Privacy Policy
Effective Date: 01.01.2026
Last Updated: 23.11.2025
1. Introduction
Thank you for visiting Reiki by Ulrike. Your privacy is important to me, and I am committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz - DSG).
This Privacy Policy explains what personal data I collect, how I use it, your rights regarding your data, and how to contact me with any questions or concerns.
Please read this Privacy Policy carefully before using my services or providing any personal information.
2. Data Controller
For the purposes of the GDPR, the data controller is:
Ulrike Rapf
Trading as: Reiki by Ulrike
Address: Ketzergasse 279
Perchtoldsdorf, Austria
Email: office@reikibyulrike.com
Website: www.reikiforeveryday.com
As I currently operate as a sole proprietor without employees, I do not have a designated Data Protection Officer (DPO). For all data protection inquiries, please contact me directly using the contact information above.
3. What Personal Data I Collect
I collect and process the following types of personal data:
3.1 Information You Provide Directly
When you use my services, I may collect:
- Contact Information: Name, email address, phone number, mailing address, country/location, time zone
- Account Information: Username, password (encrypted), communication preferences
- Payment Information: Billing address, payment method details (processed securely through Stripe - see Section 7)
- Health & Wellness Information: Information you voluntarily share about your stress levels, health concerns, wellness goals, symptoms, or conditions (for the purpose of tailoring Reiki sessions)
- Session Information: Session preferences, feedback, progress notes, testimonials
- Communication Records: Contents of emails, messages, or other communications with me
3.2 Information Collected Automatically
When you visit my website, I automatically collect:
- Technical Data: IP address, browser type and version, device type, operating system, time zone setting
- Usage Data: Pages visited, time spent on pages, links clicked, referral source, date and time of visits
- Cookies and Tracking Data: Information collected through cookies and similar technologies (see Section 11)
3.3 Information from Third Parties
I may receive information about you from:
- Payment Processors: Stripe provides transaction confirmation and payment status
- Email Service Provider: Kit (ConvertKit) provides email delivery and engagement data
- Social Media: If you interact with my Instagram account or other social media, I may receive publicly available profile information
4. Legal Basis for Processing Your Data
Under the GDPR, I must have a lawful basis to process your personal data. I process your data based on:
4.1 Consent (Article 6(1)(a) GDPR)
When you:
- Subscribe to my email list or newsletter
- Agree to receive marketing communications
- Provide health information for Reiki sessions
- Participate in surveys or provide feedback
- Agree to testimonial use
You have the right to withdraw consent at any time.
4.2 Performance of a Contract (Article 6(1)(b) GDPR)
When processing is necessary to:
- Deliver Reiki sessions you've booked
- Provide digital products you've purchased
- Fulfill membership services
- Respond to your service inquiries
- Process payments
4.3 Legitimate Interests (Article 6(1)(f) GDPR)
When it serves my legitimate business interests, such as:
- Improving my website and services
- Analyzing website usage and traffic patterns
- Preventing fraud and ensuring security
- Sending service-related (non-marketing) communications
- Maintaining business records
I always balance these interests against your rights and will not process data in ways you wouldn't reasonably expect.
4.4 Legal Obligations (Article 6(1)(c) GDPR)
When required by law, such as:
- Maintaining financial records for tax purposes
- Responding to lawful requests from authorities
- Complying with Austrian and EU legal requirements
5. How I Use Your Personal Data
I use your personal data for the following purposes:
5.1 Service Delivery
- Providing distant Reiki sessions at the time agreed upon between you and me
- Delivering digital products you've purchased
- Managing your account and memberships
- Communicating about your services (session confirmations, reminders, follow-ups)
- Tailoring sessions to your specific needs
5.2 Communication
- Sending you the free resources you've requested (e.g., Instant Calm Toolkit)
- Sending email sequences and newsletters (with your consent)
- Responding to your inquiries and providing customer support
- Notifying you of important changes to services or policies
5.3 Marketing (with your consent)
- Sending promotional emails about my services and products
- Sharing wellness tips and educational content
- Informing you about new offerings
You can opt out of marketing communications at any time.
