Privacy Policy

Last updated: July 2026

This Privacy Policy explains how Cecilia Nord and the registered business through which the services are provided collect, use, store, and protect personal information when you:

  • visit this website
  • contact us
  • book or purchase a distance Reiki session
  • participate in a session
  • subscribe to communications, where offered
  • otherwise interact with our services

In this Privacy Policy, "we", "us", and "our" refer to Cecilia Nord and the registered business operating the website and services.

We are committed to handling personal information carefully, transparently, and in accordance with applicable data-protection law, including the General Data Protection Regulation ("GDPR") and the Norwegian Personal Data Act.

1. Data controller

The data controller responsible for the processing described in this Privacy Policy is:

Business owner: Cecilia Nord Registered business name: [insert legal business name] Organisation number: [insert organisation number] Business type: Sole proprietorship registered in Norway Registered address: [insert registered business address] Email: [insert privacy contact email address]

The data controller determines why and how personal information is processed.

For questions about this Privacy Policy or the use of your personal information, contact us using the email address above.

2. Personal information we may collect

The information we collect depends on how you interact with the website and services.

2.1 Information you provide directly

We may collect:

  • full name
  • email address
  • telephone number
  • country or location
  • preferred language
  • time zone
  • booking date and appointment time
  • selected service
  • messages sent through contact or booking forms
  • information included in emails or other communications
  • billing details
  • purchase and payment status
  • booking history
  • cancellation or refund requests
  • feedback, reviews, or testimonials you voluntarily provide
  • information you voluntarily share before, during, or after a Reiki session

2.2 Payment information

Payments may be processed by an external payment provider.

We do not normally receive or store your complete debit or credit card details. The payment provider may process information such as:

  • cardholder name
  • billing address
  • payment method
  • payment amount
  • transaction identifier
  • payment status

The provider processes payment information according to its own privacy policy and security practices.

2.3 Technical and usage information

When you use the website, certain technical information may be collected automatically, including:

  • IP address
  • browser type
  • device type
  • operating system
  • language settings
  • approximate location derived from the IP address
  • pages visited
  • time spent on the website
  • referring website
  • links or buttons used
  • error and diagnostic information
  • cookie and consent preferences

This information may be collected through the website platform, server logs, cookies, or similar technologies.

Non-essential analytics or marketing technologies will only be used where the consent required by applicable law has been obtained.

2.4 Information from third-party providers

We may receive limited personal information from providers used to operate the services, including:

  • website-hosting providers
  • booking platforms
  • payment processors
  • calendar services
  • video-call platforms
  • email providers
  • analytics services
  • customer-support tools

The information received depends on the service, your settings, and the permissions you provide.

3. Information relating to health and wellbeing

During booking or communication, you may choose to share information relating to your physical or mental health, emotional wellbeing, medication, diagnosis, symptoms, or personal circumstances.

Such information may constitute sensitive personal information or a special category of personal data under the GDPR.

We do not need your complete medical history to provide a distance Reiki session.

Please do not send:

  • medical records
  • detailed diagnostic reports
  • full medication histories
  • identity documents
  • unnecessary information about trauma or mental health
  • other sensitive information that is not relevant to the practical delivery of the session

Where we intentionally request or store information concerning health, we will only do so where:

  • there is a valid legal basis under applicable data-protection law
  • an applicable condition for processing sensitive information has been met
  • the information is reasonably necessary for a clearly stated purpose
  • appropriate safeguards are used

Where we rely on your explicit consent, you may withdraw that consent at any time. Withdrawal does not affect processing that was lawful before consent was withdrawn.

Reiki is not medical or psychological treatment. Any information you share is not used to diagnose, treat, cure, or prevent a health condition.

4. Why we use personal information

We may use personal information for the following purposes.

