
Privacy

 

Privacy Policy for Indian Yoga School (indianyogaschool.com)


Introduction

Welcome to Indian Yoga School (“we”, “our”, “us”), operating at https://indianyogaschool.com, a digital platform built on the Laravel Framework dedicated to connecting yoga centres and students in India and beyond. Our platform allows the registration and creation of profiles for both yoga students and centres, and enables the booking and management of yoga teacher training programs, retreats, and related events.

As a responsible data fiduciary and digital business, we are committed to upholding the highest standards of data privacy, security, and transparency, as required by Indian laws such as the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and global privacy frameworks including the General Data Protection Regulation (GDPR).

This Privacy Policy outlines how we collect, process, store, use, disclose, share, and protect your personal information and data across our website and integrated applications, including but not limited to booking, profile management, and payment transactions facilitated through third-party Payment Partners. We are dedicated to safeguarding your privacy rights and providing clear information about our data practices in a manner accessible and comprehensible to all users.

By accessing or using Indian Yoga School, you consent to the practices described in this Privacy Policy. We encourage you to read this policy thoroughly and contact us with any questions or concerns.

1. Personal Data Collection Practices


1.1 Types of Personal Data Collected

We collect several categories of information from users, including but not limited to:

  • Basic Personal Details: Name, age, gender, date of birth, nationality, contact address, email address, phone number.

  • Identity and Account Information: Usernames, hashed passwords, and identifiers linked with third-party login providers (such as Google).

  • Yoga-Centre and Program Data: Information supplied by yoga centres about their facilities, programs, staff, and accreditations; as well as program details, schedules, pricing, and availability.

  • Health and Sensitive Information: (With explicit consent) Health declarations, medical conditions, dietary requirements, emergency contact details, any disabilities relevant to program participation. We do not solicit religious or philosophical belief data unless volunteered by you as part of your profile or program registration.

  • Transactional Data: Booking records, payment history, transaction reference IDs, and financial instrument details (collected and processed via secure third-party payment gateways, not directly by us).

  • Profile and Content Data: User profile images, biographies, uploaded certificates, reviews, testimonials, communications exchanged via the platform, and any other media or materials voluntarily submitted.

  • Technical and Usage Data: Device and connection information (IP address, browser type, device model, operating system), log data, website interaction data, booking history, time of access, search queries, and referral URLs.

  • Cookie and Analytics Data: Cookies, web beacons, local storage, and similar online identifiers (see Section 8).

  • Marketing Data: Preferences for receiving notifications or promotional materials.

We only collect and process sensitive personal data if it is necessary for providing services and after obtaining your explicit consent, as required by relevant privacy laws.

1.2 Collection Methods

  • Direct Provision by User: Through online registration forms, profile updates, booking and program applications, communications with support, and feedback.

  • Automatic Collection: Via cookies, device fingerprinting, and site analytics as you navigate the website.

  • Third-Party Sources: If you log in with a social account or authorize a third-party integration, relevant data is collected from those providers, subject to your privacy settings on those services.

  • Payment Processors: When making payments, your data may be collected directly by our third-party Payment Gateways, subject to their privacy policies. We do not store full payment card or account details on our servers.

2. Lawful Basis and Purpose of Data Use


2.1 Legal Basis for Processing

  • Performance of a Contract: For fulfilment of user registration, profile management, booking yoga programs, and facilitating payment.

  • Legal Obligation: To comply with applicable Indian laws, tax regulations, and law enforcement requests.

  • Legitimate Interests: To monitor, improve, and secure our services, protect users from fraud, maintain service quality, and provide customer support. Data minimization principles are applied here.

  • Consent: For marketing communications, newsletters, use of certain cookies, and processing of sensitive health data.

  • Explicit Consent: Required for processing children’s data or certain categories of sensitive information.

2.2 How We Use Your Data

Your personal data may be used for the following purposes:

  • Managing your account and profile, enabling you to interact with the platform.

  • Enabling the registration and accreditation of yoga centres and managing program listings.

  • Processing bookings, payments, cancellations, and refunds.

