Privacy Policy
This Policy aims to give you information on how Nirvana Spa collects and processes your personal data, including any data you may provide through our website located at https://nirvanaspa.co.uk, when you sign up to receive our marketing newsletter and updates, when you make a booking, visit us and/or otherwise communicate with us.
It is important that you read this Policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.
Our Website uses cookies. Please refer to our Cookie Policy for more information about the cookies we use and the purposes for which we use them.
Amendments and updates to this Policy may be made from time to time. Any revisions will be posted on this page, so you will always be aware of what information we collect and how we use that information. Please review this page regularly so that you are aware of any changes.
Who we are and how to contact us
For the purposes of data protection laws, Nirvana Spa and Leisure Limited, a company registered in England and Wales with Company No 01016625 and whose registered office address is at Nirvana Spa, Mole Road, Sindlesham, Wokingham, Berkshire, RG41 5DJ, is the data controller.
We have a data protection officer who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact the data protection officer using the details set out below:
Telephone: 0118 989 7506
Email: [email protected]
Nirvana Spa & Leisure Limited is registered with the UK Information Commissioner’s Office (Z526644X).
Changes to your information
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information (e.g. name or address) changes during your relationship with us so that we can update our records.
What is personal information and how can it be used
“Personal data”, or “personal information”, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We will only process your personal data when the law allows us to and for the purposes set out in this Policy. The lawful bases upon which we will process your personal data are:
- when you give your consent;
- when necessary for the performance of a contract we have entered into or are entering into with you;
- when necessary to comply with a legal or regulatory obligation;
- for our legitimate interests or those of a third party, provided that your interests and fundamental rights and freedoms do not override those interests.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). We will notify you if this is the case at the time.
We may also use your personal data to meet our legal obligations, to deal with any complaints and for the enforcement of our terms and conditions.
We may use your personal data for our legitimate business interests which include security purposes and for the prevention and detection of crime, improvements to our Website, improvements to our facilities, products and services and for general marketing purposes. We will not do so though where our interests are outweighed by your interests, rights and freedoms.
We have set out below a description of the types of personal data we may collect and how we will use it.
What personal information do we process?
Members and spa visitors
When you become a member, make a booking with us or visit the Spa we will collect personal information from you and use it as further described below.
Customer Records
Your Customer Record includes personal information, visit information and financial data. This information is only used for our own operational purposes and for the purposes of providing you with the goods and/or services requested. If you provide an email address you will be asked if you consent to receiving emails from Nirvana Spa for marketing purposes. For further information regarding marketing emails, please see the section below headed “Marketing Communications”.
Staff with access to your Customer Record have all been DBS checked and have signed our data protection policy. If any information requires updating please inform a member of staff at Reception. Information in your Customer Record is kept for seven years from the date of your last interaction with Nirvana Spa.
We store personal information for identification purposes. Personal information may include your name, address, email address, contact number, date of birth, age, gender, log in data.
We record data relating to your visits to the Spa including date and time of visit, treatment bookings, guest bookings.
We record financial data relating to your customer account including bank account and payment card details. In the event you complete a Health and Safety form or Treatment Disclaimer we will make a note on your Customer Record.
Finally we may record notes regarding a conversation with you if this is relevant to your account.
Medical Information
When you visit us or become a member, we may collect certain types of Special Categories of personal data (also known as sensitive personal data) which might include health and medical information. We will only collect such information where you give it to us and where it is directly relevant to your visit or your use of our facilities, such as the spa and treatment area or the restaurant. If you have any allergies or intolerances we will note those on your Customer Record for your wellbeing.
Health and Safety Record
If you are involved in a health and safety incident we will record this information on a Health and Safety Record Form and on a spreadsheet. We are required to do so in order to comply with our legal obligations and as necessary for the establishment, exercise or defence of legal claims. This information may include Special Categories of data (also known as sensitive personal data).
This information is accessible only by the Health and Safety Team and the Operations Managers, all of whom have been DBS checked. In the event of a serious incident the information will be shared with our insurers and may also be shared with our legal advisors and other professional advisors. The information recorded will be kept for three years after the date of the incident or, if the incident involves a child, for three years after the child turns 18 years old.
Treatment Disclaimer
If you are required to complete a Treatment Disclaimer Form we will record this information on your Customer Record and store the form for three years.
This information is accessible only by the Treatment Team and the Operations Managers, all of whom have been DBS checked, and is used for the purpose of providing your treatment and for your wellbeing.
Wellness Orientation Record
If you have a one to one session with one of our Wellness Coaches the information discussed will be recorded on an appointment card which is stored in a cabinet accessible by the Wellness Team. Information relating to the appointment may be added to your Customer Record. The Wellness Coaches have all been DBS checked and have signed our data protection policy.
CCTV
We employ CCTV around the Spa for monitoring and security purposes to ensure a safe environment for our staff and guests. We also use it for evidential purposes in the case of an incident or where there has been a complaint.
