Introduction

Protecting data effectively is particularly important to me. This applies both to my own data and to the data of my Reiki students. I therefore adhere to all legal regulations with the utmost care, responsibility and integrity, in particular the Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). Important note: the DSG and the GDPR are very extensive and are therefore neither reproduced in full on the reiki.cc website, nor do I comment on every paragraph. Furthermore, not all technical terms are explained in detail (e.g. what a WLAN modem is), because the meaning of most terms can be assumed nowadays. However, I will inform you in the best possible and most detailed way in my own words (comprehensible and practical, without a lot of legalese and without “copy & paste” templates, data protection generators or AI applications) about the essential provisions of data protection, in particular which personal data I process, how and why, and for how long and in what form the data is stored. Furthermore, I will inform you about contact options and, of course, about your rights.

Data protection information

1) Purpose, manner, place and duration of data processing and data storage

Let’s start with how you can get in touch with me and which data is processed and stored; why, how, where and for how long. You can contact me either by e-mail, telephone, SMS (“normal” SMS, not messenger services such as WhatsApp, Telegram and the like), by post or in person (by coming to my front door unannounced).

Let’s start in reverse order: if you ring my doorbell and speak to me in person, no data is stored. Since I am not always at home, or may be at home but busy and without time for you, I would like to point out that this option is not particularly useful. But no data is collected and therefore none is stored.

If you send me a letter by post, you would have to provide some means of contact, otherwise communication by post makes little sense. If you want me to send you a letter back, your name and address will only be kept (“stored”) by me for as long as is necessary for writing and sending the letter. Once the letter has been posted, your data is no longer with me and is therefore no longer stored (by that time your letter, with your name and address, has already been shredded).

In “modern” times, however, it makes more sense to contact me by text message, or ideally by e-mail, or even better: by telephone! In these three cases, your data will be stored for as long as is necessary and useful for answering your questions or finding an appointment.

What data would be collected in these cases and then stored and how? When you contact me by telephone or text message, only your telephone number is stored in the call list or text message history on my smartphone, and for as long as is necessary and useful to answer your questions. After that, the telephone number will be deleted from the call list or the entire SMS history.

Note: if you call me on the landline phone number, the call is currently forwarded to my mobile phone number, i.e. my smartphone. Calls to the landline are therefore equivalent to calls to the mobile number in terms of data protection.

If an appointment is made, your telephone number will be kept in the call list or the SMS history on my smartphone until the appointment, in case of any queries or postponements. After all, I need to be able to inform you if something comes up. Otherwise, as described at the beginning, you’ll be standing on my doorstep and I won’t be there.

You are also free to tell me your name (first name(s) and/or surname and academic title(s)) by text message or telephone. However, your name(s) and academic title(s) will not be stored anywhere (e.g. handwritten notes and the like), not even on my smartphone (e.g. in the “Contacts” app).

If an appointment has been made and the seminar has taken place, your telephone number will be deleted from the call list and/or the entire SMS history from my smartphone at the end of the seminar.

Further information: the agreed appointments are only saved in the “Notes” app on the smartphone and without any reference to names. I only note which day and time was agreed.

Which brings us to the last (first) option, namely contact by email. If you send me an email, your email address will be stored in my inbox for as long as it is necessary and useful for the reasons mentioned above.

You are also free to tell me your name(s) and academic title(s) in the e-mail. You don’t have to, but it is an advantage in terms of civilized communication. In addition, unlike communication by telephone or text message, I do not have to remember your name because it is in the e-mail.

The following also applies to e-mail: your e-mail address and the entire e-mail history will be stored in the e-mail program for as long as is necessary and useful for your questions and/or an appointment. After that, the e-mail address is deleted by first moving all e-mails to the recycle bin and then immediately deleting them permanently from the recycle bin.

The e-mail program is configured so that e-mail addresses are not automatically saved under “Contacts”.

Three exceptions where it is necessary that your name is also sent by e-mail:

Firstly, if you would like to make an appointment for a seminar with me and have completed the previous Reiki level with another Reiki teacher, you will be asked to send me the certificate of the previous level. It is of course also possible to bring the certificate in person. If the certificate is sent by e-mail, I hereby confirm that the previous Reiki level has been completed and then delete the entire e-mail from the inbox and then immediately from the recycle bin.

You can therefore assume that your data will only be stored on the certificate for inspection for a few minutes.

Secondly, if I make a home visit in the case of people with restricted mobility and receive the signed Declaration of Consent (this also contains further data: address, telephone number, e-mail address, date, Reiki level) by email in advance.

In this case, the Declaration of Consent is immediately stored in encrypted form on the computer and on external storage media. As with the first option, the e-mail is then immediately deleted in its entirety, including the attachment.

Upon receipt of the Declaration of Consent, I will provide you with my account details and send you the invoice (which contains only your address in addition to your name) by e-mail immediately after receipt of payment.

The invoice is already stored in encrypted form on my computer and will be irretrievably deleted from the e-mail program together with the e-mail immediately after it has been sent.

Thirdly, in the case of a telephone consultation, where the procedure is the same as in the second case.

Note: in the interests of a smoother administrative process, it is an advantage if you inform me of your name and home address when you make an appointment, either by telephone or by e-mail. Why? Because I can then prepare the invoice and the certificate with these two details in advance and do not have to enter and print them while you are present. This is purely a recommendation and is not mandatory.

In the case of telephone notification, the data is written down by hand, the documents are created and stored in encrypted form and the note is then shredded. If you send it by e-mail, the documents are also created in the same way and your data is immediately deleted from the e-mail program.

These are the different ways in which, and where, your data is processed and stored by me via these contact options. In these cases, your data will not be stored in the e-mail program or on my smartphone for any longer than that.

The following exception: in all cases in which there is no refund of your already paid fee (e.g. because you have canceled an ongoing seminar prematurely), I will send you an e-mail stating why the fee was not refunded, together with a reference to the respective passage(s) of the GTC. This e-mail will remain in my outbox for three years. Why? Because I store it for this customary period (the limitation period) in order to provide evidence in the event of any claims.

But what about other storage media and the data on the invoice, the Declaration of Consent and the certificate (hereinafter referred to as “documents”)?

The following data is available/stored on the documents: your first name(s) and surname and academic title(s) (if applicable). Furthermore, the Reiki level to which you have been initiated and the date of initiation.

The Declaration of Consent and the invoice also state your home address (invoices must include the name and address of the recipient of the service for amounts of 400 euros or more) and the Declaration of Consent also states your e-mail address, your telephone number and both of your signatures.

The e-mail address and telephone number are therefore required in order to be able to verify you in the event that your rights are granted (e.g. correction of data). It would be easier to also store your date of birth. However, I do not do this because I want to keep personal data to a minimum.

I therefore hereby explicitly and unequivocally point out that no further data about you will be collected, processed or stored, in particular date of birth, gender, health data, conversation notes, etc., nor any other data or information you may have voluntarily provided me with, regardless of the communication channel. I would also like to point out that your documents will only be saved as PDF files and that your data will not be saved again in other programs such as Excel, Access and the like.

Further note: if you send me personal data of your own accord that goes beyond the requested data (e.g. ID card data, health data, etc.), I will delete it immediately and you will receive a notification that it has been deleted. The notification of the deletion of unsolicited data remains stored in the e-mail program for three years as proof of deletion.

What happens if you make a bank transfer to my account? In this case, your account details are stored at my bank. My bank is an Austrian bank and, like every bank, is subject to strict regulations that guarantee the greatest possible security. Your account number identifies you, which is why an account number also falls under “personal data”. I therefore handle this data just as carefully as all other data. Access to online banking is only possible with a password or fingerprint. The account statements, which also contain your account number, are stored on my computer in encrypted form.

How long will your documents be stored?

In Austria, there is an obligation to keep records. I am therefore obliged to keep books and records for tax collection (see federal tax regulation) for seven years, or even longer if proceedings are pending. This means that I must store the invoice and the account statements for at least seven years (the retention period always begins at the end of the calendar year in which the invoice was issued).

The Declaration of Consent is stored for the same period of time as the invoice in order to be able to provide information for possible legal claims or to be able to verify you for your requests (e.g.: correction of your data).

Both the invoice and the Declaration of Consent will be permanently and irretrievably deleted (and without notification to you) no later than three years after expiry of the retention obligation.

I will store the certificate for as long as I have a valid business license so that I can issue you a new certificate if you lose your certificate. If the invoice and the Declaration of Consent have already been deleted due to the expiry of the deadline, I can still issue you a new certificate with the correct date of initiation at that time.

Special provision: in the case of a telephone consultation (as described in point 4 of the GTC), a screenshot of the smartphone screen will be taken after the call, showing which telephone number I spoke to and for how long. This serves as proof that the call for which you paid took place. The screenshot is stored on the computer and on the external storage media for three years. Why? Because after this period, claims can generally be considered time-barred. After this period, the screenshot is irretrievably deleted.

What about the granting of your rights, e.g. information, correction or deletion of data? If I, as the controller, respond to your request, the correspondence will be stored in the e-mail program for three years in order to prove that I have fulfilled my obligation to respond to your request. After three years, the correspondence will be permanently deleted without notification to you. In the case of a final deletion of all data, the confirmation e-mail and its correspondence are also permanently deleted immediately after the confirmation has been sent, because otherwise it would not be a complete deletion. If you then submit a new application for information, you can logically only receive a negative response.

Which brings us to the next important point, namely the security and protection of your data.

2) Security and data protection

Your data and documents are protected in the best possible way by means of organizational and technical measures. In detail, this is done as follows:

Only I have access to the smartphone, e-mail address, computer and external storage media. All carriers of data and documents are password-protected and no one, except myself, is in possession of the passwords. Unless it is a pure combination of numbers, the passwords are always a combination of upper and lower case letters + numbers + special characters.

All documents with the data are stored exclusively electronically. During a seminar, one copy each of the Declaration of Consent, the invoice and the certificate is made using a photocopier (the Reiki student receives the originals at the end of the seminar). After the seminar, the copies are scanned and saved on the computer and the external storage media. The copies are shredded immediately after storage. A shredder with security level P-7 is used for this purpose. P-7 is the highest security category according to DIN 66399. Furthermore, P-7 also fulfills the NSA/CSS (National Security Agency / Central Security Service) requirements, which are prescribed for the highest levels of secrecy.

What about the security of the computer, the external storage media and the computer programs?

All data/documents are stored on three independent, highly secure systems.

System 1 (external storage media): 256-bit AES hardware encryption, FIPS 140-2 Level 3 certification, password-protected (more than 50 characters), irrevocable data deletion after 10 incorrect entries
(AES: Advanced Encryption Standard; FIPS: Federal Information Processing Standard)

System 2 (external storage media): 256-bit AES hardware encryption, FIPS-compliant, PIN authentication (15 digits = 1 trillion variants), irrevocable data deletion after 10 incorrect entries

System 3 (computers and external storage media): 256-bit AES/Twofish/Serpent (three ciphers in a cascade; XTS mode) software encryption, password-protected (more than 50 characters + a combination of more than 1000 key files)
(Twofish/Serpent: additional symmetric encryption algorithms)

In principle, storing the data only on the computer would be enough (and would also reduce the risk of someone accessing another system), but I feel a strong obligation to back up the data, which is why there are also external storage media. Nothing lasts forever, not even a computer. A sudden software or hardware failure and all data is gone. To avoid these situations, I have additional backups.

The smartphone is protected by fingerprint + PIN code (more than 10 digits). Each individual app on the smartphone (e.g.: notes, bank, e-mail, SMS) is also protected and can only be unlocked using a fingerprint. If the fingerprint does not work, the second option is only possible by entering a PIN code (more than 10 digits). The smartphone itself is always up to date with the latest software.

The computer also has the latest version of the operating system and firewall.

Furthermore, the smartphone and computer are equipped with software that recognizes and fends off threats from the Internet in the best possible way according to current technical standards. The software also regularly checks for data leaks.

The WLAN modem for the Internet connection is also password-protected (more than 20 characters), security type WPA2 and all connections are made exclusively via VPN (Virtual Private Network).

The e-mail address is protected by a password (more than 30 characters) + two-factor authentication (authenticator app on the smartphone).

And one more piece of information about deleting the history: every time I use a PDF of your documents, the corresponding entry in the registry is deleted, which means that it is no longer possible to see the names of the last PDF used in the history of the PDF program.

And finally: when the documents are finally deleted from the encrypted data carriers, the entire free space (i.e. including the recycle bin, where all the “deleted” files still exist and are merely waiting to be overwritten) is then shredded on the computer using the Gutmann method. All data is therefore overwritten 35 times and can no longer be restored.
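As an added illustration of the Gutmann method mentioned above (example code written for this page, not the author's own tooling), the block below overwrites a single file with Gutmann's 35-pass sequence (4 random passes, 27 fixed byte patterns, 4 random passes) and then removes it. It wipes one file rather than the whole free space of a drive, which a wiping tool does by filling the free space with such a file until the disk is full. The sample "PDF" it writes to a temporary file is constructed. One caveat a practitioner would add: in-place overwriting is reliable on magnetic disks, while on SSDs and flash media wear levelling can leave old copies of the blocks untouched, so the page's combination of encrypted carriers plus wiping is what actually keeps remnants unreadable there.

```python
import os
import tempfile

# Gutmann's 27 fixed patterns (passes 5 to 31). The three-byte patterns were
# designed for old MFM/RLL disk encodings; the single bytes cover every
# bit combination.
_GUTMANN_FIXED = (
    [b"\x55", b"\xAA",
     b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49"]
    + [bytes([v * 0x11]) for v in range(16)]        # 0x00, 0x11, ..., 0xFF
    + [b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
       b"\x6D\xB6\xDB", b"\xB6\xDB\x6D", b"\xDB\x6D\xB6"]
)


def gutmann_passes():
    """Return the full 35-pass sequence; None marks a random-data pass."""
    return [None] * 4 + list(_GUTMANN_FIXED) + [None] * 4


def _fill(pattern, size):
    """Produce `size` bytes of the pass pattern (random data for None)."""
    if pattern is None:
        return os.urandom(size)
    reps = size // len(pattern) + 1
    return (pattern * reps)[:size]


def wipe_file(path):
    """Overwrite `path` in place with all 35 passes, sync each pass to disk,
    then unlink it. Returns the number of passes performed."""
    size = os.path.getsize(path)
    passes = gutmann_passes()
    with open(path, "r+b", buffering=0) as fh:
        for pattern in passes:
            fh.seek(0)
            fh.write(_fill(pattern, size))
            fh.flush()
            os.fsync(fh.fileno())      # make sure the pass reached the device
    os.remove(path)
    return len(passes)


def demo_wipe():
    """Constructed sample: write a fake PDF to a temp file, wipe it and
    report (passes performed, whether the file still exists)."""
    fd, path = tempfile.mkstemp(suffix=".pdf")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample certificate, not a real document\n" * 100)
    passes = wipe_file(path)
    return passes, os.path.exists(path)


if __name__ == "__main__":
    print(demo_wipe())      # (35, False)
```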

All these measures represent the greatest possible security according to the current state of the art. However, I would like to point out once again – as already described in point 18 of the GTC – that there can be no 100% security. On the one hand, individuals or organizations can gain access to computers and smartphones and, on the other hand, a password can be guessed at random or cracked if you only try all variants long enough. But to give you an idea of what this means for software encryption on storage media: a 256-bit encryption means that there are approximately 10⁸⁰ possibilities. To visualize this: if one possibility were a grain of rice, then 256-bit corresponds to the entire universe full of grains of rice. Finding a particular grain of rice by chance in the entire universe is, I would say, impossible. And even with a systematic brute force attack, it would take longer than the universe will still exist according to current knowledge … I can’t say now whether this will still be the case in the future with the use of quantum computers. When the time comes, there will be an update on data security on this website. Today, in the here and now, your data is protected in the best possible way.

3) Disclosure of data

Your data and documents will not be passed on to anyone unless there is a legal basis for a request to do so from official/governmental bodies (e.g. tax office, court). Your data and documents will never be passed on by me, not even to my tax consultancy firm as part of the annual tax return. The tax consultancy firm will only receive the income, but no associated personal data.

4) Technical data

Reiki is a simple technique. With this in mind, I have also commissioned the design of the website. As you will have noticed, when you visit the website, there is no cookie banner where you have to agree, disagree or whatever. No. I don’t have any of these technical bells and whistles. I prefer to eat cookies with lots of chocolate chips, but I don’t need to see cookie banners on my screen all the time. Since many other users feel the same way, there are no cookie banners on the reiki.cc website that you have to react to. This just holds you up and gets you “out of the flow” rather than “into the flow” (again, to be seen in relation to Reiki).

Other website operators swear by collecting user profiles (in order to improve their advertising activities, for example), but I don’t care because I don’t want to bother anyone with advertising emails on principle, or be affected by them myself. I prefer to collect real experiences with people made of flesh and blood rather than virtual data made of bits and bytes. And I am interested in the traces that someone leaves in my energy field and not in the traces that someone leaves on my website.

However, it is absolutely necessary to access certain “data” for the proper operation of a website, otherwise the entire system would not work. For comparison: when I sent a letter in the “old school” way in the last century to get a product brochure from a company, it was essential that I firstly wrote my sender’s address and secondly had to inform the company what exactly I wanted. And that’s how it works on the Internet.

If you are now reading the section of this website, then you have already clicked on the menu item. When you clicked, your browser sent a request to the web server of the hosting provider of reiki.cc (in my case, this is the company ALL-INKL.COM, based in Germany and GDPR-compliant). Included in this request is your IP address, otherwise the web server would not know who to send the request back to.

This personal data element (IP address) is therefore “processed” by the hosting provider on the basis of the GDPR. However, it is technically necessary, otherwise the entire internet would not work.

However, a GDPR-compliant hosting provider only processes the IP address for as long as is necessary for the secure and proper operation of the requests and, if necessary, to comply with legal obligations (e.g. for law enforcement authorities in the event of illegal activities).

The storage period of the hosting provider of reiki.cc can be viewed at any time, in its current form, on the provider’s website under its data protection information.

All technical cookies, such as those that store your surfing behavior in your browser when you visit my website so that you always remain on the respective language version (unless you take a conscious action and switch to the other language), simply serve to ensure that you have a wonderfully “simple” surfing experience and are not constantly annoyed because your browser redirects you somewhere at its whim.

These technical cookies run in the background on your browser and I, as the person responsible for the reiki.cc website, have no access to them. In short, there are technical cookies that are necessary for the proper operation of a website and for which no consent is required under the GDPR.

However, the consent requirement for cookies begins when they are not technically necessary for the functioning of a website, such as the tracking tools of Google Analytics. No tracking tools are installed on the reiki.cc website and therefore no cookie banner pops up.

However, the hosting provider itself processes so-called “server log files” to ensure smooth operation. This is, for example, your IP address (as already described). In addition, further data is logged due to legitimate interest in accordance with the GDPR: time of access, amount of data sent in bytes, browser used, the operating system, and the referrer (URL from which the website was visited).

This data is stored for the same length of time as the IP address. As the operator of a website – and therefore also as a customer of a hosting provider – you also have access to this data in the KAS (customer administration system). However, this does not allow any conclusions to be drawn about the identity of the user of the website.

It is therefore clearly stated that I, as a user of the hosting provider, do not store any data from the hosting provider, in particular the IP address.

However, an IP address would only allow conclusions to be drawn about the city or region, but not the exact residential address of the user. This requires a legal basis, such as that of a law enforcement agency.

In short and in summary: I do not process or store any data from the log files.
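To make concrete which of the logged fields listed above are personal data and how a hosting provider can keep them without identifying a visitor, here is an added example (written for this page, not the provider's or the author's code). It assumes the widespread Apache/nginx "combined" log format, which the page does not state; the two log lines are constructed samples using documentation address ranges. It parses the fields the page names (IP address, time of access, bytes sent, browser/operating system, referrer), then truncates the IP address to the network part, a common way of minimising the one field that identifies the connection.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" format (assumption: the
# hosting provider's real format is not given on the page).
SAMPLE_LOG = """\
203.0.113.42 - - [04/Apr/2025:10:15:32 +0200] "GET /en/privacy HTTP/1.1" 200 5120 "https://www.example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
2001:db8:85a3::8a2e:370:7334 - - [04/Apr/2025:10:16:01 +0200] "GET /de/ HTTP/2.0" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into its named fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    d["referrer"] = None if d["referrer"] == "-" else d["referrer"]
    return d


def anonymize_ip(ip):
    """Keep only the network part: /24 for IPv4, /48 for IPv6. The result no
    longer identifies a single connection but still allows abuse statistics."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def os_family(agent):
    """Coarse operating-system label from the User-Agent string."""
    for marker, name in (("Windows", "Windows"), ("Macintosh", "macOS"),
                         ("Android", "Android"), ("iPhone", "iOS"), ("Linux", "Linux")):
        if marker in agent:
            return name
    return "unknown"


def minimised_records(text):
    """Parse every line and return only the minimised, non-identifying fields."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        out.append({
            "ip": anonymize_ip(rec["ip"]),
            "time": rec["time"].isoformat(),
            "bytes": rec["bytes"],
            "status": rec["status"],
            "os": os_family(rec["agent"]),
            "referrer": rec["referrer"],
        })
    return out


if __name__ == "__main__":
    for rec in minimised_records(SAMPLE_LOG):
        print(rec)
```

The full User-Agent string and the exact IP address are the two fields most likely to single out a visitor, which is why the minimised record keeps only an operating-system label and a truncated address.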

Furthermore, it should be mentioned that the entire reiki.cc website can be used without providing or entering your personal data. I have therefore deliberately decided not to use a contact form, because on the one hand I have found that these forms often do not work (and the inquiry ends up in nirvana), and on the other hand the contact options that you would receive after a contact form inquiry are available to you immediately for full use. All you have to do is call me directly or send me an e-mail or text message and the ball is rolling. Without any detours or extra typing.

Further information: the reiki.cc website uses SSL encryption (Secure Sockets Layer; today implemented by its successor TLS). SSL encryption means that data transmitted via the website cannot be read or manipulated by third parties. This is particularly useful for online shopping to prevent hackers from stealing your password to your customer area or your credit card details.

In the case of reiki.cc, however, SSL encryption is not necessary from this point of view because there are no data input options. The entire reiki.cc website is designed to be as simple as possible, as already described several times, because this is entirely in the spirit of Reiki. Reiki is also simple.

However, since I always pay attention to the greatest possible security according to the current state of the art in all aspects of data protection, SSL encryption is “simply” included. You can recognize an encrypted connection by the “https://” at the beginning of the address line and a symbol in the browser line. This can be a lock or two lines with two circles (extended security level).

5) Controller

According to the GDPR, a “controller” is a natural or legal person (or other bodies) who decides on the processing of personal data.
The controller is hereby disclosed:

Ing. Peter Knopf
Brünnerstraße 190/7/2
1210 Vienna/Austria/Europe
T: +43 1 2082828
M: +43 660 2088888
E: knopf.office@gmail.com

6) Your rights

As a “data subject” (the person whose data is processed by the controller), you have the following rights: information, access, rectification, restriction, portability, objection and erasure (being forgotten) of your data.

What does this mean in specific cases?

Right to information: you have the right to be informed about the collection and processing of your personal data. The generic term is the “principle of transparency”. The controller has the “obligation to provide”. This means that visitors to a website must be informed in advance about what happens to their data. I think I have explained this in detail. If you still have any questions, please feel free to contact me.

Right to access: you have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, if so, which data. On this point, I would like to make the following very clear: I do not provide any information about data subjects, of any kind, to people who either call me “anonymously”, or call me from another telephone number (or send a text message) that I have not saved from the data subject, or send me an e-mail from an e-mail address that I have not saved from the data subject.

Criminals can therefore spare themselves such attempts to obtain data from the outset. You don’t need to have studied the GDPR to see this; common sense will tell you that something is not quite right. Your rights can therefore only be granted by me if I can verify you to the best of my knowledge and belief. This is possible, for example, using the telephone number + your e-mail address.

In this case, the controller must be called from this telephone number + a short confirmation e-mail must also be sent from the e-mail address. Why is this necessary? Nowadays “caller ID spoofing” can be used to fake any telephone number. If I only see the stored telephone number, this does not mean that the caller is actually the data subject. This is why this two-channel verification also requires confirmation by e-mail.

Conversely (if the data subject only writes an e-mail), there is a risk that data criminals will use an e-mail address that looks very similar (e.g. an “l” is replaced by a “1”). If I then simply click on “Reply”, someone else receives the data. Therefore, a phone call is also required in this case. After verification, the application will only be answered by e-mail (no telephone information).

Another option is for you to arrange a personal appointment with me so that I can personally verify that you are the person concerned (if necessary by presenting an official photo ID).

Another option is for you to use the forms for applications to the data protection authority.
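The two checks described above (a call from the stored number and an e-mail from the stored address, with look-alike addresses such as “l” versus “1” treated as a mismatch) can be written down as a small verification routine. This is an added example for this page, not the author's own procedure; the stored record and the request details are constructed, and the table of confusable characters is a deliberately short, non-exhaustive assumption rather than the Unicode confusables list.

```python
import unicodedata

# Constructed stored record for one data subject (placeholder values).
SAMPLE_RECORD = {"phone": "+43 660 1234567", "email": "anna.mueller@example.org"}

# Short, constructed table of characters and pairs commonly mistaken for one
# another in addresses. Longer keys are applied first.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "1": "l", "|": "l", "i": "l",
    "0": "o",
    "5": "s",
}


def normalize_phone(number):
    """Keep only digits and a leading '+', so spacing does not matter."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")


def skeleton(address):
    """Map an address to a 'skeleton' in which confusable characters are
    replaced by a canonical one; two addresses with equal skeletons but
    different text are look-alikes."""
    s = unicodedata.normalize("NFKC", address).casefold()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(src, CONFUSABLES[src])
    return s


def classify_sender(claimed, stored):
    """'match' for the stored address (case-insensitive), 'lookalike' for a
    confusable variant of it, otherwise 'different'."""
    if claimed.casefold() == stored.casefold():
        return "match"
    if skeleton(claimed) == skeleton(stored):
        return "lookalike"
    return "different"


def verify_request(record, call_from, email_from):
    """Both channels must agree with the stored record. Returns (ok, reasons).
    A matching caller ID alone is never sufficient, since it can be spoofed."""
    reasons = []
    if normalize_phone(call_from) != normalize_phone(record["phone"]):
        reasons.append("call did not come from the stored number")
    kind = classify_sender(email_from, record["email"])
    if kind == "lookalike":
        reasons.append("e-mail address is a look-alike of the stored one")
    elif kind == "different":
        reasons.append("e-mail address differs from the stored one")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(verify_request(SAMPLE_RECORD, "+436601234567", "anna.mue1ler@example.org"))
    # (False, ['e-mail address is a look-alike of the stored one'])
```

The skeleton comparison only catches the substitutions in the table; it is a screening aid that tells the controller to look twice, and the final answer still goes only to the stored address, never to the address the request came from.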

Right to rectification: you can have incorrect personal data rectified. Practical example: you have married and now have a new surname. If you send me a request to this effect, I will make a corresponding note in the documents.

Right to restriction of processing: a restriction on the processing of personal data can mean, for example, that the data may not be processed because it is currently being checked for accuracy. Or it can mean that the data is no longer required, but must be stored for legal reasons.

Right to data portability: this means that the data subject has the right to switch from provider A to provider B and that provider A “transfers” the data to provider B. This makes sense, for example, if you want to switch from one e-mail provider to another and “take” your own extensive contact list with you. Of course, a transfer also works if you change from Reiki teacher A to Reiki teacher B.

However, I would like to point out that it makes more sense and saves more time to give this data to Reiki teacher B straight away because of the minimum amount of data I have stored (name, address, telephone number, e-mail address, etc.).

Right to object: data subjects can object to the processing of their data. For example, if the data is used for advertising purposes. In my case, this does not apply because my Reiki students do not receive any newsletters or advertisements, regardless of the communication channel.

However, an objection is not possible if the data processing is necessary due to legal obligations (e.g. retention obligation).

Right to erasure / right to be “forgotten”: the right to erasure exists in particular if the data is no longer required for the purpose for which it was originally collected and processed. If there are no other reasons (see objection) against this, a request for erasure must be submitted to the controller.

Furthermore, the controller must inform all other controllers to whom the data has already been disclosed of the request for erasure. As I do not pass on any data, this does not apply.

Your right not to be subject to profiling should also be mentioned. This could be the case, for example, when granting a loan or applying for a job, where an automatic program runs in the background and candidates are eliminated on the basis of some criteria without a human being carrying out an additional check. In short: I do not use such methods.

Information on the processing period: applications that you send to the person responsible will be answered immediately, but within one month at the latest. If it takes longer (up to a maximum of three months), you will receive a notification within one month stating the reasons for the extension of the deadline.

If no data on the applicant is available/stored, the applicant will receive a negative notification within the same period.

7) Contact options

I have set out and explained the main provisions of data protection and your rights to the best of my knowledge and belief. Should you be of the opinion that information is missing or not (or no longer) correct, please contact me so that I can supplement or correct it accordingly. You can find my contact details in point 5 of this data protection information and in the imprint.

You can also contact the supervisory authority at any time (right to lodge a complaint). In Austria, this is the data protection authority:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
T: +43 1 52152-0
E: dsb@dsb.gv.at

Status of the data protection information: 4.4.2025