⚠️ Placeholder — not legal advice. This document has not been reviewed by counsel and must be replaced with a legally vetted policy before production launch.

Privacy Policy

Effective date: 29 May 2026

1. Introduction

MyYoga.Guru is an all-in-one scheduling and business platform for solopreneurs and small teams. We are operated by Crafted XP Pty Ltd ("we", "us", "our"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights in relation to it.

By using MyYoga.Guru — whether as a tenant (a business owner who runs their practice on our platform) or as a visitor booking an appointment or interacting with a tenant's public pages — you agree to the practices described in this policy.

2. Information we collect

Account data. When you sign up as a tenant, we collect your name, email address, and a hashed password (managed through AWS Cognito). If you sign in with Google, we receive your Google account name, email, and a profile photo.

Business and booking data. Tenants provide information about their offerings, availability calendars, and customer-facing content. When visitors make bookings, we collect the visitor's name, email address, and the details of the appointment (date, time, service type). This data is stored in DynamoDB on behalf of the tenant and is logically isolated per tenant.

Payment information. Payments are processed entirely by Stripe. MyYoga.Guru does not store full card numbers or CVVs. We receive confirmation of payment outcomes (e.g. successful, failed) and Stripe customer/payment-method identifiers for record-keeping.

Social-platform tokens. When a tenant connects a social media account (e.g. Meta/Facebook, Instagram) through MyYoga.Guru's social publishing feature, we receive and store OAuth access tokens and page/profile identifiers. These tokens are encrypted at rest using AWS KMS and used solely to publish content on the tenant's behalf.

Technical data. We collect standard server and application logs including IP addresses, browser user-agent strings, request timestamps, and error traces. This data helps us diagnose issues and protect the service.

3. How we use information

We use your data to provide the MyYoga.Guru service: creating and managing your account, rendering your public-facing landing page, processing bookings and payments, sending transactional notifications (booking confirmations, reminders, receipts), and hosting your email inbox.

Where you have enabled AI features, your content (e.g. calendar data, customer queries, knowledge-base text) may be passed to third-party AI providers to generate responses. See the Third Parties section for details.

We also use data for security and fraud prevention (detecting abuse, unauthorized access, and spam) and for aggregate, anonymized product analytics to understand how the platform is used and improve it.

4. Third parties we share data with

We share data with the following service providers only to the extent necessary to operate MyYoga.Guru. Each is governed by their own privacy policy.

  • Amazon Web Services (AWS) — cloud hosting, database (DynamoDB), file storage (S3), email delivery (SES), and KMS encryption. Data is hosted in the AWS Sydney (ap-southeast-2) region.
  • Stripe — payment processing, subscription billing, and tenant Connect onboarding. Stripe is the processor of record for card transactions.
  • OpenAI — AI assistant features (chat, content suggestions, brief generation). Prompts may include tenant-supplied knowledge-base text and visitor queries.
  • Meta (Facebook/Instagram) — when a tenant connects a Meta page or Instagram account, we interact with Meta's Graph API to publish content on the tenant's behalf. Access is limited to the scopes the tenant explicitly authorises.
  • Twilio / Amazon SES — transactional email and SMS delivery for booking notifications, reminders, and verification messages.
  • Vercel — application hosting and edge networking for the MyYoga.Guru web application.

We do not sell personal data to third parties, and we do not share data with advertisers.

5. Data retention

Tenant account data and associated business data are retained while the account is active. When an account is closed or deleted, data is marked for deletion and purged within 30 days, except where we are required to retain it for legal or tax purposes.

Social-platform access tokens are encrypted at rest and deleted automatically when the tenant disconnects the integration from their settings. Revocation via the social platform's own settings will also invalidate the token.

Application and server logs are retained for approximately 30 days for security and diagnostic purposes, after which they are automatically purged.

6. Your rights

Depending on your jurisdiction, you may have the following rights in respect of your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Deletion — ask us to delete your data (subject to legal retention obligations).
  • Portability — receive your data in a machine-readable format.
  • Objection / restriction — object to certain processing or ask us to restrict it while a dispute is resolved.

To exercise any of these rights, email us at hi@myyoga.guru. We will respond within 30 days. If you are in the EU/EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

7. Children

MyYoga.Guru is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child, please contact us at hi@myyoga.guru and we will delete it promptly.

8. International data transfers

MyYoga.Guru's primary infrastructure is hosted in Australia (AWS Sydney region). If you are accessing MyYoga.Guru from outside Australia, your data may be transferred to and processed in Australia, which may have different data protection laws than your country.

When data is shared with third-party service providers (e.g. OpenAI, Stripe, Meta) those providers may process data in their own regions. We rely on each provider's standard contractual clauses or equivalent transfer mechanisms where applicable.

9. Security

We take reasonable technical and organisational measures to protect your data. All data in transit is encrypted using TLS. Sensitive values (such as social-platform OAuth tokens) are encrypted at rest using AWS KMS. Access to production systems is restricted to authorised personnel.

No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly by emailing hi@myyoga.guru.

10. Contact us

If you have any questions or concerns about this policy or how we handle your data, please contact us at: hi@myyoga.guru.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify tenants by email or via a notice in the MyYoga.Guru dashboard. Continued use of MyYoga.Guru after a change takes effect constitutes acceptance of the updated policy.

12. Effective date

This policy is effective as of 29 May 2026.