Privacy Policy
This Privacy Policy explains how Ann Thai Massage ("we", "us", "our") collects, uses, shares and protects your personal data when you visit our website or use our services. We are based in Slovenia and process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Slovenian Personal Data Protection Act (ZVOP-2).
1) Who we are (Data Controller)
Ann Thai Massage, Alexander Grigoryants s.p.
Cankarjeva cesta 4, 1000 Ljubljana, Slovenija
Email: annthaimassageljubljana@gmail.com
Phone: +386 68 151 525
If you have questions about this Policy or your rights, contact us at the email above.
2) What data we collect and why
A. Website visits (automatic collection)
Technical data: IP address, device type, browser, operating system, pages viewed, time and date, referral URL.
Purpose & legal basis: website security and performance (Legitimate Interests, Art. 6(1)(f) GDPR); compliance with legal obligations (Art. 6(1)(c)).
B. Contact & booking
Data: name, phone, email, preferred date/time, service type, notes you provide.
Purpose & legal basis: respond to enquiries and make/confirm bookings (Contract, Art. 6(1)(b)); service reminders and operational messages (Legitimate Interests, Art. 6(1)(f)).
Optional special notes: If you share health-related information (e.g., pregnancy, injuries), we only use it to tailor treatment with your explicit consent (Art. 6(1)(a) & Art. 9(2)(a)). Please share only what is necessary.
C. Payments (on site or online)
Data: payment confirmations, partial card/payment tokens (handled by the processor), transaction amount/date.
Purpose & legal basis: process payments, prevent fraud, keep accounting records (Contract/Legal Obligation).
D. Marketing (optional)
Data: name, email/phone, marketing consents, campaign interactions.
Purpose & legal basis: send newsletters, promotions or satisfaction surveys only with your consent (Art. 6(1)(a)). You can withdraw consent at any time.
E. Employment
Data: CV/resume, contact details, employment history, references.
Purpose & legal basis: recruitment and hiring (Legitimate Interests/Pre-contractual steps).
3) Cookies & similar technologies
We use necessary cookies to operate the site and (if enabled) analytics/marketing cookies to improve services.
| Cookie Type | Examples | Purpose | Legal basis / lifespan |
|---|---|---|---|
| Strictly necessary | session_id, cookie_consent | Core site functions, security | Legitimate Interests; expires at session/end dates |
| Analytics (optional) | _ga, _gid (Google Analytics 4) | Understand site usage to improve content | Consent; 1 day – 24 months |
| Functionality (optional) | remembered_service, locale | Save preferences (language, booking details) | Consent/Legitimate Interests; up to 12 months |
You can change or withdraw cookie consent at any time via our cookie banner or your browser settings. Blocking some cookies may affect site functionality.
4) How we share your data
We only share personal data with:
- IT/hosting & security providers that keep our website running.
- Booking & scheduling tools when you book online.
- Payment processors for secure transactions.
- Email/SMS providers to send confirmations or reminders.
- Accountants or legal advisors for statutory compliance.
- Public authorities if required by law.
All processors act under contracts that require GDPR compliance. We do not sell your personal data.
International transfers: If any provider stores data outside the EU/EEA, we rely on an adequacy decision (e.g., EU-US Data Privacy Framework) or Standard Contractual Clauses (SCCs) with additional safeguards.
5) Data retention
We keep personal data only as long as necessary for the purposes collected, then delete or anonymise it.
- Booking/enquiry data: up to 24 months after your last appointment/enquiry.
- Client service records/consents: up to 5 years (or longer if required by health & safety rules, insurance, or legal claims).
- Payment/accounting records: 10 years (Slovenian tax law).
- Marketing lists: until you unsubscribe or withdraw consent.
- Job applications: up to 6 months unless you consent to a talent pool.
6) Your rights (GDPR)
You have the right to:
- Access your data and get a copy.
- Rectify inaccurate or incomplete data.
- Erase data ("right to be forgotten") where applicable.
- Restrict or object to certain processing (including direct marketing).
- Port the data you provided to us based on consent or contract (data portability).
- Withdraw consent at any time (does not affect prior processing).
- Lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec): https://www.ip-rs.si/
To exercise your rights, contact us at annthaimassageljubljana@gmail.com. We may need to verify your identity.
7) Children
Our services and website are not directed to children under 16. We do not knowingly collect children's data without parental/guardian consent.
8) Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (HTTPS), access controls, least-privilege policies for staff, and regular updates/patching. However, no method of transmission or storage is 100% secure.
9) Links to third-party sites
Our website may contain links to other websites. Those sites have their own privacy policies; we are not responsible for their practices.
10) CCTV (if used at the salon)
If CCTV is in use on the premises, it is for security and safety. Footage is retained for up to 30 days unless longer is required for an investigation and may be shared with authorities if legally required. Signs are displayed where CCTV operates.
11) Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top shows the current version. Significant changes will be highlighted on our website.