Glossary of Terms
The glossary for GDPR is the same as that in the General Terms and Conditions. We have added the terms Controller and Processor, which are specific to GDPR.
Controller vs. Processor
Within Zenamu, Service Providers, which are usually yoga studios or individual instructors, can manage their clients.
We distinguish between the operator of the Zenamu Platform when acting as a data controller (user or studio profile) and when it acts as a data processor (storing data on servers for the Service Provider).
Fyooga s.r.o. acts as a data controller when you are logged in as a User to the application, and the application requires this to function correctly. This includes email, first and last name, cookies, and user preferences agreed by you.
Fyooga s.r.o. acts as a data processor when you are a Service Provider within the Zenamu Platform. Remember, in this case, you legally become the data controller of your clients' personal data.
The Processing Agreement governs the protection of the User's personal data provided to Service Providers.
1. Personal Data Controller
1.1
The Operator of the Zenamu Platform is the Data Controller, also referred to as the "Controller", for its users. The Controller informs you about the processing of your personal data and your rights under Regulation (EU) 2016/679 of the European Parliament and of the Council and Act No. 110/2019 Coll., on the processing of personal data.
1.2
We respect and follow data protection standards when processing personal data, and we adhere to the following principles:
Personal data is processed only for clearly and comprehensibly stated purposes
Personal data is processed using the means and methods specified
Personal data is processed only for as long as strictly necessary
1.3
We collect users' personal data to the extent necessary and do not share it with third parties, except those directly involved in the necessary processing within the application.
1.4
Zenamu is responsible for its employees and subcontractors who come into contact with personal data in the performance of their authorized duties. They are obliged to maintain the confidentiality of personal data and security measures in accordance with the GDPR.
1.5
Users have the right to be informed about the extent to which and for what purpose their personal data is processed, who will process the data and how, and to whom the data may be disclosed.
1.6 Data Protection Officer
Given the scale and nature of our processing, we have not appointed a Data Protection Officer (DPO) under Art. 37 GDPR. All privacy-related inquiries, data subject rights requests, and security incident reports should be directed via our contact form or to the Operator's registered address listed in the General Terms and Conditions.
1.7 Processing of children's data
The Zenamu Platform is not intended for direct registration by persons under 16 years of age. Where a Service Provider manages personal data of their own clients who are under 16 (e.g. children's classes) via the Platform, the Service Provider is fully responsible for obtaining the consent of the holder of parental responsibility in accordance with Art. 8 GDPR. This responsibility is set out in the Data Processing Agreement concluded with each Service Provider.
1.8 Data breach notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (typically within 72 hours of becoming aware of the incident) and will also notify the Czech Data Protection Authority in accordance with Art. 33 and 34 GDPR.
2. Subject of Personal Data Processing
2.1 Data
The personal data processed by the Zenamu application includes:
User profile information
name, surname
email address
phone*
bank contact*
profile photo*
Service provider information
name, surname*
email address
Company ID*, VAT ID*
residence / registered office*
website
bank account number
phone
Technical data
cookies
IP address
other analytical metrics, including information about application crashes and logs of user account activity
Other data
correspondence via email, chat, in-app, and voluntary responses to Provider's surveys.
*Optional data is only collected if available or if you are filling in for a legal entity.
2.1.1 Data from third-party sign-in (Facebook/Google)
When you register or sign in via Facebook or Google, we process the following data:
email address,
name / display name,
profile photo,
the app-scoped user ID (a unique identifier for our application),
technical authentication data (e.g., tokens and their expiry times).
For Google Sign-In, this means we access the following Google user data via Google APIs:
your Google account email address
your Google account basic profile information (name and, where available, profile picture)
your Google user ID / app-scoped identifier
authentication and refresh tokens, token expiry times, and related technical authentication data
We use this information to:
authenticate you via Google and verify your identity
create a new Zenamu account or link an existing Zenamu account to your Google account
keep your login method up to date (e.g., if you change your Google email alias)
maintain security, fraud-prevention, and audit logs related to sign-in and access to your account
use your email address and name as your contact details in Zenamu for sending you application-related emails (e.g. account notifications, system messages) and, where you have given the appropriate consent in Zenamu, marketing communications about the Platform.
