Privacy Policy
Roya Yoga ("Roya", "we", "us") is a studio software product for yoga teachers. We build sequences, attach music, and run live classes. This policy explains what data we collect, why, and how we protect it. We collect the minimum needed to make the product work — no advertising, no resale, no third-party trackers.
1. Data we collect
Account information
- Username, hashed password, display name, email — created when you sign up. Used only to sign you in and address you in the product.
- Studio & role — which workspace you belong to and your permissions (owner, admin, teacher, student).
Product data you create
- Class plans, pose sequences, soundtracks, class schedules, attendance/roster entries.
- Anything you type into the composer or settings.
Spotify integration data (only if you Connect Spotify)
When you tap Connect on the Spotify card, Roya uses Spotify's OAuth 2.0 Authorization Code flow. Spotify shows you the consent screen and only after you approve does any data flow to us.
- Access & refresh tokens — encrypted with AES-256-GCM before being written to our database. Keys never leave the server.
- Spotify user ID, display name, account type (free/premium), country, profile image URL — shown in the Settings page so you can see which account is connected.
- Your playlists, playlist tracks, and audio features (tempo, energy) — read on demand when you build a class soundtrack. We do not store playlist contents permanently; results are cached briefly for performance.
- Playback state — read in real time during a live class to sync transitions. Not persisted.
Permissions (scopes) we request from Spotify
- user-read-private, user-read-email — identify your Spotify account so we can show "Connected as you".
- playlist-read-private, playlist-read-collaborative — read playlists you choose to attach to a class.
- streaming — play tracks in-browser via Spotify's Web Playback SDK (Premium required).
- user-read-playback-state, user-modify-playback-state, user-read-currently-playing — control playback (skip, crossfade, duck) and read what's live so the timeline indicator works.
2. How we store and protect data
- Encryption in transit: TLS 1.2+ for every request (HTTPS-only, HSTS enabled).
- Encryption at rest: Spotify access & refresh tokens are encrypted with AES-256-GCM. The master key is stored as a server-side environment variable, never in source control.
- Passwords: hashed with bcrypt. We never see your plaintext password.
- Session cookies: HTTP-only, Secure, SameSite=Strict. CSRF tokens required on every state-changing request.
- Hosting: EU/US-based VPS, single tenant for the database, daily snapshots.
3. How long we keep your data
- Spotify tokens: deleted from our database the moment you tap Disconnect on the Settings page. You can also revoke our access directly from spotify.com/account/apps at any time.
- Account data: kept while your account is active. Deleted within 30 days of you closing the account or emailing us at hello@roya.yoga to request deletion.
- Audit logs: 90 days, then purged.
4. Your rights
You can:
- Access, export, or delete your data at any time — email hello@roya.yoga and we will action it within 30 days.
- Disconnect Spotify with one tap from the Settings page; the tokens are deleted immediately.
- Revoke Roya's Spotify access from spotify.com/account/apps.
- Object to processing or lodge a complaint with your local data-protection authority (GDPR Art. 77 / CCPA equivalents).
5. Third parties
Roya only shares data with the providers strictly necessary to run the product:
- Spotify AB — when you use the Spotify integration. Their privacy policy: spotify.com/legal/privacy-policy.
- Our hosting provider for compute and storage.
We do not use analytics trackers, advertising pixels, or session replay tools.
6. Children
Roya is not directed to children under 13. If you believe a child has signed up, email us and we'll delete the account.
7. Changes to this policy
Material changes will be announced in-app at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
8. Contact
Email: hello@roya.yoga
Controller: Roya Yoga, Prospect, Kentucky, USA.
Spotify is a trademark of Spotify AB. Roya Yoga is an independent product and is not affiliated with, endorsed, or sponsored by Spotify AB.