Alaya Guru Logo

Privacy Policy

Privacy Policy of alaya.guru

This privacy policy describes how personal data is processed through the Alaya Guru platform (hereinafter also "Platform" or "Application").

Data Controller

Alaya Guru S.r.l. Via Vela 42, 10128 Turin (TO), Italy Email: namaste@alaya.guru

This privacy policy is issued pursuant to Regulation (EU) 2016/679 ("GDPR") and applicable Italian regulations on personal data protection.

1. Types of Data Processed and Categories of Data Subjects

This Application processes Personal Data relating to the following categories of data subjects:

  • Users browsing the site (visitors)
  • Holistic professionals/associations registered on the Platform
  • Clients/patients who book or use services through the Platform

Depending on usage, the following may be processed:

  • Contact and account data: name, surname, email, encrypted password, telephone number, role/profile
  • Data related to service provision and features being activated: bookings, calendar, session history, preferences (currently such data is not processed)
  • Billing and payment data: billing data; card data is processed only by the payment provider (e.g., Revolut Bank or other payment providers used by the Controller) and is not stored by Alaya Guru
  • Usage and browsing data: IP address, device identifiers, access logs, visited pages, time, session duration, referral, browser and operating system information
  • Data collected through cookies and tracking tools: as described in the Cookie Policy

Personal Data may be provided directly by the User or, in the case of Usage Data, collected automatically during use of the Platform.

2. Purposes, Legal Bases and Retention Period

User Data is processed for the following purposes:

Platform Provision and Account Management

Purpose: registration, authentication, profile management, provision of Platform features (calendar, bookings, client management, etc.).

Legal basis: performance of a contract or pre-contractual measures (art. 6.1.b GDPR).

Retention: for the entire duration of the contractual relationship and, subsequently, as provided by law (e.g., statute of limitations).

Compliance with Legal and Accounting Obligations

Purpose: invoicing, tax, accounting obligations, response to authority requests.

Legal basis: legal obligation (art. 6.1.c GDPR).

Retention: according to the retention periods provided by law.

Platform Security and Fraud Prevention

Purpose: application security, fraud prevention, log management and security incidents (e.g., via Cloudflare).

Legal basis: legitimate interest of the Controller (art. 6.1.f GDPR).

Retention: for the time necessary to ensure security and protect the Controller's rights.

Aggregate Statistics and Analysis of Platform Usage

Purpose: traffic and usage analysis, feature improvement (e.g., via Google Analytics 4).

Legal basis: User consent through cookie banner (art. 6.1.a GDPR).

Retention: as indicated in the Cookie Policy (e.g., 24–26 months for analytical cookies).

User Experience Enhancement and Behavioral Analysis

Purpose: heat maps, session recordings, UX analysis (e.g., via Hotjar).

Legal basis: User consent through cookie banner (art. 6.1.a GDPR).

Retention: according to the duration of cookies/tools indicated in the Cookie Policy.

Service Communications and Marketing

Purpose: operational service communications (e.g., platform updates, booking messages); possible sending of promotional communications only as provided and permitted.

Legal basis:

  • Service communications: contract performance (art. 6.1.b GDPR)
  • Direct marketing: consent (art. 6.1.a GDPR) or legitimate interest within permitted limits

3. Recipients, Suppliers and Extra-EU Transfers

For pursuing the purposes indicated above, Personal Data may be communicated to subjects operating as data processors (art. 28 GDPR) or as autonomous controllers.

In particular, access to Data may be granted to:

  • Cloud hosting and security service providers: e.g., Cloudflare, Inc.
  • Analytics and tracking service providers: Google Ireland Limited (Google Analytics/Tag Manager); Hotjar Ltd.
  • Payment, invoicing and accounting service providers: e.g., Revolut Bank or other payment providers used by the Controller
  • Consultants and professionals: lawyers, accountants, IT consulting companies

When such suppliers process data on behalf of the Controller, they are appointed as Data Processors pursuant to art. 28 GDPR through specific Data Processing Agreements (DPA) and Standard Contractual Clauses (SCC), where necessary.

Transfers to Extra-EU Countries

Some suppliers (e.g., Google, Hotjar, Cloudflare) may process data outside the European Economic Area.

In such cases, the transfer occurs:

  • To countries subject to an adequacy decision from the European Commission, or
  • Based on Standard Contractual Clauses (SCC) adopted by the European Commission, supplemented by additional security measures where necessary

The User may request further information on the safeguards adopted and obtain a copy of the SCC/DPA by contacting the Controller at the email address indicated.

