Privacy and Cookie Policy
Last updated September 2023
The basics
Who are we? We are Treatwell Limited (we, our, us) and in these Terms we are described in different ways depending on the activity we engage with concerning your data. We process your personal data if you are a business, and we have a lawful and reasonable basis to do so. We process your personal data if you are a customer of our App or Website and we have a lawful and reasonable basis to do so. When we process your data in these instances we are regarded as a "data controller". In certain situations, you may provide your data to a partner and in this instance, they are "data controllers" and we are "data processors".
If you have any questions about how we collect, use or share your data, please contact us at support.treatwell.com/hc/en-nl or dpo@treatwell.com, or write to us at Treatwell Limited, Fairfax House, 15 Fulwood Place, London WC1V 6HU.
What is the purpose of this policy?
We are committed to protecting the privacy of our customers and business partners. We have written this Privacy Policy (policy) to ensure you have all the information you need about how we collect and process your personal data, and how we make sure it is kept safe. When we collect and process your personal data, we are regulated under the General Data Protection Regulation (EU) 2016/679 (the GDPR) which applies across the EEA (including in the UK) and the Data Protection Act 2018.
Who does this policy apply to?
This policy applies to anyone who uses:
- our Websites (www.treatwell.com, www.treatwell.nl),
- Connect, our salon diary and management tool app and website (www.connect.treatwell.co.uk),
- our Apps (which means the marketplace booking application and Connect app on Android or iOS),
- customised websites powered by Connect and hosted on www.mytreatwell.co.uk (Partner Sites), and
- Widgets to make bookings with our salon partners (Partners) whose websites are powered by Connect and that may embed these Widgets on their Partner Site, their own websites and/or social media pages.
(together, the Platform).
How can you complain?
You can complain to us at any time using the details above. You also have the right to make a complaint to the ICO, or any supervisory authority in the EU Member State where you live. We would, however, appreciate the chance to deal with your concerns before you approach any supervisory authority, so please contact us first.
How do we update this policy?
We understand that things change, so we will continue to review the effectiveness of this policy and make sure it is achieving its goals. We might update the policy from time to time and will post the most recent version on this page. If we make a change to this policy that we consider material, we will notify you via the Platform.
If you have any questions about this policy or how it works, please get in touch and we would be happy to chat!
The details - how we are collecting and using your data, and why
What personal data do we collect and why?
We use a few different methods to collect your personal data. Sometimes you provide us with this data and other times it will be collected automatically when you visit and/or use the Platform.
We collect personal data for a number of reasons, including to meet our legal obligations, manage our operations, improve our organisation and deliver our services to you. Under data protection law we can only use your personal data where we have a legal basis to do so (e.g., legal duty, contract, legitimate interest, consent, etc).
The legal basis, the purpose and the retention period which we apply to our main processing activities are set out below:
Purpose 1: To set up and administer your requested account.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: 5 years in the event of inactivity of the account.
Purpose 2: Processing your comments, reviews or survey responses.
- Lawful Basis: When it is our legitimate interest to provide good customer service.
- Retention period: Until the deletion of your account in accordance with the applicable law.
Purpose 3: Delivering any emails, surveys, newsletters and alerts that you have signed up to.
- Lawful Basis: Your consent.
- Retention period: Until consent is withdrawn.
Purpose 4: Delivering our services to you.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: 10 years from performance of the contract, or at least until the expiry of the statutory period of limitation that applies to the subject matter of the contract.
Purpose 5: Delivering our services to you.
- Lawful Basis: Your consent.
- Retention period: Until consent is withdrawn.
Purpose 6: Facilitating your booking and delivering the services to you.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: Maximum 10 years after the end of each tax year in which the transaction occurs.
Purpose 7: Responding to complaints, questions and feedback and providing information about your requested service.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: 90 days from the date of call recording.
Purpose 8: Responding to complaints, questions and feedback and providing information about your requested service.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: 30 days after the end of the Live Chat Session.
Purpose 9: Receiving feedback about our services.
- Lawful Basis: Fulfilling our contract with you and our partners.
- Retention period: 30 days after submission.
Purpose 10: Resolving the litigation and investigation.
- Lawful Basis: Fulfilling our contract with you/our legal duty.
