Data and Privacy Agreement

In efforts to be transparent in how I handle information given to me by readers, students, and supporters around the world, the following statement outlines my policy in terms of managing personal data, security, and privacy related to this website——online interactions, and subscription services.

By using this website and/or my other services, you are agreeing to my Data and Privacy Agreement.

(Last updated: 3/15/2021)

Reason for this Data and Privacy Agreement

Governments around the world are increasingly concerned about protecting the privacy and security of their citizens, and this agreement is an effort to maintain transparency and comply with any policies and jurisdictions that this website and my other offerings fall within.

Primarily, governments are concerned with identifiable personal data. For those who are simply passive readers of this website, I have no identifiable personal data of which I am aware. I do use web tools to track site usage metrics to support my work. However, none of them give me any identifiable personal data. It’s all non-identifiable/anonymous.

Additionally, at NO TIME do I or anyone involved in my spiritual teaching work sell personal data that is given to me.

For full details, you can read the following data and privacy agreement.

Core Promise

I—Jim Tolles; possible future employees; possible future contractors; future mentees; past, present, and future volunteers; other possible associates, and the business organization—James Tolles Consulting--as a whole are committed to maintaining appropriate data and privacy protection for any personal data in our possession to the best of our abilities.


Organization Definition

At this time my business, James Tolles Consulting, consists of just me—Jim Tolles. It may include future employees or other associates (like volunteers or mentees) who support this work. It is possible contractors may also be used in the future.

For the sake of this document, “I,” “me,” “my,” and other personal references refer to James Tolles Consulting, Jim Tolles, and any person officially associated with this spiritual teaching organization (volunteers, contractors, employees, mentees, and other associates).

Spiritual Student Definition

A spiritual student is defined as having had at least one session, group discussion, or class with me within the last year. One-on-one and group students must have filled out the Disclaimers, Mental Health, and Student Data Privacy Agreement forms. Class students must have filled out the Disclaimers and Student Data Privacy Agreement forms.

While many people consider themselves my students—for the sake of legal purposes—the above definition is used for those to be considered a spiritual student of Jim Tolles.

Personal Data Definition

What is personal data? Here is a definition from the European Union.

“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

This definition can be found under Article 4 in the below link, and it is the first definition:

For a longer definition, you can review this link:

Okay. Now let me make this more accessible. Personal data is stuff like:
  • Your full legal name
  • Email address
  • Social security/local country’s ID number
  • Driver’s license
  • Credit card numbers
  • Date of birth
  • Physical home address
  • Phone number
  • IP address for your computer
Some of it like your name needs to be in combination with other data to be considered “identifiable.” For example, John Smith isn’t identifiable by itself because there are a lot of people with that name.

Other than the IP address and the information cookies track, this site does not collect any of the above personal information for those who ONLY read the blog posts.

Passive Data Collection

Part of running this website involves getting data on what pages are read, slow loading pages, what websites people come from, and other important data metrics that help me to run the business and better support people around the world. At this time, and Google Analytics are the main two data tracking tools that I use. They offer me only non-identifiable data, thereby safeguarding user privacy. The blog publishing platform I use is Blogger, and it offers minimal non-identifiable data on site usage.

These services and some others I use (such as MailChimp) or will use in the future use cookies to track and tailor a person's web experience. However, all three ONLY offer me non-identifiable data. To the best of my knowledge, I do not see or have access to any IP addresses or cookies that these tools may see/use.


Cookies used on this site are part of making this site work. Google Analytics, PayPal, Mailchimp,, and a few others are necessary to render all the objects on this website, provide services (like my newsletter), and offer important analytics.

None of the cookies are part of me actively advertising third-party services.

You can see a full regularly updated list of cookies here:

Complete Cookie Declaration

You can also change your choices at the above link.

To learn more about cookies, you can view this website:

Google Analytics

Run by Google, this tool is afforded the benefits of a robust Google data and security protection.

Google Analytics is set to store user and event data for 26 months before deleting it.

For more information about how Google Analytics is protected and what info is gathered, you can read this link:

This is Google’s general privacy statement:

This tool is my current social sharing tool for the website. It tracks shares of blog posts as well as offering some site usage data.

For more information on how handles data, you can read this link:

This link will take you to Oracle's Privacy Policy page because is owned by Oracle.

This is the blog publishing platform that I use. It is also owned by Google, governed by the same policies, and benefits from Google’s web security, as far as I understand.

Voluntary Personally Identifiable Data Sharing

The only way I have personally identifiable information is if someone voluntarily shares it with me. That could mean sharing data (like name and email) in an email for a session request, by subscribing to one of my offerings, or another form of messaging.

Many of these services allow the user to maintain significant control of their user data. The handling of personal data and security is explained below.

Subscription Services

I have two subscription services at this time. They are only used for direct marketing purposes. This means that the email that is shared is used to send the requested subscription service to the person. Any other use of data is via the person’s permission or prompted by the individual’s direct request of service, like sending an email from a newsletter asking for a session.

