Privacy Policy
- Introduction
This privacy notice for Sen Sutra Ltd (company number 16922312), registered in England and Wales, trading as Sen Wellness Sanctuary, describes how and why we collect, store, use, and share your personal information when you use our services — including when you visit our website, make an enquiry or booking, attend our sanctuary in Sri Lanka, or receive health consultations and wellness programmes from us.
Why UK GDPR and EU GDPR apply to us
Sen Sutra Ltd is incorporated in England and Wales. UK GDPR (Data Protection Act 2018) applies directly to us. EU GDPR (Regulation 2016/679) also applies under its extraterritorial scope (Article 3(2)) because we actively offer services to guests based in the European Economic Area (EEA). Our website servers are located in the United Kingdom, which holds EU adequacy status (EC Decision 2021/1772).
Governing law
This policy is governed by the laws of England and Wales. UK GDPR (Data Protection Act 2018) and EU GDPR (Regulation 2016/679) apply to their respective scopes. Our Sri Lankan operations are additionally subject to the Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA).
Questions? Contact us at [email protected] or +94 77 390 4800.
- What information do we collect?
1.1 Information you give us directly
- Full name, email address, phone number, and postal address
- Billing address and payment details (settled by direct bank transfer or on-site cash/card payment — we do not store payment card details)
- Retreat booking details, dietary preferences, and special requirements
- Passport or identity document details where required
- Emergency contact name and telephone number
- Records of communications — emails, enquiry forms, and call notes
- Feedback, reviews, or survey responses you choose to provide
1.2 Health and special category data
Important: We process health data. Your explicit written consent is required before any health information is collected.
Because we provide Ayurvedic medical consultations, Panchakarma programmes, and personalised treatment plans, we collect health information about guests. Health data is special category data under Article 9 of both UK GDPR and EU GDPR and is subject to stricter rules. We only process health data with your explicit written consent, obtained before or at your first consultation. You may withdraw consent at any time by emailing [email protected]. Withdrawal must be recorded on your intake file and communicated to your treating doctor.
- Medical history, current health conditions, and medications
- Dietary requirements, food allergies, and intolerances with health implications
- Physical limitations or contraindications relevant to treatment or yoga practice
- Treatment notes, progress records, and clinical observations during your stay
- Any other health information you share with our doctors or therapists
1.3 Who handles your data — access by role
Role
Data they can access
Health data?
Administrative team
Contact details, booking records, correspondence, dietary preferences (non-medical)
No
Sanctuary managers
Booking details, guest preferences, scheduling, dietary and allergy flags for catering
Allergy flags only
Doctors / Ayurvedic practitioners
Full health records, medical history, treatment notes, medications, clinical observations
Full access
Yoga teachers
Guest name and physical limitations — shared by doctors only where essential for safety
Limitations only
All staff with access to personal data receive data protection and confidentiality training, reviewed annually.
1.4 Information collected automatically
When you visit our website, we automatically collect technical data including IP address, browser type, device type, pages visited, and visit timestamps. We also collect data through cookies — see Section 5.
1.5 What happens if you choose not to provide information?
- Without contact or booking details, we cannot process your reservation.
- Without health information, our doctors may be unable to design a safe treatment plan. Some programmes — particularly Panchakarma — cannot be safely delivered without this information.
- Without dietary or allergy information, we may be unable to accommodate your needs safely.
We will always tell you at the point of collection whether information is required or optional.
- How do we process your information?
- To respond to enquiries and provide customer support
- To process bookings, administer your retreat, and arrange payment
- To safely deliver health consultations, Ayurvedic treatments, and wellness programmes
- To send important administrative information about your booking or our policies
- To send marketing communications — only where you have given prior consent
- To improve our services through analysis of website and programme usage
- To protect our website and services from fraud and security threats
- To comply with applicable legal and regulatory obligations under UK, EU, and Sri Lankan law
- What legal bases do we rely on?
3.1 For ordinary personal data (Article 6)
- Consent (Art. 6(1)(a)) — Email marketing, non-essential cookies. You may withdraw at any time.
- Performance of a contract (Art. 6(1)(b)) — Managing your booking and delivering your stay.
- Legitimate interests (Art. 6(1)(f)) — Website security, service improvement, guest communications.
- Legal obligation (Art. 6(1)(c)) — Financial records, healthcare records, employment law compliance.
3.2 For health and special category data (Article 9)
- Explicit consent (Art. 9(2)(a)) — Written consent obtained before or at first consultation.
