Privacy
A considered approach to your data.
The full privacy policy is being prepared with counsel and will appear here. Until then, write to me with any data question — I'll reply directly.
Last updated: June 2026
1. Data controller and supervisory authority
The controller responsible for the processing of your personal data on this website is:
Kathrin Rotter
c/o Bufete Marrero Henning, C/ San Miguel 68A, 8º
07002 Palma de Mallorca, Spain
Email: kr@o-kind.com
Processing is governed by Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR / RGPD) and the Spanish Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD).
The competent supervisory authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD), www.aepd.es.
2. Overview
We process personal data only to the extent necessary to provide a functional website and our services, and on a clear legal basis. This policy explains what we collect, why, for how long, who processes data on our behalf, and the rights you have.
We do not use analytics, advertising or tracking technologies, and we do not sell personal data.
3. What we collect, why, and on what legal basis
Contact form. When you use a contact form we process your name, email address, the topic you select and your message, in order to respond to your enquiry. Legal basis: performance of pre-contractual steps at your request (Art. 6(1)(b) GDPR) and our legitimate interest in responding to enquiries (Art. 6(1)(f) GDPR).
Account and login. To create an account we process your name, email address and password. The password is hashed by our authentication provider and is never stored by us in plain text. Legal basis: performance of the contract for your account (Art. 6(1)(b) GDPR).
Payments. When you purchase a service, payment is handled by Stripe. We receive the transaction status (for example, whether a payment succeeded) but not your full card number. Legal basis: performance of the contract (Art. 6(1)(b) GDPR) and compliance with legal obligations such as invoicing and tax retention (Art. 6(1)(c) GDPR).
Bookings, classes and event requests. When you book a reading, register for a live class or request a gathering, we process the data you provide for that booking in order to deliver the service. Legal basis: performance of the contract (Art. 6(1)(b) GDPR).
Server logs. Our hosting provider automatically records technical data such as your IP address and the time of access in server log files, for the purpose of operating, securing and stabilising the website. Legal basis: our legitimate interest in a secure and functional website (Art. 6(1)(f) GDPR).
Newsletter and marketing. If a newsletter or marketing communication is offered, we send it only after you have given your explicit consent, which you may withdraw at any time. Legal basis: consent (Art. 6(1)(a) GDPR).
4. Cookies
We use a single strictly necessary cookie to keep you signed in to your account (a session / authentication cookie, e.g. `sb-…-auth-token`).
We do not use analytics, advertising or tracking cookies of any kind.
Strictly necessary cookies that are required to deliver a service you have explicitly requested do not require consent. For that reason this website does not display a cookie-consent banner.
5. Service providers and processors
We engage the following processors (encargados del tratamiento), who process personal data only on our documented instructions and under a data processing agreement:
• Supabase — database, authentication and file storage (hosted on EU servers, AWS region Stockholm / eu-north-1)
• Stripe — payment processing
• Resend — delivery of transactional email
• Vercel — website hosting and server log files
Each processor is granted access only to the data needed to perform its function.
6. International data transfers
Some of our processors (Stripe, Resend and Vercel) are based in the United States, which means personal data may be transferred outside the European Economic Area.
Such transfers take place on the basis of the EU–US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses, together with additional safeguards where required, to ensure an adequate level of protection for your data.
Although Supabase Inc. is a US-based company, the personal data it processes for us is stored exclusively on servers within the European Union (AWS region Stockholm, Sweden) and is therefore not transferred to a third country.
7. Retention periods
As a general rule we retain personal data only for as long as necessary for the purpose for which it was collected, or for as long as the related account or contractual relationship is in place.
Where the law requires it — in particular for invoicing, accounting and tax purposes — we retain the relevant records for the statutory retention periods, after which the data is deleted or anonymised.
8. Your rights under the GDPR
You have the following rights in relation to your personal data:
• Access — to obtain confirmation of and a copy of the data we hold about you
• Rectification — to have inaccurate or incomplete data corrected
• Erasure — to have your data deleted where the legal conditions are met
• Restriction — to have processing restricted in certain cases
• Portability — to receive your data in a structured, machine-readable format
• Objection — to object to processing based on our legitimate interests
• Withdrawal of consent — to withdraw any consent at any time, without affecting the lawfulness of processing carried out before withdrawal
To exercise any of these rights, contact us at kr@o-kind.com. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), www.aepd.es.
9. Minors
This website and its services are not directed at children. Users must be at least 18 years old (or the minimum age required by applicable law) to create an account or purchase a service. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, please contact us at kr@o-kind.com and we will delete it.
10. Health and well-being disclaimer
Our services — including Human Design readings, Kundalini Yoga classes, coaching and gatherings — are offered for well-being, education and personal growth. They are not medical, psychological or therapeutic treatment, do not constitute a diagnosis, and are not a substitute for professional healthcare. If you have any health concern, please consult a qualified healthcare professional.
11. Changes to this policy
We may update this Privacy Policy to reflect changes in our services or in the applicable law. The current version is always available on this page, with the date of the latest update shown above.