We do not access the contents of your Gmail, Google Drive, Google Calendar, Google Photos, or any other Google services or files.
For Facebook Login, we access the following Facebook user data via Facebook APIs:
your Facebook account email address (if available)
your name / display name
your profile photo (if available)
your Facebook app-scoped user ID
authentication tokens, token expiry times, and related technical authentication data
We use this information to:
authenticate you via Facebook and verify your identity
create a new Zenamu account or link an existing Zenamu account to your Facebook account
keep your login method up to date
maintain security, fraud-prevention, and audit logs related to sign-in and access
use your email address and name as your contact details in Zenamu for sending you application-related emails (e.g. account notifications, system messages) and, where you have given the appropriate consent in Zenamu, marketing communications about the Platform.
We do not access or read the content of your private messages or other private content on Facebook.
2.2 Cookies
We use cookies to ensure the proper functioning of our website and measure its performance. Cookies are small data files stored on your device, which can remember text data for a specified time period.
Our cookies are categorized into:
Technical cookies - enable the proper functioning of our website, such as preparing the display of pages, remembering your preferred language, and securing your login.
Analytical cookies - collect anonymized data about website usage for development purposes.
Marketing cookies - send data about your website usage to advertising platforms to target you with advertising or build audiences.
For a comprehensive list of all cookies, visit the cookie bar in the Platform footer, where you can grant, remove, or configure your consent to their use.
In connection with social sign-in, provider scripts/SDKs (Facebook/Google) may be loaded, which use their own cookies and identifiers for secure authentication.
2.3 Data Operations
The Controller performs the following data processing operations on the User's personal data:
Automated storage on the Controller's servers.
Organising, structuring, retrieving, ranking, or combining for analytical and statistical evaluation and improvement of the Platform (system metrics).
For Google user data obtained through Google Sign-In, these operations are limited to what is necessary to:
store and update authentication data,
link your Google account to your Zenamu user account, and
maintain security and audit logs related to sign-in events.
3. Purposes of the processing of personal data:
3.1. Error-free operation of the application
This includes mainly cookies necessary for the error-free operation of the application and email, which is required to log in to the application.
Legal basis: Art. 6(1)(b) GDPR — processing necessary for the performance of the contract between you and the Operator (providing the user account and related Platform functions).
3.1a Identity verification and account linking (Facebook/Google)
Enabling registration/sign-in, creating or linking a user account, performing security verification, and maintaining audit logs.
When you choose to sign in with Google, we use the Google user data described in section 2.1.1 to:
authenticate you via Google and verify your identity,
create or link your Zenamu user account
keep your login method up to date
maintain security and audit logs related to sign-in and access
populate and maintain your contact details in Zenamu so that we can send you application-related emails and, where permitted, marketing communications.
We do not use Google user data to build marketing or advertising profiles for third parties, we do not read the content of any Google services (such as Gmail, Drive, or Calendar), and we do not use Google user data for personalised or interest-based advertising.
Google user data is not used for any purposes other than those explicitly described in this Privacy Policy.
When you choose to sign in with Facebook, we use the Facebook user data described in section 2.1.1 to:
authenticate you via Facebook and verify your identity
create or link your Zenamu user account
keep your login method up to date
maintain security and audit logs related to sign-in and access
populate and maintain your contact details in Zenamu so that we can send you application-related emails and, where permitted, marketing communications.
We do not use Facebook user data to build marketing or advertising profiles for third parties, and we do not use Facebook user data for personalised or interest-based advertising.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract) for creating/linking the account and enabling sign-in; Art. 6(1)(f) GDPR (legitimate interest) for security and audit logs and fraud prevention.
