Privacy Notice · YogaPros

Who we are.

YogaPros is the trading name of Yoga Pros Organisation Limited, a private company limited by guarantee without share capital, registered in Scotland (Companies House SC502923) at 10/2 Beaverhall Road, Edinburgh EH7 4JE.

We are the data controller for personal data described in this notice. That means we decide what data is collected, why, and how it's used.

We don't currently have a statutory Data Protection Officer, because we don't meet the thresholds that require one. We do have a designated contact for data inquiries: support@yogaallianceprofessionals.org.

What this notice covers.

This notice covers personal data we handle when you:

Visit any page on theyogapros.com or its subdomains
Submit a contact form, partnership inquiry, or membership application
Become a YogaPros member (Free, Professional, Signature, or Personal Brand tier)
Use the member portal at member.theyogapros.com
Hold a YogaPros-arranged insurance policy (UK, Eire, USA, or Trainee)
Read or subscribe to YogaPros publications, including Amrita
Engage with YogaPros at events, by email, or through our partner programme

It does not cover third-party sites you reach via links from ours. Those have their own notices.

What we collect.

Depending on your relationship with us, we collect:

Identity & contact — name, professional/“yoga” name, postal address, date of birth, email, telephone.
Account & membership — username, membership level/status, membership dates, renewal and payment history, training school and graduation date, CPD/further training information (we do not store copies of certificates by default).
Public profile content — biography, website and social links, photos, videos, listings (workshops, retreats, teacher training, jobs), articles, promotions/coupons you choose to publish.
Communications — emails, secure messages, webchat, support tickets, survey responses.
Transaction & payments — amounts paid, invoice/tax details. We do not store full card numbers or CVV (see Security).
Technical & usage — IP address, device/browser data, pages viewed, referring site, cookie identifiers (see Cookies and tracking).
Enquiry data — information you submit via contact forms to reach members (see Who we share data with).

Data you give us directly

Identity data — name, professional title, training-provider name, qualification dates, certificate evidence
Contact data — email, postal address, phone number where you provide it
Membership data — tier, status, payment history. Payments are processed by our PCI-DSS compliant payment provider(s) (e.g., Stripe / PayPal / BACS). We do not store full card numbers or security codes on our systems. We retain a token and the last four digits/expiry for recognition, recurring payments you authorise, and chargeback handling.
Insurance data — region, policy type, activation date, claims history (where applicable)
Communications — emails to us, support requests, partnership inquiries, content of forms you submit

Data we collect automatically when you visit our site

Technical data — IP address, approximate country (from Cloudflare's GEO-IP — country only, no city or postcode), device type, browser, operating system
Usage data — pages visited, time on page, referring source, click patterns (via Cloudflare Web Analytics by default — privacy-first, no cookies)
Cookies and similar — see Cookies and tracking
Optional analytics — if you accept analytics cookies via our consent banner, we collect richer behavioural data through PostHog and HubSpot tracking. You can decline these and use the site fully without them.
Error reports — if your browser hits a JavaScript error on our site, our error-monitoring service (Sentry) records the error, your URL at the time, and approximate location. We use this only to fix bugs.

Data from other sources

Directly from you — applying for or managing membership; creating/updating a profile; posting and sharing content; contacting us; requesting resources; completing forms and surveys.
Training providers — when we verify your qualifications, we contact your training provider directly. They confirm the course, dates, and lead teacher. We record their confirmation.
Insurance underwriters — Balens, Insurance Canopy, ARAG (where applicable) confirm policy status when we activate or renew your cover.
Public sources — for accreditation, we may reference public registers, your training provider's published syllabus, or documents you've made publicly available.

Why we collect it.

We process your data on these lawful bases:

Purpose	Lawful basis
Providing membership services (verifying qualifications, activating insurance, maintaining your Live CV, processing payments)	Contract — performing our agreement with you as a member
Site security, fraud prevention, performance monitoring, debugging	Legitimate interest — running a secure, functional site
Anonymous traffic analytics (Cloudflare Web Analytics)	Legitimate interest — privacy-first by design, no personal identifiers
Behavioural analytics (PostHog), marketing analytics (HubSpot)	Consent — only with your opt-in via the cookie banner
Sending you institutional communications about your membership, insurance renewals, accreditation status, or material changes to YogaPros services	Legitimate interest (where you're a member) or contract (where the communication is required by your membership)
Sending you the Amrita publication or marketing emails	Consent — only if you've subscribed
Compliance with our legal and regulatory obligations (tax, insurance reporting, anti-money-laundering where applicable)	Legal obligation
Defending or pursuing legal claims	Legitimate interest

How long we keep it.

We don't keep data longer than we need to. Retention periods reflect the purpose plus any legal requirement.