  • Sending administrative and transactional communications (confirmation emails, reminders, event changes, support notifications).

  • Providing tailored content, program recommendations, or features based on your profile and preferences.

  • Responding to user support requests, complaints, or queries.

  • Sending newsletters, promotions, and relevant content (with your consent).

  • Analyzing website traffic, usage, and program trends to improve user experience.

  • Preventing fraud, ensuring security, and maintaining system integrity.

  • Complying with legal and regulatory obligations, audits, and maintaining required records.

  • Facilitating social/community interaction (user reviews, testimonials, Q&A) as part of the listing platform.

We do not sell your personal data to third parties. All data use is limited to the purpose for which it was collected and is updated should purposes change, in accordance with applicable notification and consent requirements.

3. Data Storage, Security, and Retention


3.1 Data Storage and Location

All digital data is stored on secure, access-controlled servers located in India or other jurisdictions permitted by Indian law for cross-border transfer (see Section 9). Backup and redundancy practices comply with best industry standards.

Sensitive data (such as health or payment data) is stored with enhanced encryption and access restrictions. Payment instrument details are processed and stored only by certified payment gateways and not by Indian Yoga School directly.

3.2 Data Security Measures

We employ a comprehensive set of technical and organizational safeguards, including:

  • SSL/TLS encryption for data in transit and storage.

  • Regular software and security updates on our Laravel platform.

  • Role-based access controls, strong authentication policies, and regular password salting and hashing.

  • Firewalls, intrusion detection, and automated vulnerability scanning.

  • Data masking and anonymization for analytics and reporting when feasible.

  • Regular security audits and incident response plans in line with DPDP Act requirements.

  • Logging and monitoring of data access, with logs retained for at least one year.

Employees and contractors have access only to the specific data necessary for their role, and all staff are trained on data privacy obligations.

3.3 Data Retention and Deletion

  • Personal data is retained only as long as necessary for the purposes described, or as required by law (tax, accounting, and contractual obligations).

  • Booking and payment records are generally retained for up to seven years following transaction, unless a longer retention period is mandated.

  • Health and sensitive data is deleted or fully anonymized once the provision of service is complete and the lawful retention period expires.

  • Marketing preference data is retained until you unsubscribe or opt out.

  • Account and profile data: If you request account deletion, all associated data is promptly and securely erased, except where retention is required for legitimate business or legal purposes.

We apply strict deletion and disposal procedures to ensure no recoverable copies of deleted personal information remain, as per data minimization and accountability requirements found in both GDPR and DPDP Act.

4. Children’s Data and Parental Consent


Indian Yoga School is designed for users aged 18 years or above. If enrolling minors, parental or guardian consent is strictly required prior to any collection or processing of children’s personal or sensitive data. We do not permit the creation of student or centre profiles for individuals under 18 without verified guardian consent.

Where children's data is collected (for children’s yoga programs, etc.), we implement:

  • Simplified notices and tailored consent mechanisms for parents/guardians;

  • Technical measures to verify age and legal status of guardians;

  • No profiling, tracking, or behavioral advertising for children’s profiles;

  • Complete erasure of personal data upon withdrawal of consent or program completion.

These requirements are aligned with DPDP Act provisions as well as applicable international regulations.

5. Data Sharing and Third-Party Services


5.1 Data Sharing Scenarios

We may share or disclose your personal data in the following circumstances:

  • With Partner Organizations: Yoga centres and event organizers will receive the information necessary to process bookings and manage attendance (name, contact details, specific program information).

  • With Service Providers: We engage trusted third-party service providers for payment processing, email/SMS delivery, hosting, analytics, IT maintenance, and customer support. Each provider is contractually obligated to maintain confidentiality, security, and compliance with relevant data protection regulations.

  • Legal and Regulatory Disclosure: Where required by Indian law or order of courts, or to defend legal rights; in the event of legal investigations, fraud or risk detection, or imminent harm prevention.

  • Corporate Transactions: In case of mergers, acquisitions, transfers, or any change in control, with appropriate notice and as provided under law.