3.2. Performance of the contract with the Service Provider
This includes conclusion of the contract, communication with the Service Provider, issuing and recording of tax documents.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract); for invoicing and tax records also Art. 6(1)(c) GDPR (compliance with a legal obligation under Czech VAT and accounting laws).
3.3. Information purposes
This includes informative email and telephone communications related to the operation of the Platform, such as notifications of expiration of credits and entries, subscription expiration, information about changes to the terms and conditions, information about system upgrades, as well as other information about emergencies not related to marketing communications.
These messages can be sent to the contact email you provided directly in Zenamu or via social sign-in providers (Facebook/Google).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in proper customer communications regarding the operation of the Platform and material changes); to the extent of contract performance also Art. 6(1)(b) GDPR.
3.4. Technical and analytical purposes
This includes cookies, IP address, and other online technical identifiers, as well as traffic information used for analytical processing in order to improve the Platform itself.
During the trial period (TRIAL plan), we additionally record interface sessions (so-called session recordings) within the Platform admin to understand where users get stuck and to improve the Platform. Sensitive fields (client names, email addresses, phone numbers, passwords, payment details) are always masked in recordings. Recording can be disabled at any time within the app under Account Settings → Privacy and analytics. Recording stops automatically once the trial period ends or the account is upgraded to a paid plan.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring the security and stability of the Platform) for technical logs, IP addresses and anonymised traffic data; Art. 6(1)(a) GDPR (consent) for analytical and marketing cookies and for session recordings. Consent is collected via the cookie bar in the Platform footer.
3.5. Sending marketing communications
Users who have given their explicit consent to receive marketing communications in the Platform are sent marketing content, such as newsletters. These communications can be sent to the email address you provided directly in Zenamu or to the email address obtained via social sign-in (Facebook/Google).
You can opt out of receiving marketing communications directly in the app or via our contact form.
Legal basis: Art. 6(1)(a) GDPR — your explicit and separable consent, which you may withdraw at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
3.6 Automated decision-making
We do not carry out automated individual decision-making within the meaning of Art. 22 GDPR that would produce legal effects concerning you or similarly significantly affect you. All substantive decisions about your account (e.g. restriction or termination) are made by our staff.
4. Recipients of personal data (subcontractors of the controller)
4.1
The User acknowledges that the Zenamu Platform is operated on servers located in a hosting center, and that the processing of personal data involves companies registered at the web address of subcontractors.
Meta Platforms (Facebook) and Google act as independent controllers with respect to the data you provide to them. Processing may involve transfers outside the EEA; in such cases, we rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards.
PostHog Inc. (registered at 2261 Market Street #4008, San Francisco, CA, USA) acts as a data processor for product analytics and session recording purposes as described in section 3.4. Data is hosted exclusively within the European Union (Frankfurt) and is not transferred outside the EEA.
4.2
The Controller is entitled, even without the User's prior consent, to involve another supplier of hosting, cloud, or other services as a so-called additional processor in the processing of personal data or to replace the existing companies with another supplier.
In such cases, the User will be informed of this change on the relevant website or, for Users who are themselves Service Providers under a Processing Agreement, also by email.
4.3 Sharing of social sign-in data (Google / Facebook)
We do not sell or rent social sign-in data (Google or Facebook user data) to any third parties.
We do not share this data with third parties except in the following limited situations:
with our infrastructure, hosting, authentication, and email delivery / newsletter providers, who process this data solely on our behalf (for example to send application-related or, where permitted, marketing emails) and under written data processing agreements that require them to protect the data and follow our instructions
where we are required to do so by law, court order, or regulatory request.
This may include sharing your email address and name (including where obtained via Google Sign-In or Facebook Login) with our email service providers to deliver the communications described in sections 3.3 and 3.6.
We do not disclose social sign-in data to advertisers and do not use it for targeted advertising, ad measurement, or audience building.