Data category	Retention
Cloudflare server logs (IP, request metadata)	Up to 30 days
Cloudflare Web Analytics (aggregate, no personal identifiers)	6 months
PostHog event data (with consent)	12 months
HubSpot tracking data (with consent)	13 months default; longer if you become a member
Sentry error logs	90 days
Member data (membership records, insurance, Live CV history)	Lifetime of membership + 6 years after cancellation, for tax, insurance, and accreditation reasons
Marketing email subscriptions	Until you unsubscribe; then suppression list indefinitely so we don't email you again
Inquiry / contact-form submissions (non-members)	2 years from last contact, unless you become a member
Accounting and tax records	7 years (HMRC requirement)

If you wish to have your profile information permanently deleted, please complete the data deletion form.

Who we share data with.

We share personal data only with the third parties we need to operate. Each is bound by a data processing agreement and processes your data on our instructions, not their own.

Service	What they do
Cloudflare, Inc. (USA)	Hosting, content delivery network, security, GEO-IP detection, privacy-first analytics
HubSpot, Inc. (USA)	CRM, member records, contact-form submissions, marketing automation, payment orchestration
Stripe, Inc. (USA, via HubSpot)	Payment processing for membership and insurance fees. Stripe holds card data; we don't.
Brilliant Directories (USA)	Member portal at member.theyogapros.com — directory, Live CV, login
Balens Limited (UK), Balens Europe B.V. (Netherlands)	UK and Eire insurance underwriting, claims handling, ARAG legal helpline
Insurance Canopy (USA)	USA insurance underwriting
PostHog Inc. (USA + EU)	Optional behavioural analytics — only with your consent
Functional Software, Inc. / Sentry (USA)	JavaScript error monitoring
Google LLC (USA)	Search Console (reporting only, no personal data shared from us); Google Fonts
Professional advisors	Accountants, lawyers, insurers — only when needed for the matter at hand
Regulators and authorities	Where required by law, or for the prevention or detection of crime
Corporate events	If we undergo restructuring or a transfer, data may be shared under appropriate safeguards.

Third-Party Administrative Support

We engage a reliable third-party service provider to help with our administrative processes. This provider has undergone extensive due diligence, including checks for compliance with GDPR, and has shown that they have implemented proper safeguards and security measures to protect personal data. We also have a data processing agreement in place to ensure that your information is handled lawfully, transparently, and securely in accordance with data protection regulations.

Aggregate information

Aggregate information refers to data that does not include any personal details and consists of numerical statistics, such as the number of visitors to our website and the most popular features accessed. We may share this information with current and prospective members, as well as third parties. This data can be utilised for business analysis and to develop additional website content and services that we believe our members will find interesting. Furthermore, aggregate information may be used to customise content for your personal membership profile newsfeed.

We do not sell your data, ever. We don't share it for unrelated marketing.

Marketing communications.

We send service and administrative messages (e.g., membership, billing, policy updates) as part of our contract with you.

We send marketing emails about YogaPros services:

Where we have your consent, or
Under the soft opt-in (you purchased or negotiated to buy a similar service and were given a clear opportunity to opt out at collection and in every message).

You can opt out of marketing at any time using the unsubscribe link in each email or by contacting us. Opting out of marketing does not affect service messages.

Security.

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest where appropriate, role-based permissions, logging, staff training, and regular testing. No system is entirely secure; we continually assess and enhance our safeguards.

Third-party websites.

Our site may contain links to third-party websites (e.g., member websites, listings, advertising). Those sites have their own privacy policies, and we are not responsible for their practices. Please review their policies before providing personal data.

Your choices.

You can choose not to provide certain information, which may limit your access to some website features. You can also unsubscribe from commercial or promotional emails when you wish. We may still send transactional emails, like service announcements and renewal notifications, without an unsubscribe option.

International transfers.

Several of the services we use are based in the United States or process data globally. When personal data leaves the UK or EEA, we rely on these legal safeguards:

UK Extension to the EU-US Data Privacy Framework — for transfers to certified US recipients (Cloudflare, HubSpot, Sentry, Stripe, where they participate)
Standard Contractual Clauses (the UK addendum or EU SCCs as appropriate) — where the recipient isn't certified to the framework
Adequacy decisions — for countries the UK Government has assessed as providing essentially equivalent protection

You can request a copy of the safeguards in place for any specific transfer by emailing support@yogaallianceprofessionals.org.

Your rights.

Under UK GDPR (and EU GDPR for residents of Eire and other EEA countries), you have the following rights:

Access — ask what data we hold about you and receive a copy
Rectification — correct data that's inaccurate or incomplete
Erasure — ask us to delete data, where that's compatible with our legal obligations
Restriction — ask us to limit how we process data while a question is being resolved
Portability — receive your data in a structured, machine-readable form, or have it sent to another controller
Objection — object to processing based on legitimate interest, including direct marketing
Withdraw consent — for any processing based on consent, at any time, without affecting prior lawful processing
Not be subject to automated decisions — we don't make decisions about you using automated processing alone

If you're a member of the public from California or another US state with comparable rights, those rights apply to you too. We treat all data subject requests using the strongest applicable framework.

