Privacy Policy

Applicable to the Business Partnership Program with Khí Tâm Therapy
Version 1.0 · Effective date: 17 July 2026
Operated by: Khi Tam Trading Limited (registered in England and Wales)  & Khi Tam Vietnam Ltd (authorised agent in Vietnam)

1. Introduction

This Privacy Policy ("Policy") describes how Khi Tam Trading Limited and its affiliates ("Khí Tâm", "we", "us") collect, use, store, and protect the personal data of Partners who register for the Business Partnership Program with Khí Tâm Therapy.

The Program comprises three Partner types:

  • Affiliate (CTV) — refers customers, earns commission
  • Master Trainer Partner (ĐTĐT) — holds Khí Tâm 500h/800h/1,200h certification, co-teaches
  • Business & Training Partner (KDĐT) — has (or plans) a physical venue

This Policy is designed to comply concurrently with:

  1. UK GDPR & Data Protection Act 2018 (primary framework — Khi Tam Trading Limited is registered in England and Wales)
  2. EU GDPR (for Partners in the EEA)
  3. Vietnam PDPD (Decree 13/2023/NĐ-CP) for Vietnamese Partners
  4. California CCPA/CPRA where applicable

Where frameworks differ, we apply the stricter standard.

2. Data Controller

Legal entityKhi Tam Trading Limited
Registered office91 Pathfield Road, London SW16 5PA, United Kingdom
VN agentKhi Tam Vietnam Ltd — Business licence 0317781218
Companies House15271299
ICO RegistrationPending (expected 3-10 days)
Data Protection contactsupport@khitamtherapy.com
FounderMaster Sridevi Tố Hải (Lê Thị Tố Hải)

3. Data we collect

3.1 Identity & contact data

  • Full name, email, phone, country code
  • City/Province, full address (if provided)
  • Legal entity type (VN individual / International / UK / other)

3.2 Professional & organisational data

  • Khí Tâm certification level (500h / 800h / 1,200h) — for ĐTĐT
  • Years of teaching, number of students (optional)
  • Company/organisation info (optional): name, type, website, address, industry
  • Venue information (KDĐT): address, area, existing or planned

3.3 Financial data

  • Payout method (VN Bank / UK Bank / Wise / Stripe)
  • Bank account number, account holder name, bank name
  • Tax ID (if applicable)
  • We do NOT store full credit card numbers — all payments are processed via Stripe; we see only the last 4 digits and transaction metadata.

3.4 Technical data

  • IP address, browser type, device identifiers, session cookies (collected automatically)
  • Referral source (referral code, UTM parameters)

4. Purposes & Legal Bases

PurposeUK/EU GDPR basisVietnam PDPD basis
Reviewing Partner applicationsArt. 6(1)(b) — Contract performanceArt. 11 — Consent + Contract
Calculating commission, processing payoutsArt. 6(1)(b)+(c) — Legal obligationArt. 11 — Contract
Fraud prevention, compliance checksArt. 6(1)(f) — Legitimate interestArt. 12 — Legitimate interest
Training updates, policy changesArt. 6(1)(b) — Within contract scopeArt. 11 — Consent
Marketing emailsArt. 6(1)(a) — Opt-in consentArt. 11 — Opt-in consent

5. Third-party sharing

We share your data only with necessary service providers: Stripe, Wise, Vercel, Neon (Postgres), Resend/Microsoft 365, Cloudflare, and tax authorities (where legally required).

We do NOT sell your data to any third party.

6. International transfers

Your data may be transferred from Vietnam to the UK (where Khi Tam Trading Limited is established), relying on UK Adequacy Regulations, Standard Contractual Clauses (SCCs), and PDPD Art. 25.

7. Retention periods

  • Active Partner records: duration of partnership + 7 years
  • Rejected applications: 12 months, then permanent deletion
  • Financial data, payout invoices: 7 years
  • Technical access logs: 90 days
  • Session cookies: until browser closed (session) or 12 months (persistent)

8. Your rights

Under GDPR and PDPD, you have the rights of access, rectification, erasure ("right to be forgotten"), restriction, data portability, objection to direct marketing, withdrawal of consent, and complaint to a supervisory authority.

To exercise these rights, email support@khitamtherapy.com. We respond within 30 days (extendable to 60 for complex cases).

9. Security measures

  • All data encrypted with TLS 1.3 in transit
  • Passwords hashed with bcrypt (cost factor ≥ 12)
  • Database encrypted at rest (Neon Postgres)
  • Admin access requires mandatory 2FA
  • Audit logs for all sensitive-data changes
  • Daily backups with 30-day retention

10. Data breach handling

In the event of a breach: within 72 hours we notify ICO (UK) and the Cyber Security Department (VN); within 7 days we notify affected individuals if high risk.

11. Cookies

Our website uses essential cookies (no consent required), analytics cookies (GA4, Meta Pixel — consent via banner), and marketing cookies (Facebook Ads, TikTok — separate consent).

12. Children

The Partner Program is NOT for anyone under 18. If you are under 18, please do not register.

13. Changes to this Policy

We may update this Policy periodically. You will be notified by email at least 14 days before any material change.

14. Contact

Email: support@khitamtherapy.com
Address: 91 Pathfield Road, London SW16 5PA, United Kingdom