Privacy Policy

Last updated: January 01, 2026

This Privacy Policy describes how Swasthya with Nehal (“we”, “us”, or “our”) collects, uses, processes, and protects your personal information when you use our website and services.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and the Dutch implementation thereof (Algemene Verordening Gegevensbescherming - AVG).

1. Data Controller Information

Data Controller:
Swasthya with Nehal
KVK Number: 97796964
Location: Rotterdam, the Netherlands
Email: fitphysio.nehal@gmail.com

For any questions regarding your personal data or this Privacy Policy, please contact us using the details above.

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract Performance (Article 6(1)(b)): Processing necessary for the performance of our service contract with you
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, such as improving our services, maintaining customer relationships, and ensuring service quality
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations (e.g., tax and accounting requirements)
  • Consent (Article 6(1)(a)): Where we have obtained your explicit consent for specific processing activities

For special category data (health information), we rely on GDPR Article 9:

  • Explicit Consent (Article 9(2)(a)): Your explicit consent to process health data for service delivery
  • Healthcare Provision (Article 9(2)(h)): Processing necessary for the provision of health or wellness services

3. Personal Data We Collect

3.1 Information You Provide Directly

When you use our services, we may collect:

Contact Information:

  • Full name
  • Email address
  • Phone number (if provided)
  • Program interest (e.g., Power Mama, Therapeutic PhysioYoga)
  • Inquiry type or question category
  • Optional message content

Account Information:

  • Username and password (if you create an account)
  • Profile information
  • Communication preferences

Health and Wellness Information (Special Category Data):

We do not require you to provide health information through our contact forms. However, you may voluntarily choose to share health-related information with us in the optional message field of our contact form, or during subsequent consultations and communications (via email, WhatsApp, phone calls, or video sessions) to help us provide safe and personalized services. This may include:

  • Medical history relevant to yoga/physiotherapy
  • Current health conditions, injuries, or limitations
  • Pregnancy status and trimester (for pre/post-natal services)
  • Chronic conditions (e.g., back pain, PCOS, stress levels)
  • Physical fitness level and goals
  • Medications that may affect physical activity
  • Previous injuries or surgeries
  • Any other health information you choose to share for safe service delivery

By voluntarily sharing this information with us, you provide explicit consent for us to use it to personalize your sessions and ensure your safety.

Payment Information:

  • Billing name and address
  • Payment method details (processed securely by our payment processor)
  • Transaction history

Session Information:

  • Booking details and session attendance
  • Session notes and progress tracking
  • Instructor observations on form, progress, and modifications
  • Goals and achievements

Communication Records:

  • Email correspondence
  • WhatsApp messages (for packages including support)
  • Consultation notes
  • Feedback and reviews

3.2 Information Collected Automatically

Website Usage Data:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on pages
  • Referral source
  • Date and time of visits

Cookies and Similar Technologies:

  • We use cookies to enhance your website experience
  • See Section 10 for detailed cookie information

4. How We Use Your Personal Data

We use your personal data for the following purposes:

4.1 Service Delivery

  • Scheduling and conducting yoga/physiotherapy sessions
  • Personalizing sessions to your health needs and goals
  • Ensuring safe practice by understanding contraindications
  • Tracking your progress over time
  • Providing session recordings or materials (where applicable)

4.2 Communication

  • Sending booking confirmations and reminders
  • Responding to your inquiries and support requests
  • Providing WhatsApp/email support (for applicable packages)
  • Sending important service updates or changes

4.3 Payment Processing

  • Processing package purchases
  • Maintaining payment records
  • Sending receipts and invoices
  • Complying with accounting and tax obligations

4.4 Service Improvement

  • Analyzing usage patterns to improve our services
  • Gathering feedback to enhance customer experience
  • Developing new programs and offerings
  • Sending newsletters and promotional offers (only with your explicit consent)
  • Informing you about new services or packages
  • You may unsubscribe at any time
  • Maintaining records as required by Dutch law
  • Responding to legal requests or court orders
  • Protecting our legal rights and preventing fraud

5. Special Category Data (Health Information)

5.1 Why We Process Health Data

Health information is classified as “special category data” under GDPR Article 9 and receives enhanced protection. We process your health data because:

  • It is essential for providing safe and effective yoga and physiotherapy services
  • It allows us to tailor sessions to your individual needs
  • It helps us identify contraindications and necessary modifications
  • It enables us to track your progress and adjust your program

By providing health information and using our services, you give explicit consent for us to process your health data for the purposes described in this Privacy Policy.

