Privacy Policy

1. Who we are Shruti Turner is the controller of the personal data described in this Privacy Policy. If you have questions about privacy or want to exercise your data rights, email privacy@shrutiturner.com. 2. Scope of this policy This policy explains how we collect, use, store, share and protect personal data when you: - visit the website - create an account - subscribe to emails - book classes, memberships, credits, programmes, retreats or 1:1 services - complete health, 1:1, retreat or support forms - contact us directly 3. Personal data we collect Depending on how you use the website or services, we may collect: - name, email address, phone numberand account details - date of birth, timezone and account preferences - booking, attendance, membership, credit-pack and billing history - referral and promotion activity - contact and support messages - newsletter and marketing preferences - 1:1, retreat or application form responses - device, browser, IP and security information - cookie, localStorage and sessionStorage related information described in the Cookie Policy 4. Special category and health data Some services require health-related information so we can deliver them safely and appropriately. This may include information about diagnoses, symptoms, pain, fatigue, hypermobility, injuries, flare patterns, medications, limitations, emergency details and related contextual notes. We treat this as special category personal data. We process health data because: - you explicitly provide it to access health-sensitive services - it is necessary to tailor services safely - it is necessary to protect your vital interests in emergency situations where relevant 5. How we collect data We collect data: - directly from you through account creation, forms, bookings, check-ins, waivers and contact submissions - automatically through site usage, authentication, security and service-delivery events - from payment, authentication, email and video vendors where needed to operate the service 6. Why we use personal data We use personal data to: - create and manage accounts - deliver memberships, bookings, credits, classes, coaching, retreats and related support - personalise programming and class adaptations - manage attendance, room access, waitlists and no-shows - process payments, invoices, refunds and account actions - send transactional emails and service updates - respond to enquiries and support requests - operate referrals and promotions - improve the service, prevent misuse and keep the platform secure - comply with legal, accounting, tax and consumer-protection obligations 7. Lawful bases We rely on one or more of the following lawful bases: - contract, where processing is necessary to provide the service you requested - legitimate interests, where processing is necessary to run, improve and protect the business and platform - consent, for optional marketing communications and certain health-sensitive data uses - legal obligation, where records must be kept or disclosed by law For special category health data, we rely on explicit consent and, where relevant, the conditions that allow processing for health, safety and service delivery in line with applicable law. 8. Payments, video, email and other providers We use third-party processors and service providers to operate the business. These may include: - Stripe for payments and checkout - Postmark for transactional email delivery - Google where sign-in or related account services are used - Daily for live class and live-room service delivery - Contentful for website and content management - Cloudflare Turnstile for spam prevention and security checks - hosting, infrastructure, analytics and support vendors needed to run the site These providers process data only to the extent needed for their service and under their own contractual and security obligations. 9. Attendance, live rooms and operational records When you book or join live services, we may record operational information such as booking status, room joins, room leaves, attendance events, moderation actions and connected service metadata. This helps us deliver live services, manage attendance, resolve support issues and operate the platform safely. 10. International transfers Some service providers may process personal data outside the UK. Where this happens, we take reasonable steps to ensure appropriate safeguards are in place, such as approved contractual protections or equivalent transfer mechanisms. 11. Retention We keep personal data only for as long as necessary for the purposes described in this policy, including to comply with legal, tax, accounting, safety and dispute-resolution obligations. Retention periods vary by data type. For example: - account and transactional records may be kept for several years to meet tax and accounting obligations - if you request account deletion, the account is first soft-deleted so access stops immediately while certain health declarations and legal acceptance records are retained for up to 6 months for safety, dispute handling and legal protection - legal hold may extend that retention where there is an active dispute, complaint or claim - marketing preferences are kept until you unsubscribe or ask us to stop - security and operational logs are retained for a limited period appropriate to fraud prevention and service reliability 12. Your rights Subject to applicable law, you may have the right to: - access a copy of your personal data - correct inaccurate or incomplete data - request deletion of data in some circumstances - restrict or object to some processing - withdraw consent where processing depends on consent - receive a portable copy of certain data - complain to the Information Commissioner's Office To exercise these rights, contact privacy@shrutiturner.com. 13. Security We use reasonable technical and organisational measures to protect personal data, including access controls, authentication, secure vendor tooling and environment-based security measures. No system is completely secure, so we cannot guarantee absolute security. 14. Changes to this policy We may update this Privacy Policy from time to time. The latest version is always published on this page with its effective date and version number. Where changes materially affect how your data is handled, we may also notify users through the platform or by email.