Privacy Policy
This privacy policy gives you information about how Nirvana Spa & Leisure Limited collects and processes your personal data, including any data you may provide through our website (available at https://nirvanaspa.co.uk/), when you sign up to receive our marketing newsletter and updates, when you make a booking, visit us and/or otherwise communicate with us.
Who we are & how to contact us
Nirvana Spa and Leisure Limited (collectively referred to as “we”, “us” or “our” in this privacy policy), a company registered in England and Wales with Company No 01016625 whose registered office address is at Nirvana Spa, Mole Road, Sindlesham, Wokingham, Berkshire, RG41 5DJ, is the data controller and responsible for your personal data.
We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the data protection officer using the details set out below:
Telephone: 0118 989 7506
Email: [email protected]
Nirvana Spa & Leisure Limited is registered with the UK Information Commissioner’s Office (Z526644X).
What personal data we collect & how it's collected
What types of personal data we collect about you?
“Personal data”, or “personal information”, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you as follows:
- Identity Data includes first name, last name, any previous names, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes billing address, email address and telephone numbers.
- Images: pictures or videos relating to you when you visit us or when you register as a member.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID on the other devices you use to access our website.
- Profile Data includes purchases, bookings or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you interact with and use our website, products and services, including the date and time of your visits, treatment bookings and guest bookings.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- Special Category Data includes health and medical information, your allergy and intolerances, and health and safety incidents you are involved in.
We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.
How is your personal data collected?
We use different methods to collect data from and about you including through:
- Your interactions with us. This includes personal data you provide when you:
  - visit us;
  - make a booking with us;
  - register as a member with us;
  - access our website, products and services;
  - request marketing be sent to you;
  - enter a competition, promotion or survey;
  - give us feedback or contact us; and
  - give us information which may be relevant to your account.
- Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies. Please see our cookie policy [LINK] for further details.
- CCTV. We employ CCTV at our premises for monitoring and security purposes to ensure a safe environment for our staff and guests. We also use it for evidential purposes in the case of an incident or where there has been a complaint. In all locations throughout our premises, signs are displayed notifying you that CCTV is in operation and providing details of who to contact for more information about the scheme. We will only disclose CCTV images to others for the purposes stated in this privacy policy. For more information regarding the use of CCTV, please contact our Data Protection Officer.
Collection of Children’s Personal Data
- We do not collect or process the personal data of children under the age of 16.
How we use your personal data
We will only process your personal data when the law allows us to and for the purposes set out in this privacy policy. The lawful bases upon which we will process your personal data are:
- when you give your consent for us to use your personal data for a specified purpose;
- when necessary for the performance of a contract we have entered into or are about to enter into with you;
- when necessary to comply with a legal or regulatory obligation that we are subject to. We will identify the relevant legal or regulatory obligation when we rely on this legal basis;
- for our legitimate interests or those of a third party, provided that your interests and fundamental rights and freedoms do not override those interests.
We process Special Category Data only where:
- we have your explicit consent;
- the processing is necessary to protect your vital interests; or
- for the establishment, exercise or defence of legal claims.
Where we need to collect personal data by law or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have entered or are trying to enter into with you (for example, to provide you with goods or services). We will notify you if this is the case.
We have set out below how we will use the data we collect from you.
