1) What data we collect
Identity & contact: first/last name, email, phone, usernames/handles.
Account & usage: bookings, attendance, purchases, passes/memberships.
Payments: processed by Stripe and Mindbody; we do not store card numbers on our servers.
Communications: messages you send via email/DM/WhatsApp/Telegram, forms and support requests.
Media & recordings: photos/video from events; recordings of live/online sessions (participants may be visible/audible).
Technical data: device/OS, browser, approximate location (via analytics), cookies—see Cookies section.
Travel/retreat logistics: emergency contacts and dietary preferences (when relevant).
HR & recruitment: CVs and related data when you apply for roles.
Special category data (only when necessary & with explicit consent): limited health information (e.g., pregnancy, injuries/contraindications) for longer trainings/retreats to protect participant safety.
2) Why we process data (purposes & legal bases)
- Provide our services: account creation, bookings, access to classes/streams/courses (PDPL: contract; GDPR legal bases: Contract, Legitimate Interests).
- Payments, billing, tax & accounting (PDPL/GDPR: Legal Obligation, Contract).
- Customer support & communications (PDPL/GDPR: Legitimate Interests, Contract).
- Marketing (email/SMS/DM) and service updates; you can opt out anytime (GDPR: Consent or Legitimate Interests depending on channel; PDPL: Consent/Legitimate Interests).
- Analytics & product improvement via Google Analytics 4 (GA4) (GDPR: Consent in EEA/UK; PDPL: Legitimate Interests where appropriate). GA4 does not log or store IP addresses; regional controls (Consent Mode) are applied.
- Security & fraud prevention (PDPL/GDPR: Legitimate Interests/Legal Obligation).
- Media/recordings: operational/educational use; identifiable marketing use only with your consent.
GDPR/UK GDPR territorial scope: our processing may be subject to GDPR where we offer services to individuals in the EEA/UK or monitor behavior there (Art. 3).
3) Cookies & analytics
We use essential cookies (site operation) and analytics cookies (GA4). In the EEA/UK we request consent and honor your choices (and any browser-level global privacy control signals where applicable). GA4 provides regional privacy controls and does not log/store IP addresses. You can change cookie preferences via our banner/settings (where shown) or your browser.
4) Children & minors
Our services are intended for individuals 16+. Participants under 18 should only register/attend with parental/guardian consent and may be asked to provide a signed consent form. (PDPL does not fix a uniform “child” age; we apply a conservative standard and obtain consent where appropriate.)
5) Sharing your data (recipients & processors)
We share data only as needed to provide services, comply with law, or with your consent. Typical recipients/processors include:
- Hosting/Website: Tilda (site hosting/CRM forms).
- Payments & bookings: Stripe, Mindbody.
- Teaching & events: Zoom (video sessions/recordings when applicable).
- Operations/CRM/Email: Zoho (e.g., Books/CRM/Campaigns), Mailchimp (where used), ManyChat (Instagram DM), WhatsApp/Telegram (communications), Zapier (automation).
- Analytics/Tagging: Google Analytics 4 (and Google Tag Manager if implemented).
- Trip/retreat partners: hotels/venues, travel/ground partners and guest teachers—only the minimum necessary data and only for logistics/safety.
International transfers. Many vendors store/process data outside the UAE (e.g., EU/US). Where GDPR/UK GDPR applies, we rely on mechanisms such as Standard Contractual Clauses (SCCs) put in place by our vendors; under PDPL, we use permitted transfer bases or exceptions while applying appropriate safeguards.
6) Retention
We keep data only as long as needed for the stated purposes or as required by law, then delete or anonymize it.
- Corporate tax records: at least 7 years after the end of the relevant tax period.
- VAT records: generally 5 years after the end of the tax period (longer for certain cases, e.g., real estate/capital assets per Executive Regulations).
- Bookings/attendance/support comms: typically up to 3 years after last interaction (unless needed longer for legal claims).
- Marketing contacts: until you unsubscribe/opt out, with a brief suppression period to honor your request.
- Media/recordings: retained only as long as needed for the program or with your consent for longer/marketing use.
- HR/recruitment: typically up to 7 years after the process concludes or as required by law.
7) Your rights
Under UAE PDPL, you have rights such as access, correction, deletion, restriction, objection, and data portability, subject to legal limits. Where GDPR/UK GDPR applies, you also have the right to withdraw consent and to lodge a complaint with your local data protection authority. In the UAE, you may contact the UAE Data Office if unresolved. Submit requests to contact@ekamaiholistic.com; we aim to respond within 30 days and may ask to verify your identity.
8) CCPA/CPRA notice (California, if/when applicable)
We do not “sell” or “share” personal information as defined by CCPA/CPRA, and we honor opt-out rights if the law applies to us. CCPA generally applies to certain businesses meeting statutory thresholds (e.g., revenue/volume or reliance on selling/sharing). If it becomes applicable, we will enable the required disclosures and rights (including “Do Not Sell or Share” and global privacy control signals).
9) Security
We use technical and organizational measures appropriate to the risk, including TLS encryption in transit, access controls and MFA for staff accounts, least-privilege permissions, vendor due diligence, staff training, and regular backups. No system is perfectly secure; if we suspect a data incident affecting you, we will assess and notify as required by law.
10) Media, recordings & publicity
We may photograph/record classes and events. Operational/educational use (e.g., access for registered participants) is permitted under our legitimate interests. Marketing use of identifiable images/voice will only occur with your explicit consent (e.g., media release). You can opt out of being on camera where feasible (e.g., choosing a non-recorded area or turning off your camera in Zoom).
11) Third-party links & communities
Our websites, channels, or groups may include links to third-party sites/bots/platforms. Their privacy practices are their own; please review their policies before sharing data.
12) Contact
For any question or to exercise your rights, contact:
EKA MAI HOLISTIC YOGA PLATFORM L.L.C.
Email: contact@ekamaiholistic.com
13) Changes to this Policy
We may update this Policy from time to time. We will post changes here and update the “Effective date” above. For material changes, we may provide additional notice (e.g., banner or email).