- Healthcare provision (Art. 9(2)(h)) — Processing necessary for the provision of healthcare and treatment.
- Vital interests (Art. 9(2)(c)) — In a genuine medical emergency to protect your life.
3.3 Withdrawing consent
You may withdraw any consent at any time, without penalty, by emailing [email protected]. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Withdrawal of health data consent will be recorded on your clinical file.
- With whom do we share your information?
Health data: Special category health data is handled exclusively within the Sen Wellness Sanctuary team and is never shared with any external third party, except in a genuine medical emergency.
4.1 Breath of Life Lanka Ltd — Sri Lankan processor
Breath of Life Lanka Ltd (PV 87421), our Sri Lankan operational entity, employs all doctors, sanctuary managers, therapists, yoga teachers, and administrative staff who deliver your retreat. They process personal data on behalf of Sen Sutra Ltd under a formal Data Processing Agreement. Breath of Life Lanka Ltd acts solely as a data processor and does not determine the purposes or means of processing independently. Website analytics, payroll processing, and internal administration are all handled within Breath of Life Lanka Ltd as part of this arrangement.
4.2 Third-party service providers
For general personal data (not health data), we use the following external providers under written Data Processing Agreements:
Category
Provider
Purpose
Data shared
Health data?
CRM / guest records
Zoho CRM
Managing guest records, booking history, and communications
Name, contact details, booking information, preferences
No
Email marketing
Mailchimp
Newsletters and marketing emails to guests who have consented
Name and email address only
No
Website hosting
Hostinger
Hosting the senwellnesssanctuary.com website and enquiry forms
IP address, website enquiry data
No
DSAR portal
Termly
Managing data subject access requests and cookie consent
Name, email (if submitted via DSAR form)
No
Payment settlement
Direct bank transfer / on-site payment
Guests pay by direct bank transfer before arrival, or by cash/card on site. No third-party payment processor is used.
Bank reference details only — no card data stored
No
Internally managed: Website analytics (Google Analytics), payroll processing, and general administrative data processing are handled internally by Breath of Life Lanka Ltd staff as part of their role as data processor — no external third-party provider is used for these functions.
4.3 Business transfers and legal requirements
In the event of a merger, acquisition, or restructuring of Sen Sutra Ltd, personal data may be transferred as part of that transaction and you will be notified in advance. We may also disclose data to law enforcement or regulatory authorities where required by law.
- Cookies and tracking technologies
We use cookies and similar technologies on our website. A consent banner appears on your first visit, allowing you to accept or decline non-essential cookies. Essential cookies required for the website to function do not require consent. Website analytics are managed internally using Google Analytics, accessed by Breath of Life Lanka Ltd staff. Full details are in our Cookie Policy at senwellnesssanctuary.com/cookie-policy.
- Where is your data stored and transferred?
6.1 Data storage — United Kingdom servers
Personal data collected through our website and booking systems is stored on servers provided by Hostinger, located in the United Kingdom. The UK holds EU adequacy status (EC Decision 2021/1772), so transfers of EU personal data to our UK servers are lawful without additional safeguards.
6.2 Data processed in Sri Lanka by Breath of Life Lanka Ltd
Breath of Life Lanka Ltd, our Sri Lankan processor, employs the staff who deliver your retreat and access personal data to do so. Sri Lanka does not currently hold a UK or EU adequacy decision. Accordingly:
- EU guests: Data access by Breath of Life Lanka Ltd is governed by the European Commission’s Standard Contractual Clauses (SCCs, Decision 2021/914). A copy is available on request.
- UK guests: Data access by Breath of Life Lanka Ltd is governed by the UK International Data Transfer Agreement (IDTA). A copy is available on request.
Breath of Life Lanka Ltd also complies with the Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA) in respect of its processing operations within Sri Lanka.
6.3 Third-party providers outside the EEA/UK
Zoho CRM and Mailchimp may store data on servers outside the EEA or UK. Both providers maintain EU GDPR-compliant data transfer mechanisms (including SCCs). To request copies of applicable transfer documents, email [email protected].
- How long do we keep your information?
