1. PRIVACY NOTICE FOR MEMBERS & PARTICIPANTS
1.1 Introduction
Vajranandacharya, operating as Mandala of Light (referred to as “the sangha” or “we”), is a not-for-profit Buddhist religious body organized in the United States. We offer religious teaching, pastoral support, community practice, and related activities for members and participants, including individuals located in the European Union (“EU”).
We are committed to respecting the privacy of individuals who interact with our religious, educational, and community activities. This Privacy Notice explains how we collect, use, store, and share personal data, as well as the rights individuals have under the European Union General Data Protection Regulation (“GDPR”).
This Privacy Notice applies to all individuals located in the EU/EEA whose personal data we process, regardless of nationality.
1.2 Our Identity and Contact Details
Data Controller: Vajranandacharya
Email: privacy@mandalaoflight.org
Primary Purpose: Religious and contemplative education, teachings, community activities, and associated communications.
1.3 Categories of Personal Data We Collect
We may process the following categories of personal data:
● Contact information (name, email address, phone number, physical address)
● Membership and participation information
● Attendance at teachings, retreats, meetings, or events
● Pastoral support or counseling requests
● Conflict or misconduct reports
● Donation and contribution records
● Communications via email or messaging platforms
● Group chat logs and online participation records
● Audio or video recordings of teachings or meetings (when applicable)
Some of this data constitutes special category personal data concerning religious belief as defined under GDPR Article 9.
We do not sell personal data and we do not use personal data for advertising or profiling.
1.4 How We Collect Personal Data
We collect personal data through:
● voluntary form submissions
● retreat/event registrations
● donation platforms
● email communications
● spiritual or pastoral guidance
● community participation
● website interactions
● opt-in mailing lists
We may also receive personal data indirectly when a person registers another individual for a retreat or event (e.g., emergency contacts).
1.5 Purpose and Lawful Bases for Processing
We process personal data to:
● administer sangha membership and participation
● provide teachings, pastoral care, and spiritual guidance
● maintain community engagement and attendance records
● communicate with members and participants
● document pastoral concerns, conflicts, or misconduct
● manage donations and financial contributions
● comply with legal and tax obligations
● preserve records relevant to legal claims or safeguarding
We rely on the following legal bases under GDPR:
● Article 9(2)(d) — processing carried out in the course of legitimate activities by a not-for-profit Buddhist religious body in relation to its members or participants, provided the data is not disclosed outside the body without consent.
● Article 9(2)(f) — processing necessary for the establishment, exercise, or defense of legal claims (e.g., serious conflict or safeguarding matters).
● Article 6(1)(b) — necessary for the performance of participation or membership-related activities.
● Article 6(1)(c) — necessary for compliance with legal obligations (e.g., tax reporting).
● Article 6(1)(f) — necessary for our legitimate interests in operating and administering our religious community.
1.6 Special Category (Sensitive) Data
Religious affiliation is considered a special category of data under GDPR. We process such data only to the extent necessary for the sangha’s legitimate religious activities and only in relation to persons with whom we have a relevant relationship, consistent with GDPR Art. 9(2)(d).
1.7 Data Sharing and Third Parties
We may share data with:
● sangha leaders providing pastoral or administrative support
● legal, financial, or accounting professionals as required
● supervisory authorities or courts if legally mandated
● third-party processors who host or transmit data on our behalf (e.g., Google Workspace, Salesforce, Kajabi)
We do not publicly disclose membership, attendance, pastoral, or misconduct records.
We do not share data for commercial marketing and do not sell personal information.
1.8 International Transfer
Because we are based in the United States, personal data may be transferred outside the EU. We rely on third-party service providers that implement appropriate safeguards such as Standard Contractual Clauses (“SCCs”) approved by the European Commission.
1.9 Data Retention
We retain personal data only for as long as necessary to fulfill legitimate religious purposes or legal obligations. For example:
● membership and participation records are retained while an individual remains a member
● financial contribution records are retained for tax and accounting compliance
● serious safeguarding or misconduct records may be retained for legal claims defense or safeguarding needs
Specific retention schedules are provided in our Data Retention & Deletion Policy (Part 2).