- Retention period: 10 years from the end of the investigation/litigation (unless there are grounds to keep for longer).
Purpose 11: Administering the Platform and other systems and protecting them.
- Lawful Basis: Legitimate interest.
- Retention period: Maximum 1 year from entry.
Purpose 12: To improve the Platform and services, using data analytics.
- Lawful Basis: Legitimate interest.
- Retention period: Up to 2 years.
Purpose 13: Showing you content and features that are personal to you and your interests.
- Lawful Basis: Your consent.
- Retention period: Until consent is withdrawn.
Purpose 14: Understanding your preferences for marketing, automated decision-making, profiling, cookies and any other processing activities that you can opt-out of.
- Lawful Basis: Your consent.
- Retention period: Until consent is withdrawn.
Purpose 15: Developing and carrying out marketing activities.
- Lawful Basis: Legitimate interest.
- Retention period: Until consent is withdrawn.
Personal Data
Type of personal data: Contact information
- Description: Name, addresses, e-mail address, phone number, date of birth and other contact details.
- Purpose:
  - To set up and administer your requested account.
  - Delivering our services to you.
  - Processing your comments and reviews.
  - Delivering any emails, surveys, newsletters and alerts that you have signed up to.
- Lawful basis:
  - Fulfilling our contract with you.
  - When it is our legal duty.
  - When you consent to it.
  - When it is in our legitimate interest to:
    - collate and publish reviews of our Partner’s products/services
    - notify you about new services and special offers we think you would be interested in
    - send you information about competitions, surveys and Partner's promotional offers
    - enable Partners and other third parties to send information about their goods and services
    - publish reviews of Partner products or services and use these for ads
Type of personal data: Sensitive information
- Description: Details about your race or ethnicity, health, sex or other sensitive data that you voluntarily give when making a booking or submitting a review.
- Purpose: Delivering our services to you.
- Lawful basis: When you provide your explicit consent.
Type of personal data: Financial information
- Description: Payment details (i.e., your card details when paying for our services).
- Purpose: Facilitating your booking and delivering the services to you.
- Lawful basis:
  - Fulfilling our contract with you.
  - When it is in our legitimate interest to:
    - keep our records up to date
Type of personal data: Communications
- Description: Emails, calls, live chats or other methods of communication you choose to use.
- Purpose:
  - Investigating and responding to complaints, questions and feedback.
  - Providing information about your requested service.
- Lawful basis:
  - Fulfilling our contract with you.
  - When you consent to it.
  - When it is in our legitimate interest to:
    - resolve issues and improve our services to you
    - improve our user communications
    - develop our training programmes
Type of personal data: Data that identifies you
- Description: Details about the devices and technology you use (e.g., your website browser settings, IP address, location, etc).
- Purpose: Administering the Platform and other systems and protecting them. This includes troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting.
- Lawful basis:
  - When it is in our legitimate interest to:
    - ensure our organisation runs properly
    - keep the Platform and systems secure
    - protect our systems and software, including your personal data
    - improve our services
    - conduct internal research and analysis on the use and performance of the Platform and services
Type of personal data: Data on how you use the Platform
- Description: Information about how you use the Platform and services.
- Purpose:
  - Understanding how we can improve the Platform and services, using data analytics.
  - Showing you content and features that are personal to you and your interests.
- Lawful basis:
  - Fulfilling our contract with you.
  - When you consent to it.
  - When it is in our legitimate interest to:
    - verify your compliance with our agreements and for defending legal claims
    - monitor, improve and protect the Platform, products and services, and personalise these based on your use
    - develop our business
    - improve our service offering
Type of personal data: Preferences and consents
- Description: Your marketing and communication preferences.
- Purpose:
  - Understanding your preferences for marketing, automated decision-making, profiling, cookies and any other processing activities that you can opt-out of.
  - To send information about your requested services (i.e., appointment reminders).
  - Developing and carrying out marketing activities.
- Lawful basis:
  - When you consent to it.
  - When it is in our legitimate interest to:
    - notify you about our services and special offers we think you would be interested in
    - tailor and personalise ads based on the information you provide and your use of the Platform
    - conduct market research and consumer surveys
    - use cookies and similar technology
What about the information I give when I make a booking for someone else?