Data category
Retention period
Legal basis / reason
Health and treatment records
8 years from last treatment
Legal obligation — UK clinical records standard; Art. 6(1)(c)
Financial and booking records
7 years from transaction
Legal obligation — Companies Act / tax law; Art. 6(1)(c)
Guest contact and marketing data
2 years from last contact, or until consent withdrawn
Legitimate interest / consent; Art. 6(1)(a) & (f)
Enquiry forms (no stay booked)
12 months from enquiry date
Legitimate interest; Art. 6(1)(f)
Website analytics / logs
26 months
Legitimate interest; Art. 6(1)(f)
Staff and employment records
6 years after employment ends
Legal obligation — employment law; Art. 6(1)(c)
Data breach records
5 years from breach date
ICO / EDPB accountability
Consent records
Duration of relationship + 3 years
Accountability — evidence of lawful basis
When data is no longer required, we securely delete or anonymise it.
- How do we keep your information safe?
- SSL/TLS encryption for all data transmitted via our website (Hostinger)
- Encrypted storage for health and sensitive personal data
- Role-based access controls — staff access only the data needed for their role
- Regular data protection and confidentiality training for all staff with data access
- Secure disposal procedures for paper records containing personal information
- Written Data Processing Agreements with all third-party processors
- A Record of Processing Activities (ROPA) documenting all internal data flows, reviewed annually
- No card or payment data is stored — payments are made by direct bank transfer or on-site
No electronic transmission or storage is 100% secure. While we take all reasonable precautions, we cannot guarantee absolute security.
- Data breaches
In the event of a personal data breach, we will:
- Assess the likely risk to the rights and freedoms of affected individuals
- Notify the ICO within 72 hours where required — Article 33 UK GDPR
- Notify the relevant EU supervisory authority within 72 hours where required — Article 33 EU GDPR
- Notify affected individuals directly and without undue delay where there is high risk — Article 34 UK/EU GDPR
- Document all breaches in our internal breach register, retained for 5 years
Note: Sen Sutra Ltd has had no reportable data breaches in the last three years. Any breach involving health data is treated as the highest priority. Contact [email protected] immediately if you believe your data has been compromised.
- Minors
Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have done so, we will delete the data promptly. Contact [email protected] with any concerns.
- Your privacy rights
Under UK GDPR and EU GDPR you have the following rights. We will respond within one calendar month (extendable by two months for complex requests, with notice). There is no charge in most circumstances.
Your right
What it means
Right of access (Art. 15)
Request a copy of all personal data we hold about you.
Right to rectification (Art. 16)
Ask us to correct inaccurate or incomplete personal data.
Right to erasure (Art. 17)
Ask us to delete your data where it is no longer necessary. Note: some data must be retained by law.
Right to restrict processing (Art. 18)
Ask us to pause processing while a dispute is resolved.
Right to data portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to object (Art. 21)
Object to processing based on legitimate interests, including direct marketing.
Withdraw consent
Withdraw consent for health data or marketing at any time with no penalty.
Right to complain
Lodge a complaint with your local supervisory authority — see Section 15.
To exercise any right, email [email protected]. We may ask you to verify your identity before fulfilling a request.
- Automated decision-making and profiling
We do not use any automated decision-making or profiling in relation to your personal data. All decisions relating to your health treatment plan, retreat programme, and personal care are made by our qualified doctors and sanctuary staff. If this changes in future, we will notify you before changes take effect, in accordance with Article 22 UK/EU GDPR.
- Intellectual property
All content on the Sen Wellness Sanctuary website — including text, images, photographs, videos, logos, brand names, and design elements — is the intellectual property of Sen Sutra Ltd or its licensors and is protected by UK copyright law (Copyright, Designs and Patents Act 1988), EU copyright directives, and international intellectual property conventions.
The Sen Wellness Sanctuary name, logo, and brand identity are the property of Sen Sutra Ltd. Nothing in your use of this website or our services transfers any intellectual property rights to you.
- You may view and print content from this website for personal, non-commercial use only.
- You may not reproduce, distribute, modify, create derivative works from, publicly display, or commercially exploit any content without the prior written consent of Sen Sutra Ltd.
- Guest-submitted content (reviews, feedback, photographs shared with us) may be used by Sen Sutra Ltd for marketing purposes, subject to your consent at the time of submission.
- Unauthorised use of our intellectual property may give rise to a claim for damages and/or be a criminal offence under the Copyright, Designs and Patents Act 1988.
To request permission to use our content, or to report an intellectual property concern, contact [email protected].
- Do-Not-Track signals
Most web browsers include a Do-Not-Track (‘DNT’) setting. No legally binding uniform standard for recognising DNT signals currently exists. We do not currently respond to DNT signals. If such a standard is adopted, we will update this notice.
