Effective date: 9 May 2026
Last updated: 9 May 2026
This Privacy Policy explains how RetreatsMap ("we", "us", "our") collects, uses and protects your personal data when you visit retreatsmap.com or any of our country-specific domains (retreatsmap.lt, retreatsmap.de, retreatsmap.es, retreatsmap.fr, retreatsmap.it) and use the services we provide.
We process your data in accordance with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive as implemented in your country.
1. What personal data we collect
Information you provide directly
Account data — name, email address, password (stored as a one-way hash), and optional profile image. Collected when you sign up.
Content you publish — events, places (venues / studios), teacher profiles, descriptions, schedules, images, and social media handles you choose to add.
Communications — messages sent through the contact form, replies to teachers or event organisers, and any support requests.
Information collected automatically
Technical data — IP address, browser type and version, device type, operating system, language preference, and the page that referred you to us.
Usage data — pages visited, time spent, search queries, and clicks. Collected only if you have granted analytics consent.
Approximate location — derived from your IP address to suggest nearby events. We do not store precise GPS coordinates without your explicit action (e.g. when you publish a place).
Information from third parties
Sign-in providers — if you sign in via a third-party account, we receive your name and email from that provider.
2. How we use your data and our legal basis
We process personal data only for clearly defined purposes and only on a lawful basis under GDPR Article 6:
Creating and managing your account — based on the contract between you and us.
Publishing content you submit (events, places, teacher profiles) — based on the contract between you and us.
Sending transactional emails (sign-up confirmation, password reset, content notifications) — based on the contract between you and us.
Replying to contact form messages — based on our legitimate interest in providing customer support.
Securing the site, preventing fraud, and monitoring errors — based on our legitimate interest in keeping the service safe and reliable.
Audience analytics and improving the site — based on your consent.
Personalised marketing and measuring advertising performance — based on your consent.
Complying with legal obligations — when required by law.
3. Cookies and similar technologies
Cookies are small text files placed on your device when you visit a website. We also use similar technologies such as browser local storage. Throughout this section we refer to them collectively as "cookies".
When you first visit our site you can choose which categories of cookies to allow. You can change your choice at any time via the "Cookie settings" link in the footer. Withdrawing consent does not affect data already processed before withdrawal.
Strictly necessary (always active)
Required for the site to function. They cannot be switched off.
authjs.session-token — keeps you signed in to your account. Provider: retreatsmap.com (NextAuth.js). Duration: session, up to 30 days.
cookie-consent-v1 (stored in browser local storage) — remembers which cookie categories you allowed. Provider: retreatsmap.com. Duration: until you clear your browser storage.
Analytics (optional — require consent)
Help us understand how visitors use the site so we can improve it. Set only if you allow "Analytics" in the consent banner.
_ga — distinguishes unique visitors. Provider: Google Analytics 4 (Google Ireland Ltd.). Duration: 2 years.
_ga_<ID> — persists session state for analytics. Provider: Google Analytics 4. Duration: 2 years.
Sentry session storage — captures error context for debugging. Provider: Functional Software, Inc. (Sentry, EU region). Duration: session.
Marketing (optional — require consent)
Used to measure the effectiveness of our advertising campaigns and to show you relevant ads on third-party platforms. Set only if you allow "Marketing".
_fbp — identifies your browser for Meta Ads measurement and retargeting. Provider: Meta Pixel (Meta Platforms Ireland Ltd.). Duration: 90 days.
Note: marketing cookies are only set when we run active advertising campaigns. If your browser shows none of them, no campaign is currently in flight.
How to manage cookies
Use the "Cookie settings" link in our footer to change your preferences any time.
You can also delete cookies through your browser settings. See your browser's help pages for instructions.
Note that disabling necessary cookies will break sign-in and other core features.
4. Who we share your data with
We do not sell your personal data. We share it only with service providers ("processors") who help us operate the site, under contracts that require them to protect your data and use it only on our instructions:
Hosting and infrastructure — our hosting provider running EU-based servers.
Email delivery — our SMTP provider for sending transactional emails.
Google Analytics 4 (Google Ireland Ltd.) — audience analytics, only with your consent.
Sentry (Functional Software, Inc., EU region) — error monitoring, only with your consent.
Cloudflare (Cloudflare, Inc.) — content delivery, DDoS protection, and bot/CAPTCHA verification (Turnstile).
Meta Platforms Ireland Ltd. — when we run advertising on Facebook or Instagram and you have granted marketing consent.
We may also disclose data when required by law (e.g. court order, valid request from a public authority).
5. International data transfers
Some of our processors are based in the United States or other countries outside the European Economic Area. When data is transferred internationally we rely on the safeguards required by GDPR Articles 44–49:
The European Commission's Standard Contractual Clauses (SCCs);
The EU-US Data Privacy Framework where the recipient is certified;
Equivalent legally recognised safeguards.
6. How long we keep your data
Account data — until you delete your account, then up to 30 days in encrypted backup.
Published content (events, places, teacher profiles) — until you delete it, or up to 24 months after the event has ended.
Contact form messages — 24 months.
Server logs and technical data — 30 days.
Analytics data — 14 months (configured retention in Google Analytics).
7. Your rights
If you are in the EEA, the United Kingdom, or Switzerland, GDPR (and equivalent local law) gives you the following rights:
Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — ask us to delete your data, subject to any legal retention obligations.
Restriction — ask us to limit processing in specific cases.
Portability — receive your data in a structured, machine-readable format and transfer it to another service.
Objection — object to processing based on legitimate interest, including direct marketing.
Withdraw consent — at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8. Children's privacy
RetreatsMap is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. Security
We protect your data with industry-standard measures: HTTPS encryption in transit, password hashing, role-based access controls on our database, and continuous security monitoring. No system is 100% secure, but we work to minimise risk and respond promptly to any incident.
10. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes (e.g. new categories of data, new recipients) we will notify you by email or through a prominent notice on the site before the change takes effect.