Privacy Policy

Last updated: January 1, 2026

Data Controller Information

Grandvectorora GmbH is the data controller responsible for your personal data. If you have any questions about this privacy policy or our data practices, please contact us using the information provided in the contact section below.

Data Collection

We collect personal data that you provide to us directly and information that is automatically collected when you use our website and services. The data we collect includes:

• Contact Information: Name, email address, phone number, and mailing address when you book appointments or contact us
• Appointment Data: Service preferences, appointment history, and special requests or health considerations
• Payment Information: Billing details and payment method information (processed securely through our payment processors)
• Website Usage Data: IP address, browser type, device information, pages visited, and time spent on our website
• Communication Records: Records of our communications with you, including emails and phone calls

How We Use Your Information

We use the personal data we collect for the following purposes, based on legitimate business interests, contractual necessity, or your consent:

• To provide and deliver our spa and wellness services
• To process and manage your appointments and bookings
• To communicate with you about your appointments, services, and account
• To process payments and maintain financial records
• To improve our services and customer experience
• To send you marketing communications (with your consent)
• To comply with legal obligations and protect our rights
• To analyze website usage and improve our online presence

Cookies and Tracking Technologies

We may use cookies and tracking technologies for analytics, advertising, and remarketing purposes, including Google Ads. These technologies help us measure campaign effectiveness, deliver relevant advertisements, and improve our services. You can manage your cookie preferences at any time through our cookie consent banner. For detailed information about our use of cookies, please refer to our Cookie Policy.

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following limited circumstances:

• Service Providers: With trusted third-party service providers who assist us in operating our business (payment processors, appointment scheduling systems, email services)
• Legal Requirements: When required by law, court order, or government regulations
• Business Protection: To protect our rights, property, or safety, or that of our clients or others
• Business Transfers: In connection with a merger, acquisition, or sale of business assets

Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, secure servers, access controls, and regular security assessments. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this privacy policy, comply with legal obligations, resolve disputes, and enforce our agreements. Generally, we retain client records for up to 7 years after your last appointment for business and legal purposes. Website analytics data is typically retained for 26 months.

Your Rights

Under GDPR and applicable privacy laws, you have the following rights regarding your personal data:

• Right of Access: Request information about the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your personal data under certain circumstances
• Right to Restrict Processing: Request limitation of how we process your personal data
• Right to Data Portability: Request transfer of your data to another service provider
• Right to Object: Object to processing of your personal data for direct marketing or legitimate interests
• Right to Withdraw Consent: Withdraw consent for processing where we rely on consent

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) where our service providers are located. We ensure that such transfers are protected by appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.

Children's Privacy

Our services are intended for adults, and we do not knowingly collect personal information from children under 16 years of age. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website and updating the "Last updated" date. We encourage you to review this privacy policy periodically.

Contact Information

If you have any questions about this privacy policy, wish to exercise your rights, or have concerns about how we handle your personal data, please contact us:

Supervisory Authority

If you believe that our processing of your personal data violates applicable law, you have the right to lodge a complaint with the relevant supervisory authority. In Austria, this is the Austrian Data Protection Authority (Datenschutzbehörde).