You have the right to withdraw this consent at any time, though this may impact our ability to provide services safely.

5.3 How We Protect Health Data

We take extra precautions with health information:

  • Access is restricted to authorized personnel only
  • Data is stored securely with encryption
  • We maintain strict confidentiality policies
  • Health data is only shared with your explicit consent or when legally required

6. How We Share Your Personal Data

We do not sell your personal data to third parties. We may share your information in the following limited circumstances:

6.1 Service Providers (Data Processors)

We work with trusted third-party service providers who process data on our behalf:

Video Conferencing Platforms (e.g., Zoom):

  • For conducting online sessions
  • Subject to their privacy policies
  • We use only reputable, GDPR-compliant providers where possible

Payment Processors:

  • For secure payment processing
  • They have access only to payment information necessary for transaction processing

Email and Communication Services:

  • For sending emails, newsletters, and communications
  • Subject to data processing agreements

Cloud Storage Providers:

  • For secure data storage
  • Preferably EU-based or with adequate safeguards

All service providers are required to:

  • Process data only as instructed by us
  • Maintain appropriate security measures
  • Comply with GDPR requirements
  • Enter into data processing agreements with us

We may disclose your information if required by law, regulation, legal process, or governmental request, including:

  • Responding to court orders or subpoenas
  • Complying with tax and accounting regulations
  • Cooperating with law enforcement when legally obligated

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections.

We may share your information with third parties when you have given explicit consent for such sharing.

7. International Data Transfers

7.1 EU/EEA Preference

We strive to store and process your data within the European Union/European Economic Area (EU/EEA) where possible.

7.2 Transfers Outside EU/EEA

Some of our service providers (such as Zoom, which is US-based) may process data outside the EU/EEA. When this occurs, we ensure:

  • Adequacy Decisions: We transfer data only to countries deemed to provide adequate protection by the European Commission, OR
  • Standard Contractual Clauses: We use EU-approved Standard Contractual Clauses (SCCs) with providers, OR
  • Other Safeguards: We implement other approved transfer mechanisms under GDPR Chapter V

7.3 Your Rights

Even when data is transferred outside the EU/EEA, you retain all your rights under GDPR as described in Section 8.

8. Your Rights Under GDPR

As a data subject in the EU, you have the following rights:

8.1 Right to Access (GDPR Article 15)

You have the right to request:

  • Confirmation of whether we process your personal data
  • Access to your personal data
  • Information about how we use your data

How to exercise: Contact us via email with a clear description of the information you seek.

8.2 Right to Rectification (GDPR Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data

How to exercise: Contact us with the corrected information.

8.3 Right to Erasure / “Right to be Forgotten” (GDPR Article 17)

You have the right to request deletion of your personal data when:

  • It is no longer necessary for the purposes collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • Deletion is required for legal compliance

Limitations: We may retain certain data to comply with legal obligations (e.g., tax records for 7 years under Dutch Tax Law).

How to exercise: Submit a deletion request via email.

8.4 Right to Restriction of Processing (GDPR Article 18)

You have the right to limit how we use your data in certain circumstances, such as:

  • When you contest the accuracy of data (while we verify)
  • When processing is unlawful but you don’t want erasure
  • When you need the data for legal claims

How to exercise: Contact us explaining which processing you wish to restrict.

8.5 Right to Data Portability (GDPR Article 20)

You have the right to:

  • Receive your personal data in a structured, commonly used, machine-readable format
  • Transmit this data to another controller (where technically feasible)

Applies to: Data you provided to us and data processed based on consent or contract.

How to exercise: Request a data export via email.

8.6 Right to Object (GDPR Article 21)

You have the right to object to processing based on:

  • Legitimate interests (we must stop unless we demonstrate compelling legitimate grounds)
  • Direct marketing (we must stop immediately)

How to exercise: Contact us specifying the processing you object to.

8.7 Right to Withdraw Consent (GDPR Article 7(3))

Where we process data based on your consent:

  • You have the right to withdraw consent at any time
  • Withdrawal does not affect the lawfulness of prior processing
  • Note: Withdrawal of consent for health data processing may affect our ability to provide services safely

How to exercise: Contact us stating you wish to withdraw consent.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the relevant supervisory authority:

Dutch Data Protection Authority (Autoriteit Persoonsgegevens - AP):
Website: autoriteitpersoonsgegevens.nl
Email: info@autoriteitpersoonsgegevens.nl
Phone: (+31) - (0)70 - 888 85 00

If you reside in another EU country, you may contact your local data protection authority.