How to exercise them.

Email support@yogaallianceprofessionals.org. Tell us:

Which right you want to exercise
Enough information to identify you and locate your data (full name, the email you use with us, and — if you're a member — your YogaPros member identifier)
What you want as the outcome

We'll respond within one calendar month. If your request is complex or you've made several, we may extend this by up to two further months and will tell you why.

There's no fee. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse — and we'll explain why.

Identity verification. We may ask for one further piece of identifying information before we release personal data. This protects you from anyone else trying to access your record.

Cookies and tracking.

We default to privacy-first analytics: Cloudflare Web Analytics measures site traffic without setting cookies and without identifying individual visitors. You can use the entire site this way without any consent action.

The site does set a small number of functional cookies for things that need to remember a state — your region preference (UK / Eire / USA / Rest of World), and your consent choice. These don't track you across sites.

If you accept the optional cookie consent shown when you first visit, we additionally enable:

HubSpot tracking — connects your behaviour on our site to your member or contact record. Lets us send you relevant communications about your membership.
PostHog analytics — anonymous behavioural analytics: which pages get used, where users get stuck, which features convert. Helps us improve the site.

You can change your consent at any time by clearing your browser cookies for theyogapros.com — the consent banner will reappear.

The current cookie schedule

Cookie	Purpose
yp_region · yp_region_source	Functional. Stores your region preference and whether it was auto-detected or manually chosen.
yp_analytics_consent	Functional. Stores your cookie consent choice.
__hstc · hubspotutk · __hssc · __hssrc	HubSpot analytics (with consent only).
ph_*	PostHog analytics (with consent only).
_cfuvid · cf_clearance	Cloudflare security and bot detection.

Children's data.

YogaPros services are designed for adults. Our membership tiers, accreditation programmes, and insurance products are not aimed at people under 16, and we don't knowingly collect personal data from anyone we know to be under 16.

Yoga teacher training programmes occasionally include trainees who teach minors as part of their practical work. The data we hold from training providers and members in those cases is about the qualified or training adult, not the child student. If you become aware that a minor's personal data has been submitted to us, contact support@yogaallianceprofessionals.org and we'll review and delete it promptly.

Changes to this notice.

We update this notice when our practices change or when the law requires it. We track changes in this version log.

Version	Date · Change
1.1	13 May 2026 · Compliance amendments per Professional Protection & Safety review: expanded data-categories list; payment-processor language updated for PCI-DSS / BACS; added Third-Party Administrative Support, Aggregate Information, and Corporate Events to the sharing section; new sections on Marketing communications, Security, Third-party websites, and Your choices; data deletion form referenced; Helpdesk routing (support@yogaallianceprofessionals.org) made the standing contact point for all data-rights requests.
1.0	8 May 2026 · Initial notice covering the new theyogapros.com site, Cloudflare deployment, and current third-party stack.

Version

Date · Change

1.1

13 May 2026 · Compliance amendments per Professional Protection & Safety review: expanded data-categories list; payment-processor language updated for PCI-DSS / BACS; added Third-Party Administrative Support, Aggregate Information, and Corporate Events to the sharing section; new sections on Marketing communications, Security, Third-party websites, and Your choices; data deletion form referenced; Helpdesk routing (support@yogaallianceprofessionals.org) made the standing contact point for all data-rights requests.

1.0

8 May 2026 · Initial notice covering the new theyogapros.com site, Cloudflare deployment, and current third-party stack.

Material changes will be communicated to active members by email before they take effect.

How to complain.

If you have a concern about how we handle your data, we'd rather hear from you first. Email support@yogaallianceprofessionals.org and we'll respond within one calendar month.

If you remain dissatisfied, you have the right to complain to a supervisory authority:

UK — the Information Commissioner's Office (ICO). Online: ico.org.uk/make-a-complaint · Helpline: 0303 123 1113
Eire — the Data Protection Commission (DPC). Online: dataprotection.ie/en/individuals
Other EEA — your local national data protection authority
USA — your state Attorney General's office, where applicable; for California residents, the California Privacy Protection Agency at cppa.ca.gov

You don't have to come to us first. You can complain directly to your supervisory authority at any time.

How we handle your data.

Who we are.

What this notice covers.

What we collect.

Data you give us directly

Data we collect automatically when you visit our site

Data from other sources

Why we collect it.

How long we keep it.

Who we share data with.

Third-Party Administrative Support

Aggregate information

Marketing communications.

Security.

Third-party websites.

Your choices.

International transfers.

Your rights.

How to exercise them.

Cookies and tracking.

The current cookie schedule

Children's data.

Changes to this notice.

How to complain.