We do not sell or rent your personal data for marketing purposes. All third-party service providers are subject to Data Sharing Agreements or Standard Contractual Clauses, as mandated by the DPDP Act and analogous international standards.

5.2 International and Cross-Border Data Transfers

Personal data may be transferred and processed outside of India if:

  • Required for performance of a contract with you (e.g., where a program is delivered abroad or with an international yoga centre).

  • The destination country offers an adequate level of data protection, or a government notification so permits (jurisdictions not on the 'negative list' as per the DPDP Act).

  • Proper safeguards and documented contractual controls are in place, as stipulated by law.

We maintain detailed records of all cross-border data transfers and ensure compliance with Indian and applicable foreign laws. Users can request further details about any such transfer at any time.

6. Payment Processing and Financial Data


Payments are securely processed through third-party integrations with trusted Indian and International Payment Gateways.

  • What we store: We record transaction references, payment status, dates, payer’s name, and the last four digits of payment cards strictly for reconciliation and support purposes. We do not store full card numbers or sensitive authentication data.

  • What third parties store: Payment processors may require your payment instrument details (e.g., card details, PayPal ID). Their treatment of your data is governed by their privacy policies. They are contractually required to ensure stringent security and compliance (PCI DSS, data localization laws, etc.).

  • Data access: You may request deletion of all payment-related information held by us, subject to statutory retention requirements.

Each transaction is encrypted, and audit logs are maintained. Payment data is never used for marketing or unrelated purposes.

7. Users’ Rights and Control


7.1 Rights under Indian DPDP Act and GDPR

We uphold your legal rights with respect to personal data, including:

  • Right to Access: Obtain copies of your personal data we hold, including how it is used or shared.

  • Right to Correction: Request correction or completion of inaccurate or incomplete data.

  • Right to Erasure ('Right to be Forgotten'): Request deletion of your data where retention is no longer necessary for business or legal purposes.

  • Right to Withdraw Consent: Revoke your consent at any time (for marketing activities, cookies, sensitive information), after which we will cease the processing.

  • Right to Portability: Receive your data in a machine-readable format and transfer it to another provider.

  • Right to Object/Restrict Processing: Object to or request a restriction on the processing of your data in certain situations.

  • Right to Nominate: Under the DPDP Act, you may nominate another person to exercise your data rights on your behalf in case of incapacity.

All requests will be processed within reasonable timeframes (typically 7–15 days, unless otherwise required). For detailed procedures or to submit a request, please use the contact details supplied below.

7.2 Redressal and Complaints

If you have concerns or complaints regarding our data practices, you have the right to contact our Grievance Officer or Data Protection Officer (see Section 13) for resolution. If unresolved, you may escalate to the Data Protection Board of India or other competent authority.

8. Cookies and Tracking Technologies


8.1 What Are Cookies?

Cookies are small text files placed on your device to collect information such as browser type, settings, usage metrics, and navigation behavior. We employ the following types:

  • Essential/Strictly Necessary Cookies: Required for operation of the site (e.g., user authentication, secure sessions, program bookings).

  • Analytics/Performance Cookies: Help us understand how users interact with the platform (Google Analytics, etc.); used in anonymized or pseudonymized form.

  • Functional Cookies: Remember your preferences and enhance functionality (language settings, saved searches).

  • Marketing/Advertising Cookies: (Only when consented) Used for tailored promotions and remarketing, never for profiling children or processing sensitive data.

8.2 How We Use Tracking

  • Improve user experience by personalizing content and remembering your preferences.

  • Measure website performance, program popularity, and conversion rates.

  • Facilitate secure payment processes and protect against fraud.

  • We never track children or engage in behavioral advertising for users under 18.

8.3 Managing Your Preferences

Upon visiting our website, you are presented with a cookie consent banner enabling you to accept, reject, or customize settings for non-essential cookies. You can later change your preferences at any time through your account settings or by contacting our support team. Declining cookies may affect certain functionalities.

All cookie-related processing strictly follows the “opt-in” principle mandated by the DPDP Act, and respects guidelines for consent, transparency, and unambiguous user action.

