Privacy Policy

Orchard Sauna Privacy Policy

Last updated: 12/20/2025

This Privacy Policy explains how Orchard Sauna collects and uses your personal data.
It also explains your rights under the GDPR and Irish data protection law.

By using our website or booking a session, you agree to this policy.

---

1. Who we are

Orchard Sauna
Castleblaney, Co. Monaghan, Ireland

Email: [your contact email]
Phone: [your phone number, if any]

For data protection law, Orchard Sauna is the “data controller” for the personal data we collect about you.

---

2. What this policy covers

This policy applies when you:

• visit our website
• make a booking or buy a package or gift voucher
• contact us by email, phone, social media or contact form
• visit Orchard Sauna for a session

It does not cover third-party websites or services we link to (for example, booking or payment providers). They have their own privacy policies.

---

3. What personal data we collect

We only collect what we need to run the business and provide our services.

We may collect:

Identity and contact details

• name
• email address
• phone number (if provided)

Booking and purchase information

• session date and time
• booking history
• package and voucher purchases
• basic notes related to your booking (for example, if you tell us you are bringing a guest)

Payment information

• we receive payment confirmations and transaction IDs from our payment provider
• we do not store or see your full card details; these go directly to the payment provider

Health information (special category data)

• any health information you choose to share with us (for example, that you have a heart condition, are pregnant, or have blood pressure issues) so we can judge if the session is suitable or needs to be adjusted

We only ask for this when it is relevant to your safe use of the sauna and ice bath.

Communication and feedback

• messages you send us by email, social media or contact form
• feedback or complaints you give us

Website and technical data

• IP address
• device and browser type
• pages visited and time spent on the site

This may be collected through cookies or similar tools, depending on how the site is set up.

---

4. How we collect your data

We collect personal data:

• directly from you when you book online, buy a package or voucher, fill in a form or contact us
• from our booking system and payment provider when they process your booking or payment
• automatically when you use our website (through cookies and similar technologies, if enabled)

---

5. Why we use your data and legal bases

Under GDPR we must have a legal reason (“legal basis”) to use your data.
We use your data for the following purposes:

To manage bookings and provide our services

• to process your booking and payment
• to send booking confirmations, reminders and updates
• to manage your packages and gift vouchers

Legal basis:

• performance of a contract (Art. 6(1)(b) GDPR)
• our legitimate interests in running the business and managing bookings (Art. 6(1)(f))

To keep you and others safe

• to understand if sauna and ice bath use may not be suitable for you
• to record any important health notes you choose to share that affect your session
• to respond if there is an incident on site

Legal basis:

• our legitimate interests in health and safety (Art. 6(1)(f))
• your explicit consent for any special category health data you share (Art. 9(2)(a))

You can withdraw this consent at any time (see Section 11).
If you do, it may affect how or whether you can safely use our services.

To communicate with you

• to respond to questions, requests or complaints
• to send important service messages about your booking (for example, changes or cancellations)

Legal basis:

• performance of a contract
• our legitimate interests in customer service

Direct marketing (if we ever send it)

• to send occasional updates or offers by email, if you have opted in

Legal basis:

• your consent (Art. 6(1)(a))

You can unsubscribe at any time by using the link in the email or contacting us.

To run and improve our website

• to monitor site performance and prevent abuse
• to understand how people use the site (for example, which pages are visited most)

Legal basis:

• our legitimate interests in maintaining and improving the site (for strictly necessary cookies/technical data)
• your consent for non-essential cookies and analytics (where used)

To meet legal and tax obligations

• to keep records required by Irish tax and company law
• to respond to legal requests from public authorities where required

Legal basis:

• legal obligation (Art. 6(1)(c))

---

6. Special category data (health information)

Health information is “special category” data under GDPR.
We only process it when:

• you give it to us yourself, and
• we need it to help keep you safe using heat and cold exposure, and
• you give explicit consent for us to record and use it for that purpose.

You can ask us not to record health details; however, this may mean we cannot provide some or all services if we believe it would be unsafe.

We do not use your health data for marketing.

---

7. Cookies and website tracking

Our website may use cookies or similar technologies to:

• make the site work (for example, security, session cookies)
• remember your preferences
• collect basic usage statistics

If we use non-essential or analytics cookies, we will:

• tell you about them in a cookie banner or notice, and
• ask for your consent where required.

You can change your browser settings to block cookies, but some parts of the site may not work properly if you do.

---

8. Who we share your data with

We do not sell your personal data.

We may share your data with trusted third parties who help us run the business, such as:

• our booking and scheduling provider
• our payment provider
• our website host and IT service providers
• our email and communication tools
• professional advisers (for example, accountant, legal adviser), where needed
• public authorities or regulators, where we are legally required to do so

These third parties act as data processors in most cases and can only use your data as instructed by us. We have agreements in place with them where required by law.

---

9. International transfers

Some of our service providers may be based outside the European Economic Area (EEA), for example large online booking, payment or email services.

If your personal data is transferred outside the EEA, we will ensure that:

• the country has an EU adequacy decision, or
• standard contractual clauses (SCCs) or other approved safeguards are in place.

You can contact us if you want more information about international transfers and safeguards.

---

10. How long we keep your data

We keep personal data only for as long as needed for the purposes described in this policy, and to meet legal and tax requirements.

As a guide:

• booking and payment records: usually kept for up to 7 years to meet tax and accounting obligations
• health information linked to your sessions: kept only for as long as needed for safety and legal purposes; we review this regularly and delete or anonymise when no longer needed
• email and contact messages: kept while we deal with your request and for a reasonable time afterwards, in case of follow-up or disputes
• mailing list data: kept until you unsubscribe or we no longer use the list

We may keep anonymised information (which no longer identifies you) for statistics or planning.

---

11. Your data protection rights

Under GDPR, you have several rights about your personal data.

You can:

1. Access your data
   Ask us for a copy of the personal data we hold about you.
2. Rectify your data
   Ask us to correct inaccurate or incomplete data.
3. Erase your data (“right to be forgotten”)
   Ask us to delete your data where we no longer need it, you withdraw consent, or you successfully object to processing.
   We may not be able to delete data we must keep for legal reasons.
4. Restrict processing
   Ask us to limit how we use your data in certain situations (for example, while we check its accuracy).
5. Data portability
   Ask us to give you certain data in a structured, commonly used format, or transfer it to another provider, where the processing is based on consent or contract and done by automated means.
6. Object to processing
   Object to processing based on our legitimate interests, including profiling, and we will stop unless we have strong lawful reasons to continue.
   You can always object to direct marketing.
7. Withdraw consent
   Where we rely on consent (for example, health information and marketing), you can withdraw it at any time.
   This does not affect past processing already carried out, but it may affect how we provide services going forward.

To exercise any of these rights, contact us at:
Email: [your contact email]
We may need to verify your identity before we act on your request.

---

12. Complaints

If you are unhappy with how we use your personal data, please contact us first.
We will try to resolve the issue.

You also have the right to make a complaint to the Data Protection Commission (DPC) in Ireland.

Data Protection Commission
6 Pembroke Row
Dublin 2
D02 X963
Ireland

Website: dataprotection.ie Homepage | Data Protection Commission+1

---

13. Security

We take appropriate technical and organisational measures to protect your personal data from loss, misuse, unauthorised access, disclosure, alteration and destruction.

No system is 100% secure. But we aim to keep access to your data limited to people who need it and to reduce risk as far as reasonably possible.

---

14. Changes to this policy

We may update this Privacy Policy from time to time.
The latest version will always be on our website with the “last updated” date at the top.

If we make major changes, we may also notify you by email or through the website.