8.9 How to Exercise Your Rights

To exercise any of these rights:

  1. Send an email to: fitphysio.nehal@gmail.com
  2. Include “Data Subject Request” in the subject line
  3. Clearly describe which right you wish to exercise
  4. Provide sufficient information for us to verify your identity

We will respond to your request within one month (this period may be extended by two additional months for complex requests).

9. Data Retention

We retain your personal data only for as long as necessary for the purposes outlined in this Privacy Policy:

9.1 Service Data

  • Active clients: We retain data for the duration of our service relationship
  • Inactive clients: We may retain data for up to 12 months after your last session to facilitate potential re-engagement

9.2 Health Information

  • Session notes and health data: Retained for 7 years after last session (in line with healthcare record-keeping best practices)

9.3 Financial Data

9.4 Communication Records

  • Email and correspondence: Retained for the duration of the relationship plus 2 years
  • WhatsApp support messages: Deleted after 12 months unless needed for ongoing service delivery

9.5 Marketing Data

  • Retained until you unsubscribe or until 3 years of inactivity have passed
  • Data may be retained longer if required for legal proceedings, disputes, or regulatory investigations

After retention periods expire, we will securely delete or anonymize your data.

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us provide a better user experience.

10.2 Types of Cookies We Use

Strictly Necessary Cookies:

  • Required for website functionality
  • Enable basic features like page navigation
  • Cannot be disabled

Functionality/Preference Cookies:

  • Remember your preferences (e.g., dark/light theme)
  • Enhance your user experience
  • Can be disabled via browser settings

Analytics Cookies (if applicable):

  • Help us understand how visitors use our website
  • Used to improve website performance and content
  • May use services like Google Analytics (anonymized where possible)

10.3 Managing Cookies

You can manage cookies through your browser settings:

  • Most browsers allow you to refuse or accept cookies
  • You can delete cookies already stored on your device
  • Disabling cookies may affect website functionality

For more information about cookies, visit: aboutcookies.org

10.4 Third-Party Cookies

Some cookies may be placed by third-party services we use (e.g., video platforms if we embed content). These are governed by the respective third party’s privacy policy.

11. Data Security

11.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption: Data in transit is encrypted using SSL/TLS technology
  • Access Controls: Limited access to personal data on a need-to-know basis
  • Secure Storage: Use of secure, reputable cloud storage providers
  • Password Protection: Strong password policies for accounts and systems
  • Regular Updates: Keeping software and systems up to date with security patches
  • Data Minimization: Collecting only data necessary for stated purposes

11.2 Limitations

While we take security seriously, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to using commercially reasonable efforts to protect your data.

11.3 Data Breaches

In the unlikely event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the Dutch Data Protection Authority (AP) within 72 hours
  • We will inform affected individuals without undue delay
  • We will take immediate steps to mitigate the breach

12. Children’s Privacy

Our services are intended for individuals aged 18 and older.

  • We do not knowingly collect personal data from children under 13
  • For minors aged 13-18, we require parental or guardian consent before collecting personal data
  • If we discover we have collected data from a child under 13 without parental consent, we will delete it promptly

If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately.

Our website may contain links to third-party websites, services, or social media platforms (e.g., Instagram, Facebook, YouTube).

We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

14. Marketing Communications

We will only send you marketing communications (newsletters, promotional offers, updates) if:

  • You have explicitly opted in, OR
  • You are an existing client and the communication relates to similar services (soft opt-in)

14.2 Unsubscribe

You can unsubscribe from marketing communications at any time:

  • Click the “unsubscribe” link in any marketing email
  • Contact us directly at fitphysio.nehal@gmail.com
  • Adjust your account preferences (if applicable)

14.3 Transactional Communications

Please note: Even if you unsubscribe from marketing, we will still send essential transactional emails related to your bookings, payments, and service delivery.

15. Changes to This Privacy Policy

15.1 Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Legal or regulatory requirements
  • New services or features

15.2 Notification

When we make material changes:

  • We will update the “Last updated” date at the top
  • We will notify you via email (if we have your email address)
  • We may display a prominent notice on our website

15.3 Your Continued Use

Your continued use of our services after changes are posted constitutes acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

Swasthya with Nehal
Email: fitphysio.nehal@gmail.com
KVK: 97796964
Location: Rotterdam, the Netherlands

For data protection inquiries specifically, please use the subject line: “Privacy Inquiry”

We will respond to your inquiry within a reasonable timeframe, typically within 5 business days.


Your Privacy Matters

We are committed to transparency and protecting your personal information. Thank you for trusting us with your data.