Privacy Policy

1. What I Collect

The information I collect depends on how you interact with my website. The table below summarises what is collected in each area:

I do not use tracking pixels, behavioural advertising networks, or social media cookies on this website.

2. How I Use Your Information

I use personal information only for the purposes for which it was collected:

• To confirm appointments and send Zoom session details
• To process and record signed consent / waiver agreements
• To respond to enquiries and provide customer support
• To communicate about art purchases or shipping
• To send occasional updates about new content, services, or events (you can opt out at any time)
• To maintain legally required records of consent for energy healing sessions
• To comply with applicable law or respond to lawful requests

I will never sell, rent, or trade your personal information to third parties for marketing purposes.

3. Energy Healing Practice — Special Category Data

Specifically:

• Consent records (signed waiver agreements) are stored in encrypted JSON log files in a private server directory (/private/consent-submissions/) outside the web root — they cannot be accessed via a browser URL.
• Records include: name, email, phone, electronic signature confirmation, IP address, timestamp, and agreement to specific terms.
• Confirmation emails are sent via Brevo (transactional email provider) to both you and me upon form submission.
• Session recordings, if any, are governed by the specific consent you provided at the time of signing.
• I do not share health-related information with any third party except as required by law.

Lawful basis (Texas residents): Processing is based on your express consent given at the time of signing. You may withdraw consent at any time by contacting me — withdrawal does not affect the lawfulness of prior processing.

4. Minor Clients

Energy healing sessions for clients under 18 require a parent or legal guardian to complete a separate Minor Client Consent Waiver Agreement. In those cases:

• The guardian's information (name, relationship, email, phone, electronic signature) is collected and stored.
• The minor's name and date of birth are collected solely to verify eligibility and maintain the consent record.
• Minor data is stored in a separate private log file (minor-submissions.json) with the same access controls as adult records.
• I do not knowingly collect personal data from children under 13 for any purpose other than the consent record described above.
• If you believe a minor's data has been collected in error, please contact me immediately for deletion.

5. Email Communications

Transactional emails (appointment confirmations, consent form receipts, support responses) are sent via Brevo (formerly Sendinblue), a third-party email delivery service. Brevo processes your email address on my behalf under their own privacy policy. I do not share your data with Brevo beyond what is necessary to deliver the email.

If I send you occasional newsletters or updates, you can unsubscribe at any time by:

• Clicking the unsubscribe link in any marketing email, or
• Emailing me directly at david@davidleewilliamson.com

Transactional emails (appointment confirmations, form receipts) cannot be opted out of as they are necessary to fulfil the service you requested.

6. How I Protect Your Information

I take reasonable technical and organisational measures to protect your data, including:

• Consent and form submission records stored in a private server directory outside the web root, inaccessible via any public URL
• HTTPS encryption on all pages of this website
• CSRF (cross-site request forgery) token protection on all forms
• Access to stored records limited to me personally
• Email delivery via industry-standard TLS-encrypted SMTP (Brevo)

No method of electronic storage or transmission is 100% secure. While I strive to use commercially acceptable means to protect your information, I cannot guarantee absolute security.

7. Data Retention

I retain personal data for as long as necessary for the purpose it was collected:

• Consent / waiver records — retained for a minimum of 7 years to satisfy professional insurance and legal record-keeping requirements
• Appointment records — retained for 2 years after the session date
• Contact / enquiry messages — retained for 12 months after the conversation concludes
• Art purchase enquiries — retained for 3 years for sales record purposes
• Server access logs — retained for up to 90 days for security monitoring

After the applicable retention period, records are securely deleted. You may request early deletion — see Your Rights below.

8. Third-Party Services

I use a small number of trusted third-party services to operate this website. Each processes only the data necessary for their function:

I do not use Google Analytics, Facebook Pixel, or any other behavioural tracking or advertising platform on this website.

Links to external websites (e.g., Zoom, PayPal for donations) are governed by those platforms' own privacy policies. I am not responsible for their practices.

9. EU Visitors — GDPR Rights GDPR

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR). This website offers a dedicated EU/GDPR consent form for EU-based clients of my energy healing practice.

For EU visitors, personal data is processed on the following lawful bases:

• Consent (Article 6(1)(a)): For energy healing session consent, recording consent, and email communications
• Contract (Article 6(1)(b)): For appointment scheduling and fulfilling services you have requested
• Legitimate interests (Article 6(1)(f)): For security monitoring and improving this website

Your GDPR rights include the right to access, rectify, erase, restrict processing, data portability, and to object to processing. You also have the right to withdraw consent at any time and to lodge a complaint with your national data protection authority.

10. Your Rights

Regardless of where you are located, you have the following rights with respect to your personal data:

• Access: Request a copy of the personal information I hold about you
• Correction: Ask me to correct inaccurate or incomplete information
• Deletion: Request deletion of your data (subject to legal retention requirements — see Section 7)
• Opt-out: Unsubscribe from marketing emails at any time
• Portability: Request your data in a portable, machine-readable format
• Withdrawal of consent: Withdraw consent for data processing at any time — this does not affect the lawfulness of prior processing

To exercise any of these rights, contact me using the details in Section 12 below. I will respond within 30 days. Note that consent/waiver records may be subject to mandatory retention periods under professional insurance requirements and cannot always be deleted on request.

11. Changes to This Policy

I may update this Privacy Policy from time to time to reflect changes in my services, legal obligations, or best practices. When I do:

• The updated policy will be posted on this page with a new effective date
• Material changes will be highlighted at the top of this page for 30 days after publication
• Continued use of this website after the updated effective date constitutes acceptance of the revised policy

The previous version of this policy was focused on art purchases only and was effective from March 23, 2025. This version supersedes it entirely.

12. Contact Me

If you have any questions about this Privacy Policy, wish to exercise your data rights, or need to report a data concern, please reach out:

Governing Law: This Privacy Policy is governed by the laws of the State of Texas, United States. EU residents retain all rights afforded under the GDPR, which shall take precedence where required by applicable law.