Haṃsa Free School of Hatha Yoga

Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA

This information on the processing of personal data (the “Information” or “Policy”), provided pursuant to Articles 13 and 14 of Regulation (EU) No. 2016/679 General Data Protection Regulation (GDPR), describes how Maurizio Morelli, founder and manager of the Libera Scuola di Hatha Yoga Hamsa, as independent data controller (hereinafter the “Data Controller”), processes the personal data (“Personal Data” or “Data“) of users of the website thisisyoga.org (the “Website“) and of customers/students within the scope of the activities of the Libera Scuola di Hatha Yoga Hamsa. This Policy is also adopted by the teachers listed in the “Teachers” section of the Website, each acting as an independent data controller for the processing operations under their responsibility; contact details for privacy rights and updates are available on the Website.

  1. HOW DATA IS PROCESSED:

The following paragraphs describe the various types of personal data processing carried out by the Data Controller in the context of the respective activities indicated from time to time.

 1.1 Management of relationships with users, customers, students, suppliers

  1. Categories of data subjects:
  • natural persons to whom the Data refer (website users, students, customers, suppliers who are natural persons);
  1. Data processed:
  • Personal details (name, surname, date of birth, tax code, residential address);
  • contact details (landline and/or mobile telephone number, e-mail address, postal address);
  • billing/payment data;
  • any suitability or minimum health information strictly necessary for safe practice;
  • images/audio/video collected during lessons or events.
  1. Purpose of processing:

The data collected and/or received are used by the Data Controller to fulfil purposes that are instrumental and functional to the relationship with the data subjects and in compliance with the legal and regulatory obligations to which the Data Controller is bound in relation to the activity carried out, as well as to send information communications regarding the activities of the Libera Scuola di Hatha Yoga Hamsa.

  1. Legal basis:

Necessity to perform a contract or related pre-contractual measures – Art. 6, para. 1, letter b) GDPR; fulfilment of legal obligations – Art. 6, para. 1, letter c) GDPR) for tax/accounting purposes. For health-related data: explicit consent of the data subject (Art. 9, para. 2, letter a) GDPR) or processing necessary to fulfil legal obligations in the health/sports field where required (Art. 9, para. 11, letters h/i, GDPR and applicable legislation). For photos/videos: consent (Art. 6.1.a GDPR; Arts. 10 of the Italian Civil Code and 96–97 of Law 633/1941). Withdrawal of consent is valid for the future.

  1. Consequences of failure to provide data

Inability to establish/manage the relationship and allow participation in the activities of the Libera Scuola di Hatha Yoga Hamsa. In the absence of consent for photos/videos, the data subject will not be filmed or will be appropriately obscured.

  1. Data retention period:

10 (ten) years after the conclusion of the contract or from when the rights arising from it can be enforced (pursuant to Articles 2935 and 2947 of the Italian Civil Code); as well as for the fulfilment of obligations (e.g. tax and accounting obligations) that remain even after the conclusion of the contract (Article 2220 of the Italian Civil Code), for which purposes the Data Controller retains only the data necessary for their pursuit. With reference to health data, for the duration of the relationship and, where required by law, for the time required by law. This is without prejudice to the need to comply with legal obligations or protect rights.

1.2 Marketing activities (newsletters, promotions for courses/activities at the Libera Scuola di Hatha Yoga Hamsa)

  1. Categories of data subjects:

students/customers who are natural persons; users subscribed to the newsletter or contacts who have requested information.

  1. Data processed:
  • Personal information (e.g. name, surname, tax code, date of birth);
  • Contact details (telephone number, e-mail address, postal address);
  • Data and information relating to services, events and activities offered by the Data Controller and to which the data subject has subscribed and/or requested information and/or in which they have expressed an interest.
  1. Purpose of processing: sending promotional and informational communications about courses, seminars, treatments, and initiatives of the Libera Scuola di Hatha Yoga Hamsa.
    Communications may be sent by e-mail, post or telephone (including text messages or other instant messaging systems such as WhatsApp).
  1. Legal basis:
  • Consent of the data subject – Art. 6, para. 1, letter a) GDPR
  • Legitimate interest of the Data Controller with regard to e-mail communications addressed to customers about services and courses similar to those already used – Art. 6, para. 1, letter f) GDPR and Art. 130, paragraph 4 of the Privacy Code.
  1. Consequences of failure to provide data: the provision of data, as well as the related consent to processing, is optional and failure to provide it will not affect the proper conclusion and execution of the relationship with the Libera Scuola di Hatha Yoga Hamsa.
  2. Retention period: 24 (twenty-four) months from the provision of consent or from the termination of the contractual relationship with the data subject in the case of processing based on legitimate interest. This is without prejudice to the need to comply with legal obligations or protect rights.

1.3 Management of requests submitted through the Website

    1. Categories of data subjects: individuals who contact us through the forms or contact channels on the Website.
    2. Data processed:
    • Personal details (e.g. first name and surname);
    • Contact details (telephone number, e-mail address, fax number, postal address);
    • Other personal data that data subjects provide us with when they contact us (e.g. information and/or multimedia content contained in their messages).
    1. Purpose of processing: management of requests submitted by data subjects.
    2. Legal basis for processing: consent* of data subjects – Art. 6, para. 1, letter a) GDPR
      * The fact that a data subject decides to contact the Data Controller to request information will be considered an unequivocal positive action equivalent to a written declaration of consent pursuant to Art. 4, no. 11 of the GDPR.
    1. Consequences of failure to provide data: inability to provide a response.
    2. Retention period: the data will be retained for the period of time strictly necessary to respond to requests from data subjects. In any case, the data will be removed from the Data Controller’s systems after 2 (two) years from the last interaction. This is without prejudice to the need to comply with legal obligations or protect rights.

