Privacy Policy

Data we collect

We collect the following categories of personal data:

• Identity & contact data — name, phone number, email address and communication preferences.
• Appointment & service data — treatment history, booking preferences and gift voucher records.
• Special category data (Art. 9 GDPR) — skin conditions, health information, contraindications and sensitivities you share in connection with your treatments. Processed only with your explicit consent.
• Financial records — payment records retained for accounting purposes.
• Communications — messages, feedback and correspondence you share with us.
• Website usage data — anonymised analytics, device information and cookie data (with your consent).

How we use your data

To manage and fulfil your appointments and deliver the treatments you book. To record and respect your health information, sensitivities and treatment preferences for your safety. To respond to your enquiries and communications. To send essential service-related updates. To improve our website and studio operations through anonymised analytics. To conduct marketing and retargeting where you have given explicit consent, using services including Meta Pixel (see Cookie Policy).

Legal basis for processing

We process your personal data on the following legal bases under GDPR:

• Contract (Art. 6(1)(b)) — to manage and fulfil your bookings and deliver services.
• Explicit consent (Art. 9(2)(a)) — for health and skin condition data (special category).
• Consent (Art. 6(1)(a)) — for marketing emails and analytics or tracking cookies.
• Legitimate interests (Art. 6(1)(f)) — to operate and improve our website, prevent fraud and ensure security.
• Legal obligation (Art. 6(1)(c)) — to maintain accounting and invoicing records as required by Luxembourg law.

Third-party data processors

We share personal data only with trusted service providers, each operating under a data processing agreement. We do not sell your data to any third party.

• Salonkee (Luxembourg) — appointment booking and scheduling platform.
• Webflow Inc. (USA) — website hosting and content management. Data transferred to the USA under Standard Contractual Clauses.
• Meta Platforms Ireland Ltd. (Ireland/USA) — marketing analytics via Facebook Pixel (ID: 4316884068625718). Used only with your marketing consent. Transfers protected by SCCs.
• Google Ireland Ltd. (Ireland/USA) — website analytics and tag management (GTM). Used only with your analytics consent. Transfers protected by SCCs.

Cookies

We use cookies and similar tracking technologies on our website, including analytics and marketing pixels. Please see our Cookie Policy for a full list of cookies used, their purposes, and how to manage your preferences.

Your rights (GDPR)

Under GDPR, you have rights over your personal data. To exercise any right, contact our Data Protection Officer at DPO@gdor.lu. We aim to respond within 30 days.

• Right of access (Art. 15) — request a copy of your personal data and information about how it is used.
• Right to rectification (Art. 16) — ask us to correct inaccurate or complete incomplete data.
• Right to erasure (Art. 17) — request deletion of your data in certain circumstances.
• Right to restriction (Art. 18) — ask us to pause processing while a dispute is resolved.
• Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
• Right to portability (Art. 20) — receive your data in a structured, machine-readable format.
• Right to withdraw consent (Art. 7(3)) — withdraw at any time for consent-based processing, without affecting prior processing.
• Automated decision-making — we do not use automated decision-making or profiling that produces legal or significant effects.

Retention periods

We retain your personal data only as long as necessary for its stated purpose:

• Appointment and service records — 3 years from your last visit.
• Health and skin condition data — for the duration of our client relationship, then deleted.
• Accounting and invoicing records — 10 years, as required by Luxembourg law.
• Marketing consent records — until you withdraw consent.
• Website analytics data — 13 months.

International transfers

Where personal data is transferred outside the European Economic Area (EEA) — including to Webflow (USA), Meta Platforms (USA), and Google (USA) — we ensure appropriate safeguards are in place, specifically Standard Contractual Clauses (SCCs) approved by the European Commission. You may request a copy of applicable SCCs by contacting DPO@gdor.lu.