New Blog Post Email Notifications

When someone subscribes using the subscribe option that is currently at the top right of the website next to the search function, they are added to a list of people who are emailed when a new blog post is published. I may use the email if someone has not completed the second step of verification to email them to see if they are still interested in receiving email notifications before deleting the inactive subscription.

The list is managed by Feedburner, which is a Google product. Google’s main privacy policy can be found on this link:

People can unsubscribe on their own to remove their email from the list at any time.

The Newsletter

MailChimp is my current newsletter service. Someone who signed up for it has the control to unsubscribe from the newsletter at any time.

At this time, the primary data I receive from people fits 3 main categories:
  • First Name 
  • Last Name
  • Email
MailChimp also collects a person’s:
  • Favorite email client info
  • Generalized location data
  • Date when the profile was last updated
  • Time zone
  • Language
  • GDPR Opt-In
It also collects information like if a newsletter emailed to the individual was opened and what links someone clicked on.

I primarily use this information to send personalized newsletter emails about spirituality to people. It is possible I may collect more personal information in the future, but that information is only ever used in context of spiritual teaching work. As mentioned earlier, the individual can unsubscribe from the list or lists they are signed up to at any time.

When someone unsubscribes, MailChimp maintains key information like someone's email for legal purposes. For example, if their service was hacked in 2016, I would need to be able to email someone who has unsubscribed but who was active in 2016 to let them know of the data breach.

Here’s more info on MailChimp’s privacy statement:

Blog Commenting

Any comments put on this blog are public. If a user wants to remove them, they have the ability to do so. Comments remain on the blog for the existence of the blog. I generally do not remove legitimate comments.

Comments that are deemed to be harassment, copyright infringement, spam, hate speech, or otherwise inappropriate will be removed.

Commenting is currently a function provided by Blogger (It was Google Plus, but that service was shutdown). All Google Plus comments were deleted when I switched back to Blogger's commenting service.

A user must be logged in to Blogger to add, change, or delete comments. For other security and privacy issues with Blogger, please see Google’s security statement:

Correspondence and Records

Emails sent to me give me access to a person’s email address. Often, I’m given a name, but sometimes, people don’t even give me that. 

What additional data people choose to divulge in their emails is entirely at their discretion, and it is kept confidential within James Tolles Consulting.

I keep almost all correspondence as part of recordkeeping. I may delete duplicate emails, spam emails, unsolicited business requests, and other messages at my discretion.

Most correspondence is kept for 7 years from the date of the last correspondence with someone. If someone first corresponded with me in 2011 and it is 2018, but we’re still talking in 2018, then the target for record deletion would be 2025. If someone corresponded with me in 2011 and never again, the target for record deletion would be 2018.

Important correspondence regarding taxation, involving threats, involving business contracts, or other critically important correspondence may be kept for the lifetime of James Tolles Consulting or a directly-related spiritual venture. What I mean by this is if I close James Tolles Consulting and create another organization to do the same or related spiritual teaching work, I would maintain all these documents.

In the event of some terrible misunderstanding, the correspondence could be used for legal proceedings.

If I want to keep non-critical correspondence longer than 7 years—such as keeping a compliment emailed to me—I’ll send a request to the individual to keep it longer. I will only keep it if I receive clear consent in a written reply. If I do not get consent and/or do not hear back, the email will be deleted.

For any non-critical correspondence mentioned above, you have the right to have your correspondence deleted and can request that I do so.

You also have the right to request copies of past correspondence with me.

A process for requesting deletion or copies of correspondence is mentioned further below.

All correspondence is in a Gmail account, and Gmail is a Google product. Therefore, it benefits from all the online security Google offers. For more about how Google protects its products, see earlier Google Privacy links.

Online Talks

Currently my online talks are run through Wirecast and shown through YouTube Livestreaming on this link:

YouTube Livestreaming

Talks are published through YouTube Livestreaming, and people are permitted to comment there. Comments are public, but the user retains the ability to remove their own comments. They must be logged in to a YouTube account to add, modify, or remove their comments.

Comments that are deemed to be harassment, copyright infringement, spam, hate speech, or otherwise inappropriate will be removed.

Here are YouTube’s community guidelines:

For more about YouTube security, see the above Google policy links because YouTube is a Google product.

Surveys on

In the past and possibly in the future, I have used/may use for surveys. Information collected includes:
  • name, (optional how specific someone is in what they enter) 
  • city,
  • state/region, 
  • country, 
  • if they’re interested in information about sessions with me
  • date of filling out the form, 
  • where the data was collected (in an embedded form or from a link),
  • agreement to this data and privacy policy
  • time spent filling out the form, and 
  • email address.
I typically delete information on after a year. I may hold survey information for longer as part of business analysis.

Here's's privacy policy statement:

Other Places a Person May Interact with Me

There are other sites with which a person can have interactions with me, and they are governed by those sites' privacy and security policies.

Users control their comments on any post or message they share with me through these other websites. Direct messages are generally archived several times a year if the site offers that ability. The user also can unfollow, unsubscribe, and unfriend me on these services at their own discretion.

