Effective Date: July 15, 2025
Last Updated: July 15, 2025
This Privacy Policy ("Policy") describes how KayaStudio OÜ, registration number 16620779, registered under the laws of the Republic of Estonia, with registered address at Pärnu mnt 388b, Tallinn, 11612, Estonia ("Kaya," "Company," "we," "us," or "our") collects, uses, processes, stores, shares, and protects your personal information when you access or use our website at www.kaya.studio ("Website") and our mobile applications ("App") (collectively, the "Services").
This Policy forms an integral part of our Terms of Service. Capitalized terms not defined herein have the meanings set forth in our Terms of Service.
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy and consent to our collection, use, and disclosure of your personal information as described herein.
1. Data Controller and Contact Information
KayaStudio OÜ is the data controller responsible for your personal data under applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Contact Information:
Email: Please contact us here
Address: Pärnu mnt 388b, Tallinn, 11612, Estonia
2. Information We Collect
2.1 Information You Provide Directly
When you register for, access, or use our Services, we may collect:
Account Information: Full name, email address, username, password (encrypted), phone number (optional)
Profile Information: Age range, fitness level, movement preferences, wellness goals
Health and Wellness Data: Any personal wellness notes, movement preferences, injury history, or health conditions you voluntarily provide
Payment Information: Billing address, payment method details (processed by secure third-party payment processors)
Communications: Content of messages you send to us, including customer support inquiries, feedback, and survey responses
User-Generated Content: Comments, reviews, photos, videos, or other content you submit through our Services
2.2 Information Collected Automatically
When you use our Services, we automatically collect:
Device Information: Device type, operating system, browser type and version, mobile device identifiers, IP address
Usage Data: Pages viewed, time spent on pages, click-through rates, referral URLs, search terms, session duration
Location Data: General geographic location based on IP address (not precise location unless explicitly consented)
Technical Data: Log files, error reports, performance metrics, crash data
2.3 Information from Third Parties
We may receive information about you from:
Social Media Platforms: If you connect your social media accounts to our Services
Payment Processors: Transaction information and payment status
Analytics Providers: Aggregated usage statistics and performance metrics
Marketing Partners: If you interact with our advertisements or promotional content
3. Cookies and Tracking Technologies
We use cookies, web beacons, pixels, and similar tracking technologies to enhance your experience and collect information about how you use our Services.
3.1 Types of Cookies We Use
Strictly Necessary Cookies: Essential for basic functionality and security
Performance Cookies: Help us understand how visitors interact with our Services
Functional Cookies: Remember your preferences and settings
Marketing Cookies: Used to deliver relevant advertisements (only with your consent)
3.2 Cookie Management
You can manage cookie preferences through:
Our cookie consent banner when you first visit our Services
Your browser settings to block or delete cookies
Opt-out tools provided by third-party analytics providers
Note: Disabling certain cookies may limit functionality of our Services.
4. Legal Basis for Processing
Under GDPR and applicable data protection laws, we process your personal data based on:
Contract Performance: To provide Services you've requested and fulfill our contractual obligations
Legitimate Interests: To improve our Services, ensure security, prevent fraud, and conduct business operations
Consent: For marketing communications, non-essential cookies, and certain data processing activities
Legal Obligations: To comply with applicable laws, regulations, and legal processes
Vital Interests: To protect health, safety, or fundamental rights in emergency situations
5. How We Use Your Information
We use your personal information for the following purposes:
5.1 Service Provision
Providing access to movement classes, yoga sessions, and wellness content
Creating and managing your user account
Processing payments and maintaining billing records
Delivering customer support and responding to inquiries
5.2 Service Improvement
Analyzing usage patterns to enhance user experience
Developing new features and content
Conducting research and analytics
Testing and optimizing our Services
5.3 Communications
Sending service-related notifications and updates
Providing customer support responses
Delivering marketing communications (with your consent)
Sending newsletters and promotional content (with opt-in consent)
5.4 Security and Compliance
Detecting and preventing fraud, abuse, and security threats
Enforcing our Terms of Service and policies
Complying with legal obligations and regulatory requirements
Protecting our rights and interests
6. Health and Wellness Disclaimer
IMPORTANT: Our Services provide general fitness, movement, and wellness information for educational purposes only. WE DO NOT PROVIDE MEDICAL ADVICE, DIAGNOSIS, OR TREATMENT.
6.1 Your Acknowledgments
By using our Services, you acknowledge and agree that:
All movement and exercise content is for informational and educational purposes only
You must consult qualified healthcare professionals before beginning any exercise program
You are solely responsible for determining your fitness level and limitations
You participate in all activities at your own risk
Individual results may vary, and we make no guarantees about outcomes
6.2 Limitation of Liability
To the maximum extent permitted by law, KayaStudio OÜ, its officers, directors, employees, and affiliates shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages, including but not limited to personal injury, disability, death, property damage, mental health conditions, psychological distress, emotional harm, or exacerbation of pre-existing mental health conditions arising from or related to your use of our Services or participation in any movement, exercise, or wellness activities.
