Privacy Policy

Last updated: 10/2025

1. Controller

Blooming Souls – Coaching | Breathwork | Therapy
Stefanie Geibel Haxel
Rua de Moçambique 24 – 1. Andar, 1170-245 Lisboa, Portugal

Phone: +351 914 968 891
Email: contact@blooming-souls.com
Web: https://www.blooming-souls.com

2. General Information

We process personal data exclusively in accordance with the GDPR and—where applicable—Section 25 of the German TTDSG (storing/reading information on user devices, e.g., cookies).

Your rights (Arts. 15–21 GDPR): right of access, rectification, erasure, restriction, data portability, and objection.
Right to lodge a complaint: with the Portuguese Data Protection Authority CNPD (https://www.cnpd.pt) or any other competent EU supervisory authority.

3. Hosting (STRATO)

Provider: STRATO AG, Otto-Ostrowski-Str. 7, 10249 Berlin, Germany (processing under a data processing agreement).

Data processed: IP address, date/time, requested URL, referrer, user agent, error codes if applicable.
Purpose/Lawful basis: technical provision and security of the website (Art. 6(1)(f) GDPR).
Retention: server log files are generally deleted after 7 days.

4. Cookies & Consent Management (CookieYes)

We use CookieYes as our consent management platform (CMP). You can grant, manage, and revoke consent at any time.

  • Strictly necessary cookies (e.g., language selection, security/load balancing): Art. 6(1)(f) GDPR; Section 25(2) No. 2 TTDSG.

  • All other cookies/technologies (e.g., analytics, marketing, Clarity, Instagram feed): only with your consent (Art. 6(1)(a) GDPR; Section 25(1) TTDSG).

Withdrawal: via the Cookie settings link in the footer/within the CMP at any time.
The current cookie list (name, purpose, duration, provider) is always available in the CMP.

5. Contact Forms / Email

If you contact us by email or via a form, we process your details (name, email, message, and any additional content) to handle your request.

  • Lawful basis: Art. 6(1)(b) GDPR (pre-contractual/contractual) or Art. 6(1)(f) GDPR (communication).

  • Retention: until your request is completed; statutory retention obligations remain unaffected.

6. Newsletter (Brevo / Sendinblue)

Provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany (processing under a DPA).

Data/processing: email address, optionally name; double-opt-in evidence; dispatch; performance metrics (opens/clicks).
Lawful basis: consent (Art. 6(1)(a) GDPR). You can revoke consent at any time via the unsubscribe link.
Retention: until revocation/deletion.
Further information: https://www.brevo.com/de/legal/privacypolicy/

7. Appointment Bookings (Acuity Scheduling)

Provider: Squarespace Ireland Ltd., Dublin / Squarespace Inc., New York, USA (processing under a DPA).

Data/processing: name, email, appointment details, optional messages; scheduling and confirmations.
Lawful basis: Art. 6(1)(b) GDPR (contract/appointment handling).
Third-country transfer: USA based on Standard Contractual Clauses (SCC); a residual risk of government access remains.

8. Tools & Plugins Used

8.1 Microsoft Clarity (consent-based)

Purpose: usage analytics (e.g., heatmaps, click/scroll behaviour), technical diagnostics.
Data: truncated IP, device/browser data, interactions, referrer/page data; no recording of sensitive input fields.
Provider: Microsoft Ireland Operations Ltd., Dublin / Microsoft Corp., USA.
Lawful basis: consent via CMP (Art. 6(1)(a) GDPR; Section 25(1) TTDSG).
Third-country transfer: USA via SCC; residual risk remains.

8.2 Google Site Kit (framework for Google services; only enabled modules)

Provider: Google Ireland Limited, Dublin / Google LLC, USA (processing under a DPA depending on the service).
Lawful basis: consent via CMP (Art. 6(1)(a) GDPR; Section 25(1) TTDSG) — only for enabled, consent-requiring modules.

Currently used (please adjust):

  • Google Analytics 4: [YES/NO] — pseudonymous usage analytics; IP anonymisation enabled; retention [14/26/38/50] months.

  • Google Tag Manager: [YES/NO] — manages tags; does not set its own cookies but may load tools.

  • Google Search Console / PageSpeed Insights / AdSense: [YES/NO] — as enabled.

Data categories: IP address, device/browser data, interactions, referrer, possibly location/conversion data.
Third-country transfer: USA via SCC; residual risk remains.
Opt-out/consent management: via CMP.