If you plan to give us someone else’s personal data (e.g., when making a booking for them), they must have access to this policy and you must get their consent before sharing any information with us.
How long do we keep your data for?
When we decide how long we need to keep your data for, we take into account the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of your data, the purposes we use your data for and whether we can achieve those purposes another way.
The retention period which we apply to your personal data is defined in the table above.
You can contact us for more details on our data retention policy.
Do we use cookies and other tracking technologies?
A cookie is a small file of letters and numbers that is stored on your browser or the hard drive of your computer. As with other commercial websites and apps, the Platform uses standard technologies including cookies and similar tools to enhance your user experience, improve our systems and provide tailored offers to you. You cannot actually see cookies as they sit in the background of our systems, but they are probably present on most sites you visit.
For more information on the cookies we use, please take a look at our Cookie Policy.
What marketing activities do we conduct?
We want you to know all about us, our Partners and the services available. To do this, we undertake marketing activities which sometimes involve using your personal data - such as sending you newsletters via email or showing you online adverts.
You will not receive marketing from us by email or text unless you have given us permission, or unless you have used our services before. These messages might contain information about our services, offers, competitions and other important information.
Third parties
We may disclose your personal data to a select group of third parties. But we treat the security and method of processing your personal data very seriously, and we will never sell your personal data.
We have outlined below who those third parties are:
Type of third party: Other Treatwell companies
- Description: Treatwell Limited is part of the Treatwell Group, so we might need to share and collect personal data with other companies in the group to provide and administer our products and services.
- Collect: ✓
- Share: ✓
Type of third party: IT and hosting providers
- Description: If you place an order or engage with us via a website or app that is powered by a third party, we will share your contact and order details (e.g., lastminute.com when you make a booking via spa.lastminute.com). If you give a third party the relevant consents (which we collect on their behalf), they may also send you marketing communications.
- Collect: ✓
- Share: ✓
Type of third party: Our Partners
- Description: When you book services with one of our Partners through us, we will share your information so Partners can: (i) facilitate bookings and, if necessary, contact you before your booking, (ii) deliver marketing emails you have opted in to, and (iii) improve their service offerings and business operations.
- Collect: ✕
- Share: ✓
Type of third party: Business support tools
- Description: We may share your personal data with service providers to: (i) perform functions on our behalf related to the Platform, the running of our business and the provision of our services (e.g., processing payment details, analytics, etc), and (ii) facilitate our business and improve our services.
- Collect: ✕
- Share: ✓
Type of third party: Partner’s IT and hosting service providers
- Description: When our Partners use third-party software providers, we may share your personal data with them to ensure the software solution and Connect display up to date and accurate information.
- Collect: ✕
- Share: ✓
Type of third party: Competitions
- Description: We may share your personal data with brands that we are looking to collaborate with on products, services, competitions and campaigns, and we will get your consent before we do this.
- Collect: ✕
- Share: ✓
Type of third party: Third parties involved in business reorganisation
- Description: If we, or the Treatwell Group, decide to sell, transfer or merge part of our organisation or if we become insolvent, we may need to share your personal data with other organisations as part of the process.
- Collect: ✕
- Share: ✓
Type of third party: Government and regulatory organisations
- Description: We might be required to share your personal data with official bodies to fulfil our legal and regulatory obligations. We might also need to disclose your data for court proceedings, to enforce our agreements or to protect customers (including by sharing data with companies for fraud protection and credit risk reduction).
- Collect: ✕
- Share: ✓
Type of third party: Marketing, business development and sales partners
- Description: To provide you with personalised adverts, we may need to share your personal data with any media agencies and advertising partners we engage with.
- Collect: ✕
- Share: ✓
How will my reviews be used?
Any personal data you upload to publicly visible areas of the Platform (such as review sections), may be collected by third parties, and we have no control over this and are not responsible for how they may use this information. We recommend you are careful about the information you disclose in these areas.
What about third-party links on our Site?
The Platform might include links to third party websites, and often these links are solely there as pointers to information on topics that might be useful to you. Clicking on those links might allow third parties to collect or share data about you.
We do not control these third-party websites and are not responsible for their privacy standards. When you leave the Platform, please remember that this policy no longer applies, and we encourage you to read the privacy policy of any website you visit.