7. Information Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
7.1 Service Providers
We share information with trusted third-party service providers who assist us in:
Payment processing (e.g., Stripe, PayPal)
Email communications (e.g., MailerLite, Customer.io)
Analytics and performance monitoring (e.g., Google Analytics)
Cloud storage and hosting services
Customer support platforms
All service providers are contractually obligated to protect your information and use it only for specified purposes.
7.2 Business Transfers
In connection with any merger, acquisition, sale of assets, or bankruptcy, your information may be transferred to successor entities, subject to appropriate data protection safeguards.
7.3 Legal Requirements
We may disclose your information when required by law or in the good-faith belief that disclosure is necessary to:
Comply with legal obligations, court orders, or government requests
Protect our rights, property, or safety, or that of our users or the public
Investigate potential violations of our Terms of Service
Prevent fraud or security threats
7.4 Consent-Based Sharing
We may share information with your explicit consent for specific purposes not covered in this Policy.
8. International Data Transfers
Your personal data may be processed and stored outside the European Union. When we transfer data internationally, we ensure adequate protection through:
Adequacy Decisions: Transfers to countries with adequate data protection levels as determined by the European Commission
Standard Contractual Clauses: EU-approved contractual safeguards for data transfers
Binding Corporate Rules: Internal data protection standards for multinational organizations
Certification Schemes: Industry-recognized data protection certifications
9. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law.
9.1 Retention Periods
Account Data: Retained while your account is active and for up to 3 years after deletion
Transaction Records: Retained for up to 7 years for tax and accounting purposes
Marketing Data: Retained until you opt out or for up to 2 years of inactivity
Legal Compliance: Retained as required by applicable laws and regulations
9.2 Data Deletion
You may request deletion of your personal data at any time. We will promptly delete your information unless retention is required for legal compliance, dispute resolution, or legitimate business purposes.
10. Your Privacy Rights
Under GDPR and applicable data protection laws, you have the following rights regarding your personal data:
10.1 Access Rights
Right to Access: Request copies of your personal data and information about how we process it
Right to Portability: Receive your data in a structured, commonly used format
10.2 Correction and Deletion Rights
Right to Rectification: Request correction of inaccurate or incomplete data
Right to Erasure: Request deletion of your personal data under certain circumstances
10.3 Control Rights
Right to Restrict Processing: Limit how we use your data under certain conditions
Right to Object: Object to processing based on legitimate interests or for marketing purposes
Right to Withdraw Consent: Withdraw previously given consent at any time
10.4 Exercising Your Rights
To exercise your rights, contact us here. We will respond within 30 days and may request identity verification to protect your privacy.
You also have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
11. Data Security
We implement comprehensive technical, administrative, and physical security measures to protect your personal information, including:
Encryption: Data encryption in transit and at rest using industry-standard protocols
Access Controls: Role-based access limitations and multi-factor authentication
Network Security: Firewalls, intrusion detection, and secure network architecture
Regular Audits: Periodic security assessments and vulnerability testing
Employee Training: Regular privacy and security training for all personnel
However, no security system is impenetrable. We cannot guarantee absolute security of your information.
12. Children's Privacy
Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16 without verified parental consent.
If we discover that we have collected information from a child under 16 without proper consent, we will promptly delete such information. If you believe a child has provided us with personal information, please contact us here immediately.
13. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by us. This Policy does not apply to third-party services.
We encourage you to review the privacy policies of any third-party services before providing them with your personal information. We are not responsible for the privacy practices or content of third-party services.
14. California Privacy Rights
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including:
Right to know what personal information is collected and how it's used
Right to delete personal information
Right to opt out of the sale of personal information (note: we do not sell personal information)
Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us here.
15. Updates to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Post the updated Policy on our Website and App
Update the "Last Updated" date at the top of this Policy
Notify you via email or in-app notification if changes significantly affect your rights
Obtain your consent for material changes if required by law
Your continued use of our Services after the effective date of changes constitutes acceptance of the revised Policy.
16. Governing Law and Jurisdiction
This Policy is governed by the laws of the Republic of Estonia. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts of Estonia.
For users in the European Union, nothing in this clause affects your rights under applicable consumer protection laws.
17. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
KayaStudio OÜ
Email: Please contact us here
Address: Pärnu mnt 388b, Tallinn, 11612, Estonia
We are committed to resolving privacy concerns promptly and transparently.