Privacy Policy


In efforts to be transparent in how I handle information given to me by readers, students, and supporters around the world, the following statement outlines my policy in terms of managing personal data, security, and privacy related to this website——and the direct online interactions and subscription services involved with it.

By using this website and/or my other services, you are agreeing to my Data and Privacy Agreement.

(Last updated: 5/2/2023) V.2.1

Reason for this Data and Privacy Agreement

Governments and people around the world are increasingly concerned about protecting the privacy and security of their citizens. This privacy agreement is an effort to maintain transparency and comply with any policies and jurisdictions that this website and my other offerings fall within.

Primarily, governments are concerned with identifiable personal data. For those who are simply passive readers of this website, I have no identifiable personal data of which I am aware. I do use web tools to track site usage metrics to support my work. However, none of them give me any identifiable personal data. It is all non-identifiable/anonymous.

Additionally, at NO TIME do I or anyone involved in my spiritual teaching work sell personal data that is given to me.

For full details, you can read the following data and privacy agreement.

Core Promise

I—Jim Tolles; possible future employees; possible future contractors; future mentees; past, present, and future volunteers; other possible associates, and the business organization—James Tolles Consulting–as a whole are committed to maintaining appropriate data and privacy protection for any personal data in our possession to the best of our abilities.


Organization Definition

At this time my business, James Tolles Consulting, primarily consists of just me—Jim Tolles. It may include future employees or other associates (like volunteers or mentees) who support this work. It is possible contractors may also be used in the future.

For the sake of this document, “I,” “me,” “my,” and other personal references refer to James Tolles Consulting, Jim Tolles, and any person officially associated with this spiritual teaching organization (volunteers, contractors, employees, mentees, and other associates).

Spiritual Student Definition

A spiritual student is defined as having had at least one session, group discussion, or class with me within the last year. One-on-one and group students must have filled out the Disclaimers, Mental Health, and Student Data Privacy Agreement forms. Class students must have filled out the Disclaimers and Student Data Privacy Agreement forms.

While many people consider themselves my students—for the sake of legal purposes—the above definition is used for those to be considered a spiritual student of Jim Tolles.

Personal Data Definition

What is personal data? Here is a definition from the European Union.

“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

This definition can be found under Article 4 in the below link, and it is the first definition:

For a longer definition, you can review this link:

Okay. Now let me make this more accessible. Personal data is stuff like:

Your full legal name

Email address

Social security/local country’s ID number

Driver’s license

Credit card numbers

Date of birth

Physical home address

Phone number

IP address for your computer

Some of it like your name needs to be in combination with other data to be considered “identifiable.” For example, John Smith isn’t identifiable by itself because there are a lot of people with that name.

Other than the IP address and the information cookies track, this site does not collect any of the above personal information for those who ONLY read the blog posts.

Passive Data Collection

Part of running this website involves receiving data on what pages are read, slow loading pages, what websites people come from, and other important data metrics that help me to run the business and better support people around the world. At this time, Google Analytics is the main data tracking tool that I use. It offers me only non-identifiable data, thereby safeguarding user privacy. The blog publishing platform I use is WordPress. I used to use Blogger (an Alphabet, Inc. company), and it offered minimal non-identifiable data on site usage.

These services and some others I use (such as MailChimp) or will use in the future use cookies to track and tailor a person’s web experience. However, they ONLY offer me non-identifiable data. To the best of my knowledge, I do not see or have access to any IP addresses or cookies that these tools may see/use.


Cookies used on this site are part of making this site work. Google Analytics, PayPal, Mailchimp, and a few others are necessary to render all the objects on this website, provide services (like my newsletter), and offer important analytics.

This website currently uses a cookie blocker run by OneTrust.

You can learn more about what cookies are on my website on this page:

You can learn more about OneTrust’s privacy policy here:

To learn more about cookies, you can view this website:

Google Analytics

Run by Google—an Alphabet, Inc. company–this tool is afforded the benefits of a robust Google data and security protection.

Google Analytics is set to store user and event data for 26 months before deleting it.

