Privacy Policy

Introduction

shantyhgjk B.V. ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our thermal spa and sauna complex, use our services, or interact with our website at shantyhgjk.top.

As a company operating in the Netherlands and serving customers in the European Union, we comply with the General Data Protection Regulation (GDPR) and applicable Dutch data protection laws.

Data Controller

The data controller responsible for your personal data is:

Data Collection

The data we collect includes personal information you provide directly to us, information we collect automatically when you use our services, and information we may receive from third parties. We collect this data through various means including our website, booking systems, and during your visits to our spa facilities.

Information You Provide Directly:

• Name, email address, phone number, and postal address
• Booking and appointment information
• Payment information (processed securely by our payment providers)
• Health information relevant to spa treatments (with your consent)
• Communication preferences and marketing consents
• Feedback, reviews, and correspondence with us

Information We Collect Automatically:

• Website usage data, including IP address, browser type, and pages visited
• Cookies and similar tracking technologies (see our Cookie Policy)
• Device information and technical data
• Access logs and security monitoring data

How We Use Your Information

We explain how we use your information for various legitimate purposes related to operating our thermal spa and sauna complex. The use of your data is always based on a valid legal basis under GDPR, including contract performance, legitimate interests, legal compliance, or your explicit consent.

Service Provision and Contract Performance:

• Processing bookings and managing appointments
• Providing spa treatments and wellness services
• Processing payments and managing billing
• Maintaining customer accounts and service history
• Providing customer support and responding to enquiries

Legitimate Business Interests:

• Improving our services and facilities
• Website analytics and performance monitoring
• Security and fraud prevention
• Business administration and record keeping

With Your Consent:

• Marketing communications and promotional offers
• Processing sensitive health information for treatments
• Non-essential cookies and tracking technologies

Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

• Contract Performance: To provide spa services you have booked
• Legitimate Interests: For business operations, security, and service improvement
• Legal Compliance: To meet tax, accounting, and regulatory requirements
• Consent: For marketing communications and non-essential processing
• Vital Interests: In emergency situations to protect health and safety

Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your data only in the following limited circumstances:

• Service Providers: Trusted third parties who assist with payment processing, booking systems, and website hosting
• Legal Requirements: When required by law, court order, or regulatory authority
• Business Transfers: In the event of a merger, acquisition, or sale of business assets
• Emergency Situations: To protect the safety and health of individuals

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy, comply with legal obligations, and resolve disputes. Our retention periods are based on the nature of the data and legal requirements:

• Customer Records: 7 years after last service (tax and accounting requirements)
• Marketing Data: Until you withdraw consent or 3 years of inactivity
• Website Analytics: 26 months maximum
• Health Information: As required by medical record regulations
• CCTV Recordings: 30 days maximum unless required for legal proceedings

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

• Right of Access: Request copies of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data in certain circumstances
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for marketing or other voluntary processing

To exercise these rights, please contact us at privacy@shantyhgjk.top. We will respond to your request within one month.

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls and staff training
• Secure payment processing through certified providers
• Regular data backups and disaster recovery procedures

International Data Transfers

We primarily process data within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure adequate protection through appropriate safeguards such as Standard Contractual Clauses or adequacy decisions by the European Commission.

Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16 without parental consent. If you believe we have collected data from a child without proper consent, please contact us immediately.

Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your website experience. For detailed information about our cookie usage, please see our Cookie Policy.

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of significant changes by posting the updated policy on our website and updating the "Last updated" date. For material changes, we may provide additional notice through email or other communications.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below:

Supervisory Authority

If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the supervisory authority in your EU member state.