5. Time and Location of Data Processing
5.1 Location of processing and international transfers
Personal data is primarily processed within the European Union Member States. In certain cases, we transfer selected data to our processors or independent controllers established outside the European Economic Area (in particular to the United States — Stripe, Sentry, Grafana Labs and Mailchimp; Meta and Google act as independent controllers). For such transfers, we rely on appropriate safeguards under Art. 46 GDPR:
Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914;
where the processor is certified under the EU-US Data Privacy Framework, the adequacy decision of the Commission (EU) 2023/1795;
supplementary technical and organisational measures, in particular encryption of data in transit (HTTPS/TLS) and at rest, data minimisation, and contractual purpose limitation.
PostHog Inc. processes our data exclusively on servers located in the European Union (Frankfurt); no transfer outside the EEA takes place.
5.2 Data retention
We retain personal data only for as long as necessary to fulfil the purposes set out in section 3. Specific retention periods per data category:
User account data (name, email, profile, user preferences): for the duration of the account and 30 days after its deletion, during which technical removal from backup systems is completed;
Invoicing and tax records: 10 years from the end of the tax period in which the performance occurred, in accordance with Sec. 35 of the Czech VAT Act and Sec. 31 and 32 of the Czech Accounting Act;
Payment and contract records: for the period necessary to settle obligations and during the statutory limitation period (generally 3 years, up to 10 years for contracts);
Customer support communications: 3 years from the last contact, for demonstrating due performance;
Marketing consent and newsletter data: until consent is withdrawn or for a maximum of 5 years without active use;
Cookies: per cookie bar settings, maximum 13 months (analytical and marketing);
Session recordings (PostHog): maximum 30 days (free tier), or as set in the application, never longer than 12 months;
Activity and error logs (Sentry, Grafana): typically 90 days;
Audit records of account deletion and consents: 3 years to evidence GDPR compliance.
After expiry of the applicable retention period, data is either permanently anonymised or irreversibly deleted. In the event of ongoing legal or administrative proceedings, the retention period may be extended until those proceedings have been finally concluded.
We retain the data necessary for social sign-in (e.g., the app-scoped ID and technical tokens) for as long as your account is linked to the social provider, and thereafter delete it or disassociate it from your profile.
For social sign-in data (Google and Facebook), we apply the following retention and deletion rules:
we retain this data only for as long as your Zenamu account is active and linked to your Google or Facebook account, and only for the purposes described in this Privacy Policy;
when you disconnect your Google or Facebook account from Zenamu (see section 6.2) or request the deletion of your account (see section 6.3), we delete or irreversibly anonymise the social sign-in data and related authentication tokens that we store, except where retention of certain data is required by law (e.g. for accounting records);
you can also revoke Zenamu's access in your Google Account settings or Facebook account settings. After such revocation, we can no longer access new data via the respective APIs and will use only the data that remains in your Zenamu account until you edit or delete it.
In all cases, data is retained only for as long as necessary for the fulfillment of the purposes described above or to comply with our legal obligations.
5.3 Data storage and protection
We take appropriate technical and organizational measures to protect your personal data, including social sign-in data (Google and Facebook user data), against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, in particular:
limiting access to personal data only to those employees and contractors who need it to perform their duties and who are bound by confidentiality;
using industry-standard security measures such as encrypted connections (HTTPS/TLS) for data in transit;
maintaining access controls, logging, and monitoring to detect and respond to potential security incidents;
periodically reviewing our security measures and supplier contracts to ensure an adequate level of protection.
While no system can be guaranteed to be 100% secure, we aim to keep your data protected using measures that are appropriate to the nature and sensitivity of the data we process.
6. User's Rights
6.1 Right of Access
Each Application User has the right to access their personal data.
6.2 Right to Edit
A Platform User has the right to edit their personal data. This can be done through the Platform or via our contact form.
Disconnecting social accounts
You can disconnect your Facebook/Google link at any time in My Profile. Disconnecting removes only this sign-in method and does not delete your account or data.
