Privacy Policy

Yoga Journaling (referred to as "we" or "Yoga Journaling") takes the protection of your personal data seriously. This Privacy Policy explains what personal information we collect when you use our platform yoga-journaling.com, how we use it, and what rights you have.

This policy follows the Swiss Federal Act on Data Protection (FADP) and — for users in the European Economic Area — the EU General Data Protection Regulation (GDPR).

1. Data Controller

2. What Data We Collect

2.1 Data You Provide to Us

• Account data: email address, password (stored as a salted bcrypt hash), display name, optionally an avatar pose or uploaded profile picture, and optionally a studio logo and studio website URL
• Teaching profile (optional): teaching experience, teacher training background, teaching strengths and growth areas — collected via an optional survey to personalise the experience
• Payment data: we do not store your credit card or bank details ourselves; payment information is processed directly by Stripe (see Section 5). We do store the resulting subscription status, customer ID and invoices required for accounting
• Content data: yoga sequences ("flows"), folder structures, calendar entries with dates and times, review submissions sent to your mentor, comments within reviews, notes and other content you create on the platform
• Communications: if you contact us by email, we store your message in order to respond

2.2 Data Collected Automatically

• Server logs: IP address, browser type, operating system, time of access, pages visited — used solely for technical operation, security and abuse prevention. Stored for up to 30 days
• Audience measurement (page_views): we measure the reach of our landing page through an anonymous, cookie-less first-party method. For each page view, a random browser-local session identifier is generated (stored in sessionStorage, deleted when the tab is closed). No personal data, no IP addresses and no device identifiers are stored. Evaluation is solely aggregated. Legal basis: legitimate interest (Art. 6 (1) (f) GDPR)
• Error and crash reports: if our application encounters an error, we use Sentry (see Section 5) to collect anonymised technical data — browser type, error message, stack trace and masked UI interactions via Session Replay. Personal data such as email addresses and text inputs are masked by default and not transmitted

3. Legal Bases for Processing

Depending on the data, we rely on the following legal bases under Art. 6 (1) GDPR:

• Performance of a contract (lit. b): creating and managing your account, your subscription, your flows, your reviews
• Legitimate interest (lit. f): error tracking via Sentry (to keep the platform working), aggregated audience measurement, payment processing security via Stripe
• Consent (lit. a): receiving our newsletter via Klaviyo, sending Bring-a-Friend invites to people you choose
• Legal obligation (lit. c): retaining payment records for tax purposes (ten years under Swiss commercial law), retaining audit logs

4. How We Use Your Data

• To provide and operate the platform, including your personal account
• To handle your subscription (Creator, Pro, Mentor) including payments, invoices and reminders
• To send transactional emails (confirmations, invoices, technical notices)
• To enable mentor reviews — your flow submission and message are visible to your assigned mentor
• To send our newsletter — only if you have actively opted in; you can unsubscribe at any time using the link in every email or by writing to us
• To monitor application errors and improve reliability (Sentry)
• To measure aggregate reach of the public landing page (page_views, no personal identifiers)
• To improve and develop the platform
• To meet legal obligations (accounting, tax)

5. Third-Party Services and Data Processors

We use carefully selected service providers to operate the platform. Data processing agreements under Art. 28 GDPR are in place with all of them where required by law:

