookies.

Use of the Cookie Consent Plug-in from WebToffee

We use the GDPR Cookie Consent Plug-in from WebToffee of Mozilor Limited (10 Paxton Crescent, Shenley Lodge, Milton Keynes MK5 7PY, United Kingdom; "WebToffee") on our website.

The plug-in enables you to give your consent to data processing via the website, in particular to set cookies, as well as to make use of your right of revocation for consents already provided. The data processing serves the purpose of obtaining and documenting necessary consents to data processing and thus to comply with legal obligations. Cookies may be deployed for this purpose. Among other things the following information can be collected and transmitted to WebToffee: anonymised IP address, User ID, consent status, date and time of the consent or rejection. This data will not be passed on to any other third parties.

The data processing is carried out on the basis of Article 6 para. 1 lit. c GDPR to comply with a legal obligation. For more information about data protection at WebToffee, please visit: https://www.webtoffee.com/privacy-policy/

Analysis

Use of Google Analytics 4

We use the Google Analytics web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; "Google") on our website.

The data processing serves the purpose of analyzing this website and its visitors as well as for marketing and advertising purposes. To this end, Google will use the information obtained on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator.

In this context, the following information may be collected, among others: IP address, date and time of page view, click path, information about the browser you are using and the device you are using (device), pages visited, referrer URL (website from which you accessed our website), location data, purchase activity. Your data may be linked by Google to other data, such as your search history, your personal accounts, your usage data from other devices, and any other data Google may have about you.

Plug-ins

Use of the Google Tag Manager

Our website uses the Google Tag Manager from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; "Google"). This application manages JavaScript tags and HTML tags which are used to implement tracking and analysis tools. The data processing serves to facilitate the needs-based design and optimisation of our website. The Google Tag Manager itself neither stores cookies nor processes personal data. It does, however, enable the triggering of further tags which may collect and process personal data. You can find more detailed information on the terms and conditions of use and data protection at https://www.google.com/intl/de/tagmanager/use- policy.html

Use of GoogleMaps

Our website uses the function for embedding Google Maps by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, "Google")

This feature visually represents geographical information and interactive maps. Google also collects, processes, and uses data on visitors to the website when they call up pages with embedded Google maps.

Your data may also be transmitted to the USA. For the USA, there is an adequacy decision of the EU Commission, the Trans-Atlantic Data Privacy Framework (TADPF). Google has certified itself in accordance with the TADPF and has thus undertaken to comply with European data protection principles.

The use of cookies or comparable technologies is carried out with your consent based on Art. 25 para. 1 p. 1 TTDSG in conjunction with Art. 6 para. 1 lit. a GDPR. The processing of your personal data is carried out with your consent based on Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time without affecting the legality of the processing carried out with your consent up to the withdrawal.

Further information on the data collected and used by Google, your rights and privacy can be found in Google’s privacy policy at https://www.google.com/privacypolicy.html. You also have the option of changing your settings in the data protection centre, allowing you to administer and protect the data processed by Google.

Font Awesome

This site uses Font Awesome to display fonts and symbols uniformly. The provider is Fonticons, Inc., 6 Porter Road Apartment 3R, Cambridge, Massachusetts, USA.

When you access a page, your browser loads the necessary fonts into your browser cache to display texts, fonts, and symbols correctly. For this purpose, the browser you use must connect to Font Awesome’s servers. This gives Font Awesome knowledge that this website was accessed via your IP address. The use of Font Awesome is based on Art. 6 Para. 1 lit. f GDPR. We have a legitimate interest in the uniform presentation of the typeface on our website. If appropriate consent has been requested, processing is carried out exclusively based on Art. 6 Para. 1 lit . B. Device fingerprinting). Consent can be revoked at any time.

If your browser does not support Font Awesome, your computer will use a standard font.

Further information about Font Awesome can be found in Font Awesome’s privacy policy at:
https://fontawesome.com/privacy

Google reCAPTCHA

We use “Google reCAPTCHA” (hereinafter “reCAPTCHA”) on this website. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

The purpose of reCAPTCHA is to check whether data entry on this website (e.g. in a contact form) is done by a human or by an automated program. To do this, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For analysis, reCAPTCHA evaluates various information (e.g. IP address, length of time the website visitor stays on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place.