What happens to information you provide via social media?
Parts of the Platform may allow you to submit your own content, such as reviews and photos of your experience. It is important to remember that these submissions can be viewed by the public, and we are not responsible for any actions taken by other individuals if you post personal data on one of our social media platforms. We recommend you are cautious about providing certain information (e.g., card details or your address) and that you refer to the privacy and cookie policies of the social media platforms you use.
What information do you need to know about our key third parties?
Stripe. We use a third-party payment processor, Stripe, to process all payments made by you on our Website & App. Treatwell does not store credit card details and instead relies on Stripe for this. We obtain limited information from Stripe such as the last four digits, the country of issuance and the expiration date. The processing of such data by Stripe is covered by their privacy policy which may be viewed here: https://stripe.com/privacy. Stripe’s services in Europe are provided by a Stripe affiliate, Stripe Payments Europe Limited, an entity located in Ireland. In providing its payment processing services, Stripe Payments Europe Limited transfers personal data to Stripe, Inc. in the US. For further information about the safeguards used when your information is transferred outside the European Economic Area, see the section of Stripe’s privacy policy entitled “International Data Transfers”.
PayPal. Please note that all PayPal transactions are subject to the PayPal Privacy Policy which can be found here: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full. Please ensure that you are happy with the terms of the PayPal Privacy Policy if you wish to use PayPal to complete any transactions through the Platform.
Spa.lastminute.com. The spa.lastminute.com page is powered by Treatwell. Treatwell performs certain functions as a data controller in partnership with lastminute.com, also a data controller, and as a result Treatwell is required to process your personal information and share some of that information with lastminute.com when you browse and/or book on spa.lastminute.com. The purposes for which Treatwell collects, processes & shares your personal data with spa.lastminute.com are: (i) to fulfil a contract with you, by: (a) processing & managing your bookings; and (b) communicating with you about your booking; and (ii) to fulfil our, or third parties', legitimate interests, by: (a) providing search results; (b) communicating with you, including via Treatwell’s lastminute.com branded customer service function via telephone and email; and (c) on behalf of the relevant venue, collecting your consent (if you choose to provide it) at the checkout page to receive marketing emails from the particular venue with whom you are booking. As well as collecting personal information directly from you during the booking process, Treatwell also uses Cookies (defined below) on spa.lastminute.com in order to ensure spa.lastminute.com works correctly, to enhance and simplify your user experience, to enable us to understand how many users visit our spa.lastminute.com, to establish the source of your booking (channel, location, etc.) and consequently to enable verification of the booking as a lastminute.com booking and to send lastminute.com branded transactional communications to spa.lastminute.com customers. Please see the cookies section of this Privacy Policy for further information on the purposes for which we collect and use this information. 
For information on retention of your personal data, transfers of your personal data (to third parties and outside the European Economic Area), and your rights in respect of your personal data, please refer to the relevant sections of this Privacy Policy. If you have any queries or wish to exercise any of your rights in respect of the personal data processing described in this paragraph, please contact Treatwell using the details set out in this Privacy Policy.
Treatwell will also, on behalf of and under the instructions of lastminute.com, collect your consent (if you choose to provide it) at the checkout page to receive marketing emails from lastminute.com and pass this to lastminute.com daily via a secure data feed. For the avoidance of doubt, Treatwell does not collect any marketing opt-in for itself on spa.lastminute.com. lastminute.com also use cookies and similar tracking measures on spa.lastminute.com to collect information about your behaviour and for other purposes including personalisation, analytical and advertising and re-marketing. Please see lastminute.com's privacy policy here and cookie policy here for more information on how lastminute.com collects and processes your personal data. If you have any queries or wish to exercise any of your rights in respect of the personal data processing described in this paragraph, please contact lastminute.com using the details set out in their privacy policy.
Do we transfer data outside of the EEA?
The personal data that we hold about you will be held in the UK and the European Economic Area (EEA), but it might also be transferred to or stored outside the UK or EEA, including in the US and Israel.