- Contact, representatives & supervisory authorities
15.1 Data Controller — Sen Sutra Ltd
Field
Details
Legal entity
Sen Sutra Ltd
Registered in
England and Wales
Company number
16922312
ICO Registration No.
ZC146926
Trading as
Sen Wellness Sanctuary
Registered address
Flat 1, No. 66 Wimpole Street, London W1G 8AW, England
Retreat address
Rekawa Road, Netolpitiya, Sri Lanka
Email
Phone
+94 77 390 4800
Website
senwellnesssanctuary.com
15.2 UK Contact Person
The UK contact for data protection matters is Sameera Kankanamge (Director), reachable at [email protected]. Per the DataRep questionnaire dated 05/06/2026, Sen Sutra Ltd has elected not to appoint DataRep as UK representative. UK residents and the ICO should contact Sen Sutra Ltd directly at the registered address above.
15.3 EU Representative (Article 27 EU GDPR)
Sen Sutra Ltd has appointed Data Protection Representative Limited (trading as DataRep) as its Data Protection Representative in the European Union for the purposes of EU GDPR (Regulation 2016/679). This appointment is effective as of June 2026 and covers all 27 EU member states plus Norway and Iceland in the European Economic Area.
EU residents who wish to raise a question with Sen Wellness Sanctuary, or exercise their data protection rights under GDPR, may contact DataRep directly:
EU Representative: Data Protection Representative Limited (trading as DataRep) Registered address: The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland Registered in Ireland: Company number 616588 Email: [email protected] Web form: www.datarep.com/data-request Website: www.datarep.com
Important – when contacting DataRep: Please quote “Sen Wellness Sanctuary” in the subject line of any email or written correspondence. If contacting by post, ensure your letter is addressed to DataRep and not to Sen Wellness Sanctuary, or your enquiry may not be directed to the correct team. Sen Wellness Sanctuary may request evidence of your identity before fulfilling any data subject request, to ensure your personal data is not disclosed to anyone other than you.
For further information on your rights under EU GDPR, please refer to the European Commission at https://ec.europa.eu/info/law/law-topic/data-protection or the national Data Protection Authority in your country.
15.4 Sri Lankan processor — Breath of Life Lanka Ltd
Field
Details
Entity
Breath of Life Lanka Ltd
Role
Data processor — processes data on behalf of Sen Sutra Ltd under a Data Processing Agreement
Registration No.
PV 87421
Address
Rekawa Road, Netolpitiya, Sri Lanka
Sri Lankan law
Complies with Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA)
15.5 Supervisory authorities
Your location
Supervisory Authority
Contact
United Kingdom
Information Commissioner’s Office (ICO)
ico.org.uk · 0303 123 1113
European Union / EEA
Your local EU data protection authority
edpb.europa.eu
Switzerland
Federal Data Protection & Information Commissioner
edoeb.admin.ch
Sri Lanka
Data Protection Authority of Sri Lanka (PDPA 2022)
pdpa.gov.lk (when operational)
- Updates to this policy
We may update this notice from time to time. The ‘last updated’ date at the top always reflects the most recent revision. If we make material changes — particularly to how we process health data, who we share information with, or our legal bases — we will notify you by email or via a prominent notice on our website before changes take effect.
Please review this policy periodically at senwellnesssanctuary.com/privacy-policy.
The place, the architecture, the interior, the location are just magical.
I initially intended to stay 4 days but ended up extending.
It‘s beautifully nestled in between wildlife, we had monkeys, chipmunks and peacocks as our neighbors.
However there are a few things I‘d like to highlight for you to judge whether this is for you:
1) the approach is more wellness centered. The doctor will ask you questions like „what would you like?“ and „do you have questions for me“, rather than a check-up when it comes to treatments and accupuncture. Perhaps I‘m coming from a TCM point of view, but the doctor usually knows what the patient needs.
2) if you come here with serious health issues and the hope to recover: it is about wellness. Staff is not trained enough to understand injury informed trauma in the body and can not take care of it.
Staff usually gets trained there and has no prior education on these matters.
3) the food is not tailored to your needs. The approach is quite beautifully freeing: a little bit of everything is ok, and all flavours should be on each plate.
4) your food preferences are not noted initally, sometimes the dinners were fish-based and vegetarian or vegan people had to let kitchen staff know the situation. Once that had been done they quickly fried up some eggs and remembered for the rest of the stay, so all is well. However I would have liked to see a thoughtfully substituted meal for all dietary requirements by the doctors.
