Privacy Policy
Effective date: 09 September 2025
Controller: EKA MAI HOLISTIC YOGA PLATFORM L.L.C. (“Eka Mai”, “we”, “us”, “our”)
Address: R03 La Cote B4, Port de la Mer, Jumeirah 1, Dubai, U.A.E.
Websites: ekamai.online, ekamaiholistic.com
Contact (data requests): contact@ekamaiholistic.com

This Policy explains how we collect, use, disclose, transfer, and retain personal data across our websites, online classes, offline events, and communication channels (including Instagram DM/ManyChat, Telegram, WhatsApp, email, and Zoom). We comply with the UAE Personal Data Protection Law (PDPL) and provide additional notices where GDPR/UK GDPR or CCPA/CPRA apply. 

1) What data we collect

  • Identity & contact: first/last name, email, phone, usernames/handles.
  • Account & usage: bookings, attendance, purchases, passes/memberships.
  • Payments: processed by Stripe and Mindbody; we do not store card numbers on our servers.
  • Communications: messages you send via email/DM/WhatsApp/Telegram, forms and support requests.
  • Media & recordings: photos/video from events; recordings of live/online sessions (participants may be visible/audible).
  • Technical data: device/OS, browser, approximate location (via analytics), cookies (see Cookies section).
  • Travel/retreat logistics: emergency contacts and dietary preferences (when relevant).
  • HR & recruitment: CVs and related data when you apply for roles.

Special category data (only when necessary & with explicit consent): limited health information (e.g., pregnancy, injuries/contraindications) for longer trainings/retreats to protect participant safety.


2) Why we process data (purposes & legal bases)

  • Provide our services: account creation, bookings, access to classes/streams/courses (PDPL: contract; GDPR legal bases: Contract, Legitimate Interests).
  • Payments, billing, tax & accounting (PDPL/GDPR: Legal Obligation, Contract).
  • Customer support & communications (PDPL/GDPR: Legitimate Interests, Contract).
  • Marketing (email/SMS/DM) and service updates; you can opt out anytime (GDPR: Consent or Legitimate Interests depending on channel; PDPL: Consent/Legitimate Interests).
  • Analytics & product improvement via Google Analytics 4 (GA4) (GDPR: Consent in EEA/UK; PDPL: Legitimate Interests where appropriate). GA4 does not log or store IP addresses; regional controls (Consent Mode) are applied.
  • Security & fraud prevention (PDPL/GDPR: Legitimate Interests/Legal Obligation).
  • Media/recordings: operational/educational use; identifiable marketing use only with your consent.

GDPR/UK GDPR territorial scope: our processing may be subject to GDPR where we offer services to individuals in the EEA/UK or monitor behavior there (Art. 3).


3) Cookies & analytics

We use essential cookies (site operation) and analytics cookies (GA4). In the EEA/UK we request consent and honor your choices (and any browser-level global privacy control signals where applicable). GA4 provides regional privacy controls and does not log/store IP addresses. You can change cookie preferences via our banner/settings (where shown) or your browser. 


4) Children & minors

Our services are intended for individuals 16+. Participants under 18 should only register/attend with parental/guardian consent and may be asked to provide a signed consent form. (PDPL does not fix a uniform “child” age; we apply a conservative standard and obtain consent where appropriate.) 


5) Sharing your data (recipients & processors)

We share data only as needed to provide services, comply with law, or with your consent. Typical recipients/processors include:

  • Hosting/Website: Tilda (site hosting/CRM forms).
  • Payments & bookings: Stripe, Mindbody.
  • Teaching & events: Zoom (video sessions/recordings when applicable).
  • Operations/CRM/Email: Zoho (e.g., Books/CRM/Campaigns), Mailchimp (where used), ManyChat (Instagram DM), WhatsApp/Telegram (communications), Zapier (automation).
  • Analytics/Tagging: Google Analytics 4 (and Google Tag Manager if implemented).
  • Trip/retreat partners: hotels/venues, travel/ground partners and guest teachers—only the minimum necessary data and only for logistics/safety.

International transfers. Many vendors store/process data outside the UAE (e.g., EU/US). Where GDPR/UK GDPR applies, we rely on mechanisms such as Standard Contractual Clauses (SCCs) put in place by our vendors; under PDPL, we use permitted transfer bases or exceptions while applying appropriate safeguards.


6) Retention

We keep data only as long as needed for the stated purposes or as required by law, then delete or anonymize it.

  • Corporate tax records: at least 7 years after the end of the relevant tax period. 
  • VAT records: generally 5 years after the end of the tax period (longer for certain cases, e.g., real estate/capital assets per Executive Regulations). 
  • Bookings/attendance/support comms: typically up to 3 years after last interaction (unless needed longer for legal claims).
  • Marketing contacts: until you unsubscribe/opt out, with a brief suppression period to honor your request.
  • Media/recordings: retained only as long as needed for the program or with your consent for longer/marketing use.
  • HR/recruitment: typically up to 7 years after the process concludes or as required by law.


7) Your rights

Under UAE PDPL, you have rights such as access, correction, deletion, restriction, objection, and data portability, subject to legal limits. Where GDPR/UK GDPR applies, you also have the right to withdraw consent and to lodge a complaint with your local data protection authority. In the UAE, you may contact the UAE Data Office if unresolved. Submit requests to contact@ekamaiholistic.com; we aim to respond within 30 days and may ask to verify your identity. 


8) CCPA/CPRA notice (California, if/when applicable)

We do not “sell” or “share” personal information as defined by CCPA/CPRA, and we honor opt-out rights if the law applies to us. CCPA generally applies to certain businesses meeting statutory thresholds (e.g., revenue/volume or reliance on selling/sharing). If it becomes applicable, we will enable the required disclosures and rights (including “Do Not Sell or Share” and global privacy control signals). 


9) Security

We use technical and organizational measures appropriate to the risk, including TLS encryption in transit, access controls and MFA for staff accounts, least-privilege permissions, vendor due diligence, staff training, and regular backups. No system is perfectly secure; if we suspect a data incident affecting you, we will assess and notify as required by law.


10) Media, recordings & publicity

We may photograph/record classes and events. Operational/educational use (e.g., access for registered participants) is permitted under our legitimate interests. Marketing use of identifiable images/voice will only occur with your explicit consent (e.g., media release). You can opt out of being on camera where feasible (e.g., choosing a non-recorded area or turning off your camera in Zoom).


11) Third-party links & communities

Our websites, channels, or groups may include links to third-party sites/bots/platforms. Their privacy practices are their own; please review their policies before sharing data.


12) Contact

For any question or to exercise your rights, contact:
EKA MAI HOLISTIC YOGA PLATFORM L.L.C.
Email: contact@ekamaiholistic.com


13) Changes to this Policy

We may update this Policy from time to time. We will post changes here and update the “Effective date” above. For material changes, we may provide additional notice (e.g., banner or email).

Copyright © 2024
EKA MAI Holistic Yoga Platform L.L.C.