9. Cross-Border Data Transfers


Personal data collected by Indian Yoga School may be transmitted to and processed in countries outside your home jurisdiction, provided that:

  • The transfer is necessary for the fulfillment of a contract with you, or to provide requested services (e.g., international program bookings).

  • The destination country is not on the 'negative list'—a government-published list of excluded jurisdictions—or appropriate exemptions (e.g., judicial, enforcement, or contractual purposes) apply.

  • Explicit records of transfer are maintained, and additional security measures (contractual, technical, organizational) are adopted, as required by DPDP Act Section 16 and sectoral regulations.

We require all overseas recipients and processors to implement data protection measures at least as strong as those stipulated by Indian law (encryption, access controls, incident notification, audit, liability clauses). We regularly audit third party compliance and document all transfers for regulatory inspection.

10. Data Retention, Deletion, and Minimization


10.1 Retention Periods

We strive for data minimization and only retain personal data for as long as necessary:

 

| Category | Retention Period | Method of Deletion |
|---|---|---|
| Account/Profile Data | While account is active and for three years after last login or as legally required | Secure deletion from all active databases and backups |
| Booking/Payment Data | Minimum seven years from transaction | Erasure, redaction, anonymization upon expiry |
| Health/Sensitive Data | Until service is delivered, unless required for legal defense; max one year post service | Physical and digital secure erasure |
| Consent Records | Seven years after withdrawal | Purged from consent manager, logs securely deleted |
| Marketing Data | Until unsubscribed or request for erasure | Prompt deletion on opt-out request |

 

Mandatory notifications are sent to you 48 hours before the deletion of your account and associated data, as per applicable law. Data that is no longer required is securely destroyed in compliance with industry standards (NIST, ISO 27001), and data minimization practices are followed at every step.

11. Data Breach Detection and Notification


11.1 Breach Detection, Management, and Notification

Despite our best efforts, no digital platform is completely immune to security risks. We have a robust incident response and breach management protocol aligned with the DPDP Act and GDPR:

  • All security incidents and breaches are logged and investigated immediately upon detection.

  • Users and competent authorities (e.g., Data Protection Board of India, affected data principals) are notified of any material breach within 72 hours as mandated by law.

  • Notifications include the nature, impact, and consequences of breach, recommended mitigation steps, and contact information for further queries.

  • Remediation measures are implemented to contain harm, restore security, and prevent future incidents.

  • All breaches, regardless of notification obligation, are fully documented and available to regulatory authorities for audit purposes.

You will be kept informed of developments and may contact our Grievance Officer for further assistance.

12. Laravel-Specific Data Protection and Implementation


Indian Yoga School is built on the Laravel Framework, which provides robust security and privacy features appropriate for modern web applications:

  • Input Validation and Sanitization: All input is validated both server-side and in client-side forms to prevent injection attacks, with strong data binding and validation rules according to Laravel best practices.

  • Encryption: Laravel’s native encryption tools are used for sensitive data storage and transmission. All environment variables (API keys, credentials) are securely managed via Laravel’s .env system.

  • Access Management: Policies and gates are used to enforce user authorization, ensuring that only the relevant users and staff can access or modify data as per their role and permissions.

  • Audit Logging and Monitoring: All access, modification, and deletion events are logged for at least one year, facilitating compliance audits and breach detection.

  • Session Security: Secure session management, including expiration, tokenization (CSRF tokens), and hijacking protections, is applied server-wide.

  • Data Deletion and Portability Tools: Mechanisms are in place for users to download their personal data, as well as for primary and backup deletion upon account closure or customer request.

Developers and administrators receive regular security and privacy training to maintain a strong compliance posture.

13. Industry-Specific Considerations for Yoga Platforms


As a yoga- and wellness-specific digital platform, Indian Yoga School recognizes the unique sensitivities in handling data related to health, wellness preferences, and spiritual pursuits:

  • Sensitive Health Information: Only collected with explicit informed consent and used exclusively for program suitability evaluations (e.g., health conditions, injuries, dietary or lifestyle needs). Such data is subject to added access controls and is not disclosed for non-service purposes.

