Data Protection and Privacy Policy
Policy Statement:
At Altar of Earth, we are committed to protecting the privacy and security of the personal data we collect, process, and store. Responsible handling of personal data is fundamental to maintaining the trust of our community, participants, and everyone who interacts with our services. This Data Protection and Privacy Policy sets out our commitment to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK General Data Protection Regulation (UK GDPR), and to the key principles of US privacy frameworks, including, where applicable, the California Consumer Privacy Act (CCPA) and the health data principles of HIPAA. Note that HIPAA binds only covered entities and their business associates, and that US state privacy laws such as the CCPA apply only to organisations above certain revenue or data-volume thresholds; their applicability to Altar of Earth is addressed in the Disclaimer at the end of this policy.
Our mission to connect individuals to ancestral ties and nature for mental well-being inherently involves sensitive personal information. We recognise that the journey of healing is deeply personal, and privacy is a cornerstone of that trust. Therefore, we approach data protection not merely as a legal obligation, but as an ethical imperative, ensuring transparency, security, and respect for individual rights at every stage of data processing.
1. Scope
This policy applies to all personal data processed by Altar of Earth, whether collected online, offline, or through any other means. This includes data pertaining to:
Website visitors
Service users and participants
Employees and volunteers
Contractors and partners
Anyone else whose personal data is processed by or on behalf of Altar of Earth.
It covers all systems, services, activities, and operations where personal data is processed.
2. Definitions
Personal Data: Any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Special Categories of Personal Data (Sensitive Personal Data): Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. Given our work in mental well-being, health data may be processed.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Altar of Earth is typically the Controller of the personal data it processes.
Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Data Subject: The identified or identifiable natural person to whom the personal data relates.
GDPR: The General Data Protection Regulation (EU) 2016/679.
UK GDPR: The UK General Data Protection Regulation, that is, the EU GDPR as retained in UK law after the UK's withdrawal from the EU, read together with the Data Protection Act 2018.
3. Data Protection Principles (GDPR Core)
Altar of Earth adheres strictly to the seven key principles of the GDPR, which are fundamental to lawful data processing:
Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject. This means we will always have a valid legal basis for processing, be clear about what data we collect and why, and communicate this clearly to individuals.
Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimisation: Personal data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. We will not collect excessive data.
Accuracy: Personal data is accurate and, where necessary, kept up to date. Every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage Limitation: Personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Data will be securely deleted or anonymised when no longer needed.
Integrity and Confidentiality (Security): Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Accountability: Altar of Earth, as the data controller, is responsible for, and must be able to demonstrate compliance with, the above principles. We maintain records of processing activities and implement data protection by design and default.
4. Lawful Bases for Processing Personal Data
Altar of Earth will only process personal data when we have a valid lawful basis as set out in Article 6 of the GDPR. These include:
Consent: The individual has given clear consent for us to process their personal data for a specific purpose.
Contract: The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
Legal Obligation: The processing is necessary for us to comply with the law (not including contractual obligations).
Vital Interests: The processing is necessary to protect someone’s life.
Public Task: The processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
For Special Categories of Personal Data, additional conditions from Article 9 of the GDPR must be met (e.g., explicit consent, substantial public interest, or for health or social care purposes where specific conditions are met).
5. Types of Personal Data Collected and Processed
The types of personal data we may collect and process include, but are not limited to:
Identity Data: Name, date of birth, gender.
Contact Data: Email address, postal address, telephone numbers.
Health Data (Special Category): Information related to mental and physical health, well-being, and any conditions relevant to participation in our nature-based and ancestral connection programs. This is collected with explicit consent and only where necessary for safe and effective service provision.
Payment Data: Billing address, payment card details (processed securely via third-party payment processors, we do not store full card details).
Technical Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
Usage Data: Information about how you use our website, products, and services.
Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.
Ancestral/Family Information: Non-identifiable or pseudonymised data relating to ancestral lines or family history may be discussed in the context of our services, but direct personal data of other living individuals will not be collected without explicit consent where required.