The storage and analysis of the data is based on Art. 6 Para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive automated spying and SPAM. If appropriate consent has been requested, processing is carried out exclusively based on Art. 6 Para. 1 lit . B. Device fingerprinting. Consent can be revoked at any time.

Further information about Google reCAPTCHA can be found in the Google Privacy Policy and the Google Terms of Use under the following links:
https://policies.google.com/privacy?hl=de and
https://policies.google.com/terms?hl=de

You can find more detailed information on the data processing and data protection at https://www.google.de/intl/de/policies/ and at https://developers.google.com/fonts/faq.

Use of Google Translate

We use the translation service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) on our website via API integration. The data processing serves the purpose of presenting the information provided on the website in a different language. In order for the translation to be automatically displayed after you have selected a national language, the browser you are using connects to the Google servers. Cookies may be used for this purpose. Thereby, among other things, the following information can be collected and processed: IP address, URL of the page visited, date and time. Your data may be transferred to the USA. For the USA, there is an adequacy decision of the EU Commission, the Trans-Atlantic Data Privacy Framework (TADPF). Google has certified itself in accordance with the TADPF and has thus undertaken to comply with European data protection principles.

The use of cookies or comparable technologies is carried out with your consent on the basis of Art. 25 para. 1 p. 1 TTDSG in conjunction with Art. 6 para. 1 lit. a GDPR. The processing of your personal data is carried out with your consent on the basis of Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time without affecting the legality of the processing carried out with your consent up to the withdrawal. You can find more information on the collection and use of your data by Google at: https://www.google.com/policies/privacy/.

Use of YouTube

We use the  YouTube video  embedding function of Google Ireland  Limited (Gordon House,  Barrow Street,   Dublin 4, Ireland; "YouTube"). YouTube is a partnership with Google LLC (1600 Amphitheatre Parkway, Mountain View,   CA 94043, USA; 'Google').  

The feature displays videos  that have been deposited with YouTube in an iFrame on the website. In doing so,  the "Advanced Privacy Mode" option is  activated. As a result, YouTube does not store any information about the visitors to the website. Only when you watch  a video is the information about it transmitted to YouTube and stored  there. If necessary, your data will be transferred to  the USA. For the  US, there  is an adequacy decision from the  EU Commission:  the Trans-Atlantic Data Privacy Framework (TADPF).  YouTube has certified itself in accordance with  the TADPF  and is therefore obliged to comply with European  data protection principles. The use of cookies or similar technologies is carried out with your consent pursuant   Art. 6(1)(a) GDPR. The processing of your  personal data is carried out with your consent pursuant to Art.   6(1)(a) GDPR. You can withdraw consent at any time without affecting the lawfulness of the processing  carried out on the basis of the consent  until  the withdrawal.

You   can find more information about the collection  and  use of data  by YouTube  and  Google as  well as the  associated rights  and options for protecting your privacy in YouTube's privacy policy (https:// www.youtube.com/t/privacy). 

Use of Flickr

- Flickr, operated by Flickr, Inc, Flickr c/o Yahoo! Inc, 701 First Avenue, Sunnyvale, CA 94089, USA. Further information can be found in Flickr's privacy policy. Basis for the transfer to third countries: Standard contractual clauses. Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.flickr.com, Privacy Policy: https://www.flickr.com/help/privacy. Data processing agreement: https://www.flickr.com/help/dpa.

API Keys

We make use of certain APIs, in order to provide specific features.

These APIs may include the following third party services: Google Maps (API key), Meetup (OAuth token), PayPal (email, Client ID, Client Secret), Eventbrite (API key, auth URL, Client Secret), and Zoom (email, Client ID, Client Secret).

24. Rights of Data Subjects

Rights of persons affected and storage duration

Duration of storage

After contractual processing has been completed, the data is initially stored for the duration of the warranty period, then in accordance with the retention periods prescribed by law, especially tax and commercial law, and then deleted after the period has elapsed, unless you have agreed to further processing and use.

Rights of the affected person

If the legal requirements are fulfilled, you have the following rights according to art. 15 to 20 GDPR: Right to information, correction, deletion, restriction of processing, data portability. You also have a right of objection against processing based on art. 6 (1) GDPR, and to processing for the purposes of direct marketing, according to art. 21 (1) GDPR.

Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR)

IF THE DATA PROCESSING IS BASED ON ART. 6 ABS. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE TERMS. THE APPLICABLE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS DATA PROTECTION POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE CAN PROOF COMPLEX REASONS FOR THE PROCESSING THAT OUTWEIGH YOUR INTERESTS, RIGHTS AND FREEDOM OR THE PROCESSING IS FOR THE USE OF ASSERTING, EXERCISE OR DEFENSE FORMATION OF LEGAL CLAIMS ( OBJECTION PURSUANT TO ARTICLE 21(1) GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH ADVERTISING; THIS ALSO APPLIES TO PROFILING TO THE EXTENT IT IS CONNECTED WITH SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR THE PURPOSE OF DIRECT ADVERTISING (OBJECTION PURSUANT TO ARTICLE 21 (2) GDPR).

Right to complain to the regulatory authority

You have the right to complain to the regulatory authority according to art. 77 GDPR if you believe that your data is not being processed legally.

You can lodge a complaint with, among others, the supervisory authority responsible for us. In case you could not solve your problem with us directly, you can also complain to your local data protection authority or the place of the suspected violation. Contact information of these authorities can be accessed at the website of the European Data Protection Board European Data Protection Board (EDPB)..

Right to object

If the data processing outlined here is based on our legitimate interests in accordance with Article 6(1)f) GDPR, you have the right for reasons arising from your particular situation to object at any time to the processing of your data with future effect.

If the objection is successful, we will no longer process the personal data, unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests or rights and freedoms, or the processing is intended for the assertion, exercise or defence of legal claims. 

25. Security Measures

We implement a variety of security measures designed to maintain the safety of your personal data we store and process. 

We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, safeguarding availability and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats. Furthermore, we take the protection of personal data into account as early as the development and selection of hardware, software and processes in accordance with the principle of data protection, through technology design and data protection-friendly default settings. TLS/SSL encryption (https): To protect user data transmitted via our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology for securing internet connections by encrypting the data transmitted between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated and more secure version of SSL. Hyper Text Transfer Protocol Secure (HTTPS) is displayed in the URL if a website is secured by an SSL/TLS certificate. For example, to protect the transmission of confidential information that you send to us as the website provider, we use SSL encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL encryption is activated, the data you transmit to us cannot be read by third parties. However, no security system is impenetrable, and we cannot guarantee the security of our systems 100%. In the event that any personal data under our control is compromised as a result of a security breach, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose personal data may have been compromised and or the competent data protection authority.

26. U.S. State Privacy Rights  (California, Virginia, Colorado, Connecticut, Utah)

This section applies solely to individuals who reside in California, Virginia, Colorado, Connecticut, or Utah, and supplements the information provided in this Privacy Policy. These residents may have additional rights under their respective state consumer privacy laws.

Your Privacy Rights

Subject to certain exceptions, you may have the following rights:

• Right to Know and Access: Request information about the categories and specific pieces of personal data we have collected about you in the past 12 months, including:
• The categories of personal data collected
• The sources from which the data was collected
• The business or commercial purpose for collecting the data
• The categories of third parties with whom the data was shared
• The specific personal data collected
• Right to Delete: Request the deletion of your personal data, subject to certain legal and operational exceptions (e.g., if needed to complete transactions or comply with legal obligations).
• Right to Correct (available in CA, VA, CO, CT): Request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information (California only): Request restrictions on the use of sensitive personal data, such as religious beliefs or spiritual identifiers.
  Note: We only use sensitive data as necessary for core religious purposes and never for inferring characteristics.
• Right to Opt Out of Sale or Sharing: We do not sell or share personal data as defined by U.S. state privacy laws.
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
• Right to Appeal (VA, CO, CT): If we deny your request, you may appeal our decision.

How to Exercise Your Rights

To exercise any of your privacy rights, please contact us using one of the following methods:

• Email: info@bhaktimarga.us
• Phone: +1 607 391 2860
• Mail: Bhakti Marga US, 304 Demarest Parkway, Elmira, NY 14905, USA

Please include your state of residence and clearly specify which right you wish to exercise. We may need to verify your identity before processing your request (e.g., by confirming your email address or other identifying information).

Authorized Agents (California Only)

California residents may designate an authorized agent to make requests on their behalf. To do so, you must provide the agent with written authorization, and we may require confirmation of that designation directly from you.