4.1 To provide the services

This may include:

  • receiving and managing bookings
  • confirming appointments
  • identifying the person who made the booking
  • arranging telephone or video communication
  • providing the booked Reiki session
  • sending practical preparation information
  • providing agreed follow-up
  • managing time-zone differences
  • responding to questions relating to a booking

4.2 To process payments and administer purchases

This may include:

  • processing payment
  • sending receipts and confirmations
  • maintaining transaction records
  • handling cancellations and refunds
  • preventing fraudulent or unauthorised transactions
  • resolving payment disputes

4.3 To communicate with you

We may use your contact information to:

  • answer enquiries
  • send booking confirmations
  • provide service updates
  • inform you about changes to an appointment
  • respond to complaints
  • send legally required notices
  • communicate about a purchased service

4.4 To comply with legal obligations

We may process and retain information where necessary to:

  • comply with accounting and tax requirements
  • fulfil consumer-law obligations
  • respond to lawful requests from authorities
  • document consent or agreements
  • establish, exercise, or defend legal claims
  • prevent and investigate fraud or misuse

4.5 To operate and secure the website

We may use technical information to:

  • deliver website functionality
  • identify and correct errors
  • prevent abuse and unauthorised access
  • maintain network and information security
  • understand technical performance
  • preserve consent records
  • maintain backups

4.6 To analyse and improve the website

With consent where required, we may use analytics to understand:

  • how visitors find the website
  • which pages are used
  • how the website performs
  • which languages or devices visitors use
  • how the booking journey may be improved

We do not intend to use sensitive information about Reiki clients for advertising profiles.

4.7 To send marketing communications

We will only send newsletters, promotional messages, or similar marketing communications where we have an appropriate legal basis.

Where consent is required, we will ask for it separately. Booking a session does not automatically subscribe you to marketing.

You may unsubscribe at any time by:

  • using the unsubscribe link in an email
  • changing your communication preferences, where available
  • contacting us directly

Service messages relating to an active booking are not marketing communications and may still be sent where necessary.

5. Legal bases for processing

Depending on the purpose, we may rely on one or more of the following legal bases.

5.1 Performance of a contract

We process information where necessary to:

  • accept and administer a booking
  • process payment
  • communicate about the booked service
  • provide the session
  • manage cancellations or refunds
  • fulfil our agreement with you

Without this information, we may be unable to accept or provide the service.

5.2 Steps taken before entering into a contract

We may process information when you contact us with questions or ask us to take steps before making a booking.

5.3 Legal obligation

We process certain information where necessary to comply with legal duties, including accounting, tax, consumer-protection, and record-keeping obligations.

5.4 Legitimate interests

Where permitted, we may process information based on legitimate interests, including:

  • securing the website
  • preventing fraud or misuse
  • responding to ordinary enquiries
  • maintaining appropriate business records
  • improving non-intrusive business processes
  • establishing or defending legal claims

We consider whether our interests are overridden by your rights and freedoms before relying on this basis.

We do not rely on legitimate interests for processing sensitive health information where the GDPR requires an additional condition under Article 9.

5.5 Consent

We may rely on consent for:

  • non-essential cookies
  • optional analytics
  • certain marketing communications
  • publishing a testimonial
  • recording a session, where separately agreed
  • specific processing of sensitive information where explicit consent is appropriate

You may withdraw consent at any time.

5.6 Legal claims and other permitted grounds

In limited circumstances, sensitive information may be processed where necessary for the establishment, exercise, or defence of legal claims, or where another condition permitted by applicable law applies.

6. Cookies and similar technologies

The website may use cookies and similar technologies.

6.1 Necessary technologies

Certain technologies may be necessary for:

  • website security
  • basic website functionality
  • booking functionality
  • payment processing
  • language preferences
  • remembering privacy choices
  • maintaining a user session

Where legally permitted, strictly necessary technologies may operate without consent.

6.2 Analytics and marketing technologies

Analytics, advertising, tracking pixels, and similar non-essential technologies will only be activated where the legally required consent has been provided.

You must be able to:

  • accept or reject non-essential technologies
  • make choices by category where relevant
  • withdraw or change consent later

Further details should be available through the website's cookie banner or cookie settings.

The exact technologies and providers used must be listed in the cookie settings or a separate Cookie Policy once the website configuration has been finalised.

7. How we share personal information

We do not sell personal information.