| Purpose / Use | Type of data | Legal basis |
| --- | --- | --- |
| To register you as a new member or register to attend the Spa as a guest. | (a) Identity (b) Contact (c) Financial | Performance of a contract with you |
| When you book to visit the Spa and we provide services and treatment as part of your booking. | (a) Identity (b) Contact (c) Profile (d) Technical (e) Financial (f) Special Category | Performance of a contract with you |
| When you purchase goods from our online store | (a) Identity (b) Contact (c) Profile (d) Technical (e) Financial | Performance of a contract with you |
| Monitoring and protecting our spa, guests and members | (a) Images (b) Usage | Necessary for our legitimate interests (protecting property, staff and visitors to our premises) |
| Protecting you and us in case of incidents or complaints | (a) Identity (b) Contact (c) Profile (d) Special Category | Protecting your vital interests; Necessary to comply with a legal obligation; Necessary for the establishment, exercise or defence of legal claims |
| To manage our relationship with you, which will include: (a) notifying you about changes to our terms or privacy policy; (b) notifying you about changes to our products or services; (c) dealing with your feedback, requests, complaints and queries | (a) Identity (b) Contact (c) Profile (d) Special Category (e) Marketing and Communications | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated and improve our products and/or services); Necessary for the establishment, exercise or defence of legal claims |
| To enable you to partake in a prize draw, competition or complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications | Performance of a contract with you; Necessary for our legitimate interests (to assess how customers use our products and services, to develop them and expand our business) |
| To administer and protect our business and website | (a) Identity (b) Contact (c) Technical | Necessary for our legitimate interests (to improve the online services we provide and user experience); Necessary to comply with a legal obligation |
| To deliver relevant website content and online advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Necessary for our legitimate interest |
| To use data analytics to improve our website, products/services, customer relationships and experiences to measure the effectiveness of our communications and marketing | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To send you relevant marketing communications and make personalised suggestions and recommendations to you about goods or services that may be of interest to you based on your Profile Data | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications | Consent, having obtained your prior consent to receive direct marketing communications; Necessary for our legitimate interests (to carry out direct marketing, develop our products/services and grow our business) |
Direct marketing
We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view of which products, services and offers may be of interest to you so that we can then send you relevant marketing communications. We will not send marketing communications to you where you have not consented or have opted out of receiving these.
If you choose to subscribe to our mailing list, the email address that you submit to us will be provided to Dotmailer who provide us with e-marketing services. You will receive our regular newsletter and occasional emails regarding events, special offers and our facilities. You can ask us to stop sending you marketing emails at any time by following the opt-out links on any of our marketing emails sent to you or by contacting us at any time via [email protected]. Where you opt out of receiving marketing communications, we may still contact you for other purposes where we have a lawful basis to do so.
Sharing your personal data
Disclosures of your personal data
We will not sell your personal data and generally do not give your personal data to third parties but there are some exceptions. We may share your personal data in the following ways (as appropriate):
- in order to provide any services requested by you which may involve us sharing your personal data with our partners, suppliers or third parties we do business with;
- with any actual or prospective seller or buyer of our business and/or any assets. Information held by us about our customers and any users will be one of the transferred assets;
- with our group companies, which means our subsidiaries and holding companies and any subsidiary or holding company of the same;
- in order to comply with any legal obligation or as otherwise permitted by law;
- for debt collection purposes;
- for security purposes or to protect our rights or those of a third party;
- in the conduct or defence of legal claims or in order to enforce our terms and conditions; and
- for the purposes of the prevention or detection of offences, and/or the apprehension or prosecution of offenders, we may share any personal data that we collect with the Police, other public or private sector agencies, governmental or representative bodies in accordance with the relevant legislation. This will include public authorities, insurance companies, finance companies and/or other agencies.
Third-party Links
- Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
International transfers & data storage
International transfers
We do not transfer your personal data outside the UK.
Data storage – how long?
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, suppliers and other third parties who have a business need to know and access the same. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Your legal rights & how to exercise them
Your legal rights
Under data protection laws you have the following rights in respect of your personal data:
- to request information regarding the personal data that we hold about you (commonly known as a “subject access request”);
- to request that we rectify any inaccuracies in relation to the personal data we hold about you;
- to request restriction of processing of your personal data;
- in some circumstances, to request the erasure of your personal data or object to the processing of your personal data;
- to object to the processing of personal data for direct marketing purposes;
- in some circumstances, to request that your personal data be transferred to you or a third party if the data processing is automated; and
- to withdraw consent to us processing your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact our Data Protection Officer using the details set out in this privacy policy. You will not have to pay a fee to access your personal data (or to exercise any other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to a person who does not have the right to receive it.
Complaints
You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO) (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to this privacy policy & your duty to inform us of changes
We keep our privacy policy under regular review.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information (for example, your name, address or email address) changes during your relationship with us.