8.3 Spotlight – Social Media Feeds (Instagram embed; consent-based)

Purpose: display of our Instagram posts directly on the website.
Data flow: when the feed loads, content is fetched directly from Instagram (Meta Platforms); your IP address and browser information may be transmitted to Instagram/Meta. Instagram may set cookies or similar technologies.
Lawful basis: consent (Art. 6(1)(a) GDPR; Section 25(1) TTDSG).
Provider: Meta Platforms Ireland Ltd., Dublin / Meta Platforms Inc., USA.
Third-country transfer: USA via SCC; residual risk remains.
Note: Without consent, no Instagram content is loaded.

8.4 Antispam Bee (comment/spam protection)

Purpose: protect forms/comments against spam.
Data: IP address, user agent, input content/timestamp, referrer; technical checks (e.g., honeypot, time measurement).
Lawful basis: legitimate interest in preventing abuse (Art. 6(1)(f) GDPR).
Third-country transfer: none if optional checks against public spam databases are disabled (recommended default).
Retention: spam entries are regularly deleted; legitimate comments are subject to statutory retention rules.

8.5 Elementor / Elementor Pro

Purpose: building/managing page content.
Cookies/storage: may set a persistent “elementor” cookie to store editor/layout state (for logged-in admin/editor users only). For visitors, Elementor does not process personal data unless widgets collecting data (e.g., form widget) are used.
Lawful basis: technically necessary (Art. 6(1)(f) GDPR; Section 25(2) No. 2 TTDSG).
Note: Data collected via Elementor forms is covered in Section 5 (Contact/Forms).

8.6 Maintenance / Slim Maintenance Mode

Purpose: temporary maintenance page.
Data/cookies: possibly a session cookie for logged-in admins to preview/bypass the maintenance page; no processing of visitor data.
Lawful basis: technically necessary (Art. 6(1)(f) GDPR; Section 25(2) No. 2 TTDSG).

8.7 Multisite Language Switcher

Purpose: language switching on the site.
Data/cookies: preference cookie storing the chosen language (e.g., “msls” with language code), retained for up to 12 months.
Lawful basis: technically necessary / user preference (Art. 6(1)(f) GDPR; Section 25(2) No. 2 TTDSG).
Third-country transfer: none.

8.8 Real Media Library (Free)

Purpose: internal media management in the WordPress backend.
Processing: applies only to logged-in authorised users (e.g., admin/editor); no additional processing of visitors’ personal data.
Lawful basis: Art. 6(1)(f) GDPR (efficient content management).

8.9 UpdraftPlus – Backup / Restore

Purpose: website backups. Backups may contain personal data (e.g., form entries, user accounts, comments).
Lawful basis: legitimate interest in availability/integrity of systems (Art. 6(1)(f) GDPR).
Storage location: locally on the server and—if configured—at third-party storage providers (e.g., Dropbox, Google Drive, S3). In that case, data is transferred to the respective provider (possibly third country/USA with SCC).
Retention: backups are created in cycles and automatically deleted after [e.g., 30/60/90 days].

8.10 Ally – Accessibility & Usability

Purpose: accessibility/usability features (e.g., contrast, font sizes).
Data/cookies: stores your display/accessibility settings in the browser (cookie or local storage).
Lawful basis: technically necessary / user preference (Art. 6(1)(f) GDPR; Section 25(2) No. 2 TTDSG).
Third-country transfer: none.

8.11 Yoast Duplicate Post

Purpose: editorial workflow (duplicate posts/pages).
Processing: backend-only for logged-in users; no additional processing of visitor data.
Lawful basis: Art. 6(1)(f) GDPR.

9. External Social Media Links

Our pages contain simple links to Instagram/LinkedIn; there are no plugins that transfer data automatically. Data processing only occurs after you click and access the platform, in which case the platform’s privacy policy applies.

10. Retention Periods

We retain personal data only as long as necessary for the respective purpose or as required by statutory retention periods. Data is then routinely deleted or anonymised.

11. Data Security

We implement appropriate technical and organisational measures (TLS encryption, access/permission management, backup/recovery processes) to protect data against loss, misuse, or unauthorised access.

12. Processors & Third-Country Transfers

We have concluded data processing agreements (Art. 28 GDPR) with our service providers where required (including STRATO, Brevo, Microsoft, Google, Squarespace, and any cloud storage used with UpdraftPlus).
Where data is transferred to third countries (in particular the USA), this is based on Standard Contractual Clauses (SCC); a residual risk of government access cannot be fully excluded.

13. Changes to this Policy

We will update this policy when our services, legal requirements, or processes change. The current version is always available on this page.