In all locations, signs are displayed notifying you that CCTV is in operation and providing details of who to contact for more information about the scheme. We will only disclose CCTV images to others for the purposes stated above. For more information regarding our use of CCTV please contact our Data Protection Officer.
Communications
We will collect personal information when you communicate with us (whether via email, telephone, post or in person) or interact with us in any other way, including but not limited to social media interactions, attending events, entering competitions, signing up for special offers and/or completing surveys.
Website
When you visit our Website, we will collect certain personal information as further described below.
Personal information collected by our Website
Our website uses Google Analytics (GA) to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website. This information does not identify you personally to us.
Google Analytics records data such as your geographical location, device, internet browser and operating system; none of this information personally identifies you to us. Google Analytics also records your computer’s IP address, which could be used to personally identify you, but Google do not grant us access to this. Google Analytics makes use of cookies; disabling cookies on your internet browser will stop Google Analytics from tracking any part of your visit to pages within this website. Please see our Cookies Policy for more information on the use of cookies across the Website.
Contact forms and email links
Should you choose to contact us using any of our contact forms or email links on our Website, the information you submit will only be used to respond to and deal with your enquiry.
We will not use this information for any other purpose, including marketing communications. The information you submit will not be stored by our Website; instead the data will be collated into an email to be actioned by our team. Where relevant, information may be transferred to your Customer Record.
Customer feedback
This includes information that you voluntarily share with us about your experience in using our products and services and is used for our legitimate interests to allow us to develop and improve our products and services. This information is collected via email using Dotmailer. Your personal information is only used if you have asked for a response to your feedback. Details of a response to you will be noted on your Customer Record. Feedback data is anonymised before statistical analysis takes place.
Marketing Communications and Newsletters
We may use your personal information to form a view on what we think you may want or need, or what may be of interest to you. Where we do so it is for our legitimate interests.
You will receive marketing communications from us if you have subscribed to receive them or otherwise requested to receive them from us. We will not send marketing communications to you where you have not consented to or have opted out of receiving these.
If you choose to subscribe to our email list, the email address that you submit to us will be forwarded to Dotmailer who provide us with email marketing services. You will receive our regular newsletter and occasional emails regarding events, special offers and our facilities.
You can ask us to stop sending you marketing emails at any time by following the opt-out links on any marketing email sent to you or by contacting us at any time via [email protected].
Where you opt out of receiving these marketing emails, we may still contact you for other purposes where we have a lawful basis to do so.
Online voucher purchase
Data relating to any purchase you make via our Website will be held within your Customer Records and shared with our suppliers and fulfilment providers. The data will be used for the purpose of providing you with the item requested.
Links
Our Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy notice of every website you visit.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.
Disclosures of your personal data
We will not sell your personal data and generally do not give your personal data to third parties but there are some exceptions. We may share your personal data in the following ways (as appropriate):
- in order to provide any services requested by you which may involve us sharing your personal data with our partners, suppliers or third parties we do business with;
- with any actual or prospective seller or buyer of our business and/or any assets. Information held by us about our customers and any users will be one of the transferred assets;
- with our group companies, which means our subsidiaries and holding companies and any subsidiary or holding company of the same;
- in order to comply with any legal obligation or as otherwise permitted by law;
- for debt collection purposes;
- for security purposes or to protect our rights or those of a third party;
- in the conduct or defence of legal claims or in order to enforce our terms and conditions; and
- for the purposes of the prevention or detection of offences, and/or the apprehension or prosecution of offenders, we may share any personal data that we collect with the Police, other public or private sector agencies, governmental or representative bodies in accordance with the relevant legislation. This will include public authorities, insurance companies, finance companies and/or other agencies.
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, suppliers and other third parties who have a business need to know and access the same. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We take reasonable steps to ensure that any third parties hosting our Website and our other services have adequate security measures in place to protect personal data.
Our Website is hosted within a UK data centre. Access to the centre is only granted to authorised personnel and is controlled by biometric iris scanners. Our CRM is hosted onsite on our own servers. All servers are owned by Nirvana Spa and managed by Nirvana Spa’s in-house IT team who are DBS checked. No third parties have unmonitored access.
Data storage – how long?
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. Where processing is based on your consent, we shall only process your personal data until such time as you withdraw your consent unless we have another lawful basis on which we can continue to process your personal data.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Your legal rights
Under data protection laws you have the following rights in respect of your personal data:
- to request information regarding the personal data that we hold about you and the source(s) of that information. You can request a copy of any personal data we hold about you. This service is usually free of charge, although we have the right to charge a ‘reasonable fee’ in some circumstances;
- to request that we rectify any inaccuracies in relation to the personal data we hold;
- in some circumstances, to request the erasure of your personal data or object to the processing of your data;
- to object to any direct marketing;
- in some circumstances, to request that your personal data be transferred to you or a new provider if the data is processed automatically; and
- to withdraw consent to us processing your personal data. This will not affect the processing already carried out with your consent.
If you wish to exercise any of the rights set out above, please contact our Data Protection Officer using the details set out in this Policy.
You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to a person who does not have the right to receive it.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.