Where deletion is requested, data may be retained in limited form where necessary to comply with legal obligations or to prevent re-contact.
1.10 Rights of Data Subjects
Individuals located in the EU have the following rights:
● access their personal data (Art.15)
● request rectification (Art.16)
● request erasure (Art.17) subject to lawful exceptions
● request restriction of processing (Art.18)
● data portability (Art.20) where applicable
● object to processing (Art.21)
● withdraw consent (Art.7) where consent applies
● lodge a complaint with a supervisory authority (Art.77)
● We will respond within GDPR-required timelines.
Instructions for exercising these rights are provided in Section 3 below.
1.11 Contact for Privacy Matters
Because we are located outside the EU and provide religious services to individuals within the EU, we are required to designate an EU Representative in accordance with GDPR Article 27.
All GDPR inquiries should be directed to this EU representative using the following contact information: Email: privacy@mandalaoflight.org
We will respond within the timelines required under GDPR.
1.12 Updates to This Notice
We may update this Privacy Notice from time to time. The most current version will be available upon request.
2. LAWFUL BASIS SUMMARY
To comply with GDPR transparency duties, our lawful bases are mapped as follows:
● Consent (Art. 6(1)(a)) — voluntary mailing lists, photographs, recordings
● Contractual Necessity (Art. 6(1)(b)) — retreat/event registrations
● Legal Obligation (Art. 6(1)(c)) — tax/financial records for donations
● Vital Interests (Art. 6(1)(d)) — emergency safety situations
● Legitimate Interests (Art. 6(1)(f)) — communications, community coordination, website operation, and the maintenance of a safe environment for all participants (including the investigation and handling of complaints, misconduct, and safeguarding concerns such as allegations of sexual harassment).
● Special Category Basis (Art. 9(2)(d)) — processing of religious affiliation data within a not-for-profit religious body
● Offense/Disciplinary Data (Art. 10 GDPR, Art. 9 GDPR) — Where matters involve allegations of criminal conduct that are reported to or investigated by competent authorities, the Sangha may process such information in accordance with Article 10 GDPR. In all other cases, People Support–related information is processed as special category personal data under Article 9 GDPR. Allegations and findings relating to misconduct or harmful behavior may be processed for safeguarding and disciplinary purposes in accordance with our internal policies and procedures.
● Where personal data is processed in connection with disciplinary matters, safeguarding concerns, or allegations of misconduct (including sexual harassment), such processing is carried out on the basis of legitimate interests, legal obligations, and/or the establishment, exercise, or defense of legal claims. In these circumstances, processing does not rely on the consent of the individual concerned and may include information relating to their conduct or actions where necessary to protect others or uphold community standards.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.
3. DATA SUBJECT RIGHTS STATEMENT
EU data subjects may exercise the following rights free of charge:
● Access to personal data
● Correction of inaccurate data
● Deletion of data in qualifying circumstances
● Restriction of processing
● Objection to processing (where based on legitimate interest)
● Withdrawal of consent at any time (where consent applies)
● Portability (applicable only to data provided under consent or contract)
● Complaint to a supervisory authority
Certain rights may be limited where processing is necessary for religious purposes under GDPR Art. 9(2)(d) or for legal obligations.
4. DATA REQUEST INSTRUCTIONS
To submit a GDPR request, individuals should provide:
1. Full name
2. Contact information
3. Nature of request (access, correction, deletion, restriction, objection, portability)
4. Sufficient details to identify the relevant data
5. Proof of identity (when necessary to prevent unauthorized disclosure)
Requests should be sent to:
Email: privacy@mandalaoflight.org
We will respond to requests within one month and may extend by up to two additional months where permitted by GDPR.
5. DATA CONTROLLER CONTACT INFORMATION
Controller: Vajranandacharya (Mandala of Light)
Email: privacy@mandalaoflight.org
Last updated: January, 2026
