Privacy Policy
Applicable to the Business Partnership Program with Khí Tâm Therapy
Version 1.0 · Effective date: 17 July 2026
Operated by: Khi Tam Trading Limited (registered in England and Wales) & Khi Tam Vietnam Ltd (authorised agent in Vietnam)
1. Introduction
This Privacy Policy ("Policy") describes how Khi Tam Trading Limited and its affiliates ("Khí Tâm", "we", "us") collect, use, store, and protect the personal data of Partners who register for the Business Partnership Program with Khí Tâm Therapy.
The Program comprises three Partner types:
- Affiliate (CTV) — refers customers, earns commission
- Master Trainer Partner (ĐTĐT) — holds Khí Tâm 500h/800h/1,200h certification, co-teaches
- Business & Training Partner (KDĐT) — has (or plans) a physical venue
This Policy is designed to comply concurrently with:
- UK GDPR & Data Protection Act 2018 (primary framework — Khi Tam Trading Limited is registered in England and Wales)
- EU GDPR (for Partners in the EEA)
- Vietnam PDPD (Decree 13/2023/NĐ-CP) for Vietnamese Partners
- California CCPA/CPRA where applicable
Where frameworks differ, we apply the stricter standard.
2. Data Controller
| Legal entity | Khi Tam Trading Limited |
| Registered office | 91 Pathfield Road, London SW16 5PA, United Kingdom |
| VN agent | Khi Tam Vietnam Ltd — Business licence 0317781218 |
| Companies House | 15271299 |
| ICO Registration | Pending (expected 3-10 days) |
| Data Protection contact | support@khitamtherapy.com |
| Founder | Master Sridevi Tố Hải (Lê Thị Tố Hải) |
3. Data we collect
3.1 Identity & contact data
- Full name, email, phone, country code
- City/Province, full address (if provided)
- Legal entity type (VN individual / International / UK / other)
3.2 Professional & organisational data
- Khí Tâm certification level (500h / 800h / 1,200h) — for ĐTĐT
- Years of teaching, number of students (optional)
- Company/organisation info (optional): name, type, website, address, industry
- Venue information (KDĐT): address, area, existing or planned
3.3 Financial data
- Payout method (VN Bank / UK Bank / Wise / Stripe)
- Bank account number, account holder name, bank name
- Tax ID (if applicable)
- We do NOT store full credit card numbers — all payments are processed via Stripe; we see only the last 4 digits and transaction metadata.
3.4 Technical data
- IP address, browser type, device identifiers, session cookies (collected automatically)
- Referral source (referral code, UTM parameters)
4. Purposes & Legal Bases
| Purpose | UK/EU GDPR basis | Vietnam PDPD basis |
|---|---|---|
| Reviewing Partner applications | Art. 6(1)(b) — Contract performance | Art. 11 — Consent + Contract |
| Calculating commission, processing payouts | Art. 6(1)(b)+(c) — Legal obligation | Art. 11 — Contract |
| Fraud prevention, compliance checks | Art. 6(1)(f) — Legitimate interest | Art. 12 — Legitimate interest |
| Training updates, policy changes | Art. 6(1)(b) — Within contract scope | Art. 11 — Consent |
| Marketing emails | Art. 6(1)(a) — Opt-in consent | Art. 11 — Opt-in consent |
5. Third-party sharing
We share your data only with necessary service providers: Stripe, Wise, Vercel, Neon (Postgres), Resend/Microsoft 365, Cloudflare, and tax authorities (where legally required).
We do NOT sell your data to any third party.
6. International transfers
Your data may be transferred from Vietnam to the UK (where Khi Tam Trading Limited is established), relying on UK Adequacy Regulations, Standard Contractual Clauses (SCCs), and PDPD Art. 25.
7. Retention periods
- Active Partner records: duration of partnership + 7 years
- Rejected applications: 12 months, then permanent deletion
- Financial data, payout invoices: 7 years
- Technical access logs: 90 days
- Session cookies: until browser closed (session) or 12 months (persistent)
8. Your rights
Under GDPR and PDPD, you have the rights of access, rectification, erasure ("right to be forgotten"), restriction, data portability, objection to direct marketing, withdrawal of consent, and complaint to a supervisory authority.
To exercise these rights, email support@khitamtherapy.com. We respond within 30 days (extendable to 60 for complex cases).
9. Security measures
- All data encrypted with TLS 1.3 in transit
- Passwords hashed with bcrypt (cost factor ≥ 12)
- Database encrypted at rest (Neon Postgres)
- Admin access requires mandatory 2FA
- Audit logs for all sensitive-data changes
- Daily backups with 30-day retention
10. Data breach handling
In the event of a breach: within 72 hours we notify ICO (UK) and the Cyber Security Department (VN); within 7 days we notify affected individuals if high risk.
11. Cookies
Our website uses essential cookies (no consent required), analytics cookies (GA4, Meta Pixel — consent via banner), and marketing cookies (Facebook Ads, TikTok — separate consent).
12. Children
The Partner Program is NOT for anyone under 18. If you are under 18, please do not register.
13. Changes to this Policy
We may update this Policy periodically. You will be notified by email at least 14 days before any material change.
14. Contact
Email: support@khitamtherapy.com
Address: 91 Pathfield Road, London SW16 5PA, United Kingdom