Privacy Policy

Last updated: December 2024

Introduction

cystopkyay B.V. ("we," "our," or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our thermal spa and sauna complex, use our website at cystopkyay.live, or engage with our services.

This policy applies to all personal data processing activities carried out by cystopkyay in connection with our thermal spa and wellness services. We are the Data Controller for the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Data Controller

cystopkyay B.V. is the Data Controller responsible for your personal data. Our contact details are:

Company: cystopkyay B.V.

Address: Kastanjelaan 39, 1315 IG Almere, Flevoland, Netherlands

Email: privacy@cystopkyay.live

Phone: +31 302226674

Registration: M02144532

VAT: NL14536174B06

Data Collection

The data we collect includes personal information that you provide to us directly, information collected automatically through your use of our services, and information we receive from third parties. We collect this information to provide you with the best possible spa and wellness experience at cystopkyay.

Information You Provide Directly

  • Personal details (name, address, phone number, email address, date of birth)
  • Booking and reservation information
  • Payment information and billing details
  • Health information relevant to spa treatments (allergies, medical conditions, preferences)
  • Communication preferences and marketing consent
  • Feedback, reviews, and correspondence
  • Membership information and loyalty program data

Information Collected Automatically

  • Website usage data (IP address, browser type, pages visited, time spent)
  • Device information and technical specifications
  • Location data (with your consent)
  • Cookie and tracking technology data
  • CCTV footage for security purposes in public areas of our facility

How We Use Your Information

We explain how we use your information in this section to ensure transparency about our data processing activities. The use of your data is essential for providing our thermal spa services and ensuring the best possible experience at cystopkyay.

Service Provision

  • Processing bookings and managing your spa appointments
  • Providing personalised wellness treatments and recommendations
  • Managing facility access and membership services
  • Processing payments and maintaining financial records
  • Ensuring health and safety requirements are met

Communication and Marketing

  • Sending booking confirmations and service updates
  • Providing information about new treatments and special offers (with consent)
  • Responding to enquiries and customer service requests
  • Conducting customer satisfaction surveys

Legal and Business Operations

  • Complying with legal obligations and regulatory requirements
  • Maintaining business records and accounts
  • Protecting against fraud and ensuring facility security
  • Improving our services and website functionality

Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

  • Contract Performance: To provide spa services, process bookings, and manage your membership
  • Legitimate Interests: To improve our services, ensure facility security, and conduct business operations
  • Consent: For marketing communications and non-essential cookies
  • Legal Obligation: To comply with health and safety regulations, tax laws, and other legal requirements
  • Vital Interests: To protect health and safety in emergency situations

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your data in the following circumstances:

  • Service Providers: Trusted third parties who assist in operating our business (payment processors, booking systems, cleaning services)
  • Professional Advisors: Lawyers, accountants, and other professional service providers
  • Legal Requirements: When required by law, court order, or regulatory authority
  • Business Transfers: In connection with a merger, acquisition, or sale of business assets
  • Emergency Situations: To protect health, safety, or prevent harm

Data Retention

We retain your personal data for as long as necessary to fulfil the purposes outlined in this Privacy Policy and to comply with our legal obligations. Our retention periods vary depending on the type of data and the purpose for which it was collected.

  • Customer Records: 7 years after last service for tax and business record purposes
  • Health Information: 10 years after last treatment as required by healthcare regulations
  • Marketing Data: Until consent is withdrawn or 3 years of inactivity
  • Website Data: As specified in our Cookie Policy
  • CCTV Footage: 30 days unless required for investigation purposes
  • Financial Records: 7 years as required by Dutch tax law

Your Rights

Under GDPR and applicable data protection laws, you have the following rights regarding your personal data:

  • Right of Access: Request copies of your personal data
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data in certain circumstances
  • Right to Restrict Processing: Request limitation of how we use your data
  • Right to Data Portability: Request transfer of your data to another organisation
  • Right to Object: Object to processing based on legitimate interests or for marketing purposes
  • Right to Withdraw Consent: Withdraw consent for processing that relies on your consent

To exercise any of these rights, please contact us at privacy@cystopkyay.live or +31 302226674. We will respond to your request within one month.

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

  • Encryption of sensitive data in transit and at rest
  • Regular security assessments and vulnerability testing
  • Access controls and staff training on data protection
  • Secure backup and disaster recovery procedures
  • Regular software updates and security patches
  • Physical security measures at our Almere facility

International Data Transfers

We primarily process your data within the European Economic Area (EEA). If we need to transfer your data outside the EEA, we will ensure appropriate safeguards are in place, such as:

  • European Commission adequacy decisions
  • Standard Contractual Clauses
  • Binding Corporate Rules
  • Certification schemes approved by supervisory authorities

Cookies and Tracking

Our website uses cookies and similar tracking technologies to enhance your browsing experience and analyse website usage. For detailed information about our use of cookies, please see our Cookie Policy.

Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16 without parental consent. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@cystopkyay.live.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated policy on our website and updating the "Last updated" date. We encourage you to review this policy periodically.

Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us using the following contact information:

Privacy Officer: cystopkyay B.V.

Email: privacy@cystopkyay.live

Phone: +31 302226674

Address: Kastanjelaan 39, 1315 IG Almere, Flevoland, Netherlands

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we have not handled your personal data in accordance with applicable laws.