GDPR for US-Based Spiritual Practitioners with EU Clients: 2026 Compliance Guide
GDPR applies if you hold EU client birth data. Article 27 EU rep ~50-100 EUR/year. Lawful basis, one-month response deadline for data subject rights, DPF transfers. Practical minimum steps.
GDPR reaches beyond EU borders. If you are a US-based astrologer, tarot reader, or spiritual coach who accepts EU clients, holds their birth data, or advertises to EU-located audiences, GDPR applies to you. The legal test is whether you are "offering goods or services to data subjects in the EU" under GDPR Article 3(2). Accepting payment in euros, publishing content in French or German, or running Facebook ads geo-targeted to Germany are the kinds of factors that show you are targeting EU data subjects (Recital 23). A US-only site that merely happens to be reachable from the EU does not, on its own, bring you into scope.
Birth date, birth time, and birth location - the core inputs for an astrology reading - are personal data under GDPR Article 4(1). You are a data controller the moment a client gives you their birth data.
This guide covers the five obligations that matter most for a solo US practitioner, the costs involved, and the minimum practical setup.
Does GDPR Apply to You?
GDPR applies if you meet at least one of these:
- You accept EU clients for paid or free services
- You collect EU residents' personal data (email, birth data, name) via a website
- You run advertising campaigns targeted to EU locations
- You publish content in EU languages to attract EU audiences
If your client list is entirely US-based and your marketing targets only the US, GDPR does not apply. The moment you serve an EU client - even one - you process their personal data under GDPR's reach.
The Five Obligations
1. Lawful Basis (Article 6)
Before collecting any personal data, you must have a documented lawful basis. For client readings:
| Lawful basis | What it means | Best for |
|---|---|---|
| Contractual necessity (Art. 6(1)(b)) | Processing is necessary to deliver the service the client booked | Booked readings where birth data is required |
| Consent (Art. 6(1)(a)) | Freely given, specific, informed, unambiguous agreement | Newsletter sign-up, optional data collection |
For a reading booking where birth data is required to provide the service, contractual necessity is the cleaner basis - you do not need a separate consent checkbox because the data is necessary to fulfill the contract the client entered. For collecting email addresses for a mailing list, consent (a clear checkbox at sign-up) is required.
Consent under GDPR cannot be pre-ticked. It cannot be buried in terms and conditions. It must be a clear affirmative action.
2. EU Representative (Article 27)
A controller with no EU establishment that is within Article 3(2) must designate a representative in an EU member state, unless the Article 27(2) exemption applies. The regulation exempts processing that is "occasional" but does not define the word; EDPB guidance on territorial scope treats ongoing client work as not occasional.
Representatives can be appointed through services such as GDPR Local (gdprlocal.com) for approximately EUR 50-100/year. The representative must be located in a member state where your clients are (Art. 27(3)) and is the point of contact for data subject requests and supervisory authority correspondence on your behalf. Appointing one does not shift your own liability: Article 27(5) states that designation is without prejudice to legal action against you as controller.
Who is exempt: If your processing is occasional, does not include large-scale processing of special category data, and is unlikely to result in a risk to individual rights (Art. 27(2)(a)), you may qualify for the exemption. A US practitioner who took one EU client inquiry and declined to work further with EU clients is a different situation from one who actively markets to and serves EU clients regularly.
For practitioners actively serving EU clients, appoint a representative.
3. Data Subject Rights (Articles 15-22)
EU clients have rights you must be able to honor within one month of receiving a request (Art. 12(3)). That is a calendar month, not a flat 30 days; it can be extended by up to two further months for complex or numerous requests, but only if you tell the client within the first month and explain why.
| Right | What the client can demand | Your obligation |
|---|---|---|
| Access (Art. 15) | A copy of all data you hold about them, including your own session notes | Locate and compile all data within one month |
| Erasure (Art. 17) | Deletion of their data ("right to be forgotten") | Delete from CRM, email platform, booking system, notes; records you must keep by law (e.g., invoices for tax purposes) may be retained under Art. 17(3)(b), but nothing else |
| Portability (Art. 20) | The data they provided to you, in a structured, machine-readable format | Export in CSV or similar; this covers what the client gave you (name, birth data, email), not your interpretive notes |
| Rectification (Art. 16) | Correct inaccurate data | Update your records |
For a solo practitioner, this means having a process, even a simple one, to locate and delete a client's data from every system you use: your booking tool, your email platform, any spreadsheets or notes. Keep a list of those systems; a request that misses one of them is an incomplete response. The one-month deadline runs from the date you receive the request, not from the date you read it.
4. International Data Transfer Mechanism
A client in the EU emailing their birth data directly to you is not itself a Chapter V "transfer" under EDPB guidance (Guidelines 05/2021). The transfer arises once you, as a controller subject to GDPR, place that data with a US service provider: a US-based CRM, Google Workspace, Calendly, Notion. At that point you need a valid transfer mechanism for each provider.
The EU-US Data Privacy Framework (DPF), adopted in July 2023, covers US companies that have self-certified under it. Check whether each of your software providers is on the DPF list at dataprivacyframework.gov; a vendor's own claim of "GDPR compliance" is not a substitute for that listing.
| Tool | DPF-certified (as of 2026) |
|---|---|
| Google Workspace | Yes |
| Calendly | Yes - verify at dataprivacyframework.gov |
| Cal.com | Open-source; self-hosting removes the separate-processor transfer, but your hosting provider still needs a data processing agreement |
If a tool you use is not DPF-certified and you store EU client data in it, you need an alternative transfer mechanism (Standard Contractual Clauses, SCCs, which also require a documented transfer impact assessment) or a different tool.
5. Privacy Policy
You must publish a GDPR-compliant privacy policy on your website. It must cover:
- What data you collect
- Lawful basis for each type of processing
- How long you retain data
- EU data subject rights and how to exercise them
- Contact information for data requests
- Your EU representative's name and contact (if applicable)
A cookie consent banner is separately required (under the ePrivacy rules, as implemented in each member state) if your website sets any non-essential cookies or loads analytics, tracking pixels, or third-party scripts (Google Analytics, Meta Pixel, etc.). Strictly necessary cookies, such as a booking-session cookie, do not need consent; the analytics and advertising tags must not fire until the visitor has opted in.
Minimum Practical Setup (Solo Practitioner)
| Step | Tool or action | Cost |
|---|---|---|
| Privacy policy | Termly or Iubenda (template generators) | $0-$29/month |
| Cookie consent banner | Same tools, or Cookiebot | $0-$14/month |
| EU representative | GDPR Local or similar service | ~EUR 50-100/year |
| Booking tool | Calendly (verify its DPF listing) or self-hosted Cal.com | $0-$20/month |
| Data retention policy | Define a retention period (e.g., delete birth data 2 years after last session) and actually run the deletion on schedule | Internal process |
The EU representative is the most overlooked requirement. The annual cost - EUR 50-100 - is low relative to the fine risk.
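The data subject rights process in section 3 and the retention rule in the setup table above are easier to get right when they are written down as a small script rather than remembered. What follows is an added example, not code from this page or from any of the tools it names: three in-memory dictionaries stand in for the booking tool, the email platform and the session notes, with invented client records that are not real people. In practice each function body would call the real tool's export or delete API, but the logic (one-month deadline, access versus portability scope, erasure across every system, scheduled birth-data purge) is the same.

```python
"""Data subject request handling and retention purge for a solo practitioner.

Added example. The three "systems" below are constructed in-memory stand-ins for
a booking tool, an email platform and session notes; the client records are
invented. Dates are ISO strings (YYYY-MM-DD) so the functions are easy to call
from a shell or a cron job.
"""
import calendar
import csv
import io
from copy import deepcopy
from datetime import date

# Constructed sample data: hypothetical clients, not real people.
def make_sample_store() -> dict:
    return {
        "booking": {
            "anna@example.eu": {
                "name": "Anna Example", "birth_date": "1988-03-14",
                "birth_time": "06:42", "birth_place": "Lyon, FR",
                "last_session": "2023-09-01",
            },
            "ben@example.de": {
                "name": "Ben Beispiel", "birth_date": "1979-11-02",
                "birth_time": "23:10", "birth_place": "Hamburg, DE",
                "last_session": "2025-12-15",
            },
        },
        "email_platform": {"anna@example.eu": {"subscribed": True}},
        "notes": {"anna@example.eu": ["Sun in Pisces; discussed career change."]},
    }

# Fields the client supplied themselves: the scope of Art. 20 portability.
PROVIDED_FIELDS = ("name", "birth_date", "birth_time", "birth_place")
BIRTH_FIELDS = ("birth_date", "birth_time", "birth_place")


def _shift_years(d: date, years: int) -> date:
    """Move a date by whole years; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def request_deadline(received: str) -> str:
    """Art. 12(3): respond within one month of receipt, not a flat 30 days.
    Same calendar day next month; if that day does not exist, the month's last day."""
    r = date.fromisoformat(received)
    year, month = (r.year + 1, 1) if r.month == 12 else (r.year, r.month + 1)
    day = min(r.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


def access_export(store: dict, email: str) -> dict:
    """Art. 15: everything held about the person across every system, notes included."""
    return {system: deepcopy(records[email])
            for system, records in store.items() if email in records}


def portability_csv(store: dict, email: str) -> str:
    """Art. 20: only the data the client provided, as CSV. Interpretive notes are excluded."""
    rec = store["booking"].get(email, {})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=("email",) + PROVIDED_FIELDS)
    writer.writeheader()
    writer.writerow({"email": email, **{f: rec.get(f, "") for f in PROVIDED_FIELDS}})
    return buf.getvalue()


def erase(store: dict, email: str) -> dict:
    """Art. 17: remove the person from every system and report, per system, whether
    anything was deleted. A system you forgot to list simply never appears here,
    which is why the store keys double as your inventory of systems."""
    return {system: records.pop(email, None) is not None
            for system, records in store.items()}


def retention_purge(store: dict, today: str, years: int = 2) -> list:
    """Retention rule from the setup table: strip birth data `years` after the last
    session. The booking record itself stays so invoices still reconcile (Art. 17(3)(b));
    only the birth fields are removed. Returns the emails that were purged."""
    cutoff = date.fromisoformat(today)
    purged = []
    for email, rec in store["booking"].items():
        expiry = _shift_years(date.fromisoformat(rec["last_session"]), years)
        if expiry <= cutoff and any(f in rec for f in BIRTH_FIELDS):
            for f in BIRTH_FIELDS:
                rec.pop(f, None)
            purged.append(email)
    return purged


if __name__ == "__main__":
    store = make_sample_store()
    print("deadline for a request received 2026-01-31:", request_deadline("2026-01-31"))
    print("access export:", access_export(store, "anna@example.eu"))
    print(portability_csv(store, "anna@example.eu"))
    print("erasure report:", erase(store, "anna@example.eu"))
    print("purged on 2026-01-01:", retention_purge(make_sample_store(), "2026-01-01"))
```

Two design points carry over to whatever real tools you use. First, `erase` reports per system rather than returning a single yes/no, so the report itself is the evidence that every system was checked. Second, the access export and the portability export deliberately differ: Article 15 includes your session notes, Article 20 does not, and handing over notes under a portability request discloses more than the client asked for.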
Fine Structure
| Violation tier | Examples | Maximum fine (whichever is higher) |
|---|---|---|
| Upper tier (Art. 83(5)) | No lawful basis, invalid consent, unlawful international transfers, failure to honor data subject rights (Arts. 12-22) | EUR 20 million or 4% of global annual turnover |
| Lower tier (Art. 83(4)) | Controller and processor obligations, including failure to appoint an Article 27 representative, missing processing records or processor contracts | EUR 10 million or 2% of global annual turnover |
Enforcement against solo practitioners is less common than enforcement against large companies, but EU data protection authorities (DPAs) have become more active against digital businesses regardless of size. The CNIL (France) and DPC (Ireland) are the most active against digital service providers.
Related Articles on Birth Data and GDPR
For birth-data-specific privacy requirements, see birth data privacy and GDPR for spiritual practitioners. For cookie consent implementation specifically, see GDPR cookie consent for spiritual businesses. For data retention schedules, see data retention and GDPR compliance for spiritual practitioners.
Frequently Asked Questions
I am a US practitioner and only one or two of my clients are in Europe. Does GDPR still apply?
Yes, technically. GDPR applies based on the data subject's location at the time of processing, not the volume of EU clients you have. Even processing one EU client's birth data makes GDPR applicable to that processing. The practical enforcement risk is low for occasional non-systematic EU client work, but the legal obligation exists. The Article 27 representative exemption (occasional, low-risk processing) may apply in that narrow case.
Can I just put a statement in my booking form saying clients consent to US data storage?
No. A line in your booking form or terms is not a valid transfer mechanism under GDPR Chapter V. You need either DPF-certified tools, Standard Contractual Clauses with your US service providers, or the client's explicit consent under the Article 49(1)(a) derogation. That derogation requires a separate, prominent request that informs the client of the specific risks of the transfer (no adequacy decision, no appropriate safeguards) before they agree; it is not satisfied by a general clause, and EDPB guidance treats the Article 49 derogations as suited to occasional transfers rather than a routine way of running your tooling.
My booking tool is Acuity Scheduling. Is it GDPR-compliant?
Acuity Scheduling (owned by Squarespace) should be checked at dataprivacyframework.gov for DPF certification status and at Squarespace's own data processing agreement page. DPF certification and tool compliance status can change - verify directly with the provider before relying on it for EU client data.
Does GDPR affect my NowPayments or crypto payment setup?
Crypto payment gateways like NowPayments process transaction data. If that transaction data includes personal information about EU clients (email addresses, names), your privacy policy should reference how payment processor data is handled. NowPayments has its own privacy policy and processes data as a separate controller. Your GDPR obligations cover your own collection and use of client data, not the payment processor's independent obligations.
See also: accept crypto payments and invoicing for spiritual businesses - accept international payments as a spiritual practitioner - birth data privacy and GDPR for spiritual practitioners
