Legal
Privacy Policy
Technical status
The website is delivered through Cloudflare Pages. Forms are processed by a serverless function and forwarded as email using Mailgun in the EU region. No analytics or tracking services are currently active.
We, Psychedelia Retreats ("we", "us", "our"), are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your information when you apply for or participate in our retreats.
Last updated: 13 July 2026
1. Data Controller
The party responsible for data processing within the meaning of the GDPR is:
Novuni BVKarveelweg 20
6222NH Maastricht
Netherlands
Email: [email protected]
Please send data protection enquiries to [email protected].
2. What Data We Collect
We may collect personal data from you, such as:
- Name and email address
- A motivational statement regarding your interest in the retreat
- Information about previous psychedelic experiences (if provided)
- Information gathered during the medical and psychological screening process
- Feedback and survey responses (if you choose to participate in research)
Medical and psychological screening data, as well as information about psychedelic experiences, may be special categories of personal data within the meaning of Art. 9 GDPR. We process this data on the basis of your explicit consent under Art. 9(2)(a) GDPR, obtained during the application or screening process. Consent is voluntary and may be withdrawn at any time by email with effect for the future. Without the information required for screening, we cannot assess your suitability for participation.
3. How We Use Your Data
We use the information we collect for the following purposes:
- to evaluate your application for the retreat
- to communicate with you regarding your application, the screening process, and retreat logistics
- to ensure your safety and the suitability of the retreat for you
- to carry out the retreat programme and provide appropriate support
- for internal planning and operational purposes
- for research purposes, where you have given explicit consent (the data is anonymised and aggregated)
Legal bases: Art. 6(1)(b) GDPR applies to processing your application, taking pre-contractual steps, and delivering a booked retreat. Technical operation, website security, server logs, and internal organisation required for safe delivery are based on our legitimate interests under Art. 6(1)(f) GDPR. Newsletter communication and voluntary research are based on your consent under Art. 6(1)(a) GDPR; Art. 9(2)(a) GDPR also applies to special categories of personal data.
4. Confidentiality and Disclosure of Data
Your personal data is treated confidentially. We do not sell or rent your personal data or disclose it for third-party marketing purposes. Access is limited to authorised team members and external professionals – in particular physicians, psychotherapists, and facilitators – insofar as this is necessary for the suitability assessment and safe delivery of the retreat. All persons involved are subject to confidentiality obligations. We may also disclose information where legally required to do so.
For retreats outside the European Union, particularly in Jamaica, we transfer personal data to professionals or retreat partners located there only to the extent necessary for suitability assessment, organisation, and safe delivery. Depending on the circumstances, such transfers are safeguarded by appropriate safeguards under Art. 46 GDPR, in particular EU standard contractual clauses, or are based on explicit consent following prior information in accordance with Art. 49 GDPR.
5. Your Rights
You have the right to:
- request access to the personal data we hold about you (Art. 15 GDPR)
- request the correction of inaccurate data (Art. 16 GDPR)
- request the deletion of your personal data, subject to statutory and ethical retention obligations (Art. 17 GDPR)
- request the restriction of the processing of your data (Art. 18 GDPR)
- receive your data in a structured, commonly used, and machine-readable format, or have it transferred to another controller (Art. 20 GDPR)
- object to the processing of your data where it is based on legitimate interests (Art. 21 GDPR)
- withdraw any consent given at any time, with effect for the future (Art. 7(3) GDPR)
- lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). For the controller based in the Netherlands, this is the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). You may also contact the supervisory authority at your habitual place of residence in the European Union.
To exercise these rights, or if you have questions about this Privacy Policy, please contact us at [email protected].
6. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of changes by posting the new Privacy Policy on this page. We recommend that you review this Privacy Policy periodically for changes.
7. Services and Processing Carried Out by the Platform
Current technical status
The following sections (7.1–7.5) describe the current technical processing operations. Google Analytics 4 and an automated newsletter marketing solution are planned but not active. Active email delivery for forms uses Mailgun.
7.1 Google Analytics 4 (audience measurement) – planned, not currently active
The use of Google Analytics 4, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), is currently only planned and not active. Google Analytics therefore does not measure use of this website, and no cookies or comparable technologies are used for this purpose.
- Planned legal basis: It will only be activated after prior consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG.
- Consent management: Before activation, a consent management tool will be introduced to prevent loading without prior consent and to enable withdrawal.
