Privacy & Cookie Policy
This Privacy & Cookie Policy explains how MySanctuary processes personal data when you visit mysanctuary.world, contact us, create or use an account, use the chatbot, or purchase products or memberships through the website.
1. Who we are
The controller responsible for the processing of personal data described in this policy is:
Controller: MySanctuary.World
Website: mysanctuary.world
Email: info@mysanctuary.nl
If you have questions about this policy or about how your personal data is handled, you can contact us using the details above.
2. What personal data we process
Depending on how you use the website, we may process the following categories of personal data:
Identity and contact data, such as your name, username, email address, phone number and postal address.
Account and session data, such as login identifiers, session status, token version, profile settings and related security metadata.
Order, membership and billing data, such as purchased items, subscription plan, payment status, shipping details and invoice-related data.
Communications data, such as messages sent through the contact form, email replies and chatbot interactions.
Technical and usage data, such as pages visited, referrer, timestamps, device/browser information, cookie and local storage preferences, and security event data.
Affiliate interaction data, such as outbound clicks on affiliate links and related conversion attribution data made available by affiliate networks.
3. How we collect and use personal data
3.1 Contact form and direct enquiries
If you contact us through the contact form or by email, we process your name, email address and the contents of your message so that we can respond to your enquiry, continue the conversation where needed and keep basic records of customer service communications.
3.2 Accounts, login and member-only areas
If you create or use an account, we process your account profile data, login credentials, session information and related security metadata so that you can sign in, access protected areas, manage your profile, use community or dashboard features and keep your account secure.
Passwords are not stored in plain text. Authentication and session controls are used to maintain secure access to your account.
3.3 Orders, memberships and payments
If you buy a product, book a paid offering or start a membership checkout, we process the data needed to create the order or subscription, collect payment, deliver digital or physical services, send confirmations and maintain accounting records. This can include your name, email address, shipping details, selected items, subscription plan, payment status and customer identifiers used by our payment provider.
We do not intentionally store full card details ourselves. Payments are processed by our payment provider.
3.4 Emails and transactional communications
We may send operational emails such as contact form acknowledgements, account-related messages, order confirmations, shipping updates and membership confirmations where this is necessary to provide the requested service or complete a contract with you.
3.5 Chatbot and abuse prevention
If you use the chatbot, we process the content of your messages, recent conversation context and short-lived verification data so that the feature can respond and be protected against abuse. Recent chat history may also be stored locally in your own browser so that your conversation can persist on your device until you clear it.
We also use short-lived captcha and verification cookies, rate limiting and related security checks to protect forms, login and interactive features against spam, automated misuse and fraudulent activity.
3.6 Cookies, local storage and language preferences
We use a limited set of cookies and browser storage technologies for essential website functions, security, language preferences, consent preferences and, if you choose to allow them, analytics cookies.
3.7 Analytics
If you give consent for analytics cookies, we use Google Analytics 4 via Google Tag Manager to understand website traffic and improve the website. We configure Google Consent Mode with analytics denied by default and only granted after an active opt-in. We also disable Google Signals and advertising personalisation signals by default.
If you do not consent to analytics cookies, we may still use a privacy-friendly fallback pageview measurement system without analytics cookies. This fallback currently records limited event data such as the visited path, referrer, timestamp and platform so that we can understand basic website usage and maintain the website. We do not intentionally store IP addresses in our own application analytics payloads or analytics database for this fallback system, although hosting or network providers may still process IP addresses in server or network logs.
3.8 Affiliate links
Some pages include affiliate links. If you click an affiliate link, the relevant partner or network may process technical attribution data and may place its own cookies or similar technologies, subject to its own privacy information and the consent requirements that apply. We may receive reporting about clicks, conversions or commissions, but we do not intentionally receive your full payment card data from affiliate networks.
