An internal error has occurred
Logo Logo
0 00:00

Privacy Policy

UAB “BOKŠTO SPA”
PRIVACY POLICY

Effective from 06-05-2024

1. GENERAL PROVISIONS

1.1. In this Privacy Policy (hereinafter referred to as Privacy Policy) of UAB “Bokšto SPA”, legal entity code 304872892, registered office address Bokšto st. 6, Vilnius, (hereinafter referred to as the Company, we, us), we hereby provide you with information on how we process your personal data when you use our services and visit our website.
1.2. Visitors who are under the age of 18 are kindly requested not to register on the Bokšto SPA website and not to provide any personal data.
1.3. In this Privacy Policy, we provide the following information:
1) The definitions used in this Privacy Policy;
2) Purposes, types of personal data we process, legal basis for such processing, and storage period of such data;
3) Automated decisions and profiling;
4) Transfer of personal data to third parties;
5) Social media;
6) Your rights;
7) Changes of Privacy Policy.
1.4. If you have any questions or wish to exercise any of your rights set out in this Privacy Policy, you may contact us at: info@bokstospa.lt.

II. DEFINITIONS

2.1. Bokšto SPA means UAB “Bokšto SPA” swimming pool and sauna areas, SPA treatments and recreation areas, located at Bokšto st. 6, Vilnius.
2.2. Website of Bokšto SPA means the website at www.bokstospa.lt.
2.3. Customer’s Account means a personal account created on the website of Bokšto SPA and protected with the Client’s name and password.
2.4. Data Controller means UAB “Bokšto SPA”, legal entity code 304872892, registered office address Bokšto st. 6, Vilnius, e-mail: www.bokstospa.lt, phone +370 665 00666.
2.5. Customer means a person who has a Customer Account or purchases on the Bokšto SPA’s website without registering or using our services.
2.6. Parties mean the Client and the Data Controller.
2.7. Personal Data means any information relating to a natural person, the data subject, who is identified or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
2.8. Data Recipient means a legal or natural person to whom the Company provides personal data and who independently determines the purposes and means of the processing of personal data received.
2.9. Data Processor means a legal or natural person who processes personal data for the purposes and in accordance with the procedure specified by the Data Controller.
2.10. Data Subject means a natural person whose personal data is controlled and / or processed by the Controller.
2.11. Provision of Personal Data means disclosure of personal data by transmitting or otherwise making available personal data (except for the disclosure of such data to the media).
2.12. Processing of Personal Data means any operation (set of operations) which is performed on personal data (sets of data), whether or not by automatic means in structured files, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.13. Direct marketing means the practice of offering goods or services to persons by mail, phone or other direct means and / or seeking their opinion on the goods or services offered.
2.14. Loyalty Programme means a loyalty programme of the Bokšto SPA website, under which a Client who has an account on the Bokšto SPA website and agrees to participate in the Loyalty Programme may receive additional benefits: Bokšto SPA services or other exclusive offers on the Bokšto SPA website in accordance with the procedure set out in the Loyalty Programme Rules.

