PRIVACY POLICY

EMPRA Pty Ltd ATF The EMPRA Trust trading as Zama Yoga | zamayoga.com.au

Last updated: March 2026

1. Introduction

This Privacy Policy is published by EMPRA Pty Ltd ATF The EMPRA Trust, trading as Zama Yoga (“the Company”, “we”, “us”, “our”), operator of the website at zamayoga.com.au (the “Site”) and provider of online teacher training courses under the Zama Yoga and Zama Institute brands.

The Company is committed to protecting the privacy of individuals whose personal information it collects, holds, uses, and discloses in the course of operating its business. This Privacy Policy sets out the manner in which the Company handles personal information, in accordance with the Privacy Act 1988 (Cth) (the “Privacy Act”) and the Australian Privacy Principles (“APPs”) contained in Schedule 1 of that Act.

A copy of the Australian Privacy Principles may be obtained from the website of the Office of the Australian Information Commissioner (“OAIC”) at www.oaic.gov.au.

This Policy applies to all personal information collected by the Company through the Site, its course delivery platform, email communications, and any other means by which the Company interacts with individuals.

By accessing or using the Site, or by providing personal information to the Company in any context, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, storage, and disclosure of your personal information as described herein.

2. Definitions

In this Privacy Policy, unless the context otherwise requires:

  • “Personal information” has the meaning given in the Privacy Act 1988 (Cth), and includes any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
  • “Sensitive information” has the meaning given in the Privacy Act 1988 (Cth), and includes information or an opinion about an individual’s health, racial or ethnic origin, political opinions, membership of political, professional or trade associations, religious or philosophical beliefs, sexual orientation or practices, or criminal record.
  • “Student” means any individual who has enrolled in, or applied to enrol in, a course offered by the Company.
  • “Third-party service provider” means any entity engaged by the Company to provide services in connection with the operation of the Site or delivery of courses, including but not limited to payment processors, email marketing platforms, analytics providers, and cloud hosting services.
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).

3. Personal Information Collected

3.1 Information Provided Directly

The Company collects personal information that individuals voluntarily provide in the course of interacting with the Site or communicating with the Company. This may include, but is not limited to:

  • Full name and contact details, including email address, telephone number, and postal address;
  • Account credentials, including username and password, created upon enrolment in a course;
  • Billing and payment information submitted at the time of purchase, which is processed by third-party payment service providers engaged by the Company;
  • Course enrolment details and any stated study preferences or requirements;
  • Communications directed to the Company, including enquiries, complaints, and support requests;
  • Responses to surveys, feedback forms, or research conducted by the Company.

3.2 Information Collected Automatically

When you access the Site, certain technical and behavioural information is collected automatically by means of cookies, web analytics tools, session monitoring technology, and similar technologies. This may include:

  • Internet Protocol (IP) address and approximate geolocation derived therefrom;
  • Browser type, version, language settings, and operating system;
  • Device type, screen resolution, and hardware identifiers;
  • Pages visited on the Site, duration of visit, and navigation paths between pages;
  • Referring URL or search engine query used to access the Site;
  • User interactions with page elements, including clicks, scrolls, and form interactions;
  • Session recordings capturing a visitor’s interactions with a page during a single browsing session, subject to consent as described in clause 7 below.

Automatically collected information is used to improve the performance, design, and functionality of the Site, to monitor the effectiveness of marketing activities, and to detect and prevent fraudulent or malicious behaviour.

3.3 Information Received from Third Parties

The Company may, from time to time, receive personal information about you from third-party sources, including advertising platforms, payment processors, or referral partners, where you have authorised those third parties to share such information with the Company or where such disclosure is otherwise permitted by law.

3.4 Sensitive Information

The Company does not seek to collect sensitive information as a matter of course. In limited circumstances, sensitive information (such as health information relevant to course participation) may be voluntarily provided by a student. Where sensitive information is collected, it will be used only for the primary purpose for which it was provided, or a directly related secondary purpose, or with the individual’s express consent, or as required or authorised by law.

4. Means of Collection

The Company collects personal information by lawful and fair means, and will, where reasonably practicable, collect personal information directly from the individual concerned. Personal information may be collected through the following means:

  • Online forms, including course enquiry forms, enrolment and checkout processes, and newsletter subscription forms on the Site;
  • Electronic communications, including email correspondence initiated by or directed to the Company;
  • Automated collection through cookies and tracking technologies deployed on the Site, subject to the individual’s cookie consent preferences;
  • Payment processing at the time of course purchase;
  • Social media platforms and online advertising tools, where the individual has interacted with the Company’s content or advertising.

