Overview
Welcome. This policy explains how findmyspa handles personal data across our platform.
Quick Summary
- Only essential data for operation & improvement.
- No selling of personal data.
- Privacy‑respecting analytics; no invasive ad pixels.
- You can request access, deletion, correction, objection.
- Layered security & least privilege access.
Read the full sections for details.
Data We Collect
Identity
Name, display name, internal IDs.
Contact
Email, optional phone, region.
Profile
Saved spas, filters, preferences.
Listing
Spa details, amenities, geo, media.
Usage
Searches, clicks, performance.
Technical
IP (truncated), device, browser.
Support
Messages, attachments.
UGC
Reviews, ratings, uploads.
We avoid collecting government IDs or precise geolocation.
Sensitive Data
We do not seek to collect special category data (e.g., health, biometric, racial/ethnic origin). If you inadvertently submit such information in free‑text fields, you consent to our processing solely to handle the request then purge or minimise it.
Sources
- Direct submissions and interactions.
- Device & browser telemetry.
- Partner-provided listing data & updates.
- Public business registries & official sites (validation).
- Infrastructure / security / analytics providers.
Purposes
- Operate core platform & personalisation.
- Surface relevant spa experiences.
- Facilitate enquiries & potential bookings.
- Partner performance dashboards & insights.
- Security, fraud prevention, abuse mitigation.
- Product analytics & roadmap decisions.
- Service communications & notifications.
- Legal & compliance obligations.
Legal Bases
For GDPR regions we rely on contract, legitimate interests (carefully balanced), consent (non‑essential cookies, marketing), and legal obligation. Where consent is withdrawn, we cease related processing unless another lawful basis applies.
Advertising & Analytics
No personalised ads presently. If introduced, we will provide opt‑in controls and limit identifiers. Analytics currently emphasise aggregated, event‑level metrics without cross‑site tracking pixels.
AI & Ranking Logic
Listing ordering uses relevance signals (category match, geography, engagement, quality indicators). We avoid opaque scoring that materially affects rights without transparency. Experimental features undergo privacy & fairness review.
Disclosures
- Vetted processors (infrastructure, analytics, email).
- Partners when you submit an enquiry.
- Authorities when legally compelled or to mitigate risk.
- Corporate transactions (with continuity safeguards).
No sale of personal data. No data brokerage.
International Transfers
Cross‑border transfers use recognized safeguards (SCCs, supplementary technical controls) where adequacy decisions are absent. We assess vendor risk periodically.
Retention
We retain data only so long as needed for explicit purposes or legal requirements, then aggregate, anonymise, or securely delete.
Security
- Least privilege access
- Transport encryption
- Hardened hosting
- Dependency monitoring
- Abuse & anomaly detection
- Regular review & logging
Incident response playbooks define containment, assessment, notification, and post‑mortem improvement.
Children
Not directed to children under 16. We promptly remove inadvertently submitted child data upon notice.
Your Rights
Access
Obtain a copy / overview of data we hold.
Rectification
Correct inaccurate or incomplete data.
Erasure
Request deletion (subject to legal holds).
Restriction
Limit certain processing while a request is assessed.
Portability
Receive machine-readable export where lawful.
Objection
Object to legitimate interests or marketing.
Withdraw Consent
Stop processing based on prior consent.
Complaint
Lodge with supervisory authority.
Exercising Rights
Submit via Support or email privacy@findmyspa.com. We verify identity proportional to the request and respond within applicable statutory periods (typically 30 days, extendable where complexity applies).
Communication Preferences
Use unsubscribe links or in‑app toggles (rolling out) to control marketing. Critical service or security notifications are not optional while an account exists.
Partner / Listing Data
Partners confirm they have rights to provided media and descriptions. We may normalize formatting, tag amenities, and remove prohibited or defamatory content. Data inaccuracies should be reported promptly.
Reviews & User Generated Content
Content you post may become public and indexable. We may moderate for authenticity, relevance, and policy compliance. Removal requests are assessed contextually.
APIs & Integrations
Any future API or booking integration will follow a minimal disclosure principle: only the fields required for the explicit transaction (e.g., referral ID) and subject to processor agreements.
Retention Table
| Category | Typical Retention | Disposition |
|---|---|---|
| Account Profile | Life of account + 90 days | Deletion or anonymization |
| Listings (Partner) | Active + audit period | Archive / purge |
| Reviews | Until removal or policy breach | Delete / pseudonymize |
| Analytics (Aggregated) | Indefinite (non-personal) | Aggregate only |
| Support Tickets | 2 years from closure | Secure delete |
| Security Logs | 12–24 months | Rotate & purge |
Retention may extend where legal obligations or dispute resolution require.
Changes
We will version significant updates and provide conspicuous notice for material alterations. Continued use after effective date signifies acceptance.
Contact
Questions: privacy@findmyspa.com. Additional regional representative or data protection officer details will appear here if appointed.
This document prioritises clarity. If any clause conflicts with mandatory local law, that law prevails to the minimum necessary extent. English version controls.