Privacy Policy

2.1 Data You Provide Directly

• Name and email address (when you enrol in a programme, join a waitlist, or contact us).
• Payment information (processed securely by Stripe; we do not store your card details on our servers).
• Any information you include in messages sent to us via email or WhatsApp.

2.2 Data Collected Automatically

• IP address and approximate geolocation (country/region level).
• Browser type, operating system, device type, and User-Agent string.
• Pages visited, time spent on pages, and referral source.
• Session identifiers used for analytics and advertising attribution (see Section 5 below).

2.3 Advertising and Tracking Identifiers

When you consent to marketing cookies, we collect and process the following identifiers for advertising attribution and campaign optimisation purposes:

• _fbp (Meta Pixel browser cookie): a unique identifier set by the Meta Pixel on your browser.
• _fbc (Meta click identifier): captures the click ID from a Facebook ad click.
• emi_uid: a first-party session identifier generated by our website to connect your browsing session with any subsequent purchase event.
• Hashed email address: if you provide your email during checkout, a SHA-256 hashed version may be transmitted for advertising matching purposes. We never transmit your email in plain text to advertising platforms.

We use Meta's Conversions API to measure the effectiveness of our advertising campaigns on Facebook and Instagram. This system operates server-side, meaning data is sent directly from our server to Meta's servers, rather than solely relying on browser-based cookies.

When you consent to marketing cookies on our website, the following data may be transmitted to Meta via CAPI:

• Your IP address and User-Agent string (for matching and deduplication).
• The _fbp and _fbc identifiers set by the Meta Pixel (browser-side).
• Our internal session identifier (emi_uid).
• A SHA-256 hash of your email address (if provided during checkout).
• Purchase event data (event name, value, currency, timestamp).

This data is used exclusively for advertising attribution (understanding which ads led to enrolments) and campaign optimisation. It is transmitted only when you have given explicit consent for marketing cookies. If you decline marketing cookies, no data is sent to Meta via CAPI.

Meta processes this data as a joint controller for certain purposes and as a processor for others, under the Meta Business Tools Terms (available at facebook.com/legal/terms/businesstools). Meta is certified under the EU-US Data Privacy Framework.

We do not sell your personal data to any third party. We do not share your data with any party not listed above.

Some of our service providers process data outside the European Economic Area (EEA) and the United Kingdom. Where data is transferred to the United States, we rely on the following safeguards:

• The EU-US Data Privacy Framework (DPF), where the provider is certified (Stripe, Meta, Vercel).
• Standard Contractual Clauses (SCCs) approved by the European Commission, as an additional safeguard.

If either safeguard is invalidated in the future, we will implement appropriate alternative measures or cease the relevant data transfer.

• Purchase records and invoices: 7 years from the date of purchase (UK tax and accounting obligations under HMRC rules).
• Marketing data (email, consent records): retained until you withdraw consent. You may unsubscribe at any time.
• CAPI/advertising data: retained by Meta in accordance with their data retention policy. We do not control Meta's retention periods.
• Support correspondence: retained for 2 years from the date of your last message, unless a longer period is required for legal purposes.
• Website analytics data: aggregated and anonymised; no personal data is retained beyond 26 months.

Under the GDPR and UK GDPR, you have the following rights:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”): request deletion of your data where there is no legitimate reason for us to continue processing it.
• Right to restriction: request that we limit processing of your data in certain circumstances.
• Right to data portability: request your data in a structured, commonly used, machine-readable format.
• Right to object: object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing prior to withdrawal.

To exercise any of these rights, contact us at: privacy@europeanmeditationinstitute.com. We will respond within 30 days.

If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with:

• The Information Commissioner's Office (ICO) in the United Kingdom: ico.org.uk
• Your national data protection authority in the EU, if you are an EU resident.

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@europeanmeditationinstitute.com.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if we have your email address) and update the “Effective Date” at the top of this page. We encourage you to review this policy periodically.

European Meditation Institute Ltd
71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
Email: privacy@europeanmeditationinstitute.com
General enquiries: contact@europeanmeditationinstitute.com