Privacy Policy
for the website https://katathanispa.pl, dated 09.04.2026
I. Personal Data Controller
The controller of personal data is KATATHANI WAW THAI SPA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office at ul. Garbary 12/6, 85-229 Bydgoszcz, Poland, entered into the Register of Entrepreneurs of the National Court Register under KRS number 0001221246, NIP 9671495588, REGON 54395326000000.
You may contact the Controller:
- by e-mail at: kontakt@katathanispa.pl,
- by phone at: +48 510 191 585,
- in writing to the registered office address indicated above.
The Controller is the owner of the website https://katathanispa.pl and administers the personal data of website users, online store customers, persons contacting the Controller, and customers using in-person services.
II. Purposes, legal bases, and scope of data processing
The Controller processes personal data to the extent necessary for the implementation of specific purposes, in particular:
- for the purpose of concluding and performing a sales agreement or processing an order placed through the website, including the purchase of vouchers or other products.
Legal basis: Article 6(1)(b) GDPR.
- for the purpose of handling inquiries submitted via the contact form, e-mail, phone, or other means of communication.
Legal basis: Article 6(1)(f) GDPR, namely the legitimate interest of the Controller in responding and conducting communication.
- for the purpose of fulfilling legal obligations imposed on the Controller, in particular accounting, tax, and complaint-handling obligations.
Legal basis: Article 6(1)(c) GDPR.
- for the purpose of establishing, pursuing, or defending claims.
Legal basis: Article 6(1)(f) GDPR, namely the legitimate interest of the Controller in protecting its rights.
- for the purpose of carrying out analytical, statistical, and security-related activities concerning the website.
Legal basis: Article 6(1)(f) GDPR, namely the legitimate interest of the Controller in developing the website, analysing its performance, and protecting it against abuse.
- for the purpose of carrying out marketing activities, including remarketing or reminders about incomplete purchases, if the user has given the relevant consent where required.
Legal basis: Article 6(1)(a) GDPR or Article 6(1)(f) GDPR, depending on the nature of the activity and applicable regulations.
- for the purpose of preparing and safely performing an in-person service at the salon; the Controller may process data provided by the customer before the visit or immediately before the massage, in particular data included in the initial questionnaire.
Legal basis: Article 6(1)(b) GDPR with regard to data necessary for the performance of the service, and, in the case of health-related data, including information about contraindications for massage, the relevant basis under Article 9 GDPR, in particular the explicit consent of the data subject.
The scope of processed data may include in particular:
- first and last name or company name,
- e-mail address,
- phone number,
- delivery address, residential address, or business address,
- payment details,
- NIP, if applicable,
- data included in questionnaires completed before a massage, including phone number, date, signature, massage preferences, indication of body areas to be massaged or excluded from massage, preferred massage pressure, confirmation of having read the service information, and information necessary for the safe performance of the treatment.
Providing personal data is voluntary, but in some cases necessary to place an order, conclude an agreement, receive a response, perform a service, or handle a complaint.
III. Data recipients
The Controller may transfer personal data to entities cooperating with the Controller, exclusively to the extent necessary for the implementation of the indicated purposes, in particular to:
- hosting and IT support providers,
- payment operators,
- courier companies and delivery operators,
- providers of software used for store operation, customer communication, analytics, or marketing,
- entities providing accounting, legal, or advisory services,
- entities authorised to receive data under applicable law.
The Controller does not sell users’ personal data.
IV. Data retention period
Personal data is stored for no longer than necessary to achieve the purpose for which it was collected, and then for the period required by law or necessary to protect against possible claims.
In particular:
- data related to orders and sales documentation, for the period required by tax and accounting laws,
- data related to contact or inquiries, for the time necessary to handle the matter and then for the period needed to defend against possible claims,
- data processed on the basis of consent, until the consent is withdrawn,
- data processed for marketing purposes based on legitimate interest, until an effective objection is raised,
- data related to claims, until the expiry of the limitation period for claims,
- data contained in questionnaires and forms completed before the performance of a service, for up to 6 months from the date of the visit, and then permanently destroyed in a manner ensuring the security of personal data.
V. Source of data
As a rule, the Controller obtains personal data directly from the data subject.
For certain services or external tools, data may also be obtained from technical operators or partners used by the user when placing an order, making a payment, or moving to an external booking system.
If the user is redirected from our website to external services, such as the Booksy booking system or other partner tools, further data processing is carried out in accordance with the privacy rules of those service operators.
VI. Cookies and similar technologies
The website uses cookies and similar technologies.
Cookies may be used for the following purposes:
- proper operation of the website,
- maintaining the user session,
- implementation of online store functions,
- traffic analysis,
- marketing and remarketing activities,
- improving security and performance of the website.
To the extent that cookies are not necessary for the functioning of the website, they are used on the basis of the user’s consent expressed through the cookie banner or browser settings, in accordance with applicable regulations.
The user may change cookie settings at any time in their browser or through the consent management mechanism available on the website, if implemented.
Disabling certain cookies may affect the proper functioning of some website features.
VII. Profiling
The Controller may use profiling to a limited extent, in particular for analytical or marketing purposes, such as tailoring content, reminding users about incomplete purchases, or presenting more relevant offers.
Profiling does not lead to decisions producing legal effects concerning the user or similarly significantly affecting the user.
VIII. Rights of data subjects
Each data subject has the right to:
- access their data,
- rectify their data,
- erase their data,
- restrict processing,
- data portability,
- object to the processing of data where the legal basis is the legitimate interest of the Controller,
- withdraw consent at any time, without affecting the lawfulness of processing carried out before its withdrawal,
- lodge a complaint with the President of the Personal Data Protection Office.
To exercise your rights, you may contact the Controller at: kontakt@katathanispa.pl
IX. Transfers of data outside the EEA
As a rule, the Controller processes personal data within the European Economic Area.
However, if, in connection with the use of certain technological, analytical, marketing, or communication tools, data were to be transferred outside the European Economic Area, the Controller shall ensure that the transfer relies on an appropriate legal mechanism provided for by the GDPR, in particular standard contractual clauses.
X. Data security
The Controller applies appropriate technical and organisational measures to ensure the protection of processed personal data, appropriate to the nature, scope, context, and purposes of processing, as well as the risk of infringement of the rights or freedoms of natural persons.
XI. Changes to the Privacy Policy
This Privacy Policy may be updated in the event of changes in legal regulations, technological changes, changes in website functionality, or changes in the manner of personal data processing.
The current version of the Privacy Policy is published on the Controller’s website.