Privacy Policy

Publication date: 27 October 2025

GS Baltic states SIA, incorporated under the laws of the Republic of Latvia (registration number: [40203448819), with its registered office at Krastmalas iela 51, Priedkalne, Latvia, LV-1024 (hereinafter — the “Company”, “we”, “us” and “our”), acts as a Data Controller in accordance with Regulation (EU) 2016/679 (“GDPR”) and the Latvian Law on Processing of Personal Data.

This Privacy Policy (the “Policy”) explains how we collect, use, store, share and protect your personal data (“Personal Data”) when you register for our online courses, attend our retreats, use our websites, or otherwise interact with us.

1. Scope

This Policy applies to all individuals whose Personal Data we process in connection with our activities. This includes, without limitation:

• users of our websites and online platforms;
• participants in our online programs and digital services;
• participants in our offline events, retreats, and related activities;
• applicants and participants in special programs that may require additional admission criteria;
• members of our online communities and communication channels (such as messaging groups or forums);
• any other persons who interact with us or otherwise provide Personal Data in the course of using our services.

Our services are intended for adults (18+). We do not knowingly collect Personal Data from children.

2. Categories of Personal Data We Process

Depending on how you interact with us and which services you use, we may collect and process the following categories of Personal Data:

• Identification and contact details: name, surname, email address, phone number, country or city of residence.
• Participation and booking details: selected program or event, dates, location, booking reference, payment status.
• Payment information: data required to process payments (handled by third-party payment providers). We do not store full card details.
• Health and safety information (special category, only with explicit consent): dietary restrictions, allergies, contraindications, and information relevant to participation in physical or aquatic activities.
• Insurance and emergency data: travel insurance provider/policy number and emergency contact person.
• Account and access data (for online services): login, password, preferences, communication settings.
• Technical data: IP address, device and browser type, log data, cookies and similar technologies.
• Communications and community content: inquiries, feedback forms, support requests, and messages in online communities or messaging groups.
• Photo and video recordings: images or videos created during events or activities, unless you opt out before the start of the event.
• Marketing preferences: your choices about receiving updates and promotional information.

3. How We Obtain Personal Data

We collect Personal Data:

• directly from you (forms, bookings, payments, correspondence, participation in events);
• automatically through your use of our websites (cookies, logs, analytics);
• from service providers that support our services (e.g., payment processors, webinar or messaging platforms), strictly within data protection agreements.

4. Purposes and Legal Bases of Processing

We process Personal Data only where we have a valid legal basis under the GDPR. Depending on the context, your Personal Data may be processed for the following purposes and on the following legal grounds:

Contract performance (Art. 6(1)(b) GDPR):

• to register and manage your booking or participation in our services and events;
• to provide access to online content or platforms;
• to communicate with you regarding schedules, updates, or changes;
• to handle payments and issue confirmations.
  

Legal obligations (Art. 6(1)(c) GDPR):

• to comply with accounting, tax, and record-keeping requirements;
• to respond to lawful requests from authorities.

Legitimate interests (Art. 6(1)(f) GDPR):

• to ensure the safety and security of our events, participants, and staff;
• to operate, improve, and secure our websites and services;
• to manage online communities and communication channels;
• to document events with photo and video materials (unless you opt out beforehand or object);
• to prevent fraud, misuse, or abuse of our services;
• to establish, exercise, or defend legal claims.

Consent (Art. 6(1)(a) GDPR):

• to send you marketing communications (email, messenger, SMS) according to your preferences;
• to use non-essential cookies and analytics tools;
• to process health or insurance data where relevant for participation in our events (Art. 9(2)(a) GDPR — explicit consent for special categories of data);
  
• to use photos or videos of you for promotional purposes where opt-in is required.

Vital interests (Art. 6(1)(d) GDPR):

• to protect your health and safety in emergencies (e.g., sharing insurance or emergency contact details with medical professionals).

5. Marketing and Communication Preferences

5.1. We may use your contact details to send you updates, offers, or information about our services only where we have a valid legal basis (your opt-in consent, or legitimate interest where permitted by law).
5.2. You can choose preferred channels (email, messaging apps, SMS) when giving consent.
5.3. You can withdraw consent or opt out at any time by:

• clicking “unsubscribe” in our emails;
• adjusting preferences in your account (where available);
• emailing contact@giving-school.eu. 

5.4. Even if you opt out of marketing, we may still send you service messages necessary for contract performance (e.g., booking confirmations, schedule changes, safety updates).

