dd-La-Casa-Shambala-ROBOTO

La Casa Shambala

Privacy Policy

Last updated: February 2026

 

A note on GDPR

La Casa Shambala operates programmes in Spain and Portugal, which are EU member states. Where we collect personal data from individuals in the EU or EEA, we do so in compliance with the General Data Protection Regulation (GDPR). This policy reflects those obligations and applies to all students, staff, and website visitors globally.

 

1. Who We Are

La Casa Shambala is a global yoga teacher training organisation. Our registered address is Moo 4 63/2 Koh Phangan, Surat Thani, 84280 Thailand. We also operate programmes in Spain, Portugal, and other international locations.

For the purposes of data protection law, La Casa Shambala is the data controller responsible for your personal data. If you have any questions about how we handle your information, please contact us at: [email protected]

 

2. What Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

 

2.1 Booking & Enrolment

  • Full name, date of birth, nationality
  • Email address, phone number, postal address
  • Payment information (processed securely via our payment providers — we do not store full card details)
  • Health and medical information disclosed as part of the course suitability process (see Section 3)
  • Emergency contact details

 

2.2 Website & Communications

  • IP address, browser type, and pages visited (via cookies — see our Cookie Policy)
  • Email correspondence and enquiry form submissions
  • Social media interactions where you contact us through those channels

 

2.3 During a Course

  • Photographs and video footage (with your consent — see Section 5.4 of our Terms of Booking)
  • Feedback, self-evaluations, and practicum assessments
  • Notes relevant to your participation, welfare, or any complaints or incidents

 

3. Sensitive Personal Data

Certain categories of personal data are treated with additional care under data protection law. These include health and medical information, and information about mental health conditions.

We collect this type of data only where you have voluntarily provided it to us as part of the course suitability and booking process, and only to the extent necessary to ensure your safety and the safety of other participants. We will never use sensitive personal data for marketing or share it without your explicit consent, except where required by law.

 

4. Why We Process Your Data and Our Legal Basis

The table below summarises how and why we use your personal data:

 

Type of Data

Purpose

Legal Basis

Booking & payment details

To process your reservation and course enrolment

Contract performance

Health & medical information

To assess suitability and ensure your safety during the course

Vital interests / Explicit consent

Emergency contact details

To contact someone on your behalf in an emergency

Vital interests

Course participation records

To issue Yoga Alliance certification and maintain training records

Contract performance / Legitimate interests

Photographs & video

Marketing and promotional use on our website and social media

Consent

Website usage data

To improve our website and understand how visitors use it

Legitimate interests

Complaint & incident records

To investigate and resolve complaints fairly and in compliance with our policies

Legal obligation / Legitimate interests

Email correspondence

To respond to enquiries and manage the student relationship

Contract performance / Legitimate interests

 

5. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

  • Booking and enrolment records: 7 years (for tax and legal compliance purposes)
  • Certification records: Indefinitely, as these may be needed to verify your qualification with Yoga Alliance
  • Health disclosures: Deleted within 2 years of your course completing, unless a legal obligation requires longer retention
  • Complaint and incident records: 5 years from the date of resolution
  • Marketing photographs/video: Until you withdraw consent or request deletion
  • Website usage data: As set out in our Cookie Policy

 

6. Who We Share Your Data With

We do not sell your personal data. We may share it with the following parties:

 

6.1 Yoga Alliance

When you successfully complete a course, we submit your name and relevant details to Yoga Alliance to register your certification. This is a necessary part of the certification process you have enrolled for.

 

6.2 Service Providers

We use trusted third-party providers to operate our business, including payment processors, our online learning platform, and email communication tools. These providers act as data processors on our behalf and are contractually required to handle your data securely and only as instructed by us.

 

6.3 Venue Partners

Where courses are held at third-party venues, we may share limited information (such as dietary requirements or room allocation preferences) with the venue operator as necessary to deliver the course. We do not share sensitive medical data with venues without your explicit consent.

 

6.4 Legal & Regulatory Authorities

We may disclose your data to law enforcement, regulatory authorities, or legal advisors where required to do so by law, or where necessary to protect the safety of any person.

 

7. International Data Transfers

La Casa Shambala operates globally, which means your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including Thailand. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with applicable data protection law — for example, by using standard contractual clauses approved by the European Commission, or by relying on an adequacy decision where one exists.

If you would like more information about the safeguards we use for international transfers, please contact us at [email protected].

 

8. Your Rights

Depending on where you are located, you may have the following rights in relation to your personal data:

 

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct any inaccurate or incomplete data.
  • Right to erasure: You can ask us to delete your data in certain circumstances (for example, where it is no longer necessary for the purpose it was collected).
  • Right to restriction: You can ask us to pause processing of your data in certain circumstances.
  • Right to data portability: You can ask us to provide your data in a structured, commonly used format so you can transfer it to another organisation.
  • Right to object: You can object to processing based on legitimate interests, or to direct marketing at any time.
  • Right to withdraw consent: Where we rely on your consent to process data (such as for marketing photographs), you can withdraw that consent at any time without affecting the lawfulness of prior processing.

 

To exercise any of these rights, please email us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request.

 

If you are based in the EU or EEA and are not satisfied with how we handle your request, you have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

 

9. Cookies

Our website uses cookies to improve your browsing experience and help us understand how visitors use our site. For full details of the cookies we use and how to manage your preferences, please refer to our Cookie Policy, available on our website.

 

10. Data Security

We take the security of your personal data seriously. We use appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. These include secure email systems, access controls, and encrypted payment processing.

No method of data transmission or storage is 100% secure. While we do our best to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

 

11. Minimum Age

Our courses and website are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at [email protected] and we will take steps to delete it.

 

12. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The date at the top of this page shows when it was last revised. We encourage you to review this policy periodically. Where changes are material, we will notify you by email or by a prominent notice on our website.

 

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

 

Email: [email protected]

Address: Moo 4 63/2 Koh Phangan, Surat Thani, 84280 Thailand

 

Note for EU/EEA residents

Given that La Casa Shambala does not have a formal EU establishment, EU residents may wish to contact their national data protection authority if they have unresolved concerns. We recommend seeking independent legal advice if you require clarity on your GDPR rights in your specific jurisdiction.


This policy has been drafted in good faith to reflect GDPR principles. We strongly recommend having it reviewed by a qualified data protection lawyer before publication, particularly given your operations in Spain and Portugal.