Where personal information is collected by automated means or through third-party technologies, the Company will endeavour to notify individuals of such collection at or before the time the information is collected, including through the cookie consent mechanism described in clause 7 of this Policy.

5. Purposes of Collection and Use

The Company collects, holds, uses, and discloses personal information for the following primary purposes and directly related secondary purposes:

5.1 Provision of Services

  • Processing and administering course enrolments and associated payments;
  • Creating and managing student accounts and providing access to course materials;
  • Delivering course content and issuing certificates or other records of completion;
  • Communicating with students regarding their enrolment, course progress, and any changes to courses or services;
  • Providing customer support and responding to enquiries and complaints;
  • Maintaining student records as required by the Company’s accreditation obligations.

5.2 Marketing and Communications

  • Sending marketing communications, including promotional emails and course updates, where the individual has consented to receive such communications or where the Company is otherwise permitted to do so under the Spam Act 2003 (Cth);
  • Serving targeted online advertising to current and prospective students through third-party advertising platforms, where the individual has consented to marketing cookies;
  • Personalising the content, offers, and user experience presented to individuals on the Site.

5.3 Analytics and Site Improvement

  • Analysing user behaviour on the Site for the purpose of improving content, navigation, and functionality;
  • Monitoring and optimising Site performance and identifying and resolving technical issues;
  • Evaluating the effectiveness of marketing campaigns and advertising expenditure;
  • Generating aggregated, anonymised statistical reports for internal business purposes.

5.4 Legal and Regulatory Compliance

  • Complying with applicable laws and regulatory obligations, including obligations under the Privacy Act 1988 (Cth), the Spam Act 2003 (Cth), and any applicable taxation legislation;
  • Maintaining records as required by the Company’s accreditation bodies, including Yoga Australia, Meditation Australia, and Physical Activity Australia;
  • Detecting and preventing fraud, security breaches, and other unlawful activity;
  • Establishing, exercising, or defending legal claims.

The Company will not use or disclose personal information for a purpose other than a purpose described in this Policy, a directly related secondary purpose, or a purpose to which the individual has consented, except as required or permitted by law.

6. Cookies

6.1 What Are Cookies

A cookie is a small text file placed on a user’s device by a website server when the user accesses the website. Cookies enable the website to recognise the user’s device on subsequent visits and perform various functions, including maintaining session state, retaining user preferences, and facilitating analytics and advertising activities.

The use of cookies by the Company is governed by this Policy and, where applicable, by the Company’s cookie consent mechanism. By accepting cookies through the consent mechanism provided on the Site, you consent to the Company’s use of cookies in accordance with this Policy.

6.2 Categories of Cookies Used

The Company uses the following categories of cookies on the Site:

  • Strictly Necessary Cookies: cookies that are essential to the operation of the Site and cannot be disabled, including session management cookies, shopping cart functionality cookies, and security cookies. No consent is required for these cookies.
  • Analytics Cookies: cookies used to collect information about how visitors use the Site, including pages visited, time on site, and navigation behaviour. This information is used in aggregate form to improve the Site’s design and functionality.
  • Functional Cookies: cookies used to remember user preferences and settings in order to provide a more personalised experience on the Site.
  • Marketing and Advertising Cookies: cookies used to track user activity across websites for the purpose of delivering targeted advertising. These cookies are only activated following the user’s affirmative consent through the Site’s cookie consent mechanism.

6.3 Management of Cookies

Upon your first visit to the Site, a cookie consent banner will be displayed enabling you to accept or decline non-essential cookies by category. Your preferences will be stored and applied on subsequent visits. You may update or withdraw your cookie preferences at any time using the cookie settings tool accessible from the Site’s footer.

You may also configure your browser settings to refuse or delete cookies. Please note that disabling strictly necessary cookies may impair or prevent your ability to use certain functions of the Site, including course access and the checkout process. Information on managing cookies in common browsers is available at www.allaboutcookies.org.

7. Website Analytics and Behavioural Monitoring

The Company uses web analytics and behavioural monitoring technologies to collect information about how individuals interact with the Site. Such technologies may collect the following categories of information:

  • Pages visited and time spent on each page;
  • Scroll depth and areas of the page that attract user attention;
  • User interactions with page elements, including clicks, taps, and cursor movements;
  • Navigation paths through the Site;
  • Recordings of individual browsing sessions, capturing how a user interacts with a particular page during a single visit (“session recordings”).

Session recordings are used solely to identify usability issues and improve the design and functionality of the Site. Session recording technology is configured to mask all fields containing personal or sensitive information, including payment details, passwords, and personally identifiable form inputs, such that such information is not captured in recordings.

Behavioural monitoring and analytics tools are deployed by third-party service providers. Data collected by these tools may be processed and stored on servers located outside of Australia, including in the United States and the European Union. Where this occurs, the Company takes reasonable steps to ensure that such data is handled consistently with the Australian Privacy Principles.

Analytics and session recording technologies that constitute non-essential cookies are only activated following the user’s affirmative consent through the Site’s cookie consent mechanism. Users may withdraw consent at any time by updating their cookie preferences.

Analytics data is retained for the periods specified in clause 11 of this Policy. Session recordings are automatically deleted after a maximum of 90 days.

8. Website Caching Technology

The Site uses server-side and browser-based caching technology to improve page load times and overall performance. Caching systems temporarily store copies of web pages and associated assets to enable faster delivery to returning visitors.

Caching technology processes non-personal technical data only, including cached page content, static assets such as images and style files, and browser cache headers. Caching systems do not store personally identifiable information.

Where an individual is authenticated as a logged-in student, caching is disabled for that user’s session to ensure that current account and course information is always delivered.

9. Payment Processing

Course fees and associated charges are collected through an online checkout process on the Site. Payment transactions are processed by reputable third-party payment service providers. The Company does not store, process, or transmit full payment card numbers, security codes, or other sensitive payment credentials on its own systems. All payment card data is handled directly by the relevant payment service provider in accordance with the Payment Card Industry Data Security Standard (PCI DSS).

By completing a purchase on the Site, you acknowledge and agree that your payment information will be processed by the Company’s payment service provider(s) in accordance with their respective terms of service and privacy policies. The Company recommends that you review those policies before completing a purchase.

The Company retains records of completed transactions, including the date, amount, and nature of each purchase, for accounting, taxation, and dispute resolution purposes. Such records are retained for a minimum period of seven (7) years, in accordance with the requirements of applicable Australian taxation legislation.

10. Online Advertising and Tracking Pixels

The Company may engage third-party digital advertising platforms to promote its courses to current and prospective students. Such platforms may utilise tracking technologies, including tracking pixels (small pieces of code embedded in web pages), to collect information about users’ visits to and interactions with the Site.

Tracking pixels and associated advertising technologies may be used for the following purposes:

  • Delivering targeted advertising to individuals on third-party platforms, based on their prior interactions with the Site;
  • Building custom audience segments comprising individuals who have previously visited the Site or engaged with the Company’s content;
  • Constructing lookalike audience segments on advertising platforms, based on the characteristics of existing students;
  • Measuring the reach, frequency, and effectiveness of advertising campaigns.

Advertising tracking pixels constitute marketing cookies and are only activated following the user’s affirmative consent through the Site’s cookie consent mechanism, in accordance with the Company’s obligations under the APPs and, where applicable, the GDPR.

In accordance with guidance issued by the Office of the Australian Information Commissioner in November 2024, tracking pixels are treated as personal information collection tools under the Privacy Act 1988 (Cth). The Company handles data collected through tracking pixels in accordance with this Policy and the Australian Privacy Principles.

Users may withdraw consent to marketing cookies at any time by updating their cookie preferences through the cookie settings tool on the Site. Users may also manage their advertising preferences directly through the relevant advertising platform.

11. Email Marketing

The Company may send marketing communications by electronic means, including email, to individuals who have subscribed to receive such communications or who are existing customers of the Company, in each case only where permitted to do so under the Spam Act 2003 (Cth) and the APPs.

Every marketing email sent by the Company will:

  • Clearly identify the Company as the sender;
  • Include a functioning unsubscribe mechanism enabling the recipient to opt out of future marketing communications; and
  • Honour all unsubscribe requests promptly and without charge.

The Company engages third-party email service providers to manage subscriber lists and deliver email communications. Subscriber data, including name and email address, is stored on the service provider’s systems, which may be located outside of Australia. The Company selects service providers that maintain appropriate data protection standards.

Opting out of marketing communications will not affect the delivery of transactional communications that are necessary for the administration of your enrolment, account, or purchases, including enrolment confirmations, course access notifications, and payment receipts.

12. Disclosure of Personal Information

12.1 Third-Party Service Providers

The Company may disclose personal information to third-party service providers engaged to assist in the operation of the Site, the delivery of courses, and the administration of the business. Such disclosure is made only to the extent necessary for the service provider to perform the relevant service, and the Company takes reasonable contractual steps to ensure that service providers handle personal information in accordance with the APPs.

Categories of third-party service providers to whom personal information may be disclosed include:

  • Payment processing providers;
  • Online course delivery and learning management platform providers;
  • Email marketing and communications platform providers;
  • Website hosting and cloud infrastructure providers;
  • Web analytics and behavioural monitoring technology providers;
  • Digital advertising platform operators;
  • Professional advisers, including legal, accounting, and IT service providers, subject to confidentiality obligations.

12.2 Accreditation Bodies

Where required for the purpose of verifying or registering course completion, or otherwise fulfilling the Company’s obligations as an accredited training provider, the Company may disclose relevant personal information to its accreditation bodies, including Yoga Australia, Meditation Australia, and Physical Activity Australia.

12.3 Disclosure Required by Law

The Company may disclose personal information to law enforcement agencies, courts, regulatory bodies, or other government authorities where required or authorised to do so by law, or where such disclosure is reasonably necessary to establish, exercise, or defend a legal claim, or to prevent or investigate suspected unlawful activity.

12.4 No Sale of Personal Information

The Company does not sell, rent, or trade personal information to or with third parties for their own commercial purposes.

12.5 Business Transfers

In the event of a merger, acquisition, sale of assets, or other corporate restructure involving the Company, personal information held by the Company may be transferred to the relevant successor entity, subject to that entity assuming the obligations set out in this Policy with respect to the personal information so transferred.

13. Overseas Disclosure

Some of the third-party service providers engaged by the Company operate systems and infrastructure located outside of Australia, including in the United States and the European Union. As a consequence, personal information may be stored, processed, or accessed by such providers on servers located overseas.

Before disclosing personal information to an overseas recipient, the Company takes reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information. By providing personal information to the Company and consenting to this Policy, you consent to the potential disclosure of your personal information to overseas recipients as described herein.

If you are located within the European Union or the European Economic Area, please refer to clause 16 of this Policy regarding your additional rights under the GDPR.

14. Retention of Personal Information

The Company retains personal information for no longer than is reasonably necessary to fulfil the purposes for which it was collected, or as required or permitted by law. The following retention periods apply:

  • Student enrolment records and course completion data: retained for a minimum of seven (7) years following course completion, in accordance with the Company’s accreditation obligations;
  • Financial transaction records: retained for a minimum of seven (7) years in accordance with applicable Australian taxation legislation;
  • Email marketing subscriber data: retained until the subscriber unsubscribes or requests deletion, subject to any overriding legal obligation to retain;
  • Web analytics data: retained for a maximum of fourteen (14) months, after which it is anonymised or deleted; aggregated, anonymised analytics data may be retained indefinitely;
  • Session recording data: retained for a maximum of ninety (90) days, after which recordings are automatically deleted;
  • General enquiry data: retained for a maximum of two (2) years from the date of the enquiry.

Upon the expiry of the applicable retention period, or where personal information is no longer required for any purpose described in this Policy, the Company will take reasonable steps to destroy or permanently de-identify the information in a secure manner.

15. Security of Personal Information

The Company takes reasonable technical and organisational steps to protect personal information in its possession or control against misuse, interference, loss, and unauthorised access, modification, or disclosure. Security measures include, but are not limited to:

  • Encryption of data in transit through Transport Layer Security (TLS/HTTPS) across all pages of the Site;
  • Restricted access controls limiting access to personal information to authorised personnel and contractors with a legitimate need to access such information;
  • Security monitoring and intrusion detection measures on the Site and associated systems;
  • Strong authentication controls for administrative access to the Site and related systems;
  • Contractual obligations imposed on third-party service providers to maintain appropriate security practices.

Notwithstanding the foregoing, no data transmission over the internet or electronic storage system can be guaranteed to be completely secure. The Company cannot warrant the absolute security of personal information transmitted to or from the Site. You transmit personal information to the Company at your own risk.

