dōTERRA GDPR FAQ


doTERRA, the leader in the global aromatherapy and essential oils market, has experienced explosive global growth, including in Europe. doTERRA is dedicated to future progress and stability in Europe and will comply with applicable regulations, including the new General Data Protection Regulation (GDPR). Specifically, this regulation requires doTERRA and Wellness Advocates to work together to protect individuals’ personal and private data.

A: The General Data Protection Regulation (GDPR) is the culmination of a four-year project to update current data protection and privacy standards for the 21st century. GDPR aims to harmonise this effort across the European Union (EU). GDPR is also in the process of being adopted by several European Economic Area (EEA) countries.
A: The GDPR effective date is 25 May 2018.
A: Personal data is any information related to a natural person that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email, bank details, social media posts, medical information, etc. Data is found inside systems, in orders, online, in databases, etc.
A: GDPR applies to all organisations and individuals who work with personal data. Under GDPR, a ‘Data Subject’ is a natural person whose data is to be protected. Further, GDPR identifies two categories of data users. The two categories are ‘Data Controllers’ and ‘Data Processors’. A data controller states how and why personal data is processed. A data processor is the party doing the actual processing of some or all of the data on behalf of a data controller. doTERRA has identified itself as a data controller. In addition, doTERRA has also identified its Wellness Advocates as data controllers. Accordingly, doTERRA is updating its Wellness Advocate Agreements and Policy Manuals across Europe to contract with its Wellness Advocates as data controllers as well as define their relationship to doTERRA as data controllers.
  • A: Become familiar with the GDPR regulation and doTERRA’s Policy (Section 17).
  • When a new doTERRA Member has been successfully enrolled, proactively delete and/or responsibly discard the Wellness Advocate’s or Customer’s personal and private data. Allow it to live online only, so it can easily be removed there when asked. This will also help you in refreshing lists frequently.
  • Consider making a habit of periodically reviewing your email list. Promptly remove individuals who have unsubscribed or requested their name be removed from your mailing list. At least once a month refresh and update your contact lists.

Please note that this is not an all-inclusive list.

A: Yes, doTERRA is committed to following GDPR. doTERRA is taking the necessary steps to ensure personal privacy remains a top priority.
A: doTERRA uses personal data of Wellness Advocates and Customers to, among other things, identify accounts, process orders, complete refunds, answer questions, prepare reporting metrics and to reach out to Wellness Advocates and Customers in the normal course of business. Additionally, doTERRA uses personal information to pay commissions, transfer payments, offer recognition and for reporting purposes.

A: doTERRA stores data in its servers and databases. In addition, in order to fulfil all responsibilities to Wellness Advocates and Customers, doTERRA has contracted with third parties to provide functional services such as payment card processing and order fulfilment. A comprehensive list of data users may be obtained by contacting doTERRA or writing to us at:

doTERRA Attn: Legal Department 389 South 1300 West Pleasant Grove, Utah 84062

A: A controller is the data user that determines the purposes, conditions, and means of processing of personal data, while the processor is the data user that processes personal data on behalf of the controller.
A: As noted above in number 4, Wellness Advocates are Data Controllers.
A: As noted above in number 4, Wellness Advocates are Data Controllers. Wellness Advocates are responsible to abide by GDPR. The list of responsibilities below has been added to section 17 of the Europe Policy Manuals, as follows:

Data Protection: As self-employed independent contractors, Wellness Advocates are the data controller for any personal data (including customer personal data) they process in the course of their business activities as a Wellness Advocate. Wellness Advocates are responsible to ensure that such personal data are processed, stored, and disposed of fully in accordance with applicable data protection laws, including the EU General Data Protection Regulation 2016/679. This entails, amongst others, the following responsibilities:

  • to perform all of their obligations under applicable data protection laws, including data security and confidentiality obligations;
  • to ensure that data subjects are provided with appropriate information regarding the processing of their personal data, including the sharing of their personal data with the Company;
  • to ensure that they have a legal basis for the processing of personal data, including the sharing of personal data with the Company and obtain the data subjects’ consent for the processing of their personal data, if required by applicable data protection laws;
  • to ensure that data subjects can exercise the data protection rights granted to them under applicable data protection laws;
  • to enter into a written agreement with data processors they rely on to process personal data on their behalf, in accordance with applicable data protection laws;
  • to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with applicable data protection laws;
  • to notify the Company, immediately, of any actual or suspected data breach affecting personal data processed by Wellness Advocates in connection with their activities as a Wellness Advocate;
  • to cooperate fully with the Company in all reasonable and lawful efforts to prevent, mitigate, or rectify such personal data breach; and
  • for implementing and providing adequate protection in the event of transfer of personal data to countries located outside of the EEA, as required under applicable data protection laws.
A: Yes, and starting 25 May 2018, visitors will be able to opt out or select which cookies to subscribe to.
A: As a data controller, doTERRA is responsible to ensure that personal data is processed, stored and disposed of fully in accordance with applicable data protection laws, including GDPR.
A: In general, if a Wellness Advocate only uses personal data within the tools provided in the virtual office, his or her GDPR compliance will be relatively simple, as doTERRA will keep the virtual office updated. If, however, a Wellness Advocate downloads lists containing personal data from the virtual office, or creates his or her own tools and/or lists of personal data, then the Wellness Advocate must comply with all aspects of GDPR pertaining to a Data Controller. These responsibilities include, among other things, the list provided in number 10 above. Wellness Advocates must keep all known personal data they receive from Customers and newly enrolled Wellness Advocates strictly confidential and private. After a Member successfully enrols with doTERRA, and their information is entered into doTERRA’s system, please delete or destroy personal or private data, as it is no longer necessary to keep.
A: Yes, Wellness Advocates who are based outside the EU and deal with EU residents’ personal data need to abide by GDPR.
A: Yes, if a data subject requests to not receive marketing communications, this request must be complied with within 30 days. Personal liability for not adhering to this provision of GDPR can be imposed upon individual Wellness Advocates through personal lawsuits and/or government actions. In addition, doTERRA’s policies prohibit spamming members of your team and others. Therefore, under both GDPR and doTERRA’s policies, Wellness Advocates must always have an option to unsubscribe, or opt out of communication from the Company or other Wellness Advocates. If you believe you are receiving unsolicited correspondence, please feel free to contact compliance@doterra.com to help address the issue.

A: All information can be found on the EU’s official GDPR site. doTERRA is pleased to provide information related to the rights of data subjects. In addition, doTERRA is happy to provide general information, to the extent it is allowed by law, regarding the responsibilities of Wellness Advocates under GDPR. If you would like to exercise your data protection rights, please contact doTERRA or write to us at:

doTERRA Attn: Legal Department 389 South 1300 West Pleasant Grove, Utah 84062

A: If you would like to exercise your data protection rights, please contact doTERRA or write to us at:

doTERRA Attn: Legal Department 389 South 1300 West Pleasant Grove, Utah 84062

A: doTERRA does share personal data with strategic third-party business partners (as seen in FAQ number 7) to fulfil its responsibilities to Wellness Advocates and Customers. Examples of third parties that doTERRA contracts are payment card processors, shipping and fulfilment companies, and database services to provide the virtual office and websites.
A: All changes necessary for doTERRA to comply with GDPR are implemented on doTERRA’s web platforms. As a Data Controller, doTERRA will honour Wellness Advocates’ requests to remove information from our systems, including the back office. Visible contact information in the back office is considered authorised unless a member notifies doTERRA to remove his or her information (see FAQ number 18).
