Privacy Policy | SpaAround.com – Wellness Directory

This Privacy Policy describes how SpaAround.com (“we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you use our website and services. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Important: By using SpaAround.com, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.

1. Definitions

  • Personal Information: Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly.
  • Processing: Any operation or set of operations performed on personal information, whether or not by automated means.
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal information.
  • Data Processor: A natural or legal person who processes personal information on behalf of the controller.
  • Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes.
  • Data Subject: The identified or identifiable natural person to whom personal information relates.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, phone number, business name, and professional credentials when creating an account.
  • Profile Information: Business description, services offered, pricing, hours of operation, photos, and qualifications.
  • Communication Data: Messages, inquiries, and feedback sent through our platform.
  • Booking Information: Appointment requests, preferences, and special requirements.
  • Payment Information: Billing address, payment method details (handled securely by our payment processors).

2.2 Information Collected Automatically

  • Technical Information: IP address, browser type, device information, operating system.
  • Usage Data: Pages visited, time spent, features used, search queries.
  • Location Data: Approximate location based on IP address or precise location with your consent.
  • Log Data: Server logs, error reports, performance data.

2.3 Information from Third Parties

  • Social Media: Information from social media platforms when you connect your accounts.
  • Business Partners: Information from partners who refer you to our platform.
  • Public Sources: Information from publicly available sources for verification purposes.

3. How We Collect Information

| Collection Method | Purpose | Legal Basis |
|---|---|---|
| Direct Input (Forms) | Account creation, profile setup, communication | Contractual necessity, Consent |
| Automated Technologies | Analytics, security, functionality | Legitimate interests, Consent |
| Cookies & Trackers | Personalization, advertising, analytics | Consent, Legitimate interests |
| Third-Party Sources | Verification, enrichment, marketing | Legitimate interests, Consent |
| Communication Tools | Customer support, notifications | Contractual necessity, Legitimate interests |

4. How We Use Your Information

  1. Service Provision

    To create and manage your account, provide directory services, facilitate connections between providers and clients, and process payments.

  2. Communication

    To send service-related announcements, respond to inquiries, provide customer support, and send marketing communications (with consent).

  3. Improvement & Development

    To analyze usage patterns, improve our services, develop new features, and conduct research.

  4. Security & Compliance

    To protect our platform, prevent fraud, verify identities, and comply with legal obligations.

  5. Personalization

    To customize content, show relevant listings, and personalize your experience.

  6. Legal Requirements

    To comply with court orders, legal processes, or regulatory requirements.

Note: We do not sell your personal information to third parties for their marketing purposes without your explicit consent.

6. Data Sharing and Disclosure

6.1 With Service Providers

We share information with trusted third-party service providers who assist in:

  • Payment processing (Stripe, PayPal)
  • Cloud hosting and infrastructure
  • Email and communication services
  • Analytics and marketing tools
  • Customer support platforms

6.2 With Other Users

As a directory service, certain information is visible to other users:

  • Wellness professionals: Your profile, services, and contact information
  • Clients: Your reviews, ratings, and public profile information

6.3 Legal Requirements

We may disclose information when required by law, such as:

  • Court orders or legal processes
  • Government requests
  • Fraud investigation
  • Protection of rights and safety

6.4 Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred as a business asset.

7. Data Retention

| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | While account is active + 3 years after deletion | Legal compliance, dispute resolution |
| Financial Records | 7 years | Tax and accounting requirements |
| Communication Data | 3 years | Customer service improvement |
| Usage Data | 26 months | Analytics and service improvement |
| Marketing Data | Until consent withdrawal | Marketing purposes |

Retention Principles: We retain personal information only as long as necessary for the purposes collected, including to satisfy legal, accounting, or reporting requirements. When no longer needed, we securely delete or anonymize the information.

8. Data Security

We implement comprehensive security measures to protect your information:

8.1 Technical Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security audits and vulnerability assessments
  • Firewalls, intrusion detection, and prevention systems
  • Secure development practices and code review
  • Regular security patches and updates

8.2 Organizational Measures

  • Employee training on data protection
  • Access controls and role-based permissions
  • Data protection impact assessments
  • Incident response and breach notification procedures
  • Regular backup and disaster recovery testing

8.3 Your Responsibilities

  • Keep your account credentials secure
  • Use strong, unique passwords
  • Enable two-factor authentication when available
  • Log out of shared devices
  • Report suspicious activity immediately

Security Notice: While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining appropriate safeguards.

9. Your Rights

Exercise Your Rights: To exercise any of these rights, please contact us using the information in Section 17. We will respond within 30 days and may request additional information to verify your identity.

9.1 GDPR Rights (EU/EEA Residents)

  • Right to Access: Obtain confirmation and a copy of your personal information.
  • Right to Rectification: Correct inaccurate or incomplete information.
  • Right to Erasure: Request deletion of your personal information (“right to be forgotten”).
  • Right to Restriction: Request restriction of processing in certain circumstances.
  • Right to Data Portability: Receive your information in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time, without affecting prior processing.

9.2 CCPA Rights (California Residents)

  • Right to Know: Know what personal information is collected and how it’s used.
  • Right to Delete: Request deletion of personal information.
  • Right to Opt-Out: Opt out of the sale of personal information.
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising rights.

9.3 Other Jurisdictions

We comply with applicable privacy laws in all jurisdictions where we operate, including but not limited to:

  • UK Data Protection Act 2018
  • Canadian PIPEDA
  • Australian Privacy Act
  • Brazil’s LGPD

10. Cookies and Tracking Technologies

10.1 Types of Cookies Used

| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential Cookies | Core functionality, security, session management | Session or up to 24 hours |
| Performance Cookies | Analytics, performance measurement | Up to 2 years |
| Functional Cookies | Preferences, personalization | Up to 1 year |
| Advertising Cookies | Targeted advertising, remarketing | Up to 1 year |
| Third-Party Cookies | Social media, embedded content | Varies by provider |

10.2 Cookie Management

You can control cookies through:

  • Browser settings (disable, delete, or block cookies)
  • Our cookie consent banner
  • Opt-out tools for advertising cookies
  • Browser extensions for enhanced privacy

Impact of Disabling Cookies: Some features may not function properly without cookies. Essential cookies cannot be disabled as they are necessary for basic functionality.

11. Third-Party Services

We use the following categories of third-party services:

11.1 Payment Processors

11.2 Analytics & Marketing

11.3 Infrastructure & Hosting

Third-Party Links: Our platform may contain links to third-party websites. We are not responsible for the privacy practices or content of these sites. Please review their privacy policies before providing any information.

12. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your own:

12.1 Transfer Mechanisms

  • Adequacy Decisions: Transfers to countries with adequate data protection laws
  • Standard Contractual Clauses: EU-approved contractual safeguards
  • Binding Corporate Rules: Internal policies for multinational companies
  • Derogations: Specific situations allowing transfers without safeguards

12.2 Primary Locations

  • Primary Storage: United Kingdom (GDPR compliant)
  • Backup Storage: European Union (Ireland, Germany)
  • Processing Locations: United States (with SCCs), Canada, Australia

13. Children’s Privacy

Our services are not directed to individuals under the age of 16 (or higher in some jurisdictions):

  • We do not knowingly collect personal information from children under 16
  • If we learn we have collected information from a child, we will delete it promptly
  • Parents or guardians can contact us to request deletion of children’s information
  • Age verification mechanisms are implemented where appropriate

COPPA Compliance: We comply with the Children’s Online Privacy Protection Act (COPPA) and similar regulations worldwide. If you believe a child has provided us with personal information, please contact us immediately.

14. Payment Information

14.1 Payment Processing

  • We do not store full credit card numbers on our servers
  • Payment information is processed by PCI-DSS compliant third parties
  • We store only the last four digits and expiration date for verification
  • All payment transactions are encrypted using TLS 1.2+

14.2 PCI-DSS Compliance

Our payment processors maintain Level 1 PCI-DSS compliance, the highest level of certification available. This includes:

  • Secure network infrastructure
  • Regular vulnerability scanning
  • Strong access control measures
  • Continuous monitoring and testing
  • Information security policies

14.3 Fraud Prevention

  • Real-time transaction monitoring
  • Machine learning fraud detection
  • Address verification systems (AVS)
  • Card verification value (CVV) requirements
  • 3D Secure authentication

15. Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets:

  • Your personal information may be transferred as a business asset
  • We will notify you of any such transfer via email and platform notice
  • The receiving entity will be bound by this Privacy Policy
  • You may have the right to object to certain transfers in some jurisdictions
  • Data protection agreements will be maintained during transitions

Successor Obligations: Any successor entity will be required to honor the commitments in this Privacy Policy or provide you with the opportunity to opt out of the new processing arrangements.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time:

  • Material changes will be notified via email 30 days in advance
  • Non-material changes will be posted on this page
  • Continued use after changes constitutes acceptance
  • Previous versions will be archived and available upon request
  • We encourage regular review of this policy

Update History:

  • Current Version:
  • Previous Update: [Date of previous update]
  • Significant Changes: [Brief description of recent material changes]

17. Contact Information

Data Protection Officer

SpaAround.com is operated by PLUTUS MEDIA LTD

For privacy-related inquiries, please contact:

Email: [email protected]

Address: #71227, Suite Number 71227, Sheffield, South Yorkshire, S35 2PS, England

Company Number: 13831431

Response Time: We aim to respond to all privacy inquiries within 30 days.

17.1 Supervisory Authorities

You have the right to lodge a complaint with a supervisory authority:

  • UK: Information Commissioner’s Office (ICO) – ico.org.uk
  • EU: Your local data protection authority
  • Other Jurisdictions: Relevant national privacy regulators