6. How We Collect Personal Data
We collect personal data through various methods, including:
Direct Interactions: When you register for our services, subscribe to newsletters, fill out forms, participate in surveys, or communicate with us directly (via email, phone, or in person).
Automated Technologies or Interactions: As you interact with our website, we may automatically collect Technical Data and Usage Data using cookies and similar technologies. Cookies that are not strictly necessary for the website to function (for example, analytics or marketing cookies) are set only with your consent, as required in the UK by the Privacy and Electronic Communications Regulations (PECR) and in the EU by the ePrivacy Directive.
Third Parties or Publicly Available Sources: We may receive personal data from third parties (e.g., analytics providers, payment processors, social media platforms) where permitted by law and relevant privacy settings.
7. How We Use Your Personal Data
We use your personal data for the following purposes:
To provide and manage our services and programs, including personalized support based on your needs.
To process payments and manage accounts.
To communicate with you about our services, updates, and relevant information.
To send you marketing communications (if you have consented to receive them).
To improve our website, services, and user experience through analytics.
To comply with legal obligations and regulatory requirements.
For internal record keeping, administration, and reporting.
To ensure the safety and well-being of all participants, particularly vulnerable adults and children, in line with our safeguarding policies.
8. Data Subject Rights (GDPR Rights)
Under GDPR, individuals have the following rights regarding their personal data. Altar of Earth is committed to upholding these rights:
The Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data. This policy serves that purpose.
The Right of Access: Individuals have the right to request access to their personal data and supplementary information.
The Right to Rectification: Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete.
The Right to Erasure (the 'Right to be Forgotten'): Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The Right to Restrict Processing: Individuals have the right to request the suppression or restriction of their personal data’s processing in certain circumstances.
The Right to Data Portability: Individuals have the right to receive the personal data they have provided to us in a structured, commonly used, machine-readable format and to reuse it across different services. This right applies where the processing is based on consent or contract and is carried out by automated means.
The Right to Object: Individuals have the right to object to the processing of their personal data in certain circumstances, particularly for direct marketing or processing based on legitimate interests or public tasks.
Rights in relation to Automated Decision Making and Profiling: Individuals have rights concerning decisions based solely on automated processing, including profiling, that produces legal or similarly significant effects concerning them.
To exercise any of these rights, please contact our Designated Safeguarding Lead / Data Protection Contact at the details provided below. We will respond within one month of receiving your request; where a request is complex or we receive several from the same person, we may extend this by up to two further months, in which case we will tell you within the first month and explain why. Where the CCPA applies, we will respond within the 45 days it requires. Before acting on a request we will verify your identity using means proportionate to the sensitivity of the data involved, and we will not ask for more information than is necessary to do so.
9. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share personal data with:
Service Providers: Trusted third-party service providers who assist us in operating our website, conducting our business, or providing services to you (e.g., payment processors, email service providers, IT support). These providers act as processors on our behalf under written data processing agreements that meet the requirements of Article 28 GDPR / UK GDPR: they may use the data only on our documented instructions and for the purposes for which we disclose it, must keep it confidential and secure, and must assist us in meeting our obligations, including breach notification.
Legal and Regulatory Authorities: When required by law, court order, or governmental regulation, or if we believe in good faith that such action is necessary to comply with legal processes, protect our rights or property, or ensure the safety of our users or the public.
In Case of Emergency: If there is an urgent safeguarding concern or immediate risk of harm to an individual, information may be shared with relevant authorities (e.g., police, social services/child/adult protective services) in accordance with our safeguarding policies and legal obligations, without delay.
10. International Data Transfers
As Altar of Earth operates internationally (UK and US), personal data may be transferred to, and stored at, a destination outside of the European Economic Area (EEA) and the UK. Where such transfers occur, we will ensure appropriate safeguards are in place as required by GDPR and UK GDPR, such as:
Transferring to countries, or to recipients under a framework, that the European Commission or the UK Secretary of State has deemed to provide an adequate level of data protection (for recipients in the US, the EU-US Data Privacy Framework and its UK extension, which cover only organisations certified under them).