Additional California Notices

In accordance with Cal. Civ. Code §1789.3, California residents may contact the Complaint Assistance Unit of the California Department of Consumer Affairs at:
1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, USA,
or by phone at (800) 952-5210 or (916) 445-1254.

We will not discriminate against you for exercising your rights. This means we will not deny you services, charge you different prices, or provide you with a different level of service based on your request.

Data Retention

We retain personal data only as long as necessary for the purposes described in this Privacy Policy. For example:

• Event participation and donation records: 7 years (for legal and financial compliance)
• Newsletter engagement data: Until consent is withdrawn or after 3 years of inactivity
• Analytics and usage data: Up to 14 months

Updates to This Section

We may update this section as state privacy laws evolve. Please check this Privacy Policy periodically for the latest version.

27. European Union Data Subjects Rights 

EU Residents

If you are a resident of the European Union (“EU”), United Kingdom, Lichtenstein, Norway or Iceland, you may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to your Personal Data, as outlined below.

For this section, we use the terms “Personal Data” and “processing” as they are defined in the GDPR, but “Personal Data” generally means information that can be used to individually identify a person, and “processing” generally covers actions that can be performed in connection with data such as collection, use, storage and disclosure. Bhakti Marga will be the controller of your Personal Data processed in connection with the Services.

If there are any conflicts between this section and any other provision of this Privacy Policy, the provision or portion that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following applies to you, please contact us at dataprotection@bhaktimarga.org. Note that we may also process Personal Data of our customers’ end users or employees in connection with our provision of certain services to customers, in which case we are the processor of Personal Data. If we are the processor of your Personal Data (i.e., not the controller), please contact the controller party in the first instance to address your rights with respect to such data.

The “Categories of Personal Data We Collect” section above details the Personal Data that we collect from you.

The “Our Commercial or Business Purposes for Collecting Personal Data” section above explains how we use your Personal Data.

We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity and our “legitimate interests” or the legitimate interest of others, as further described below.

• Contractual Necessity: We process the following categories of Personal Data as a matter of “contractual necessity”, meaning that we need to process the data in order to carry out our obligations under the Terms of Service, including providing the Services.
• Profile or Contact Data
• Payment Data
• Other Identifying Information You Voluntarily Choose to Provide
• Other Identifying Information Another User Chooses to Provide to You
• Legitimate Interest: We process the following categories of Personal Data when we believe it furthers the legitimate interest of us or third parties:
  • Providing, customizing and improving the Services
  • Marketing the Services
  • Corresponding with you
  • Meeting legal requirements and enforcing legal terms
  • Completing corporate transactions
• Device/IP Data
• Web Analytics
• Geolocation Data
• Other Identifying Information Another User Chooses to Provide to You
• We may also de-identify or anonymize Personal Data to further our legitimate interests. Examples of these legitimate interests include:
• Consent: In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time of collection. This information may include:
• sensitive data, such as the belief commitment  according to Art. 9 GDPR
• Other Processing Grounds: From time to time we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.

The “How We Share Your Personal Data” section above details how we share your Personal Data with third parties.

EU and UK data subject rights

You have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights, or to submit a request, please email us at dataprotection@bhaktimarga.org. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.

• Access: You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. You can also access certain of your Personal Data by logging on to your account.

• Rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. You can also correct some of this information directly by logging on to your account in the BM web application.

• Erasure: You can request that we erase some or all of your Personal Data from our systems.

• Withdrawal of Consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Services.

• Portability: You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.

• Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.

• Restriction of Processing: You can ask us to restrict further processing of your Personal Data.

• Right to File Complaint: You have the right to lodge a complaint about Bhakti Marga  practices with respect to your Personal Data with the supervisory authority of your country or EU Member State. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en.

28. EU Representative pursuant to Article 27 GDPR

Pursuant to Article 27 of the GDPR, we have appointed the following company as our representative in the European Union:

EU Representative:

Bhakti Event GmbH, Am Geisberg 1-8,65321 Heidenrod, Germany

Data subjects and supervisory authorities may contact our EU representative for all issues related to the processing of personal data by Bhakti Marga America in accordance with the GDPR.

29. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Revisions will be posted on this page with an updated “Last Updated” date.
 Users are encouraged to review the policy regularly. Continued use of our services after updates implies acceptance of the changes.

 

Last update: 07.06.2025