Privacy Policy
Last updated: 22 May 2026
Shivoham Retreat ("we", "our", "us") respects your privacy and is committed to protecting the personal information you share with us when you visit shivohamretreat.com, submit an enquiry, make a booking, subscribe to our newsletter, or stay with us as a guest. This policy explains what we collect, why we collect it, how long we keep it, and the choices you have. It is written to comply with India's Digital Personal Data Protection Act 2023 (DPDP) and the EU General Data Protection Regulation (GDPR) for international guests.
1. Who we are
Shivoham Retreat is a boutique luxury homestay and yoga retreat located at Kuthal Wali, Jodhi, Jakhan Jodi Road, Malsi, Sinola, Dehradun, Uttarakhand 248003, India. We are the data fiduciary (DPDP) and the data controller (GDPR) for personal data collected through this website and our hospitality operations.
To exercise any privacy right, or for any data-related question, contact us at info@shivohamretreat.com or call +91 94102 85437.
2. Information we collect
- Enquiry & booking data: name, email, phone, city, preferred check-in / check-out dates, number of guests, room preference, any notes you include.
- Contact messages: name, email, phone, subject and message body.
- Newsletter subscriptions: email address only.
- Technical data: IP address, browser type, device, referring URL, pages viewed, time on page — collected via Google Analytics 4 and our server access logs.
- On-premises data (guests only): identity-document scan (Aadhaar, passport or driving licence) as required by Indian hospitality regulations for guest registration, plus any preferences you share at check-in.
3. Why we collect it (legal basis)
- To respond to enquiries and confirm bookings — contract performance.
- To comply with Form-C / hospitality guest-register obligations under Indian law — legal obligation.
- To send newsletters and promotional emails — consent (you can unsubscribe at any time).
- To improve the website, prevent fraud and protect against abuse — legitimate interest.
4. How long we keep it
- Enquiries and contact messages — 24 months from last contact.
- Booking and guest-register records — 5 years (legal requirement).
- Newsletter subscribers — until you unsubscribe.
- Web analytics (Google Analytics) — 14 months (default retention).
5. Who we share it with
We do not sell or rent your personal information. We share it only with:
- Payment processors (Razorpay / bank) when you pay for a booking.
- Google (Analytics 4) for anonymised website usage data.
- Hostinger (our hosting provider), which stores the database and backups.
- Indian government authorities when legally required (police verification, Form-C, tax notices).
6. Cookies
We use minimal first-party cookies for session management on admin and booking pages. Google Analytics 4 sets first-party cookies (`_ga`, `_ga_*`) for visit measurement. You can block cookies in your browser settings without losing core site functionality.
7. Your rights
Under DPDP and GDPR you can request to:
- Access a copy of the personal data we hold about you.
- Correct any inaccurate data.
- Delete your data ("right to be forgotten"), subject to legal retention requirements.
- Withdraw consent for newsletters at any time.
- Lodge a complaint with the Data Protection Board of India (or your local EU supervisory authority).
To exercise any right, email info@shivohamretreat.com. We respond within 30 days.
8. Security
Our website is served exclusively over HTTPS with strict transport security (HSTS). Admin access is protected by two-factor authentication. Database credentials live outside the web root. Daily file-integrity monitoring alerts us to unauthorised changes. We do not store payment card numbers — those are handled by our payment processor.
9. International transfers
Our hosting and analytics partners may process data outside India. Where this happens, transfers are protected by standard contractual clauses or equivalent safeguards.
10. Children
We do not knowingly collect personal data from anyone under 18. If a parent or guardian believes a child has shared data with us, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top reflects the most recent revision. Material changes will be announced via a banner on the site for at least 30 days.