Privacy Policy

Who We Are

Serene Spa Center (“Serene Spa”, “we”, “us”, or “our”) is a luxury wellness and therapeutic spa located at Bahnhofstrasse 14, 8001 Zürich, Switzerland. We are the data controller responsible for the personal information collected through our website, booking systems, and in-spa services.

This Privacy Policy explains what personal data we collect, why we collect it, how it is used, and the rights you hold in relation to it. It applies to all visitors to our website at serenespa.com, all clients who book treatments or memberships, and all individuals who contact us by any channel.

Data We Collect

We collect personal data through several points of contact:

• Booking information: name, email address, phone number, preferred treatment, date and time, and any special requests or health notes you choose to share.
• Contact form submissions: name, email address, and the content of your message.
• Gift card purchases: purchaser name, email, recipient name, and payment details (processed securely by our payment provider — we do not store card numbers).
• Membership enrolment: full name, address, date of birth, email, and payment details.
• Newsletter subscriptions: email address only.
• In-spa health consultation forms: health history, allergies, contraindications, and therapist notes. This is classified as sensitive health data and handled with additional care under Art. 5 nDSG.
• Website usage data: IP address, browser type, pages visited, and time spent — collected anonymously via our analytics provider.

We only collect data that is necessary for the purpose stated. We do not collect data from children under 16 without verifiable parental consent.

How We Use Your Data

Your personal data is used solely for the following purposes:

• To confirm, manage, and fulfil your appointment or membership booking
• To tailor treatments to your health status and preferences
• To send transactional communications (booking confirmation, reminders, receipts)
• To respond to contact form enquiries and support requests
• To send our newsletter if you have opted in — you may unsubscribe at any time
• To process gift card purchases and deliver certificates
• To comply with Swiss tax, invoicing, and regulatory requirements
• To improve the quality of our website and services through anonymised analytics

We do not use your data for automated decision-making or profiling. We do not sell your data to any third party. We do not use your data for advertising targeting on third-party platforms.

Legal Basis for Processing

Our processing of personal data is grounded in the following legal bases under the Swiss Federal Act on Data Protection (nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR):

• Contract performance (Art. 6(1)(b) GDPR / Art. 31 nDSG): processing necessary to fulfil a booking, membership, or gift card purchase.
• Legitimate interests (Art. 6(1)(f) GDPR): anonymised analytics to improve our website; fraud prevention; security of our systems.
• Consent (Art. 6(1)(a) GDPR): newsletter subscription and optional marketing communications. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c) GDPR): retention of invoices and financial records as required by Swiss law.
• Vital interests (Art. 6(1)(d) GDPR): health data shared in consultation forms, processed to protect your safety during treatments.

Data Sharing

We share personal data only where strictly necessary and with appropriate safeguards in place:

• Payment processors: Stripe Inc., for secure handling of card payments. Stripe operates under its own privacy policy and is certified to PCI DSS Level 1.
• Email service provider: used to deliver booking confirmations and newsletters. Data is processed under a data processing agreement.
• Booking system provider: our appointment management software receives booking data necessary to manage your reservation.
• Legal and regulatory authorities: where required by Swiss or EU law, or by a valid court order.

Any third party we work with is contractually bound to process data only as directed by us, to maintain appropriate security measures, and to delete data when the processing relationship ends.

Data Retention

We retain personal data only for as long as necessary:

• Booking and treatment records: 5 years from the date of service, as required by Swiss commercial law (Art. 958f OR).
• Health consultation forms: 10 years, in line with Swiss healthcare data guidelines.
• Invoice and payment records: 10 years under Swiss tax and accounting obligations.
• Newsletter subscriber list: until you unsubscribe or request deletion.
• Contact form messages: 24 months from the date of last correspondence.
• Website analytics: 14 months, anonymised.

After retention periods expire, data is securely deleted or anonymised in a way that prevents re-identification.

Your Rights

Under the Swiss nDSG and the GDPR (where applicable), you have the following rights regarding your personal data:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: ask us to correct inaccurate or incomplete data.
• Right to erasure: request deletion of your data where no legal retention obligation applies.
• Right to restriction: ask us to pause processing while a dispute is resolved.
• Right to data portability: receive your data in a structured, machine-readable format.
• Right to object: object to processing based on legitimate interests at any time.
• Right to withdraw consent: for newsletter or marketing communications — unsubscribe at any time via the link in any email.
• Right to lodge a complaint: with the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

To exercise any of these rights, email us at privacy@serenespa.com. We will respond within 30 days.

Cookies

Our website uses a minimal set of cookies. We do not deploy advertising or third-party tracking cookies.

• Strictly necessary cookies: session management and security. These cannot be disabled without impairing website function.
• Analytics cookies: anonymised, aggregated data via our analytics provider. IP addresses are masked before storage. You may opt out via the cookie banner on your first visit.

You can manage cookie preferences at any time through your browser settings. Disabling certain cookies may affect the functionality of booking and contact forms.

International Transfers

Serene Spa is based in Switzerland. Some of our third-party service providers (such as cloud hosting and payment processing) may process data outside Switzerland or the European Economic Area. In such cases, we ensure that transfers are covered by adequate safeguards — such as the EU Standard Contractual Clauses or recognition of Switzerland as a jurisdiction providing adequate protection — as required by Art. 16 nDSG.

Security

We implement technical and organisational measures proportionate to the risk involved in processing your data. These include HTTPS encryption across all web pages, access controls limiting who within our team can view client data, encrypted storage for health consultation records, and regular review of our data handling practices.

In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the FDPIC without undue delay in accordance with Art. 24 nDSG.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services or applicable law. The “Last updated” date at the top of this page will always reflect the most recent version. We encourage you to review this page periodically. For material changes, we will notify active clients by email.

Contact & Data Controller

For any questions, requests, or complaints regarding this Privacy Policy: