Privacy Policy & Data Lifecycle Notice

Effective: July 15, 2026

New in this version: voluntary annual survey and de-identified industry data

Active members may voluntarily participate in an annual industry survey. Responses use predefined controlled choices only, covering broad operating region, experience, primary service, approximate CAD price band, service channels, technology mode, AI disclosure, privacy process, and complaint process. There is no free-text field, and the survey does not collect client identities, cases, revenue, exact locations, or sensitive consultation information. Participation is not a condition of membership, verification, ranking, or service approval. While a survey is open, a member can update or withdraw the response and can obtain their own choices in the self-service copy.

No individual response, MemberID, or identity is published. Publication requires at least 10 valid responses, independent approval by a different administrator, an immutable aggregate snapshot, and minimum-cell controls. An entire mutually exclusive dimension is suppressed where subtraction could reveal a small group. Public figures describe only that year's voluntary member sample; they are not national, regional, or population market statistics. Raw responses default to human deletion or unlinking review 36 months after survey closure. Published irreversible statistical snapshots contain no individual answers.

New in this version: de-identified public case library

A Professional or Institutional member with current human-reviewed identity verification may submit a bilingual working case under their own scope or an active institution they are authorized to administer. Before publication, the contributor declares explicit de-identified consent, a composite/synthetic case, or a historical-public basis; automated identifier and claims checks run; and a content administrator reviews combined-field re-identification risk, provenance, scope, and limitations before creating an immutable approved version.

The case store processes contributor-scope type, broad region, adult age band, time band, consent/provenance basis, a masked consent reference, bilingual context/method/observation/limitations, risk flags, and human decisions. It prohibits names, contacts, URLs, account/document numbers, exact dates, birth data, exact age/address/coordinates, minors, consultation transcripts, report bodies, and raw consent documents. Public pages reveal neither contributor identity nor the internal masked reference. Withdrawal or irreversible anonymization immediately hides member-owned cases; governance records default to human review 84 months after publication ends.

New in this version: institutional public brands, team consent, and cases

An active institution may submit bilingual brand content, service scope, boundaries, public complaint routing, and de-identified cases. An independent administrator creates an immutable approved version. Approval of the institution account does not approve its brand content, and the public page reads only a still-active approved snapshot.

Each team member personally consents to public name/title display; an owner or administrator cannot consent for them. Withdrawal removes the member immediately. Case submission blocks obvious emails, URLs, telephone numbers, and long identifiers and must not contain client identity, exact address, consultation/report body, or an outcome guarantee. These publication-governance decisions default to human review 84 months after publication ends.

New in this version: governed service delivery

Human-reviewed offerings may use minimized appointments, versioned informed consent, order states, report-version metadata, receipt acknowledgement, follow-up categories, and human refund records. GFSA does not collect payment-card data, client questions, birth/health/legal/financial details, consultation narratives, or report bodies in this workflow. A report record contains only a masked external-governed-store reference and SHA-256.

Service-governance records default to a human review 84 months after the relationship ends. A deletion request stops new booking and cancels unconfirmed orders; confirmed, delivery, follow-up, or refund duties must close before irreversible anonymization. Necessary consent-version, state, and refund-accountability records may remain minimized for retention, third-party rights, complaint, and legal needs.

1. Scope and accountability

This notice explains how the Global Feng Shui Association website, member centre, institutional and named-team authorization, public member profiles, identity verification, CPD, certificates, advanced-tier applications and peer review, contact, and complaint processes handle personal information. An institutional accountable owner separately accepts responsibility for data control, role revocation, privacy requests, and complaint routing. Applicable law depends on the service, the individual’s location, and the activity; this notice does not promise that one jurisdiction’s rights apply unconditionally everywhere.

Consent is not a blank cheque. Necessary member-account processing, membership terms, public publication, identity verification, CPD, and optional communications are recorded separately. Merely using the public website is not consent to every optional purpose.

2. Information we process

  • Member account: username, hashed password, person or organization name, email, telephone, country/region, member type, status, and dates.
  • Institutions and team authorization: institution name and region, accountable owner, controller and privacy contacts, complaint officer, named-member roles, hashed invitation tokens, acceptance, revocation, ownership-transfer, and administrator-approval events. Raw invitation tokens are not stored.
  • Institutional public content: bilingual brand overview, service scope and boundaries, website, complaint route, each member's team-publication consent/title, de-identified case working copies, risk flags, human decisions, and immutable approved versions.
  • Member-authored public content: bilingual biography, expertise, services, qualifications, location, selected contact details, fee disclosure, languages, delivery methods, and service boundaries. Submission does not publish content until human approval.
  • Identity verification: method, issuing region, masked reference, public registry URL, and a minimized summary. This portal does not ask members to upload raw identity documents or full document numbers.
  • CPD and certificates: learning activity, date, credits, masked evidence reference, public verification URL, human decision, and annual status.
  • Advanced tiers and peer review: applicant statements, evidence index/summary, public portfolio URL, an immutable snapshot of the applicable standard, reviewer eligibility and conflict declarations, confidential assessments, recommendations, reasoned decisions, validity, revocation, and event history.
  • Governance and support: contact messages, complaints, evidence, investigation, decisions, remedies, discipline, appeals, and necessary event history, which may contain third-party information.
  • Technical and security: session cookies, IP address, browser identifier, CSRF tokens, security events, and administrator audit history.

This website does not currently collect or store payment-card numbers directly. If payment functionality is introduced, the relevant processor, purpose, and terms will be disclosed separately.

3. Purposes and processing context

We use information to create and administer accounts, manage human-approved institutions and least-privilege team authorization, assess applications, provide membership services, publish information expressly selected and approved for publication, process CPD and certificates, operate advanced-tier peer review under a published standard, answer enquiries, operate complaint/discipline/appeal procedures, protect the website, meet legal obligations, and preserve accountability evidence. Public profiles, verification indicators, advanced-tier public indicators, and optional communications have separate choices and events.

Rule-based risk flags may help identify outcome guarantees, fear marketing, or out-of-scope claims, but they do not make final publication, membership-tier, discipline, or privacy decisions. Authorized people perform human review, observe separation of duties, and record reasons.

4. Publication, sharing, and international context

Only fields a member asks to publish, that pass review, and that remain in an active publication state are public. A valid advanced tier publishes only its level/title, governing policy version, and validity dates. Masked identity references, verification summaries, internal CPD evidence, application statements, peer-reviewer identities and confidential assessments, complaint material, administrator notes, and account credentials are not public-profile content.

We may disclose the minimum necessary information to people or providers supporting service delivery, peer review, website operation, security, legal requirements, investigations, or professional advice, subject to purpose and confidentiality limits. The website serves international visitors. Where information is lawfully accessed or processed across jurisdictions, protection and government-access rules may differ. You may ask about categories of recipients relevant to a specific request.

5. Retention, holds, and disposal

These are initial operational defaults established July 14, 2026. They begin a human disposal review; they are not unconditional automatic-deletion promises. Open access requests, complaints, appeals, security incidents, contracts, certificate, peer-review, or institution-authorization governance, third-party rights, or a legal hold can override ordinary timing.

CategoryTriggerDefaultEnd-of-period action
Member accountAccount closure24 monthsAnonymize after exception review
Public member profilePublication stops12 monthsDelete content after review
Identity verificationFinal decision36 monthsReview, then delete minimized fields
CPD recordsClaim submission60 monthsReview, then delete
Advanced-tier / peer-review governanceFinal decision60 monthsReview, then anonymize or delete minimized data
Institution authorization governanceRelationship ended84 monthsReview accountability, complaint, and legal needs, then minimize/anonymize
Service delivery governanceRelationship ended84 monthsReview consent, order, delivery, refund, complaint, and legal needs, then minimize/anonymize
Institution-publication governancePublication ended84 monthsReview brand versions, team consent, case decisions, complaint, and legal needs, then minimize/anonymize
Complaint/discipline governanceCase closure84 monthsReview appeal, safety, and legal needs, then anonymize
Privacy requests and decisionsRequest completion60 monthsReview accountability and recourse needs, then delete
Administrator auditEvent24 monthsReview security and case linkage, then delete

Information no longer needed and not subject to a hold is deleted, erased, or anonymized. A legal/governance hold records its category, reason, masked authority reference, review date, and release history.

6. Your choices and request process

  • Self-service copy: signed-in members can download JSON for records linked directly by MemberID. It includes their own advanced-tier application, decision, and minimized event timeline, but excludes passwords, reset secrets, peer-reviewer identities, confidential assessments, internal notes, third-party complaint evidence, and unlinked contact correspondence.
  • Formal access: request a human search, exception review, and understandable access response.
  • Correction: edit available fields or request correction of controlled records.
  • Withdrawal of optional consent: stop new profile publication (including the advanced-tier public indicator and the member's institution-team display), verification, CPD, or optional communications processing. Withdrawal does not retroactively erase records lawfully retained and does not automatically republish stopped content.
  • Restriction, deletion, or anonymization: identify the scope. Deletion requests require current-password confirmation and human review.

Where Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies, our target is to respond within 30 days of receiving a written request. A permitted extension is recorded with reasons, and a refusal or inability to disclose is explained with available recourse. Third-party information, legal privilege, safety, peer-review, complaint/discipline, and appeal records may require redaction, retention, or partial completion.

Open the Privacy & Data Rights Centre

7. Safeguards and incidents

The website uses HTTPS, parameterized database operations, role permissions, live administrator revalidation, CSRF protection, output encoding, password hashing, expiring reset tokens, audit events, and controlled human review. No network or storage system can guarantee absolute security. We investigate suspected incidents proportionately, contain impact, and notify affected people or regulators when applicable law requires it.

8. Cookies, children, and external links

Member and administrator sign-in uses necessary session cookies and security tokens. The website is not directed primarily to children. Do not submit unnecessary child, client, health, financial, or other sensitive third-party information in profiles, CPD, contact, or complaint forms. External registries, research sources, and social links have their own practices.

9. Contact, complaints, and changes

To exercise a right, challenge a decision, or report an incident, use the contact form or email info@globalfengshui.org with “Privacy and data request” in the subject. Do not email full document numbers, passwords, or unnecessary third-party sensitive data.

A material change receives a new version and effective date and is presented through the privacy centre or another appropriate notice. Where PIPEDA applies, you may also complain to the Office of the Privacy Commissioner of Canada. Contacting the Association first can help define the scope but does not remove statutory recourse.

References: PIPEDA section 8; OPC access guidance.