Privacy policy

Last updated: 19 May 2026

This Privacy Policy governs the processing of personal data carried out by Abel Santos Correia Unipessoal Lda, a legal entity with tax identification number (NIF) 516891472, hereinafter referred to as "SpaTreats" or the "Data Controller", in connection with the use of the website and the services made available, including treatment bookings, the purchase of services, customer contact, and marketing activities.

Personal data is processed in strict compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), with Law no. 58/2019, and with the applicable legislation on electronic communications, namely the ePrivacy Directive and Law no. 41/2004.

In the course of providing its services, SpaTreats collects and processes personal data supplied directly by the data subject, in particular when making bookings, completing forms, contacting us by email or WhatsApp, or using the website. This data may include identifying details such as name, email address, and telephone number, as well as data relating to the services engaged, booking history and, where applicable, information relevant to the safe provision of wellness treatments, including health data.

Personal data is processed for the purpose of ensuring the performance of the services engaged, including booking management, the provision of treatments, payment processing, and customer support. It may also be used to comply with legal and tax obligations, to improve the quality of the services and, where consent has been given, for marketing communications relating to SpaTreats' activity.

Data processing is based on different legal grounds depending on the purpose concerned, including the performance of a contract, compliance with legal obligations, the company's legitimate interest in the continuous improvement of its services and, where applicable, the consent of the data subject. In the specific case of health data, regarded as a special category of data under Article 9 of the GDPR, processing takes place only with the data subject's explicit consent and solely to ensure the suitability and safety of the services provided.

Personal data may be shared with third parties acting as processors, in particular technology service providers, booking management platforms, payment processing entities such as Stripe or IfThenPay, and digital analytics or marketing tools. Whenever such sharing occurs, SpaTreats ensures that these entities comply with the applicable legal obligations regarding data protection.

In certain situations, data may be transferred to countries outside the European Economic Area, in which case SpaTreats guarantees that such transfers are carried out on the basis of appropriate legal mechanisms, including standard contractual clauses approved by the European Commission or other legally recognised instruments.

Personal data is retained only for the period necessary to fulfil the purposes for which it was collected, in accordance with the applicable legal time limits. Data relating to tax obligations may be retained for up to ten years, while data processed on the basis of consent will be kept until such consent is withdrawn.

The data subject has a number of rights, including the right of access, rectification, erasure, restriction of processing, objection, and data portability. These rights may be exercised by contacting us at info@spatreats.me. The data subject also has the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD), the Portuguese data protection supervisory authority.

SpaTreats undertakes to implement appropriate technical and organisational measures to ensure the security of personal data, including access control mechanisms, protection against unauthorised access, and internal data management procedures.

This Policy may be updated at any time, and any changes will be duly published on the website.