    1.4 Statistical analysis

    1. Categories of data subjects: all of the above categories.
    2. Data processed:
    • aggregated/anonymised data (e.g. number of students enrolled per course, attendance rates, general statistics).
    1. Purpose of processing: analysis and improvement of services, planning of activities.
    2. Legal basis for processing: further processing for statistical purposes on aggregated data (Art. 5, para. 1, letter e) and Art. 89 GDPR); where non-anonymous personal data is used, legitimate interest of the Data Controller with minimisation and balancing assessments (Art. 6, para. 1, letter f) GDPR)
    3. Retention period: personal data used to generate statistics in accordance with the terms of the original purpose; statistics stored in aggregate form without time limits. This is without prejudice to the need to comply with legal obligations or protect rights.

    1.5 Browsing data

    Browsing data is used exclusively for the proper functioning, security and maintenance of the Website, as well as for internal statistics in aggregate form that cannot be traced back to the user. The Website only uses technical/necessary cookies; profiling cookies or cookies for marketing purposes are not used.

    1.6 Social network plug-ins and interactions with third-party sites

      The Website contains only external links to third-party pages (e.g. social networks or other websites). By clicking on the link, you will be redirected to the third-party website, where the relevant privacy and cookie policy applies.

      1.7 Cross-cutting purposes – legal obligations and protection of rights

        In addition to the above, the Data may be processed, where necessary, to:
        (a) comply with legal obligations incumbent on the Data Controller (Art. 6.1.c GDPR);
        (b) establish, exercise or defend a right in court, administrative or extrajudicial proceedings (Art. 6.1.f GDPR – legitimate interest of the Data Controller).
        Retention: for the time necessary to fulfil the specific obligation or for the entire duration of the proceedings and until the related rights expire.

        1. METHOD OF PROCESSING AND DATA PROTECTION

        The personal data of data subjects will be processed using IT, telematic and/or paper-based tools in accordance with the principles of fairness, lawfulness, transparency, accuracy, integrity, data minimisation and purpose and storage limitation, as well as in accordance with the provisions of the GDPR and current legislation on the protection of personal data, and with the adoption of appropriate security measures.
        Once all the purposes that justify the storage of your personal data have been fulfilled, the Data Controller will take care to delete them or make them anonymous.

        1. TO WHOM THE PERSONAL DATA OF DATA SUBJECTS IS COMMUNICATED

        If necessary for the purposes set out in this Policy, the personal data of data subjects may be disclosed to the following parties:

        1. Service providers such as website managers, webmasters, IT consultants, cloud data storage service providers;
        2. Professionals such as solicitors, accountants, accounting and tax consultants;
        3. Certification/training bodies (if relevant): yoga federations/associations or bodies that issue certificates (only if required by the training course);
        4. Teaching staff who will process the data as independent data controllers for their own courses or, depending on the case, as authorised persons and/or data processors pursuant to Article 28 in accordance with the Data Controller’s instructions;
        5. Course booking/management platforms: if used (apps or software for planning, check-in, subscriptions);
        6. entities that provide spaces and logistical services for activities;
        7. Insurance companies: companies and brokers for civil liability/accident policies related to courses, internships, retreats;
        8. Competent judicial and/or administrative authorities, law enforcement agencies where necessary to comply with a legal obligation or a legitimate order from a competent authority.

        The entities belonging to the above categories may process the personal data of data subjects as independent data controllers, joint data controllers or data processors, depending on the specific agreements in place between these entities and the Data Controller.
        The precise identity of the subjects to whom the personal data of the data subjects may be disclosed can be requested by contacting us through the channels indicated in the paragraph “How to contact us”.

        1. TRANSFER OF DATA OUTSIDE THE EEA

        As a rule, personal data is not transferred to countries outside the European Economic Area (“EEA”). Should it become necessary to make transfers outside the EEA in the future, the Data Controller will adopt the safeguards provided for in Articles 45-49 of the GDPR (e.g. adequacy decisions, standard contractual clauses) and will update this Policy.

        1. THE RIGHTS OF DATA SUBJECTS AND HOW TO EXERCISE THEM

        In accordance with applicable legislation, data subjects may, at any time, exercise the following rights pursuant to Articles 15–22 of the GDPR: i) access to data and a copy thereof; ii) rectification/updating; iii) erasure (“right to be forgotten”) in cases provided for by law; iv) restriction of processing; vportability of the data provided; vi) objection to processing based on legitimate interest, with absolute objection to direct marketing; vii) withdrawal of consent (including health and images), without prejudice to processing already carried out.
        Your rights are guaranteed without any particular charges or formalities for their exercise, which is essentially free of charge.

        1. HOW TO CONTACT AND THE DATA CONTROLLER

        To exercise your rights and for any questions or clarifications on how personal data is processed and used in accordance with this Policy, each data subject may contact the Data Controller at the following email address: maurimorelli@gmail.com.
        All data you provide will be processed exclusively for the purpose of providing you with a prompt response and ensuring the proper management of your requests.

        1. PROTECTION OF DATA SUBJECTS’ RIGHTS

        Without prejudice to any other administrative or judicial action, each data subject, in order to protect their rights and personal data, may, at any time, decide to lodge a complaint with the competent supervisory authority or take legal action before the competent national courts. In Italy, the competent supervisory authority is the Garante per la Protezione dei Dati Personali (Personal Data Protection Authority) (tel. +39 06.696771, e-mail address: protocollo@gpdp.it or urp@gpdp.it ; certified e-mail address:protocollo@pec.gpdp.it ).

        14. November 2025