We may share information with carefully selected service providers where reasonably necessary to operate the website and provide the services.

These providers may include:

  • website-hosting providers
  • booking and scheduling platforms
  • payment processors
  • email-service providers
  • video-call and telephone platforms
  • calendar services
  • cloud-storage and backup providers
  • accounting and bookkeeping providers
  • technical-support providers
  • analytics providers, where consent has been given
  • professional advisers, such as accountants or lawyers

Providers may only receive the information reasonably necessary for their function.

Where a provider acts as a data processor on our behalf, it must process personal information according to our instructions and applicable data-protection requirements.

We may also disclose information:

  • where required by law
  • in response to a valid legal request
  • to protect a person from a serious and immediate safety risk
  • to investigate suspected fraud or unlawful conduct
  • to establish, exercise, or defend legal claims
  • in connection with a lawful transfer or restructuring of the business

8. Specific service providers

Before publishing this Privacy Policy, complete this section with the providers actually used.

The website and services may use:

Website hosting: [insert provider and country] Booking platform: [insert provider and country] Payment processor: [insert provider and country] Email provider: [insert provider and country] Video-call platform: [insert provider and country] Calendar provider: [insert provider and country] Analytics provider: [insert provider and country, or state that none is used] Cookie-consent provider: [insert provider and country] Accounting provider: [insert provider and country] Cloud-storage provider: [insert provider and country]

Links to the relevant providers' privacy information may be added here or made available through the website.

Do not list a provider unless it is actually used.

9. International transfers

Some service providers may process personal information outside Norway, the European Economic Area, or the country in which you live.

Where personal information is transferred outside the European Economic Area, we will use an appropriate legal mechanism where required, which may include:

  • a European Commission adequacy decision
  • approved standard contractual clauses
  • supplementary technical or organisational safeguards
  • another lawful transfer mechanism

The privacy practices and locations of the actual providers must be reviewed before this policy is published.

You may contact us to request further information about applicable transfer safeguards.

10. How long we retain personal information

We retain personal information only for as long as reasonably necessary for the purpose for which it was collected, including legal, accounting, security, and dispute-resolution requirements.

Retention periods may include:

Booking and customer information

Retained for [insert period] after the session or last customer interaction, unless a longer period is legally required.

Accounting and transaction records

Retained for the period required under applicable Norwegian accounting and tax law.

General enquiries

Retained for [insert period, for example 12 months] after the enquiry has been resolved, unless continued retention is necessary.

Session notes

We do not create detailed clinical or medical records.

Any limited practical notes retained in relation to a session will be:

  • kept to a minimum
  • stored securely
  • retained for no longer than [insert period]
  • deleted earlier where no longer necessary, unless legal retention is required

Sensitive information

Sensitive information will be deleted when it is no longer necessary for the stated purpose, subject to any applicable legal requirement or need relating to legal claims.

Marketing information

Retained until you unsubscribe, withdraw consent, object to the processing, or the information is no longer needed.

A limited suppression record may be retained to ensure that an unsubscribe request continues to be respected.

Technical and analytics information

Retained according to the settings of the website, analytics, security, and consent tools used.

When information is no longer required, it will be deleted, anonymised, or securely disposed of.

11. Security

We use reasonable technical and organisational measures intended to protect personal information against:

  • unauthorised access
  • accidental loss
  • alteration
  • disclosure
  • destruction
  • misuse

Measures may include:

  • access controls
  • strong passwords
  • multi-factor authentication where available
  • encrypted connections
  • secure payment providers
  • software updates
  • restricted access to customer information
  • secure backups
  • data minimisation
  • appropriate agreements with service providers

No online service or method of electronic storage can be guaranteed to be completely secure.

You are responsible for protecting access to your own email account, devices, booking confirmations, and online accounts.

12. Data breaches

Where a personal-data breach occurs, we will assess the nature and possible consequences of the incident.

Where legally required, we will notify:

  • the relevant data-protection authority
  • affected individuals

Notifications will be made within the time limits required by applicable law.

13. Your data-protection rights

Depending on applicable law and the circumstances, you may have the right to:

Access

Request confirmation of whether we process your personal information and receive a copy of relevant information.

Rectification

Ask us to correct inaccurate or incomplete personal information.

Erasure

Ask us to delete personal information where there is no lawful reason to continue processing it.

This right is not absolute. Some information may need to be retained to comply with legal obligations or address legal claims.

Restriction

Ask us to restrict how personal information is used in certain circumstances.

Objection

Object to processing based on legitimate interests.

You may object to direct marketing at any time.

Data portability

Receive certain information you provided in a structured, commonly used, and machine-readable format and, where technically feasible, request transfer to another controller.

Withdrawal of consent

Withdraw consent at any time where processing is based on consent.

Withdrawal does not affect the lawfulness of processing completed before consent was withdrawn.

Complaint

Submit a complaint to a competent data-protection authority.

Automated decision-making

You have rights relating to certain decisions made solely by automated means that produce legal or similarly significant effects.

We do not currently intend to use personal information to make such decisions.

14. How to exercise your rights

To exercise a data-protection right, contact:

Email: [insert privacy contact email address]

Please state:

  • your name
  • the right you wish to exercise
  • enough information for us to understand and locate the relevant records

We may need to request reasonable information to verify your identity before responding. Do not send identity documents unless they are specifically requested and necessary.

We will respond within the period required by applicable law.

Requests are normally free of charge. A reasonable fee may be charged, or a request may be refused, where permitted by law and the request is manifestly unfounded or excessive.

15. Complaints to a supervisory authority

We would appreciate the opportunity to address your concern directly first.

You also have the right to lodge a complaint with a competent data-protection authority.

As the business is established in Norway, the relevant Norwegian authority is:

Datatilsynet – The Norwegian Data Protection Authority

You may also be entitled to contact the data-protection authority in the country where you live, work, or believe an infringement occurred.

16. Children's information

The website and booking services are intended primarily for adults.

Persons under 18 should not independently submit booking information or sensitive information.

Where a Reiki session involving a minor is expressly agreed, the involvement and consent of a parent or legal guardian will be required as appropriate.

We do not knowingly use children's personal information for behavioural advertising or marketing profiles.

If you believe that a child has submitted personal information without appropriate consent, contact us so that we can review and, where appropriate, delete it.

17. Testimonials and reviews

We will not publish your name, image, testimonial, review, or session experience on the website or in marketing without an appropriate legal basis.

Where we ask for consent to publish a testimonial, the request will explain:

  • what will be published
  • where it may appear
  • whether your full name, first name, initials, location, or image will be used

You may withdraw consent for future use by contacting us. Withdrawal may not require the recall of printed material already distributed, but we will stop new use where reasonably possible.

Submitting private feedback does not automatically give us permission to publish it.

18. Session recordings

We do not record Reiki sessions, telephone conversations, or video calls as a standard practice.

If a recording is ever proposed, you will be informed in advance about:

  • the purpose
  • what will be recorded
  • who will have access
  • how long it will be retained
  • whether participation is optional

Any consent required by law will be obtained before recording begins.

You must not record a session without prior agreement.

19. Links to external websites

The website may contain links to external websites or services.

We do not control and are not responsible for the privacy practices, security, or content of external providers.

You should review the privacy information of any external website you choose to visit.

20. Social media

If you interact with us through a social-media platform, the platform may process personal information according to its own privacy terms.

Information posted publicly on social media may be visible to others.

Please do not send sensitive health information through public comments or social-media messages.

Where possible, practical booking and privacy matters should be handled through the official website or business email address.

21. Changes to this Privacy Policy

We may update this Privacy Policy where:

  • the website changes
  • new service providers are introduced
  • the services change
  • legal requirements change
  • our processing practices change

The latest version will be published on the website with the updated revision date.

Where a change materially affects how personal information is used, we will provide additional notice where required.

22. Contact

For questions, requests, or concerns relating to privacy or personal information, contact:

Cecilia Nord Registered business name: [insert legal business name] Organisation number: [insert organisation number] Email: [insert privacy contact email address] Registered address: [insert registered business address]

Book a session