4. Legal bases
Under the GDPR/AVG, we rely on one or more of the following legal bases depending on the processing activity:
Performance of a contract: for account access, purchases, memberships, fulfilment, billing and operational service messages.
Legitimate interests: for customer service, website security, fraud prevention, short-term logging, internal troubleshooting, certain non-cookie privacy-friendly analytics and general website administration, provided these interests are not overridden by your rights and freedoms.
Consent: for analytics cookies, consent-based tracking technologies and any other processing where consent is required.
Legal obligation: where we must retain or disclose data for tax, accounting, fraud prevention, law enforcement or other legal compliance purposes.
5. Cookies and browser storage in use
The website currently uses or may use the following categories of cookies or similar browser storage:
Strictly necessary/security: authentication/session cookies, CSRF/session initialization cookies, captcha verification cookies, and similar measures required to keep the website secure and working properly.
Preferences: language preference cookies and consent preference storage in the browser.
Analytics: Google Analytics cookies only after your consent.
Local storage: consent preferences and, where you use the chatbot, recent chat history stored in your own browser.
You can change your analytics consent using the website's consent controls. Refusing analytics cookies does not block access to the website.
6. Recipients and service providers
We may share personal data with service providers or recipients where necessary for the purposes described above, including:
Hosting and infrastructure providers used to run the website and APIs.
Cloud storage and media delivery providers used to store uploaded media.
Google services used for consent-based analytics.
Payment and checkout providers used to process orders and memberships.
Email providers used to send transactional emails and handle contact form messages.
AI/chat infrastructure providers and model providers used to generate chatbot responses.
Affiliate networks or partner platforms when you interact with affiliate links.
Professional advisers, authorities or counterparties where disclosure is required or reasonably necessary by law or to protect our legal position.
We do not sell your personal data to third parties for their own independent marketing use.
7. International transfers
Some of our service providers may process personal data outside the European Economic Area, including in countries such as the United States. Where that happens, we aim to use a lawful transfer mechanism, for example an adequacy decision where available, or standard contractual clauses and supplementary measures where required.
Because international transfer arrangements can vary by provider and may change over time, you can contact us if you want more specific information about the safeguards relevant to a particular processing activity.
8. Retention periods
We keep personal data only for as long as necessary for the purposes described above, unless a longer retention period is required by law. In general:
Contact form submissions and customer service correspondence are kept for as long as reasonably necessary to handle the enquiry and any follow-up, and then for a limited period for record-keeping.
Account data is kept while your account remains active and for a limited period afterwards where needed for security, dispute handling or legal compliance.
Order, invoice and core administration records are generally kept for 7 years where required for Dutch tax and accounting compliance.
Consent preferences are stored in the browser for up to 12 months unless you clear them sooner.
Captcha, verification and rate-limit-related data is kept for short periods only, typically minutes or hours, unless a longer period is necessary to investigate abuse or security incidents.
Analytics data is kept only for as long as necessary under the relevant tool settings and our operational needs.
9. Your rights
Under the GDPR/AVG, you may have the right to:
request access to the personal data we hold about you;
request correction of inaccurate or incomplete data;
request deletion of personal data in certain circumstances;
request restriction of processing in certain circumstances;
object to processing based on legitimate interests;
withdraw consent at any time where processing is based on consent;
receive a copy of certain data in a portable format where the right to data portability applies;
lodge a complaint with the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.
You can exercise your rights by emailing info@mysanctuary.nl. We aim to respond within one month.
10. Automated decision-making
We do not intentionally use solely automated decision-making or profiling that produces legal effects or similarly significant effects on you within the meaning of the GDPR.
11. Complaints
If you have a complaint about how we use your personal data, please contact us first so that we have a chance to resolve the issue. You also have the right to submit a complaint to the Autoriteit Persoonsgegevens via its official website.
12. Changes to this policy
We may update this Privacy & Cookie Policy from time to time to reflect changes in the law, our providers or the way the website works. The latest version will always be published on this page with the updated revision date above.