When you disconnect your Google or Facebook account, we stop using the respective social sign-in data for sign-in and we delete or invalidate stored authentication tokens. Your contact email and name may remain in your Zenamu profile and continue to be used for application-related communications and, where permitted, marketing emails, until you edit or delete them or request deletion of your account.
If you wish to remove all data, including social sign-in data, you can request full account deletion under section 6.3.
6.3 Right to Erasure
Every User has the right to request the erasure of all personal data. This can be done via our contact form.
The Controller is obligated to delete all User records obtained during the use of the Platform without undue delay.
This right to erasure also applies to social sign-in data (Google and Facebook user data) obtained via sign-in providers. Upon your request for deletion, we will remove such data, subject only to any retention required by applicable law.
6.4 Right to restriction of processing
You have the right to request that we restrict the processing of your personal data (Art. 18 GDPR), in particular where:
you contest the accuracy of the data, for the time we need to verify it;
processing is unlawful and you object to erasure and request restriction instead;
we no longer need the data for the purposes of processing, but you require it for the establishment, exercise or defence of legal claims;
you have objected to processing (see 6.6) pending verification of whether our legitimate grounds override yours.
6.5 Right to data portability
You have the right (Art. 20 GDPR) to receive the personal data you have provided to us in a structured, commonly used and machine-readable format (such as JSON or CSV) and to transmit it to another controller. You can submit a request via our contact form. This right applies only to data processed by automated means on the basis of consent or contract performance.
6.6 Right to object
You have the right (Art. 21 GDPR) to object at any time to processing of your personal data based on the Controller's legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds overriding your interests, or unless we need the data for the establishment, exercise or defence of legal claims.
You have the right to object at any time and without giving reasons to processing for direct marketing purposes (newsletters, marketing communications). In that case we will stop processing your data for this purpose. You can unsubscribe directly in the app or via the link in any marketing email.
6.7 Right to withdraw consent
Where processing is based on your consent (e.g. marketing, analytical and marketing cookies, session recordings), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent as follows:
Cookies and session recordings — via the cookie bar in the Platform footer (Cookie Settings) or under Account Settings → Privacy and analytics;
Marketing communications — via the link in the footer of any marketing email, or in your account settings;
Other consents — via our contact form.
6.8 Right to lodge a complaint with the supervisory authority
If you believe that the processing of your personal data by the Operator violates GDPR or the Czech Personal Data Processing Act, you have the right to lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů):
Address: Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Phone: +420 234 665 111
Email: [email protected]
Website: www.uoou.cz
Before filing a complaint, we kindly ask you to contact us first via our contact form — most situations can be resolved directly and faster.
6.9 Handling of requests
We process requests to exercise rights without undue delay and in any case within one month of receipt. This period may be extended by a further two months for complex or numerous requests, in which case we will inform you. To verify your identity, we may request additional information.
7. Final Provisions
7.1
All legal relationships related to the processing of personal data are governed by the laws of the Czech Republic, regardless of where the data was accessed.
The Czech courts have the authority to resolve any disputes related to the protection of privacy between the User and the Controller.
7.2
Users who provide their personal data for the purpose of concluding a contract with the Controller or provide consent to the processing of personal data do so voluntarily, on their own behalf, and the Controller does not control their activities in any way.
7.3
The Controller may amend or supplement this Privacy Policy. The current version will always be available within the Platform, where every User has easy access to it. We will notify Users of material changes typically 30 days in advance by email to the address associated with the Zenamu Account.
Changes affecting processing based on your consent (in particular marketing, analytical and marketing cookies, and session recordings) require your new explicit confirmation in the application or via the cookie bar. We will not extend the scope of consent-based processing without that new consent. For changes affecting processing based on performance of the contract, legal obligation, or legitimate interest, by continuing to use the application you acknowledge the changes; if you do not agree, you have the right to delete your account in accordance with the General Terms and Conditions.
7.4
The User may withdraw consent at any time (see section 6.7). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
7.5
This Privacy Policy takes effect on 25 May 2026 and replaces the previous version of 17 November 2025.