5.4 Business Operations
- Processing payments and managing transactions
- Maintaining financial and business records
- Analyzing website performance and user behavior
- Improving my services based on feedback
- Preventing fraud and ensuring security
5.5 Legal Compliance
- Complying with legal and regulatory requirements
- Responding to lawful requests from authorities
- Protecting my legal rights and interests
6. How Long I Keep Your Data
I retain personal data only as long as necessary for the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.
Retention Periods:
- Active Clients/Customers: Data retained while you use my services and for 3 years after your last interaction, to allow for follow-up, testimonials, and potential re-engagement
- Email Subscribers: Until you unsubscribe, plus 6 months for administrative purposes
- Financial Records: 7 years from the end of the fiscal year (Austrian tax law requirement)
- Website Analytics: Aggregated and anonymized data may be retained indefinitely
- Marketing Consents: Until withdrawn, or after 3 years without engagement
- Cookies: As specified in cookie settings (typically 1-12 months)
After the retention period, I will securely delete or anonymize your personal data.
Your Right to Request Deletion: You may request deletion of your data at any time (see Section 9).
7. Who I Share Your Data With
I do not sell, rent, or trade your personal data to third parties for their marketing purposes.
I may share your data with the following categories of recipients:
7.1 Service Providers (Data Processors)
I use trusted third-party service providers to support my business operations. These providers process data on my behalf and are contractually obligated to protect your data:
Website Hosting:
- Provider: World4You
- Purpose: Website hosting and maintenance
- Location: Austria
Email Marketing:
- Provider: Kit (ConvertKit)
- Purpose: Email delivery, list management, automation
- Location: USA (covered by EU-US Data Privacy Framework)
Payment Processing:
- Provider: Stripe
- Purpose: Secure payment processing
- Location: USA (covered by EU-US Data Privacy Framework)
- Note: I do not store full credit card information; Stripe handles this securely
Analytics:
- Provider: not included yet
- Purpose: Website traffic analysis and improvement
- Location: [Location]
Customer Relationship Management:
- Provider: myself
- Purpose: Managing client communications and records
7.2 Legal and Regulatory Authorities
I may disclose your data if required by law, court order, or governmental regulation, or to:
- Protect my legal rights
- Prevent fraud or criminal activity
- Protect the safety of any person
7.3 Business Transfers
If my business is sold, merged, or acquired, your personal data may be transferred to the new owner, who will continue to honor this Privacy Policy.
8. International Data Transfers
As I offer services globally, your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.
Safeguards for International Transfers:
When I transfer data outside the EEA, I ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework: Service providers like Stripe and Kit participate in this framework, ensuring adequate data protection
- Standard Contractual Clauses (SCCs): I use EU-approved SCCs with service providers where applicable
- Your Consent: By using my services, you consent to these transfers
For more information about specific safeguards for your data, please contact me.
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
9.1 Right to Access (Article 15)
You have the right to request a copy of the personal data I hold about you.
9.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
9.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data in certain circumstances, such as:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
Note: I may need to retain certain data to comply with legal obligations (e.g., financial records for tax purposes).
9.4 Right to Restriction of Processing (Article 18)
You can request that I limit how I use your data in certain situations, such as when you contest the accuracy of the data.
9.5 Right to Data Portability (Article 20)
You can request a copy of your data in a structured, commonly used, machine-readable format, and request that I transfer it to another controller.
9.6 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
9.7 Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
9.8 Right Not to Be Subject to Automated Decision-Making (Article 22)
I do not use automated decision-making or profiling that produces legal or similarly significant effects.
9.9 Right to Lodge a Complaint
If you believe I am not complying with data protection laws, you have the right to lodge a complaint with your local supervisory authority.
In Austria:
Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb[at]dsb.gv[dot]at
Website: www.dsb.gv.at
How to Exercise Your Rights:
To exercise any of these rights, please contact me at office@reikibyulrike.com. I will respond to your request within one month (this may be extended by two additional months for complex requests).
For verification purposes, I may ask you to confirm your identity before processing your request.
10. Data Security
I take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, loss, alteration, or disclosure.
Security Measures Include:
- Encryption: Sensitive data is encrypted in transit (SSL/TLS) and at rest where appropriate
- Access Controls: Limited access to personal data on a need-to-know basis
- Secure Service Providers: I work only with reputable providers who meet GDPR security standards
- Regular Backups: Data is backed up securely to prevent loss
- Password Protection: Strong passwords and secure authentication for accounts
- Regular Reviews: Periodic review of security practices and policies
However, please note: No method of transmission over the internet or electronic storage is 100% secure. While I strive to protect your data, I cannot guarantee absolute security.