Using standard contractual clauses (SCCs) approved by the European Commission or, for transfers from the UK, the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, supported by a transfer risk assessment where required.
Reliance on Binding Corporate Rules (BCRs) where applicable.
11. Data Security
Altar of Earth implements robust technical and organisational measures to protect your personal data against unauthorised access, unlawful processing, accidental loss, destruction, or damage. These measures include:
Encryption: Encrypting personal data in transit and at rest, with particular attention to special category data such as health data.
Access Controls: Restricting access to personal data to those employees, volunteers, and contractors who have a legitimate need for it, on a least-privilege basis, and removing that access when the need ends.
Security Policies: Implementing strict internal data security policies and procedures.
Regular Audits: Regularly auditing our systems and practices for vulnerabilities.
Staff Training: Ensuring all personnel are trained in data protection and security best practices.
12. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
13. Data Breach Notification
In the event of a personal data breach (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), Altar of Earth will act swiftly and diligently:
We will contain the breach and assess the risk to individuals' rights and freedoms.
We will notify the relevant supervisory authority (e.g., the Information Commissioner's Office (ICO) in the UK) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If notification is made after 72 hours, it will be accompanied by the reasons for the delay.
If the breach is likely to result in a high risk to those rights and freedoms, we will also notify the affected individuals without undue delay, describing the likely consequences and the measures we have taken or recommend they take.
Processors acting on our behalf are contractually required to notify us without undue delay after becoming aware of a breach, so that these timescales can be met.
We will keep a record of all personal data breaches, including the facts, their effects, and the remedial action taken, whether or not they met the threshold for notification.
14. Children's Privacy (Specific to under 18s)
While our primary safeguarding policy addresses children, we reiterate our commitment to protecting children's privacy under this policy.
Where we offer online services directly to children and rely on consent as the lawful basis, we obtain verifiable parental consent for children under 13 (the threshold under COPPA in the US and the age of digital consent under the UK GDPR) and, for children in the EU, under the age of digital consent that applies in their member state, which ranges from 13 to 16 under Article 8 GDPR.
If we learn that we have collected personal data from a child without the consent required, we will delete that information as quickly as possible.
For children above the applicable age of digital consent but under 18, we process data in accordance with GDPR principles, acknowledging their evolving capacity and rights and applying the safeguards in our safeguarding policy.
15. Your Responsibilities
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
16. Contact Information and Complaints
If you have any questions about this privacy policy or our data protection practices, or if you wish to exercise any of your data subject rights, please contact our:
Designated Safeguarding Lead / Data Protection Contact: Melissa Main Email: contact@altarofearth.org
You also have the right to make a complaint at any time to the relevant supervisory authority for data protection. In the UK, this is the Information Commissioner's Office (ICO) (www.ico.org.uk). In the EU, you can contact the data protection authority in your country of residence. While we would appreciate the chance to deal with your concerns before you approach the supervisory authority, you have the right to complain at any time.
17. Policy Review
This policy will be reviewed and updated regularly, at least annually, or as required by changes in legislation, guidance, or our data processing activities. The latest version will always be available on our website.
Disclaimer: This Data Protection and Privacy Policy provides a framework based on the GDPR and UK GDPR. While it incorporates general principles of data privacy found in US laws, the US does not have a single, overarching federal privacy law comparable to GDPR, but rather a patchwork of sectoral and state-specific laws (e.g., CCPA for California residents, HIPAA for health information held by covered entities and their business associates, and state breach notification laws). This document should be considered a template and must be reviewed, adapted, and approved by qualified legal counsel in the UK and in each US state where Altar of Earth operates to ensure full compliance with all applicable data protection and privacy laws.