4. Cookies and Tracking Tools

The use of cookies and tracking tools (including Google Analytics, Hotjar, Cloudflare, and others) is described in more detail in the Cookie Policy, which is an integral part of this privacy policy.

Through the cookie banner and related preferences panel, the User may:

  • Grant or revoke consent for the use of non-essential cookies
  • Modify preferences at any time
  • Obtain information about individual cookies (name, duration, provider, purpose)

5. Security Measures

The Controller adopts appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of Personal Data.

Processing is carried out using computer and/or electronic tools, with organizational methods and logics strictly correlated to the purposes indicated. In addition to the Controller, in some cases, other subjects involved in the organization of this Application (administrative, commercial, marketing, legal staff, system administrators) or external subjects (such as third-party technical service providers, postal couriers, hosting providers, IT companies, communication agencies) may have access to Data, also appointed as Data Processors by the Controller where necessary.

The updated list of Data Processors may always be requested from the Data Controller.

6. Rights of Data Subjects

The User has the following rights under the General Data Protection Regulation (GDPR):

  • Right to withdraw consent: The User may withdraw consent to the processing of their Personal Data previously expressed at any time.
  • Right to object to processing: The User may object to processing when it is based on a legal basis other than consent.
  • Right of access: The User has the right to obtain information on Data processed by the Controller and receive a copy of the Data processed.
  • Right to rectification: The User may verify the accuracy of their Data and request its update or correction.
  • Right to restriction of processing: The User may request restriction of processing of their Data.
  • Right to erasure: The User may request erasure of their Personal Data.
  • Right to data portability: The User has the right to receive their Data in structured, commonly used and machine-readable format, and to have it transferred to another controller.
  • Right to lodge a complaint: The User may file a complaint with the Data Protection Authority (www.garanteprivacy.it) or the supervisory authority of their member state of residence, pursuant to art. 77 GDPR.

Users also have the right to obtain information regarding the legal basis for Data transfer abroad and the security measures adopted by the Controller to protect their Data.

How to Exercise Rights

Any requests to exercise the User's rights may be addressed to the Controller at the email address namaste@alaya.guru.

The request is free of charge and the Controller will respond as soon as possible, in any case within one month, providing the User with all information required by law.

Any rectifications, erasures, or restrictions of processing will be communicated by the Controller to each recipient, if any, to whom Personal Data has been transmitted, unless this proves impossible or requires disproportionate effort.

7. Additional Information

Defense in Court

The User's Personal Data may be used by the Controller in court or in preparatory stages of potential litigation to defend against misuse of this Application or related Services by the User.

The User acknowledges that the Controller may be required to disclose Data by order of public authorities.

Specific Notices

Upon User request, in addition to the information contained in this privacy policy, this Application may provide the User with additional and contextual information regarding specific Services or the collection and processing of Personal Data.

System Logs and Maintenance

For purposes related to operation and maintenance, this Application and any third-party services used by it may collect system logs, namely files that record interactions and which may also contain Personal Data, such as User IP address.

Modifications to this Privacy Policy

The Data Controller reserves the right to make changes to this privacy policy at any time by notifying Users on this page. Should modifications affect processing whose legal basis is consent, the Controller will collect User consent again if necessary.

8. Definitions and Legal References

Personal Data (or Data):

Any information that, directly or indirectly, even in connection with any other information, identifies or makes identifiable a natural person.

Usage Data:

Information collected automatically through this Application, including IP addresses, domain names, URIs, request times, methods used, file sizes, server status codes, country of origin, browser characteristics and operating system, time specifications of the visit, and details of the route followed within the Application.

User:

The individual who uses this Application.

Data Subject:

The natural person to whom Personal Data refers.

Data Processor (or Processor):

The natural person, legal entity, public administration or other body that processes personal data on behalf of the Controller.

Data Controller (or Controller):

The natural person or legal entity, public authority, service or other body that determines the purposes and means of processing personal data. The Data Controller is Alaya Guru S.r.l.

This Application:

The hardware or software tool through which Personal Data of Users is collected and processed (platform alaya.guru).

Service:

The Service provided by this Application as described in the related terms of service.

Cookie:

Tracking Tools consisting of small portions of data stored within the User's browser.

Tracking Tool:

Any technology (e.g., Cookie, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting) that enables tracking of Users.

European Union (or EU):

Unless otherwise specified, every reference to the European Union is intended to extend to all current member states of the European Union and the European Economic Area.

Last modified: January 8, 2026

For further clarification or requests, contact the Data Controller at the email address:

namaste@alaya.guru

ALAYA GURU

Cookie Consent

We use cookies to enhance your experience and analyze site usage. Essential cookies are always required, but you can customize your preferences.