THE MODERN MYSTIC PRIVACY POLICY & DATA PROTECTION STATEMENT

  The Modern Mystic ® is an online spiritual community and store offering content, events, readings, reports, courses, memberships, and related products and services. For the purposes of applicable privacy law, The Modern Mystic is the controller of the personal data described in this policy unless we expressly state otherwise. Privacy laws commonly require a privacy notice to explain who is collecting data, why it is being collected, how it is used, and how individuals can exercise their rights. (ICO) 

 This policy applies to personal data collected through:

• our website and online store;
• checkout, bookings, consultations, and reading requests;
• newsletter sign-up forms;
• customer support and direct messages;
• online community spaces, comments, forums, and memberships;
• digital downloads, events, webinars, and classes;
• cookies, analytics tools, pixels, and similar technologies.

  We handle personal data in line with the principles of:

• lawfulness, fairness, and transparency;
• purpose limitation;
• data minimisation;
• accuracy;
• storage limitation;
• integrity and confidentiality; and
• accountability.
      These principles are expressly stated in the GDPR framework and are      consistent with the broader transparency and fair-handling approaches      found in other major privacy laws. (European      Commission)

  Depending on how you interact with us, we may collect the following categories of personal data:

Identity and contact data
Name, display name, billing address, shipping address, email address, phone number, and account login details.

Order and transaction data
Products or services purchased, booking history, payment status, order history, refunds, and invoices. We do not store full payment card numbers ourselves; payments should be processed by PCI-compliant payment providers.

Profile and community data
Profile photo, username, biography, interests, comments, posts, private messages within the platform, group participation, and event attendance.

Reading and service data
Information you provide for astrology, tarot, mediumship, healing, spiritual guidance, or other services, which may include date of birth, time of birth, place of birth, questions you ask, notes we take during sessions, follow-up messages, and preferences relevant to the service.

Technical and usage data
IP address, device type, browser, operating system, language, pages viewed, referral source, time spent on pages, event logs, cookie identifiers, and analytics information.

Marketing and preferences data
Email preferences, subscription status, wishlist activity, abandoned basket information, survey responses, and communication choices.

Customer support data
Messages, contact forms, complaints, review content, and attachments you choose to send.

    Because The Modern Mystic operates in the spirituality and guidance space, some information users provide may be sensitive under certain laws. Under GDPR-style laws, data revealing religious or philosophical beliefs is special-category data; sensitive data may also include health information or details about sex life, depending on what a customer chooses to share. UK GDPR requires both a lawful basis and, for special-category data, an additional condition before processing begins. Brazil’s LGPD also treats religious belief and health data as sensitive personal data. (ICO)

For that reason, our policy is:

• we only ask for sensitive information when it is genuinely      needed for a service you requested;
• we ask customers not to send unnecessary sensitive      information;
• where required by law, we rely on explicit consent or      another valid legal condition before processing such data;
• we restrict access to this data to trained staff or trusted      processors who need it to deliver the service;
• we do not use sensitive data for advertising profiling.

  We collect personal data:

• directly from you when you create an account, place an order,      book a service, fill in a form, attend an event, join the community, post      content, or contact us;
• automatically through cookies, analytics, server logs, and      similar technologies when you use our site;
• from service providers that help us process orders, bookings,      payments, email marketing, shipping, fraud prevention, community hosting,      and analytics;
• in limited cases, from social platforms or third parties      where you connect with us through those services and choose to share data.

Privacy laws commonly require businesses to explain the categories of data collected, the sources of that data, the purposes of collection, and who data is disclosed to. (ICO)

  We use personal data to:

• create and manage customer and community accounts;
• process orders, payments, bookings, deliveries, and refunds;
• provide readings, reports, events, memberships, and customer      support;
• personalise user experience and remember preferences;
• manage the community, moderate content, and keep the space      safe;
• send transactional messages about orders, bookings, and      account activity;
• send marketing where permitted by law and where you have      consented or another lawful route applies;
• detect fraud, misuse, and security issues;
• maintain records for tax, accounting, legal, and      dispute-resolution purposes;
• improve our site, products, services, and content.