Any website where I have a presence but is not listed below is also governed by this general policy. The specific website should give people the ability to control their personal data and is governed by their privacy policy.

I am not responsible for any privacy or security issues from the following websites or any others. I am only responsible for my other websites that I may own and operate in the future.

For more on the privacy and data policies of other social networks where I maintain an active presence, you can find them below:





I have a profile where I post publicly and a page where I share as well. Facebook offers some minimal, non-identifiable data concerning the usage of my page:

For full information about privacy on Facebook, you can read this link:


YouTube offers non-identifiable data on the usage of my channel.

See Google privacy and security links shared earlier


I occasionally advertise on Twitter, Facebook, and Google AdWords. To my best knowledge, I have only anonymous/non-identifiable data from these avenues of interaction.

I will do my best to comply with data and privacy standards for any advertising I do on these and any other sites in the future.

Data Protection Measures

The security tools used to protect personal data are constantly evolving and changing, and I do my best to stay current with the best security via my security choices and the choices in which online services I use in relationship to this business. For example, I use a lot of Google products because of Google and parent company Alphabet Inc.’s deep investment in web security.

Currently, my data protection measures include:
  1. Having password protection on my computer
  2. Using and maintaining the most up-to-date anti-virus software that protects Internet browsing, offers a firewall to my computer, and more
  3. Receiving the latest OS updates and security patches automatically to my computer
  4. Receiving automatic updates to my web browsers
  5. Using a 99% of the time air-gapped back-up, external hard drive (This means that the hard drive which backs up all my info is not plugged into the computer 99% of the time. It is only plugged in when I am actively backing up data, and then it is unplugged. That makes it harder for hackers to access it.)
  6. Using passwords for any online services associated with spiritual teaching work (aka Gmail, MailChimp, PayPal, Skype, and so forth)
  7. Updating business passwords at least twice a year
  8. Using different passwords for each device and service used in relationship to the spiritual teaching work
  9. Using strong passwords, meaning that they are combinations of upper and lower case letters, numbers, and special characters 
  10. Using two-factor authentication for some of the service sites that offer that level of security
  11. Using https web security for my website (meaning I have a Web security certificate)

Payment Methods

I maintain records of how I receive funds. I do not maintain any records of bank accounts or credit card numbers.


Those who use PayPal to donate to James Tolles Consulting are governed by PayPal’s privacy and data protection standards. I do not receive any credit card or bank account numbers from PayPal. The financial data I do receive from PayPal is used entirely for tax purposes, and therefore, that information is necessary to the running of this business.

When I receive money, I only see the information that a donor allows. If they don’t want to show a physical address for example, they can change the settings in PayPal.

Any concerns a donor has with the security of PayPal or questions about changing the personal data shown in their donations should be directed to PayPal. For learning more about PayPal’s security, this link has more information:

Checks or Money Order

Any time a donor sends a check or money order, those funds are deposited. No record of the account number is kept. A record of the name and amount of the donation is kept for taxation purposes.

Permission to Share Data

If there is a time when I want to share personal data with someone else and it’s not due to a legal necessity or someone who is at risk of harming themselves or others, I’d request permission in writing from the person whose data will be shared.

For instance, if there was an email with something of educational use to developing a mentee, I’d ask the person who sent the email for permission to share it along with sending a copy of the email for review.

Compliance with Legal Systems

When necessary and compelled to comply, the data I have may be used in a court of law. I will do my best to comply with any lawful legal request.

Requesting Removal of Personal Data

For any identifiable personal data given to me that is non-critical to business and legal recordkeeping, you can send me a written email via my email address asking me to delete the information from my system.

You can request that your personal data in non-critical correspondence that has been shared with me is deleted.

Please allow for 30 business days for the request to be processed.

Acknowledgement emails will be sent to confirm the request and that the request has been processed.

Requesting Records of Personal Data

If I have correspondence of which you'd like a copy, you can request that I send a copy to you.

Please allow for 30 business days for the request to be processed.

You can make a request through my email or contact form.

Notification of a Data Breach

In the event of a data breach, I or a sanctioned member of James Tolles Consulting or current spiritual teaching organization will contact those who are affected or possibly affected within 30 business days.

Annual Review

Once a year, I review the personal data I have to determine if anything needs to be modified, deleted, or otherwise addressed.

Best Effort

I always intend to offer my best efforts in maintaining data and privacy protection. However, technology is constantly changing, so I can’t be perfect. Even organizations with hundreds of security professionals have data breaches. But I give my promise to do my best in maintaining the security and privacy standards set forth in this document and required of me by law. I also will offer my best effort for any future services that get used or services in use that aren’t explicitly mentioned to maintain appropriate security and privacy.

Unintentional Omissions

No statement or agreement can account for any and every possible issue. Thus, if there are omissions, they are unintentional, and significant security and privacy concerns will be fixed once I know about them.

If there is an issue that has been omitted, please contact me.


By using this website, you indemnify Jim Tolles and James Tolles Consulting of any possible wrong-doing regarding personal data.

Questions and Concerns

If someone has any questions or concerns about this policy, please contact me here:


Popular Posts