When we transfer your data to third parties outside the EEA, we make sure your data is safe. We do this by putting one of the following safeguards in place:
- only transferring it to a country the European Commission has decided has a suitable level of protection, or
- by putting in place contracts (known as the Standard Contractual Clauses, and the International Data Transfer Agreement/Addendum) that make sure the third party outside of the EEA promises to protect your personal data. We also make sure any other necessary security measures are put in place.
If you are in the EEA, you can contact us at any time and we will let you know exactly what safeguards we have put in place for the transfer of your personal data outside the EEA. You can also contact us at any time at support.treatwell.com/hc/en-nl for a copy of the relevant mechanism.
Your rights
What are your rights and how do you exercise them?
Under the GDPR, you are entitled to the following rights:
- Asking us for a copy of your data: You can ask us for a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Asking us to delete or erase your data: You can ask us to delete your personal data where there is no good reason for us continuing to process it.
Sometimes we cannot meet your request because of legal reasons. But don’t worry, we will tell you if this applies when you make your request!
- Asking us to correct your data: You may be able to view or change the data we hold about you by logging in to your online account. If this does not work, you can ask us to correct the data - but we might need to check that the new data you give us is right.
- Ask us to send your data to another organisation: You can ask us to move, copy or transfer your personal data to a different organisation, where it is reasonable and fair.
- Ask us how we are using your data: We will tell you how we collect, use and share your personal data.
- Asking us to restrict the processing of your data: If you have a particular reason (for example the content or how we are using it), you can ask us to limit the ways in which we are using your data.
- Objecting to our processing activities: For certain types of activities, like direct marketing, you can ask us to stop at any time.
You can also object if we are making decisions that are automated or if we are using your data to profile you (this basically means we are using your data to guess what you are interested in or make decisions about you). If there are circumstances when it is really important for us to use your data, we may be unable to stop the processing. But don’t worry, we will let you know if this is the case - and our reasons.
We might ask you to give us information to verify your identity (especially when you ask for financial information). This is to make sure we keep your and our other customers’ personal data safe.
We try to respond to legitimate requests within 1 month of receiving them. Sometimes it might take us longer if your request is complicated or you have more than 1 request. But don’t worry, we will make sure to let you know if we need more time and will keep you updated.
There are some requests that we will not be able to fulfil, and this can be for many reasons, including when there is a risk that another person's personal data will be disclosed, or if we have a legal requirement or a compelling reason to continue processing your personal data which you have asked us to delete.
If you want to exercise any of these rights, please get in touch with us at support.treatwell.com/hc/en-nl. If you need more information about your rights, including the circumstances in which they apply to you, please see the ICO’s websites or contact us.
How can you withdraw your consent and opt-out of processing?
You can ask us to stop sending you marketing messages that you have previously consented to at any time you want. You can do this by following the instructions in our communication, or by using the details set out below:
- General. Following the instructions in the communication or contacting us.
- Emails. Clicking the “unsubscribe” button at the bottom of our email or contacting us at support.treatwell.com/hc/en-nl (please allow 48 business hours for your email to be removed from our system).
- Partner communications. Contacting the Partner or third party directly. In the case of our Partners, if you need our help, we would be happy to do what we can.
- Push notifications. Revoking this within your phone’s operating system settings.
When you opt-out or unsubscribe from marketing, we will stop using your personal data in the ways you have asked. However, we will not delete your data as we may need it for other reasons. If you want us to delete all your data, please ask us to do that, as well as opting-out of marketing messages.
If you withdraw your consent and/or opt-out, we might not be able to provide certain services to you. If this is the case, we will let you know. You can of course give us your consent again if you want to access our services.
Please note that when you have opted out using the above methods, you may still see our non-targeted ads when you are online as we have no control whether these ads are displayed to you.
You have a right to withhold your consent without suffering any adverse effects.
Security
What security measures do we have in place?
We use strict procedures and security features to protect personal data we receive from you.
Last updated version: 2023-01-08
…
Our policy on Cookies
In common with other commercial websites and apps, our Platform uses standard technologies including cookies and similar tools including web server logs, web beacons, tokens, pixel tags, local storage, device identifiers and tracking IDs (together referred to as “Cookies” in this Privacy Policy) to enhance your user experience, improve our site and provide tailored offers on Treatwell and other sites.
Please see the table below for a live breakdown of the Cookies that are used on our Platform.