For more information about how Google Analytics is protected and what info is gathered, you can read this link:

This is Google’s general privacy statement:

Website Platform and is the platform upon which this website uses. For questions about how they handle privacy, you can read this link:

A2 Hosting

This blog is hosted by A2 Hosting. I’m not aware that they collect any identifiable information as a hosting company.

For questions about their protection of privacy, you can read this link: (No longer in use)

This is the blog publishing platform that I used to use from 2010 to 2022. It is owned by Alphabet Inc. aka Google, governed by the same policies, and benefited from Google’s web security, as far as I understand.

Links to Other Websites

This website contains links to other websites. When you click a link to another website, you are now governed by their privacy policy. and Plug-ins

Like most WordPress sites, this website uses plug-ins to enhance the functionality of the website.

Some plugins in use include:

A2 Optimized WP

Bunyad AMP

Contentberg Core

Sphere Core

Perfect Images, and others

If a complete list of plug-ins is wanted, a person can reach out via my contact page:

Embedded Content from Other Websites

Blog posts on this site include embedded content like YouTube videos. Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about users, use cookies, embed additional third-party tracking, and monitor interactions with that embedded content, including tracking interaction with the embedded content if a person has an account and is logged in to that website.

The embedded videos are all YouTube videos at this time. Here is a link to how YouTube handles privacy:

Voluntary Personally Identifiable Data Sharing

The only way I have personally identifiable information is if someone voluntarily shares it with me. That could mean sharing data (like name and email) in an email for a session request, by subscribing to one of my offerings, or another form of messaging.

Many of these services allow the user to maintain significant control of their user data. The handling of personal data and security is explained below.

Subscription Services

I have one active subscription service at this time. I have emails from another one that is no longer actively in use.

Collected emails are only used for direct marketing purposes. This means that the email that is shared is used to send the requested subscription service to the person. Any other use of data is via the person’s permission or prompted by the individual’s direct request of service, like sending an email from a newsletter asking for a session.

New Blog Post Email Notifications

Currently, the original Feedburner option that sent out emails when new posts went up is no longer available.

Feedburner is a Google product. Google’s main privacy policy can be found on this link:

However, there seems to be a way to subscribe via For those who subscribe to my blog that way, you should be able to control your subscription settings. I don’t get any information from them. You can read’s privacy policy here:

The Newsletter

MailChimp is my current newsletter service. Someone who signed up for it has the control to unsubscribe from the newsletter at any time.

At this time, the primary data I receive from people fits three main categories:

First Name

Last Name


MailChimp also collects a person’s:

Generalized location data

Date when the profile was last updated

Time zone



The service collects information like if a newsletter emailed to the individual was opened and what links someone clicked on.

I primarily use this information to send personalized newsletter emails about spirituality. It is possible I may collect more personal information in the future, but that information is only ever used in context of the James Tolles Consulting spiritual teaching work. As mentioned earlier, the individual can unsubscribe from the list or lists they are signed up to at any time.

When someone unsubscribes, MailChimp maintains key information like someone’s email for legal purposes. For example, if their service was hacked in 2016, I would need to be able to email someone who has unsubscribed but who was active in 2016 to let them know of the data breach.

MailChimp is now owned by Intuit, and so here is more info on MailChimp/Intuit’s privacy statement:

Blog Commenting through WordPress

When visitors leave comments on the site, the data shown in the comments form is collected as well as the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from the email address (also called a hash) may be provided to the Gravatar service to see if the commenter is using it. The Gravatar service privacy policy is available here:

After approval of your comment, your profile picture is visible to the public in the context of your comment. If a user wants to remove comments, they have the ability to do so. Comments remain on the blog for the existence of the blog. I generally do not remove legitimate comments.

Comments may be held for moderation or sent through a spam filter. Comments that are deemed to be harassment, copyright infringement, spam, hate speech, or otherwise inappropriate will be removed.

When leaving a comment, a person can opt-in to saving their name, email address, and website in cookies. These allow a person to not have to fill in their details again when they leave another comment. These cookies will last for one year.

Previously, many comments were posted through Blogger and before that Google Plus (that service was shutdown). All Google Plus comments were deleted when I switched back to Blogger’s commenting service.