6. Data Sharing and Disclosure

6.1. We do not sell your Personal Data. We share it only as necessary for the purposes described in this Policy and under strict confidentiality obligations.
6.2. Categories of recipients include:

• Payment processors (e.g., Stripe, PayPal) to handle payments;
• IT and hosting providers (e.g., cloud platforms, CRM systems) to operate our websites and services;
• Communication providers (e.g., email, SMS, Zoom, Telegram, WhatsApp) to deliver messages, sessions, and community access;
• Event partners and venues to organise logistics (minimal data only);
• Medical providers or insurers in emergencies, to protect vital interests;
• Professional advisors (legal, accounting, auditors) where required by law;
• Authorities where disclosure is required by applicable law or legal proceedings.
  6.3. All service providers acting as Data Processors are bound by written contracts in accordance with Art. 28 GDPR and may not use your data for their own purposes.

7. International Data Transfers

7.1. We primarily store and process Personal Data within the European Economic Area (EEA).
7.2. Some service providers may be located outside the EEA/UK or store data in third countries (e.g., the United States). Where this occurs, we ensure appropriate safeguards, such as:

• an adequacy decision of the European Commission (Art. 45 GDPR); or
• Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR), with supplementary safeguards where necessary; or
• other lawful transfer mechanisms permitted under GDPR.

7.3. Copies of the relevant safeguards (e.g., SCCs) are available upon request.

8. Data Retention

8.1. We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting, or reporting requirements.
8.2. Retention periods depend on the data type and applicable Latvian law:

• Accounting and contractual records (invoices, booking confirmations, contracts): kept for at least 5 years after the end of the financial year, and up to 10 years where required by Latvian tax legislation.
• Account data (online services): kept until you close your account, and for up to 3 years thereafter to handle possible claims.
• Health and insurance data (special category): kept only for retreat preparation and duration, then deleted within 30 days after the event.
• Emergency contact details: deleted immediately after the retreat ends.
• Marketing consents and preferences: kept until withdrawn, but not longer than 2 years after the last interaction.
• Photo and video recordings: kept until you object or withdraw consent, unless needed for legal defence or archiving.
• Cookies and technical data: as described in our Cookie Policy.

8.3. When retention is no longer justified, we delete or anonymise the data. Anonymised data may be retained indefinitely for statistical or research purposes.

9. Security Measures

9.1. We apply appropriate technical and organisational measures to protect Personal Data against unauthorised access, accidental loss, misuse, or disclosure.
9.2. Measures include: secure hosting with trusted providers within the EEA or under appropriate safeguards; encryption in transit (e.g., HTTPS/TLS); password protection and role-based access; limiting access to those who need it; staff awareness and confidentiality obligations.
9.3. No method of transmission or storage is fully secure. If we become aware of a data breach affecting your rights and freedoms, we will notify you and the supervisory authority as required by law.

10. Cookies and Tracking Technologies

10.1. Our websites use cookies and similar technologies to ensure proper functioning, improve user experience, analyse traffic, and, where you give consent, for marketing purposes.
10.2. Types of cookies: strictly necessary, functional, analytics, and marketing (used only with consent).
10.3. On your first visit you will see a cookie banner to accept, reject, or customise preferences. You can change choices at any time via our cookie settings.
10.4. For details, see our separate Cookie Policy.

11. Your Rights

Under the GDPR and applicable data protection laws, you have the right to:

• access your Personal Data (Art. 15);
• rectification (Art. 16);
• erasure (“right to be forgotten”, Art. 17);
• restriction of processing (Art. 18);
• data portability (Art. 20);
• object to processing based on legitimate interests, including profiling, and to object to direct marketing (Art. 21);
• withdraw consent at any time (Art. 7(3)) without affecting lawfulness of prior processing;
• not to be subject to automated decision-making producing legal or similarly significant effects (Art. 22) – we do not perform such processing.

To exercise your rights, email contact@giving-school.eu. We may need to verify your identity. We aim to respond within one month, extendable where permitted by law due to complexity or number of requests.

12. Supervisory Authority & Complaints

If you believe your Personal Data is processed unlawfully or your rights are infringed, you have the right to lodge a complaint with a supervisory authority.

Lead supervisory authority: Data State Inspectorate of Latvia (Datu valsts inspekcija)

• Address: Elijas iela 17, Rīga, LV-1050, Latvia
• Email: info@dvi.gov.lv
• Website: https://www.dvi.gov.lv/
  

You may also complain to your local data protection authority in the EU/EEA, the UK, or your country of residence.

13. Updates to This Policy

We may update this Policy from time to time to reflect changes in law, our practices, or services. Updated versions will be published on our websites with the “Last updated” date. Where changes are significant, we will provide prior notice (e.g., by email or on-site notice).

14. Contact Us

If you have questions, requests, or concerns regarding this Policy or our processing of Personal Data, contact us at:

 GS Baltic states SIA
Registration No.: 40203448819
Registered address: Ropažu nov., Garkalnes pag., Priedkalne, Krastmalas iela 51, LV-1024
Email: contact@giving-school.eu