1. Introduction

This Privacy Policy explains how we collect, use, store and protect your personal data.

This policy applies to all personal data processed by:

• Soulshine by Soulla Ltd (company number 13718169), which delivers retreats, in-person events and residential experiences, and

• The Soulshine Way Ltd (company number 12529537), which delivers online programmes, courses, coaching, digital products and educational experiences.

Together referred to as “we”, “us” or “our”.

We are committed to protecting your privacy and complying with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who we are and how to contact us

Data Controllers:
Soulshine by Soulla Ltd and The Soulshine Way Ltd

Registered office:
7 The Ridge, Ridgemount Road, Sunningdale, SL5 9LN, United Kingdom

Email: soulla@soulshineretreats.com

You have the right to contact us at any time regarding your personal data.

3. What personal data we collect

We may collect and process the following categories of personal data:

3.1 Identity and contact data

• Name

• Email address

• Telephone number

• Billing address

• Country of residence

3.2 Booking and transaction data

• Details of retreats, events, programmes or services booked

• Payment status and transaction references

• Invoices and receipts

We do not store full card details. Payments are processed securely by third-party providers.

3.3 Health, wellbeing and accessibility data (special category data)

Where relevant to retreats, events or coaching, we may collect:

• injuries or physical limitations

• health conditions relevant to participation

• allergies and dietary requirements

• accessibility or support needs

This information is collected solely to support safety, inclusion and appropriate facilitation.

3.4 Identification documents

For some retreats, we may collect:

• passport details required by venues or accommodation providers

This is only collected where strictly necessary and shared securely.

3.5 Communications

• emails, messages and enquiry forms

• communications via Typeform, email or website forms

3.6 Website and usage data

• IP address

• browser type and version

• pages visited and interaction data

This data is collected via cookies and Google Analytics.

4. How we collect your data

We collect data when you:

• book a retreat, event or programme

• complete a Typeform or ThriveCart checkout

• subscribe to our mailing list

• contact us by email or website form

• visit our website

5. Lawful bases for processing

Under UK GDPR, we must have a lawful basis for processing your data.We rely on the following:

5.1 Contract

To:

• process bookings and payments

• deliver retreats, programmes and services

• communicate essential service information

5.2 Legitimate interests

To:

• run and improve our business

• ensure safety and safeguarding

• manage logistics with venues, facilitators and chefs

• respond to enquiries and feedback

• prevent fraud and misuse

We always balance our interests against your rights.

5.3 Consent

To:

• send newsletters and marketing emails

• collect optional information

• publish testimonials where identifiable

You can withdraw consent at any time.

5.4 Legal obligation

To:

• meet accounting, tax and regulatory requirements

• respond to lawful requests from authorities

5.5 Special category data condition

Health and wellbeing data is processed:

• for reasons of health and safety

• to make reasonable adjustments

• with appropriate safeguards in place

6. How we use your data

We use personal data to:

• deliver retreats, programmes and services

• process payments and manage bookings

• communicate essential information

• provide customer support

• send newsletters and updates where consented

• manage safety and wellbeing

• improve our website and offerings

7. Sharing your data

We only share your data where necessary and proportionate.

7.1 Service providers

We use trusted third parties including:

• Stripe for payments

• ThriveCart for checkout and digital product delivery

• Typeform for booking and intake forms

• Squarespace for website hosting

• ActiveCampaign for email communications

• Google Analytics for website analytics

These providers process data under their own privacy policies and appropriate safeguards.

7.2 Retreat-specific sharing

Where necessary, we may share limited data with:

• venues and accommodation providers (for example passport details)

• chefs (dietary requirements and allergies)

• facilitators or support staff (relevant health or accessibility information only)

Data is shared on a need-to-know basis only.

7.3 Legal and regulatory

We may disclose data:

• where required by law

• in connection with legal proceedings

• to protect our legal rights

8. International data transfers

Some of our service providers are based outside the UK.

Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

• UK adequacy regulations

• standard contractual clauses

9. Data retention

We retain personal data only for as long as necessary.

Typically:

• booking and financial records are retained for legal and accounting purposes

• health and dietary information is deleted after the relevant retreat or event unless legally required

• marketing data is retained until you unsubscribe

10. Your rights

Under UK GDPR, you have the right to:

• access your personal data

• correct inaccurate data

• request erasure

• restrict processing

• object to processing

• data portability

• withdraw consent at any time

• lodge a complaint with the Information Commissioner’s Office (ICO)

You can exercise these rights by contacting us.

11. Cookies and analytics

Our website uses cookies and Google Analytics to understand how visitors use our site.

You can manage cookie preferences through your browser or any cookie banner provided on our website.

Blocking cookies may affect website functionality.

12. Security

We use appropriate technical and organisational measures to protect your data.

However, no internet transmission is completely secure and you provide data at your own risk.

13. Changes to this policy

We may update this policy from time to time.

The latest version will always be published on our website.

14. Regulator

We are registered with the UK Information Commissioner’s Office.