- Update: If activated, this Privacy Policy will be supplemented with the specific configuration, recipients, retention period, and any third-country transfers.
7.2 Mailgun (form and transactional emails)
We use Mailgun by Sinch Mailgun to deliver form and transactional emails. Mailgun is configured for the EU region; email and form data is processed in the European Union. Form submissions are sent by email to the Psychedelia Foundation mailbox at [email protected].
- Purpose: Secure delivery of application, contact, and other form submissions, as well as contract-related communications.
- Legal basis: Art. 6(1)(b) GDPR for applications, pre-contractual steps, and contract-related communications; Art. 6(1)(f) GDPR for general contact enquiries.
- Newsletter: The newsletter form currently only forwards the submitted email address to the stated mailbox as an expression of interest. Automated newsletter delivery and marketing automation are not active. Before activation, a double opt-in process based on consent under Art. 6(1)(a) GDPR will be introduced.
7.3 Cloudflare Pages (hosting & form processing)
The website is delivered statically through Cloudflare Pages, a service of Cloudflare, Inc., USA. When the website is accessed, Cloudflare processes technically necessary connection and server log data, in particular the IP address, time, resource accessed, and user agent. A serverless function receives form submissions and passes them to Mailgun for email delivery.
- Purpose and legal basis: Website delivery, stability, and security based on our legitimate interests under Art. 6(1)(f) GDPR; form submissions are processed, depending on their purpose, under Art. 6(1)(b), (f), or – for information dependent on consent – (a) GDPR.
- Form security: Data is transmitted using TLS encryption. No database of form submissions is maintained on the server. A honeypot protects against spam without tracking users.
- Third-country transfer: Cloudflare is a provider based in the USA. Transfers are safeguarded by EU standard contractual clauses and Cloudflare’s certification under the EU-US Data Privacy Framework.
- Local content: Fonts and images are self-hosted; no fonts or images are requested from Google CDNs at runtime.
7.4 Cookies & Consent Management
This website currently uses only the functional language cookie i18n_redirected. It stores the selected language so that the website can be provided in the language version you requested.
- Necessity: The cookie is required for the language selection expressly requested by the user. Under § 25(2) no. 2 TDDDG, no consent is required for its storage; the associated processing is based on Art. 6(1)(f) GDPR.
- No services requiring consent: Because no analytics, tracking, or marketing services are currently active, no consent banner is present.
Before activating any service that requires consent, we will introduce a consent management tool and update this Privacy Policy.
7.5 Server Logs & Security
Cloudflare processes technically necessary server logs to deliver the website, defend against attacks, and investigate faults. The legal basis is our legitimate interest in secure and stable operation under Art. 6(1)(f) GDPR. Log data is retained only for as long as necessary for these purposes and is then deleted or anonymised, unless a statutory obligation or the investigation of a specific security incident requires longer retention.
8. Retention Period & Deletion
We store your personal data only for as long as necessary for the respective purposes, or as required by statutory, contractual, and ethical retention obligations. After that, the data is deleted or anonymised. The specific periods depend on the type of data:
8.1 Application Data
We store application data for the duration of the application process and any subsequent participation relationship. If no participation results, we delete the application data no later than six months after the process is concluded, unless you have consented to longer retention. Statutory retention obligations remain unaffected.
8.2 Interest List
If you have registered your non-binding interest in upcoming retreats or dates, we store the email address provided for as long as necessary to process your expression of interest, until you withdraw, or until the interest has evidently lapsed. The address is then deleted unless statutory retention obligations apply.
8.3 Screening and Health Data
We store medical and psychological screening data and information about psychedelic experiences only for as long as necessary for the suitability assessment, safe delivery of the retreat, and any required follow-up. It is then deleted. Statutory or professional documentation and retention obligations of the professionals involved remain unaffected. Data used for research on the basis of separate consent is anonymised as soon as identifying information is no longer required for the research purpose.
8.4 Newsletter and Contact Data
The email address submitted through the newsletter form is currently treated as an expression of interest and retained in accordance with Section 8.2. Once a newsletter is activated, we will store delivery data until you unsubscribe or withdraw consent; it will then be deleted unless limited evidence of consent is required to meet statutory accountability or defence obligations. Data from general contact enquiries is deleted once the enquiry has been conclusively processed and no statutory retention obligations apply.
Questions About Data Protection
If you have questions about this Privacy Policy or wish to exercise your rights, you can reach us at [email protected]. The Imprint with the full provider information can be found under Imprint.