My vegan friend got no substitute, the day after she got some steamed cabbage offered to replace the protein.
4) there are a lot of mosquitos due to the location. So if you are sensitive to this, it‘s best to bring a lot of mosquito repellent.
6) the Yoga varies. It’s young volunteer Yoga Teachers — although we had one amazing one called Gil, who took care of everyone properly.
Considering people come here with health issues and of different ages and fitness levels, a lot more props, adjustments an modifications are needed than currently offered. I witnessed a few injuries and at this price point would expect a paid Yoga Teacher with experience and suitable expertise.
7) the place itself is magical. But there is a dark side to it: some, especially young staff, appear to be paid >below< national minimum wage (which as of Jan 2026 is 30 000 LKR a month, which equals 81€). That‘s less than half of what I paid in a single day here.
Considering every guest leaves a couple of thousand dollars there at a time and there are always 10+ guests, I would expect them all to get paid very decently.
If the philosophy of the place shall be matched with it‘s reality, for energetic balance of this place, wages need to be increased urgently to an amount so all staff can suffice on one full time job.
I am expecting a throw back in the response, as I have seen for many other reviews that pointed this out. Bit I just know it‘s true.
It can be felt. And no words can undo the energetic essence of underpaid staff in a luxury wellness resort.
Any guest will feel it until it is fixed.
I want to see staff empowered. Both in salary and voice.
I think it would be a misuse of power, which doesn‘t match the philosophy of the place, to disallow staff to speak about their salaries.
8) it is luxury in the service: nicely assembled food, expensive furniture and design. But it is also at a remote beach in between nature: sometimes there is power outage, there‘s moisture, the natural elements and animals do their thing.
I can understand this and am not too fuzzy, but wanted to share that it‘s an interesting mix between glamping and a 5 star resort — so be prepared and don‘t expect everything to be neat, clean and always working.
My room for example, the cheapest one at 130$ a night was dark with no real window and moist and smelled like drain.
After all: I would stay again, but not at this price point.
I still want to thank all staff for their welcoming energy, their smiles and their service. 🌟
The staff are incredibly kind and attentive, the treatments are varied and tailored to your needs, and the Ayurvedic food is delicious. Daily yoga, meditation, breathwork, and chanting make the whole experience deeply nourishing.
An incredible retreat that I would love to return to.
💛💛💛💛💛
The beach nearby is one of the most beautiful I have ever seen. Because of the strong waves and currents, swimming in the ocean isn’t really possible, but that honestly doesn’t matter at all because the pool is fantastic and perfect for relaxing. If you’re lucky, you can even watch turtles coming to the beach at night, which is a truly special experience.
Everyone in the Sen Wellness team is incredibly kind, attentive, and welcoming. They truly care about the guests and are always there whenever you need something.
The treatments were outstanding — from wonderful massages to acupuncture and relaxing flower baths. There were also beautiful experiences such as Kundalini yoga with a monk, meditation sessions, and even a cacao ceremony, all of which made the stay feel very special and deeply nourishing.
The food was delicious, and the entire experience felt rejuvenating and thoughtfully curated. I can highly recommend Sen Wellness Sanctuary to anyone looking for a peaceful, restorative, and truly unique retreat.
It is a place full of beautiful impressions, kind-hearted people, highly skilled therapists (I work myself as an Ayurveda body practitioner), and excellent doctors. The atmosphere and the interior of the Sanctuary are something I would love to take home with me to Hamburg.
The surrounding nature, with all its facets, colors, and sounds, completely enchanted me. The food is prepared with so much love, the yoga practice is exactly right, and the 1:1 gong sessions and coaching with the monk were truly special.
I feel stronger, more balanced, and more content than I have in years. And along the way, beautiful friendships were formed as well.
I will take the rituals I learned here back home with me—and I am certain that I will return again very soon.
Thank you💝
What makes the place special is its setting. On one side you have the wide open beach, and on the other side a serene lagoon, so you feel like you are floating between two worlds rather than choosing just one.
The wellness sessions were grounding, the food was clean and comforting, and everything about the space makes it easy to slow down without even trying. I may not have reached enlightenment, but I definitely reached a very pleasant level of “life is good”.
Sam, the founder, is a warm and thoughtful host who clearly cares about the experience of every guest. You can feel that Sen is built from intention, not just aesthetics.
I left feeling lighter, calmer, and genuinely refreshed. If you are looking for a serene, well designed retreat that feels soulful without trying too hard, Sen is absolutely worth it.