• Hosting and serverless functions: Vercel Inc. (USA), with EU region (Frankfurt) selected where supported — provides web server infrastructure and short-lived function execution logs
• Database and authentication: Supabase Inc. (USA), with EU region (Frankfurt) — stores account data, content data and handles authentication (bcrypt-hashed passwords)
• Payment processing: Stripe Payments Europe Ltd. (Ireland) with parent Stripe Inc. (USA) — processes credit card and SEPA payments; we receive only payment status and customer reference
• Email delivery (transactional): 1&1 IONOS SE (Germany) — sends transactional notifications such as account confirmation, mentor review notifications and invite emails
• Email delivery (newsletter): Klaviyo Inc. (USA), with EU storage option enabled where available — sends our newsletter only to subscribers who have actively opted in
• Server-side PDF generation: Browserless.io (USA) — renders your flow HTML into downloadable PDF documents on demand. The rendered HTML is processed transiently and not stored after rendering
• Public file delivery (Flow of the Month): Shopify CDN (USA, global CDN) — hosts public JSON files for the monthly Flow of the Month feature. No user data is sent to Shopify
• Embedded video: YouTube (Google LLC, USA) — used to embed tutorial and hero videos. When such a video is loaded, your browser connects directly to YouTube and Google may set cookies and collect IP and browser information
• Web fonts: Google Fonts (Google LLC, USA) — delivers the Nunito font; your browser's IP address is transmitted when loading the font
• JavaScript library CDN: jsDelivr (Cloudflare CDN) — delivers the Supabase JavaScript client library and the driver.js tour library; your browser's IP address is transmitted when loading the scripts
• Error tracking and Session Replay: Sentry (Functional Software Inc., USA), with EU hosting in Frankfurt (de.sentry.io) — collects anonymised technical data on application errors. Session Replay records masked UI interactions; personal data such as email addresses, passwords and text content are masked by default and not transmitted. Legal basis: legitimate interest (Art. 6 (1) (f) GDPR) to ensure platform reliability
• Preview deployments (non-production): Vercel.live — used only for our staging/preview environments, not on the production site. May set Vercel authentication cookies on preview URLs

6. International Data Transfers

Some of the providers listed in Section 5 are based in the United States (Vercel, Supabase parent, Stripe parent, Klaviyo, Browserless.io, Shopify, Google LLC, Sentry parent). Where personal data is transferred to the United States, we rely on:

• The EU-U.S. Data Privacy Framework for providers that are certified under it
• The EU Standard Contractual Clauses (SCCs) for providers that are not certified, supplemented by technical and organisational measures where appropriate

For Swiss users, the equivalent Swiss-U.S. Data Privacy Framework and the Swiss Standard Contractual Clauses apply.

7. Cookies and Local Storage

We use the following technologies in your browser:

• Supabase authentication token (localStorage): keeps you signed in across sessions. Strictly necessary for the service. No consent banner required
• visit_id (sessionStorage): ephemeral session identifier for anonymous audience measurement of the landing page; deleted automatically when the tab is closed
• yj_currency_override (localStorage): remembers your manually chosen display currency (EUR / USD / CHF / GBP) so that prices are shown consistently across visits
• Vercel authentication cookie: only set on preview deployments, not on the production site

We do not use tracking cookies. There is no Google Analytics, no Meta Pixel, no Facebook Login and no advertising-related identifier. A cookie banner is therefore not legally required, but this section informs you transparently about all client-side storage we use.

8. Data Retention

We store your data only for as long as necessary for the purposes set out above, or as required by law:

• Account and content data: until you delete your account; you may request deletion at any time. After cancellation, content is deleted within 30 days
• Payment records: ten years under Swiss commercial law and tax law (CO Art. 958f, DBG Art. 126)
• Server logs: up to 30 days
• Sentry error reports: 30 days (Sentry default retention)
• Newsletter subscription: until you unsubscribe

9. Your Rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data (where no legal retention obligation applies)
• Restrict processing
• Receive your data in a structured, portable format — you can export your flows as JSON from within the platform
• Object to processing based on legitimate interest (particularly Sentry and audience measurement)
• Withdraw consent previously given, with effect for the future
• Lodge a complaint with the competent supervisory authority — in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU, your local data protection authority

To exercise any of these rights, please contact us at membership@yoga-journaling.com.

10. Data Security

We take appropriate technical and organisational measures to protect your data against unauthorised access, loss and tampering, including:

• End-to-end transport encryption via HTTPS with HSTS
• Content Security Policy (CSP), X-Frame-Options and other modern HTTP security headers
• Row Level Security (RLS) on all database tables, with separate policies per role
• Encrypted password storage via bcrypt; multi-factor authentication available
• Database triggers preventing privilege escalation by users
• API endpoints authenticated via Bearer tokens
• Stripe webhook signature verification
• Daily database backups with 7-day retention
• Email authentication: SPF and DMARC are configured; DKIM is in preparation

Despite all due care, complete security on the internet cannot be guaranteed.

11. Changes to This Policy

We may update this Privacy Policy from time to time, for example when we add new features or when legal requirements change. The current version is always available on this page. We will notify you by email of any material changes.