A user must be logged in to WordPress to add, change, or delete comments.

If you want to delete a comment of originally posted via Blogger, I can be contacted here:

Please allow 30 business days for me to do so, and I’ll email an acknowledgement.

Correspondence and Records

Emails sent to me give me access to a person’s email address. Often, I’m given a name, but sometimes, people don’t even give me that.

What additional data people choose to divulge in their emails is entirely at their discretion, and it is kept confidential within James Tolles Consulting.

I keep almost all correspondence as part of recordkeeping. I may delete duplicate emails, spam emails, unsolicited business requests, and other messages at my discretion.

Most correspondence is kept for 7 years from the date of the last correspondence with someone. If someone first corresponded with me in 2011 and it is 2018, but we’re still talking in 2018, then the target for record deletion would be 2025. If someone corresponded with me in 2011 and never again, the target for record deletion would be 2018.

Important correspondence regarding taxation, involving threats, involving business contracts, or other critically important correspondence may be kept for the lifetime of James Tolles Consulting or a directly-related spiritual venture. What I mean by this is if I close James Tolles Consulting and create another organization to do the same or related spiritual teaching work, I would maintain all these documents.

In the event of some terrible misunderstanding, the correspondence could be used for legal proceedings.

If I want to keep non-critical correspondence longer than 7 years—such as keeping a compliment emailed to me—I’ll send a request to the individual to keep it longer. I will only keep it if I receive clear consent in a written reply. If I do not get consent and/or do not hear back, the email will be deleted.

For any non-critical correspondence mentioned above, you have the right to have your correspondence deleted and can request that I do so.

You also have the right to request copies of past correspondence with me.

A process for requesting deletion or copies of correspondence is mentioned further below.

All correspondence is in a Gmail account, and Gmail is a Google product. Therefore, it benefits from all the online security Google offers. For more about how Google protects its products, see earlier Google privacy links.

Online Talks

Currently my online talks are run through Wirecast and shown through YouTube Livestreaming on this link:

YouTube Livestreaming

Talks are published through YouTube Livestreaming, and people are permitted to comment there. Comments are public, but the user retains the ability to remove their own comments. They must be logged in to a YouTube account to add, modify, or remove their comments.

Comments that are deemed to be harassment, copyright infringement, spam, hate speech, or otherwise inappropriate will be removed.

Here are YouTube’s community guidelines:

For more about YouTube security, see the above Google policy links because YouTube is a Google product.

Surveys on

In the past, I used for surveys. Information collected included:

name, (optional how specific someone is in what they enter)




if they’re interested in information about sessions with me

date of filling out the form,

where the data was collected (in an embedded form or from a link),

agreement to this data and privacy policy

time spent filling out the form, and

email address.

I no longer use

Here’s’s privacy policy statement:

Other Places a Person May Interact with Me

There are other sites with which a person can have interactions with me, and they are governed by those sites’ privacy and security policies.

Users control their comments on any post or message they share with me through these other websites. Direct messages are generally archived several times a year if the site offers that ability. The user also can unfollow, unsubscribe, and unfriend me on these services at their own discretion.

Any website where I have a presence but is not listed below is also governed by this general policy. The specific website should give people the ability to control their personal data and is governed by their privacy policy.

I am not responsible for any privacy or security issues from the following websites or any others. I am only responsible for my own––and other websites that I may own and operate in the future.

For more on the privacy and data policies of other social networks where I maintain an active presence, you can find them below:




Facebook & Instagram

These two websites are both own by Meta Platforms Inc. I have a Facebook profile where I post publicly and a page where I share as well. Facebook offers some minimal, non-identifiable data concerning the usage of my page:

Here’s my Instagram account:

For full information about privacy on Facebook and Instagram, you can read this link:


YouTube offers non-identifiable data on the usage of my channel.

See Google privacy and security links shared earlier


I occasionally advertise on Twitter, Facebook, and Google AdWords. To my best knowledge, I have only anonymous/non-identifiable data from these avenues of interaction.

I will do my best to comply with data and privacy standards for any advertising I do on these and any other sites in the future.

