Skip to content

Privacy Policy

This is a courtesy English translation. The binding version is the German original.

Last updated: 18 June 2026

Controller

The controller for data processing on this website within the meaning of the GDPR is:

PASSION4IT GmbH represented by Christian Kirsch Postackerweg 9 94234 Viechtach, Germany

info@riverroom-yoga.de

All further mandatory disclosures (commercial register, management, professional liability) can be found in the Legal Notice.

Data protection officer

We have appointed an external data protection officer. You can reach them directly:

Stefan Köster eConsulting Stefan Köster Op de Elg 13a 22393 Hamburg, Germany

stefan@koester-eConsulting.com · koester-eConsulting.com

What we collect in principle

We process personal data only where there is a legal basis — typically your consent (Art. 6(1)(a) GDPR), pre-contractual steps (b), a legal obligation (c) or our legitimate interest in a functioning, secure website (f). Personal data means data that can identify you — such as name, email address, phone number, IP address or the content of an enquiry.

We aim for data minimisation: standard technical data on page access, plus the data you actively provide via the contact form, by email or when booking a class. Nothing more.

Hosting & delivery — Cloudflare Pages

This website is operated on Cloudflare Pages and delivered via the Cloudflare CDN. The provider is Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. On page access, Cloudflare processes technical connection data (in particular your IP address, browser/device information, referrer, date and time of the request) to ensure content delivery, load balancing, DDoS protection and encryption.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure, performant delivery of the website). A data processing agreement (DPA) including EU standard contractual clauses is in place with Cloudflare. Cloudflare is certified under the EU-U.S. Data Privacy Framework. Details can be found in the Cloudflare privacy policy.

Cookies & consent

We use cookies and comparable technologies only where they are technically necessary or where you have actively consented. On your first visit, a consent banner appears with two categories:

  • Necessary — always active. Stores your consent decision and ensures basic functions (e.g. language selection).
  • Analytics — optional. We currently do not activate any services in this category; it is a placeholder for future reach measurement and remains ineffective without consent. Should we activate analytics services, we will update this privacy policy accordingly.

The consent banner is based on the open-source library vanilla-cookieconsent v3. It runs entirely in your browser, transmits nothing to third parties and stores your decision locally in a first-party cookie. You can adjust or fully withdraw your consent at any time — the lawfulness of processing carried out up to the withdrawal remains unaffected.

The legal basis for storing optional cookies is § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR (consent). For technically necessary cookies we rely on § 25(2) no. 2 TDDDG.

Server log files

When you access any page, your browser automatically transmits technical data to our host, Cloudflare. The following are recorded in particular:

  • IP address (truncated as soon as no longer needed for delivery)
  • date and time of the request
  • requested URL and HTTP status
  • browser type, browser version and operating system
  • referrer URL (the page you came from)

This data is technically necessary to deliver the website, detect security attacks (e.g. DDoS) and fix errors. Legal basis: Art. 6(1)(f) GDPR. We do not merge the server logs with other data sources and do not create personal profiles on their basis.

Fonts — self-hosted

We use the “Mulish” font family. The fonts are served directly from our servers (or the Cloudflare CDN) — there is no connection to third-party providers such as Google Fonts or Adobe Fonts.

Contact form

On our contact page you can send us your name, email address and message via a form. When you submit the form, this information is transmitted to our server (a function on Cloudflare Pages) and delivered from there as an email to our mailbox. For the technical delivery of the email we use the service Brevo (Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France). Brevo processes the transmitted data solely to deliver the email and not for its own purposes; a data processing agreement is in place with Brevo and processing takes place within the EU. We process the data solely to answer your enquiry and do not pass it on to further third parties. The legal basis is Art. 6(1)(b) GDPR where your enquiry aims at concluding a contract (e.g. a class booking), otherwise Art. 6(1)(f) GDPR (legitimate interest in answering your enquiry). We store your enquiry until it has been fully processed.

Spam protection — Cloudflare Turnstile

To protect our contact form against automated requests (spam), Cloudflare Turnstile may be used. The provider is Cloudflare, Inc. Without a classic CAPTCHA, Turnstile checks whether the input comes from a human and processes technical information from your browser for this purpose. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in preventing misuse).

Online classes via Zoom

Yoga classes can take place live online via Zoom on request. The provider is Zoom Video Communications, Inc. If you take part in an online class, Zoom typically processes: display name, email address, meeting metadata (date, time, meeting ID) and, during the class, audio/video content. On request we make a recording of the class available to you for a limited time; a recording is only made by prior arrangement. Legal basis: Art. 6(1)(b) GDPR (performance of the booked service) or Art. 6(1)(a) GDPR (consent to a recording).

Enquiries by email or phone

If you contact us by email or phone, we process your contact details and the content of your enquiry in order to answer it. The legal basis is Art. 6(1)(b) GDPR where your enquiry aims at concluding a contract (e.g. a class booking), otherwise Art. 6(1)(f) GDPR (legitimate interest in efficient handling). We store this data until the purpose has been fulfilled or statutory retention periods (e.g. § 257 HGB, § 147 AO) require longer storage.

Data transfers to third countries

Some of the services mentioned above (Cloudflare, Zoom) transfer data to group companies outside the EU/EEA — in particular to the USA. We base these transfers on:

  • the EU standard contractual clauses under Art. 46(2)(c) GDPR (anchored in the respective data processing agreements),
  • the EU-U.S. Data Privacy Framework, where the respective provider is certified (Art. 45 GDPR),
  • where applicable, your explicit consent under Art. 49(1)(a) GDPR for services loaded solely on a consent basis.

We point out that a level of data protection comparable to that in the EU cannot be guaranteed in third countries. Access by state authorities (e.g. US security agencies) to personal data cannot be entirely ruled out.

Storage period

We store personal data only for as long as is necessary for the respective purpose. We delete contact enquiries after they have been processed; we retain contract and booking data in accordance with commercial and tax retention periods (6–10 years under § 257 HGB, § 147 AO).

Your rights

You have the right at any time to:

  • access the data stored about you (Art. 15 GDPR),
  • rectification of inaccurate data (Art. 16 GDPR),
  • erasure, where no retention obligation stands in the way (Art. 17 GDPR),
  • restriction of processing (Art. 18 GDPR),
  • data portability in a machine-readable format (Art. 20 GDPR),
  • objection to processing based on Art. 6(1)(f) GDPR, as well as to direct marketing (Art. 21 GDPR),
  • withdrawal of consent once given, with effect for the future (Art. 7(3) GDPR).

To do so, send us an informal message at info@riverroom-yoga.de or contact our data protection officer directly. Independently of this, you have a right to lodge a complaint with the competent data protection supervisory authority (for PASSION4IT GmbH: Bavarian State Office for Data Protection Supervision, BayLDA, Promenade 18, 91522 Ansbach).

SSL/TLS encryption

The entire website is delivered exclusively via HTTPS (TLS). Your browser shows this with the padlock symbol and the https:// prefix in the address bar. Transfers from your browser to our server are thus encrypted and cannot be read by third parties.

Advertising emails

We hereby object to the use of contact data published in the legal notice for sending advertising and information material not expressly requested. We reserve the right to take legal action should we receive unsolicited advertising — for example by spam email.

Changes to this privacy policy

We adapt this privacy policy as soon as we introduce new services, legal requirements change or existing processing operations cease. The version available on this page applies at any given time. We mark material changes with an updated “last updated” date at the top.