  For users in the UK, EEA, and similar jurisdictions, we rely on one or more of the following lawful bases:

• contract: to process orders, bookings, memberships,      and service delivery;
• consent: for optional marketing, some cookies, and      where required for sensitive information;
• legitimate interests: to run and improve our business,      secure our services, prevent fraud, moderate the community, and respond to      enquiries, where those interests are not overridden by your rights;
• legal obligation: where we must keep records, respond      to lawful requests, or comply with tax and consumer laws.
      ICO guidance states that privacy notices should explain the lawful basis      relied on, and if special-category data is used, the additional condition      must also be identified. (ICO)

    If you join our online community, some of your profile information and anything you post may be visible to other members, depending on the settings of the platform. Please do not post personal or sensitive information that you would not want other members to see. We may moderate, remove, restrict, archive, or retain community content where reasonably necessary to enforce community standards, investigate abuse, or meet legal obligations.

If you upload information about another person, you must have the right to share it.

   We may send newsletters, promotions, product updates, event invitations, and content recommendations by email or similar channels where you have opted in, where the law otherwise permits it, or where an existing-customer exception applies. Under PECR, marketing emails or texts to individuals generally require specific consent unless the “soft opt-in” applies for similar products or services sold or negotiated previously. Consent for electronic marketing must be freely given, and users must be able to opt out easily. (ICO)

You can unsubscribe at any time by:

• clicking the unsubscribe link in any marketing email;
• updating your account preferences;
• contacting us directly.

We keep a suppression list where needed so we can honour opt-out requests.

    We use cookies and similar technologies to:

• keep the website secure;
• remember your basket and settings;
• understand how visitors use the site;
• improve performance and design;
• measure campaign effectiveness; and
• [if applicable] support personalised advertising.

Under PECR, users must be told what cookies do and why they are used, and consent must be actively given for non-essential cookies. Essential cookies that are strictly necessary for a requested service, such as basket or security cookies, may be used without consent. (ICO)

Our cookie approach is:

• essential cookies load by default;
• analytics, advertising, and similar non-essential      technologies are used only after consent where required;
• users can change cookie choices through our cookie banner or      settings tool;
• where required, we honour browser-based privacy signals and      local legal requirements.

    Payments are processed by third-party payment providers. We receive payment confirmations, limited billing details, and transaction records, but we do not intentionally store full card details on our own systems. 

     We share personal data only where necessary and appropriate, including with:

• payment processors;
• e-commerce, booking, and website hosting providers;
• email and CRM providers;
• shipping and fulfilment partners;
• community platform providers;
• analytics and security providers;
• professional advisers such as accountants, lawyers, and      insurers;
• regulators, courts, law enforcement, or other authorities      where legally required;
• successors in the event of a merger, sale, or restructure.

We require processors and service providers to use personal data only on our instructions and under appropriate contractual protections where the law requires this. International privacy frameworks distinguish between controllers and processors/service providers and require documented safeguards for that relationship. (European Commission) 

   Because we operate online, your data may be processed in countries other than your own. Where applicable law requires safeguards for international transfers, we use measures such as:

• adequacy decisions;
• standard contractual clauses;
• equivalent contractual protections;
• transfer risk assessments; or
• other lawful mechanisms recognised by the relevant      jurisdiction.
      The EU framework expressly provides for safeguards such as adequacy      decisions, SCCs, and BCRs for transfers outside the EU, and Brazil’s ANPD      has separate international transfer rules. (European Commission)

    We keep personal data only for as long as it is reasonably necessary for the purpose for which it was collected, and then delete, anonymise, or securely archive it unless we must keep it longer for legal, tax, accounting, fraud-prevention, or dispute reasons. GDPR includes a storage-limitation principle, and California law requires notice of retention periods or the criteria used to determine them and says data should not be kept longer than reasonably necessary for the disclosed purpose. (European Commission)

Our standard retention approach is:

• Customer accounts: while active and for up to 24      months after inactivity
• Orders, invoices, and tax records: up to 7 years, or      longer if law requires
• Booking enquiries not completed: up to 12 months
• Reading notes, astrology birth details, and service      records: up to 24 months after the last service, unless you ask for      earlier deletion and we do not need to keep them
• Marketing records and consent logs: until you withdraw      consent, plus a limited suppression period to respect your choice
• Community content: while your account remains active      and for a reasonable archival period after closure, unless deletion is      required
• Support requests and complaint files: up to 24 months      after closure
• Backups: rolling backup cycles, normally overwritten      within 90 days unless needed for security or recovery