Data Protection Measures

The security tools used to protect personal data are constantly evolving and changing, and I do my best to stay current with the best security via my security choices and the choices in which online services I use in relationship to this business. For example, I use a lot of Google products because of Google and parent company Alphabet Inc.’s deep investment in web security.

Currently, my data protection measures include:

  • Having password protection on my computer
  • Using and maintaining the most up-to-date anti-virus software that protects Internet browsing, offers a firewall to my computer, and more
  • Receiving the latest OS updates and security patches automatically to my computer
  • Receiving automatic updates to my web browsers
  • Using a 99% of the time air-gapped back-up, external hard drive (This means that the hard drive which backs up all my info is not plugged into the computer 99% of the time. It is only plugged in when I am actively backing up data, and then it is unplugged. That makes it harder for hackers to access it.)
  • Using passwords for any online services associated with spiritual teaching work (aka Gmail, MailChimp, PayPal, Skype, and so forth)
  • Updating business passwords at least twice a year
  • Using different passwords for each device and service used in relationship to the spiritual teaching work
  • Using strong passwords, meaning that they are combinations of upper and lower case letters, numbers, and special characters
  • Using two-factor authentication for some of the service sites that offer that level of security
  • Using https web security for my website (meaning I have a Web security certificate)

Payment Methods

I maintain records of how I receive funds. I do not maintain any records of bank accounts or credit card numbers.


Those who use PayPal to donate to James Tolles Consulting are governed by PayPal’s privacy and data protection standards. I do not receive any credit card or bank account numbers from PayPal. The financial data I do receive from PayPal is used entirely for tax purposes, and therefore, that information is necessary to the running of this business.

When I receive money, I only see the information that a donor allows. If they don’t want to show a physical address for example, they can change the settings in PayPal.

Any concerns a donor has with the security of PayPal or questions about changing the personal data shown in their donations should be directed to PayPal. For learning more about PayPal’s security, this link has more information:

Checks or Money Order

Any time a donor sends a check or money order, those funds are deposited. No record of the account number is kept. A record of the name and amount of the donation is kept for taxation purposes.

Permission to Share Data

If there is a time when I want to share personal data with someone else and it’s not due to a legal necessity or someone who is at risk of harming themselves or others, I’d request permission in writing from the person whose data will be shared.

For instance, if there was an email with something of educational use to developing a mentee, I’d ask the person who sent the email for permission to share it along with sending a copy of the email for review.

Compliance with Legal Systems

When necessary and compelled to comply, the data I have may be used in a court of law. I will do my best to comply with any lawful legal request.

Requesting Removal of Personal Data

For any identifiable personal data given to me that is non-critical to business and legal recordkeeping, you can send me a written email via my email address asking me to delete the information from my system.

Please allow for 30 business days for the request to be processed.

Acknowledgement emails will be sent to confirm the request and that the request has been processed.

Requesting Records of Personal Data

If I have correspondence of which you’d like a copy, you can request that I send a copy to you.

Please allow for 30 business days for the request to be processed.

You can make a request by contacting me here:

Notification of a Data Breach

In the event of a data breach, I or a sanctioned member of James Tolles Consulting or current spiritual teaching organization will contact those who are affected or possibly affected within 30 business days.

Annual Review

Once a year, I review the personal data I have to determine if anything needs to be modified, deleted, or otherwise addressed.

Best Effort

I always intend to offer my best efforts in maintaining data and privacy protection. However, technology is constantly changing, so I can’t be perfect. Even organizations with hundreds of security professionals have data breaches. But I give my promise to do my best in maintaining the security and privacy standards set forth in this document and required of me by law. I also will offer my best effort for any future services that get used or services in use that aren’t explicitly mentioned to maintain appropriate security and privacy.

Unintentional Omissions

No statement or agreement can account for any and every possible issue. Thus, if there are omissions, they are unintentional, and significant security and privacy concerns will be fixed once I know about them.

If there is an issue that has been omitted, please contact me.


By using this website, you indemnify Jim Tolles and James Tolles Consulting of any possible wrong-doing regarding personal data.

Questions and Concerns

If someone has any questions or concerns about this policy, please contact me here: