Privacy & Data Policy
How we collect, use, and protect your personal data when you reserve your training with us.
This privacy policy explains how shaolinacademy OÜ ("we", "us", "our") collects and uses your personal data when you make a reservation for our Shaolin Kung Fu Academy training program through our website.
We are the data controller for the personal data described in this policy. We process your data in accordance with the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
If you have questions about this policy or want to exercise any of the rights described in section viii, please email the address above.
When you fill in the reservation form, we collect:
- Identity: full name (as on passport), date of birth, gender (as on passport)
- Contact: email address, phone number
- Nationality: country of nationality
- Travel: type of visa for China, planned start date and length of stay, optional flight information
- Training: your stated Kung Fu experience level
- Add-on choices: whether you have selected airport pickup or a private room
When you complete payment, Stripe also collects, on our behalf:
- Billing address (street, city, postal code, country) — required by Stripe to charge the correct VAT
- Payment card details — handled entirely by Stripe; we do not see or store card numbers
- Optional VAT identification number — if you are paying as a business
After payment, we receive a small set of payment-related fields back from Stripe:
- Customer country (the two-letter country code from the billing address)
- Optional VAT ID (if provided)
- Amount paid, VAT rate and amount, Stripe fee
- Stripe session and payment-intent identifiers
We do not store your full billing address or your card details on our systems. The full billing address remains with Stripe.
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Take and confirm your reservation, communicate with you about your stay | Name, email, date of birth, gender, nationality, visa type, training level, dates, flight info, add-on choices | Performance of a contract — Art. 6(1)(b) |
| Process your payment and apply the correct VAT | Billing address (held by Stripe), country, VAT ID, payment data | Performance of a contract — Art. 6(1)(b); legal obligation for VAT — Art. 6(1)(c) |
| Issue a payment receipt and keep accounting records | Name, billing country, amounts, VAT, Stripe identifiers | Legal obligation under Estonian accounting and tax law — Art. 6(1)(c) |
| Manage refunds, disputes and chargebacks | Reservation and payment data | Performance of a contract; legal obligation |
| Improve and secure our service (e.g. server logs, fraud prevention) | Limited technical data such as IP address, request timestamps | Legitimate interest — Art. 6(1)(f) |
We do not use your data for advertising, profiling, or automated decision-making with legal effect. We do not sell your data.
To run the reservation system we use a small number of trusted service providers. They process your data only on our instructions, under written data processing agreements:
- Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (USA) — payment processing, VAT calculation, billing address collection. stripe.com/privacy
- Cloudflare, Inc. (USA) — hosting of the small backend that connects our reservation form to Stripe and our database. cloudflare.com/privacypolicy
- Formagrid, Inc. (Airtable) (USA) — database where reservation records are stored. airtable.com/company/privacy
We also share specific data with:
- Our Estonian accountant / handler — for VAT (OSS) reporting and bookkeeping
- Tax authorities — when required by law (for example, OSS quarterly reporting includes the country and VAT amount of your transaction, but no personally identifying information about you)
We will only share your data with other parties if we are legally required to do so (for example, in response to a court order or a request from a supervisory authority).
Stripe, Cloudflare and Airtable are based in the United States and may process some of your data there. These transfers are protected by:
- The European Commission's adequacy decision under the EU–US Data Privacy Framework, where the provider is certified, and/or
- The European Commission's Standard Contractual Clauses (SCCs)
You can request a copy of the safeguards by emailing the address in section i.
- Reservation data (name, contact, training and travel details): kept while your reservation is active and for up to 2 years after the end of your stay, after which we anonymise or delete it
- Accounting and payment records (invoice information, amounts, VAT, Stripe identifiers): kept for 7 years as required by Estonian accounting law (Raamatupidamise seadus)
- Server and security logs: kept for up to 90 days, unless needed longer to investigate a security incident
- Records of your privacy-policy consent: kept for as long as we keep the underlying reservation, as evidence that consent was given
After the retention period expires, your data is either permanently deleted or irreversibly anonymised so it can no longer be linked to you.
We take the security of your data seriously. Measures we use include:
- All connections to our website and backend use HTTPS encryption
- Access to our reservation database (Airtable) is restricted to a small number of named team members and protected by two-factor authentication
- Our backend uses cryptographic signatures to verify that payment confirmations actually come from Stripe (and not from a malicious third party)
- API keys, secrets and passwords are stored in Cloudflare's secret store, not in our source code
- Card data is never stored on our systems — Stripe handles all payment information in their PCI-DSS-compliant environment
- We periodically review who has access to personal data and remove access when it is no longer needed
If a personal data breach occurs that is likely to result in a risk to your rights or freedoms, we will notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours of becoming aware of it, and we will inform you directly if the breach poses a high risk to you.
Under the GDPR you have the following rights regarding your personal data:
- Right of access — to ask us what data we hold about you and receive a copy
- Right to rectification — to have inaccurate data corrected
- Right to erasure ("right to be forgotten") — to have your data deleted, subject to exceptions where we are legally required to keep it (e.g. accounting records)
- Right to restriction of processing — to ask us to pause processing in certain circumstances
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to object to processing based on our legitimate interest
- Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time (this does not affect the lawfulness of processing before withdrawal)
To exercise any of these rights, email the address in section i. We will respond within one month. There is no fee for this, unless your request is clearly unfounded or excessive.
You also have the right to lodge a complaint with a supervisory authority. The competent authority for us is:
You may also complain to the supervisory authority in the EU country where you live or work.
Our reservation page uses only essential technical cookies needed to make the form work. We do not use advertising or tracking cookies on this page. If we add analytics or marketing cookies in the future, we will ask for your consent first and update this policy.
Stripe's checkout page uses its own cookies; please see Stripe's privacy notice for details.
Our service is intended for adults. We do not knowingly accept reservations from people under 18 without the involvement of a parent or legal guardian. If you believe a child's data has been submitted to us, please contact us and we will delete it.
We may update this policy from time to time, for example if we change service providers or add new features. The "Last updated" date at the top will reflect the latest version. If the changes are significant, we will tell you by email or through a notice on our website.
For any question about this policy or about how we handle your personal data, email info@shimiaohai.com or write to the postal address in section i.