    We store personal data using reputable service providers with appropriate technical and organisational measures. Our safeguards include, where appropriate:

• role-based access controls;
• strong passwords and multi-factor authentication;
• encryption in transit and, where available, at rest;
• secure payment processing;
• logging and monitoring;
• vendor due diligence and data processing agreements;
• periodic review of who has access to what;
• secure backup and recovery processes;
• secure deletion and disposal procedures.
      The GDPR’s principles of integrity, confidentiality, and accountability      require organisations to protect data appropriately, and major privacy      frameworks use similar security expectations. (European      Commission)

     When personal data is no longer needed, we dispose of it securely. Depending on the system, this may include:

• permanent deletion from live systems;
• anonymisation where deletion is impractical but      identification is no longer needed;
• secure shredding of paper records;
• deletion or scheduled overwrite of backups in line with      backup cycles;
• documented deletion requests to processors and service      providers where applicable.

    Depending on where you live, you may have rights to:

• be informed about how your data is used;
• access your data;
• correct inaccurate data;
• delete data;
• restrict or object to certain processing;
• receive a portable copy of data in some circumstances;
• withdraw consent;
• opt out of certain targeted advertising or sale/sharing      practices where applicable;
• limit the use of sensitive personal information where local      law gives that right;
• complain to a regulator.
      GDPR rights include the rights to be informed, access, rectification,      erasure, restriction, portability, objection, and rights relating to      automated decision-making. California rights include rights to know,      delete, opt out, correct, limit certain uses of sensitive information, and      non-discrimination. (European      Commission)

To exercise your rights, contact: [insert email/contact page].
We may need to verify your identity before acting on a request.

    For California residents, where the CCPA/CPRA applies, this section supplements the rest of the policy.

We may collect the following categories of personal information:

• identifiers;
• customer records information;
• commercial information;
• internet or network activity;
• geolocation data derived from IP or device settings;
• sensitive personal information such as account login      credentials and, if you voluntarily provide it, information that may      reveal spiritual or philosophical beliefs.

We collect this information from:

• you directly;
• your device and browser;
• service providers;
• payment, booking, and community platforms.

We use it for:

• order fulfilment and service delivery;
• customer service;
• site functionality and analytics;
• fraud prevention and security;
• marketing where permitted;
• legal and recordkeeping obligations.
• We do not sell or share personal      information for cross-context behavioural advertising.

If we collect sensitive personal information, we use it only for the purposes described at collection and not for unrelated profiling. California law requires notice at or before collection of categories, purposes, sensitive-data categories if collected, and retention periods or criteria. It also provides rights to know, delete, correct, opt out of sale/sharing, limit certain uses of sensitive information, and be free from discrimination for exercising rights. (cppa.ca.gov)t.

   If you are in Canada, Brazil, Australia, or another region with local privacy rights, we will handle your data in line with applicable law and respond to rights requests as required. PIPEDA applies to private-sector organisations collecting, using, or disclosing personal information in the course of commercial activity and is built around 10 fair information principles. Australia’s APP framework requires a clearly expressed, up-to-date privacy policy and notice of collection matters. Brazil’s LGPD applies in a range of situations including where processing is aimed at offering goods or services to individuals in Brazil and sets specific rules for sensitive personal data and international transfers. (priv.gc.ca)

      The Modern Mystic is intended for adults. We do not knowingly collect personal data from children under 16 years of age, without appropriate authorisation where required by law. If we learn that a child’s data has been provided without proper permission, we will delete it as soon as reasonably possible.

    We do not make legally significant decisions based solely on automated processing. If we use recommendation tools, fraud checks, or basic personalisation, these are used to support service delivery and site operation rather than to make solely automated decisions with legal or similarly significant effects.

      If you have a privacy concern, please contact us first at DataProtection@TheModernMystic.Com so we can try to resolve it. You may also complain to your local supervisory authority or privacy regulator where applicable.

      We may update this policy from time to time to reflect changes in law, technology, our services, or our business practices. When we do, we will update the “Last updated” date and, where appropriate, give additional notice.