In the event of a data breach that is likely to result in serious harm to affected individuals, the Company will comply with its mandatory data breach notification obligations under the Privacy Act 1988 (Cth) and will notify affected individuals and the OAIC as required.

16. Rights of Individuals

16.1 Rights Under the Privacy Act 1988 (Cth)

Subject to the exceptions set out in the Privacy Act 1988 (Cth), individuals have the following rights with respect to their personal information held by the Company:

  • The right to request access to personal information held about them by the Company;
  • The right to request the correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading;
  • The right to make a complaint if they believe the Company has contravened the APPs in relation to their personal information.

To exercise the rights set out above, please contact the Company in writing at info@zamayoga.com.au. The Company will respond to access and correction requests within thirty (30) days of receipt. The Company reserves the right to verify your identity before processing a request. The Company does not charge a fee for making an access or correction request, but may charge a reasonable administrative fee for providing access to personal information in appropriate circumstances.

Where the Company declines to provide access to, or to correct, personal information, it will provide written reasons for its decision and, where applicable, advise of the complaint mechanisms available.

16.2 Rights of EU/EEA Residents Under the GDPR

Where the processing of personal information by the Company is subject to the GDPR by reason of the individual’s location within the European Union or the European Economic Area, the individual may additionally have the following rights:

  • The right to erasure of personal data (the ‘right to be forgotten’), subject to applicable legal exceptions;
  • The right to restriction of processing of personal data in prescribed circumstances;
  • The right to data portability, where processing is carried out by automated means and based on consent or contract;
  • The right to object to processing based on the Company’s legitimate interests;
  • The right to withdraw consent to processing at any time, where processing is consent-based, without affecting the lawfulness of processing prior to withdrawal.

To exercise any of the rights set out in this clause, please contact the Company at info@zamayoga.com.au. The Company will respond to requests from EU/EEA residents within the timeframes prescribed by the GDPR. Please note that certain rights are subject to legal exceptions and may not be exercisable in all circumstances.

17. Children

The Site and the Company’s courses are directed to adults aged eighteen (18) years and over. The Company does not knowingly collect personal information from individuals under the age of eighteen (18). If the Company becomes aware that it has collected personal information from a person under the age of eighteen (18) without appropriate parental or guardian consent, the Company will take prompt steps to delete that information from its systems.

If you have reason to believe that a person under the age of eighteen (18) has provided personal information to the Company, please contact us at info@zamayoga.com.au.

18. Third-Party Websites

The Site may contain hyperlinks to websites operated by third parties, including accreditation bodies, payment service providers, and social media platforms. This Privacy Policy does not apply to those websites. The Company makes no representation or warranty regarding the privacy practices of any third-party website, and encourages individuals to review the privacy policy of each website they visit.

19. Complaints

If you have a complaint regarding the manner in which the Company has handled your personal information, or if you believe the Company has contravened the APPs, please contact the Company in the first instance using the contact details set out in clause 20 below.

Please direct your complaint to the Company in writing at info@zamayoga.com.au with the subject line “Privacy Complaint”. The Company will acknowledge receipt of your complaint within five (5) business days and will endeavour to resolve it within thirty (30) days of receipt. In the event that the matter cannot be resolved within that period, the Company will advise you of the expected timeframe for resolution.

If you are not satisfied with the Company’s response to your complaint, you may refer the matter to the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Telephone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

Individuals located within the European Union or European Economic Area who are not satisfied with the Company’s response may also refer a complaint to the relevant supervisory authority in their jurisdiction.

20. Amendments to This Policy

The Company reserves the right to amend this Privacy Policy from time to time to reflect changes in its operations, legal obligations, or the technologies it deploys. The current version of this Policy will at all times be published on the Site at zamayoga.com.au/privacy-policy. The date at the top of this document indicates the date on which it was last updated.

Where the Company makes a material change to this Policy, it will take reasonable steps to notify enrolled students of the change, including by email to the address held on file for each student. Continued use of the Site following notification of a material change constitutes acceptance of the amended Policy.

Individuals are encouraged to review this Policy periodically.

21. Contact Details

All enquiries, access requests, correction requests, and complaints relating to this Privacy Policy or the Company’s handling of personal information should be directed to:

EMPRA Pty Ltd ATF The EMPRA Trust trading as Zama Yoga

Website: www.zamayoga.com.au

Email: info@zamayoga.com.au

This Policy was last reviewed and updated in March 2026.