Your Responsibility: Please keep your account credentials confidential and notify me immediately if you suspect unauthorized access to your account.
11. Cookies and Tracking Technologies
My website uses cookies and similar tracking technologies to enhance your experience and analyze website usage.
11.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They help the website remember your preferences and improve functionality.
11.2 Types of Cookies I Use
Essential Cookies (strictly necessary):
- Purpose: Enable core website functionality (e.g., security, accessibility)
- Legal Basis: Legitimate interest (necessary for website operation)
- You cannot opt out of these cookies
Analytics Cookies (optional):
- Purpose: Help me understand how visitors use my website (e.g., pages visited, time spent)
- Provider: [If you use Google Analytics or similar]
- Legal Basis: Consent
- You can opt out via cookie settings
Marketing Cookies (optional):
- Purpose: Track your online activity to show relevant ads
- Provider: [If applicable]
- Legal Basis: Consent
- You can opt out via cookie settings
11.3 Managing Cookies
You can control and manage cookies through:
- Cookie Banner: When you first visit my website, you can accept or reject optional cookies
- Browser Settings: Most browsers allow you to refuse or delete cookies
- Cookie Settings Page: [Link to dedicated cookie settings page if you have one]
Note: Blocking or deleting essential cookies may affect website functionality.
For more information about cookies and how to manage them, visit www.aboutcookies.org or www.allaboutcookies.org.
12. Third-Party Links
My website may contain links to third-party websites (e.g., social media, blog resources, payment processors, affiliate products).
Please note: I am not responsible for the privacy practices or content of external websites. This Privacy Policy applies only to my website and services.
I encourage you to review the privacy policies of any third-party sites you visit.
13. Children's Privacy
While I provide services to clients of all ages, clients under 18 years of age require consent from a parent or legal guardian before using my services or providing personal data.
I do not knowingly collect personal data from children under 14 years of age without parental consent (the age of digital consent in Austria under Article 8 GDPR and Section 4(4) DSG).
If I become aware that I have collected data from a child without proper consent, I will delete it promptly.
Parents/Guardians: If you believe your child has provided personal data without consent, please contact me immediately.
14. Changes to This Privacy Policy
I may update this Privacy Policy from time to time to reflect changes in my practices, services, legal requirements, or for other operational reasons.
When I Make Changes:
- I will update the "Last Updated" date at the top of this policy
- For significant changes, I will notify you via email (if you're a subscriber or client) or through a prominent notice on my website
- Continued use of my services after changes indicates acceptance of the updated policy
I encourage you to review this Privacy Policy periodically to stay informed about how I protect your data.
15. Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, I will:
- Notify the Austrian Data Protection Authority within 72 hours of becoming aware of the breach (as required under Article 33 GDPR)
- Notify you directly without undue delay if the breach poses a high risk to your rights and freedoms (as required under Article 34 GDPR)
The notification will include:
- The nature of the breach
- The likely consequences
- Measures taken or proposed to address the breach
- Contact information for further inquiries
16. Your Consent
By using my website, subscribing to my email list, booking services, or purchasing digital products, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal data as described herein.
Specifically, you consent to:
- Collection and processing of personal data as outlined in this policy
- Sharing data with service providers as described in Section 7
- International data transfers as described in Section 8
- Use of cookies and tracking technologies as described in Section 11
You have the right to withdraw your consent at any time by contacting me or using the opt-out mechanisms provided (e.g., unsubscribe links in emails).
17. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or how I handle your personal data, please contact me:
Ulrike Rapf
Reiki by Ulrike
Email: office[at]reikibyulrike[dot]com
Website: www.reikibyulrike.com
Address: Ketzergasse, Perchtoldsdorf, Austria
I will respond to your inquiry within one month. For complex requests, this may be extended by up to two additional months, and I will inform you of any delay.
18. Supervisory Authority
You have the right to lodge a complaint with the Austrian Data Protection Authority if you believe I am not handling your personal data in compliance with GDPR:
Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb[at]dsb.gv[dot]at
Website: www.dsb.gv.at
