PranaPath Logo
PranaPath

Privacy Policy

Effective May 17, 2026

This policy explains what personal data we collect when you use PranaPath, why we collect it, who we share it with, and the rights you have over it. It applies to our marketing and knowledge site at pranapath.app and to our school management platform at flow.pranapath.app (the “Platform”). Most of the personal data we process relates to the Platform, where yoga schools manage their teacher training cohorts, students, teachers, attendance and payment records.

1. Who is responsible

The data controller responsible for personal data processed through PranaPath is:

Hemant Kumar, sole proprietor

Berlin, Germany

Email: [email protected]

For all privacy-related questions, requests or complaints, please use the email above.

2. Who this policy is for

The Platform is used by several different kinds of people, and the data we hold about you depends on which one you are:

  • School administrators who set up cohorts, invite students and teachers, record attendance, and track payment installments.
  • Teachers who are assigned to cohort sessions and can view the students they teach.
  • Students who join a cohort through an invitation from their school and use the Platform to follow their training, mark attendance, and view payment status.
  • Visitors to pranapath.app who read our public knowledge pages or sign up for an account.

Where a yoga school uploads information about its students or teachers, the school is the controller of that data and we act as a processor on its behalf. The school is responsible for telling those individuals that their information has been added to PranaPath and for having a lawful basis to do so.

3. What we collect

Account information

Your name, email address, role (school admin, teacher, student, practitioner), password (stored as a salted hash by our authentication provider), and optional profile photo.

Information your school adds about you

If a school invites you as a student or teacher, they may add your name, email, phone number, the cohort you belong to, attendance status for each session, and payment installment amounts and due dates. We do not collect or store card or bank details — payment installments on the Platform are records of amounts owed and received, entered manually by the school.

Content you create

Yoga sequences you build, notes, and messages you send through any chat or AI feature on the Platform.

AI conversations

When you use PranaChat or any AI feature, the messages you send (and any context the feature attaches, such as a sequence you are editing or knowledge base content) are processed by the AI providers listed in section 8.

Technical and usage data

IP address, browser and device type, pages visited, actions taken, approximate location derived from IP, and crash or error reports. On the Platform we also capture session recordings (see section 11).

Communications

Emails you send us and our replies, plus delivery and open status of transactional emails we send you (account invitations, password resets, assignment notifications).

4. How we use your data

  • To provide the service: create and manage your account, run cohorts, record attendance, track payments, send transactional emails.
  • To operate AI features you use, such as pose lookup, sequence suggestions and knowledge search.
  • To understand how PranaPath is used so we can improve it — this includes product analytics and session recordings on the Platform.
  • To keep the service secure: detect abuse, debug errors, prevent unauthorised access.
  • To comply with legal obligations, in particular German tax and commercial law for records relating to paid invoices.
  • To respond to you when you contact us.

We do not sell personal data, and we do not use your content to train AI models — see section 8.

5. Legal basis (GDPR Art. 6)

  • Performance of a contract — for everything required to give you access to the Platform and run the cohort you are part of.
  • Legitimate interest — for product analytics, security monitoring, and basic crash reporting. You can object to these at any time using the contact details in section 1.
  • Consent — for session recording and any non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation — for retaining payment and invoice records as required by German tax and commercial law (HGB §257, AO §147).

6. AI features and your messages

PranaPath uses third-party AI providers to power features like PranaChat, sequence suggestions, knowledge search and pose image generation. When you use one of these features, the relevant input (your message, the sequence you are editing, the search query) is sent to the provider over an encrypted connection.

We use these providers under API agreements where your data is not used to train their models. Providers may retain inputs and outputs for a limited period for safety and abuse-prevention purposes (typically up to 30 days), after which they are deleted.

The AI providers we use are listed in section 8.

7. Who we share data with

We use the following third parties (“sub-processors”) to operate PranaPath. Each one is bound by a data processing agreement.

ProviderPurposeRegion
SupabaseDatabase and authenticationEU
AnthropicClaude AI — chat, sequence toolsUSA
OpenAIText embeddings for knowledge searchUSA
Google (Gemini)Pose image generationUSA
BrevoTransactional email (invitations, password resets)EU (France)
RailwayApplication hostingUSA
PostHog (EU Cloud)Product analytics and session recording (Platform only)EU
CloudflareCDN and DNSGlobal

8. International data transfers

Some of the providers in section 7 are based outside the European Economic Area, primarily in the United States. Where personal data is transferred outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework as the legal mechanism for the transfer.

9. Cookies and analytics

We use a small number of cookies and similar technologies:

  • Essential cookies — required to keep you signed in and to remember your preferences. These cannot be switched off.
  • Analytics cookies — set by PostHog to understand how the Platform is used and to improve it. These run on the Platform (flow.pranapath.app), not on our marketing site.

PostHog is configured in the EU region, so analytics data stays within the EU.

10. Session recording

On the Platform (flow.pranapath.app) we use PostHog session recording to capture how people interact with the interface — mouse movement, clicks, scrolling and page navigation — so we can fix usability problems and bugs. Input fields are masked by default, so we do not see what you type into form fields such as passwords, names, or notes.

Session recording is not used on pranapath.app. You can opt out of session recording by contacting us at [email protected].

11. How long we keep data

  • Account data — for as long as your account is active. We delete it within 30 days of you closing your account or asking us to.
  • Cohort, attendance and content data — kept for as long as the school using the Platform requires it. When a school ends its use of PranaPath, we delete its data within 90 days unless we are legally required to keep it for longer.
  • Payment and invoice records — retained for 10 years as required by German tax and commercial law.
  • AI conversation history — up to 12 months, then deleted.
  • Session recordings — retained by PostHog for up to 30 days, then deleted.
  • Backups — rolling backups are retained for up to 30 days before being overwritten.

12. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Have inaccurate data corrected (Art. 16).
  • Have your data deleted, subject to legal retention requirements (Art. 17).
  • Restrict our processing of your data (Art. 18).
  • Receive your data in a portable, machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, where consent is the legal basis (Art. 7).

To exercise any of these rights, email [email protected]. We respond within 30 days.

If you believe your data has been handled unlawfully, you have the right to lodge a complaint with a supervisory authority. In Germany this is the data protection authority of the federal state in which the controller is established.

13. Security

All traffic to and from PranaPath is encrypted in transit (TLS). Data at rest in our database is encrypted by Supabase. Access to production data is limited to the controller named in section 1. Passwords are stored as salted hashes by our authentication provider and are never visible to us.

No system is perfectly secure. If we ever discover a breach affecting your personal data, we will notify the relevant authority within 72 hours as required by Art. 33 GDPR, and we will notify you if there is a high risk to your rights.

14. Children

PranaPath is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please email us and we will delete it.

15. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify account holders by email at least 14 days before the changes take effect. The effective date at the top of this page always reflects the current version.

16. Contact

Questions about this policy, or about your data: [email protected].

Return to PranaPath