  • Community Features: Reviews, testimonials, and public profiles are displayed only with the user’s active consent and can be removed or corrected at the user’s request.

  • Wellness Data Minimization: Wellness questionnaires are limited to only the questions strictly necessary for safe program participation.

  • Cultural/Philosophical Beliefs: While yoga often touches on spiritual matters, information about your philosophical or religious beliefs is neither required nor used for profiling unless you voluntarily submit it and consent to its use.

  • Child and Family Programs: Parental consent is required for children’s participation; no marketing or behavioral analytics are performed for child profiles.

We continuously monitor regulatory changes, industry best practices, and user feedback to ensure our privacy policy remains relevant and robust for the changing needs of our users.

14. Policy Updates and User Notifications


We may update this policy from time to time in response to changes in services, legal requirements, or privacy best practices. When changes are significant, we will notify users through website banners, email, or prominent pop-ups. The updated privacy policy will always display a “last updated” date at the top and is always available on our website for your review.

15. Contact Information and Grievance Redressal


If you have questions, requests, or concerns about this Privacy Policy or your rights, please contact our designated Grievance Officer and Data Protection Officer at:

Grievance Officer / Data Protection Officer

Email: support@indianyogaschool.com

Redressal Timeline: We aim to respond to all requests or complaints within 15 days, as required by Indian law.

You may also contact the Data Protection Board of India for unresolved complaints.

16. Structure and Accessibility of this Policy


This policy is written in clear, concise language and is available in English and (where applicable) in other major Indian languages to ensure accessibility as required by the DPDP Act. Accessible versions for the visually impaired are available upon request.

Users may find the Privacy Policy linked prominently in the site footer, during onboarding, and wherever personal data is collected (e.g., registration, booking, cookie banners).

17. Summary Table: Key Data Practices

 

| Data Practice | Details & Approach |
|---|---|
| Personal Data Collected | Contact, identity, health (with consent), program, payment, technical/data logs, cookies, content uploads. |
| Purpose of Collection | Registration, bookings, program management, support, analytics, security, compliance. |
| Legal Basis | Contract, legitimate interest, consent, legal obligation. |
| Third-Party Sharing | Service providers (payment, hosting, support), required legal disclosures, partner yoga centres per bookings. |
| Cross-Border Transfers | Permitted where compliant with Indian & international law, with security and contractual safeguards. |
| Data Security | Encryption, access controls, regular audits, secure session management, role-based access, incident management. |
| Data Retention | Data minimization; deletion after service or statutory retention, prior notice. |
| User Rights | Access, correction, deletion, portability, withdrawal of consent, objection/restriction, nomination. |
| Cookies | Consent-based; banner, management tool, detailed policy, opt-in, essential only for children. |
| Children’s Data | Parental consent verification, special notice, no tracking or marketing, complete deletion on request. |
| Data Breach Notification | Prompt notification (within 72 hours), mitigation, and transparency. |
| Contact | Grievance Officer details, policy accessibility, regular updates, notification of changes. |
 
 

18. Privacy Policy Best Practices and Ongoing Compliance


  • Privacy By Design and Default: All site features, new program launches, and technical upgrades undergo a privacy impact assessment and are implemented in accordance with “privacy by design” principles.

  • Regular Audits: Internal and third-party audits are conducted regularly to assess compliance.

  • Employee Training: Ongoing privacy and security training for all staff handling personal data.

  • User-Centered Transparency: Privacy notices are provided wherever data is collected, using understandable language, with layered links to detailed explanations as needed.

  • Grievance Handling: All privacy complaints and requests are tracked, responded to promptly, and reported internally for process improvement.

19. Further Information and Industry Guidance


This privacy policy draws on industry-specific guidelines for yoga and wellness platforms, leading technology law frameworks, and privacy policies from exemplar yoga websites and international organizations. Additional references and ongoing regulatory updates can be provided on request.

Last Updated: 18 August 2025

By maintaining strong privacy practices, Indian Yoga School ensures trust, legal compliance, and a user-centric experience for the yoga community. For additional questions about data privacy and this policy, please contact our Grievance Officer.

Email: support@indianyogaschool.com