III. PURPOSES, TYPES OF PERSONAL DATA WE PROCESS, LEGAL BASIS FOR SUCH PROCESSING, AND STORAGE PERIOD OF SUCH DATA

3.1. For the purposes of contractual obligations to order and provide services:
1) The data for ordering and providing services may include: name, surname, email address, phone number, information about the services ordered, payment information and any information related to the provision of services that you provide yourself.
2) The legal basis for processing this data: performance of a contract between you and us (or, at your request, taking steps to conclude such a contract).
3) We will retain your data for this purpose for 10 years from the end of the service contract.
3.2. For the purpose of creating (registering) and subsequently accessing a Customer’s Account:
1) We process the following data: name, surname, email address, encrypted password. All personal data provided at the time of registration on the Bokšto SPA website are required in order for us to be able to create a Customer’s Account and process your orders. If you do not provide these data, you will not be able to register on the Bokšto SPA website.
2) The legal basis for such data processing: the Terms of Use of the UAB “Bokšto SPA” website and the Internal Rules of Procedure to which you have agreed by creating a Customer’s Account (during registration), i.e. the contract concluded between you and us for the use of our services.
3) We will retain your data for this purpose for the duration of the use of Customer’s Account and for a period of 2 years from the date on which you logged in to your account for the last time or the date on which the last transaction was executed (whichever is the later), or for a shorter period if you delete your account, until the deletion of the Customer’s Account.
3.3. In order to enable you to access information in your Customer’s Account:
1) We process and provide you with the following data: service order history and other data related to the use of services and / or the performance of service contracts.
2) The legal basis for such data processing: the Terms of Use of the UAB “Bokšto SPA” website and the Internal Rules of Procedure to which you have agreed by creating a Customer’s Account (during registration), i.e. the contract concluded between you and us for the use of our services.
3) We will retain your data for this purpose for the duration of the use of Customer’s Account and for a period of 2 years from the date on which you logged in to your account for the last time or the date on which the last transaction was executed (whichever is the later), or for a shorter period if you delete your account, until the deletion of the Customer’s Account.
3.4. For the purpose of making general direct marketing offers, sending you newsletters (notifications) about the services we offer or asking for your opinion on the quality of our services:
1) We process the following data: email and / or phone number.
2) The legal basis for such data processing: your consent; moreover, if we have already provided services to you and you have not consented to the processing of your personal data for direct marketing purposes, we will process your personal data on the basis of legitimate interest, namely to maintain and improve our relationship with our existing customers.
3) If you have not objected to the processing of your data for the purpose of general direct marketing offers, we will process your data until the date of full provision of the services under the contract or the date of termination of the service contract, and if you are not our Client and you have simply consented to receive general direct marketing offers, we will retain your data for 3 years from the date of consent, or for a shorter period of time, or, in the event that you withdraw consent, until the date of your withdrawal of consent. You have the right to withdraw your consent at any time by clicking on the relevant link in any general direct marketing notification you receive and you can also do so in your account, if you have one, or by contacting us at info@bokstospa.lt.
3.5. For the purpose of personalised direct marketing offers based on your order history and for the purpose of participating in a Loyalty Programme, so that you can take advantage of the benefits of Loyalty Programmes:
1) We process the following data: name, surname, email address, service order history.
2) The legal basis for such data processing: Your consent.
3) We will retain your data for this purpose the date of consent until the Customer’s account is used and for a period of 2 years from the date on which you logged in to your account for the last time or the date on which the last transaction was executed (whichever is the later), or for a shorter period of time if you withdraw your consent, until the date of withdrawal of consent. You have the right to withdraw your consent at any time by clicking on the relevant link in any personalised direct marketing notification you receive and you can also do so in your account or by contacting us at info@bokstospa.lt.
3.6. For the purpose of employment:
1) We process the following data: candidates’ data, which includes all the information a person provides in his / her CV, cover letter and / or reference letter.
2) The legal basis for such data processing: your consent, which you express to the Company by sending your CV, cover letter and / or reference letter. If you do not submit your CV and / or cover letter, we will not be able to assess your suitability for the position offered.
3) We delete this data as soon as the contract is signed with the selected candidate. If you wish, we may keep this information for the purpose of offering you another job offer if you give your prior consent. In this case, your personal data will be stored for 3 years after the date of such consent.
3.7. For the purpose of ensuring the safety of people and property, we use video surveillance in the premises (Bokšto SPA reception, corridors and pool area):
1) We process the following data: your video data.
2) The legal basis for such data processing: legitimate interest.
3) We will retain your data for this purpose for 14 days from the date of the video recording. In exceptional cases, where the video recordings are or may be used as evidence in pre-trial and judicial proceedings, the retention period is extended for as long as is necessary for the investigation of the video recordings as evidence. 3.8. In order to improve the quality of customer service over the phone call, we record phone call conversations (by calling the Company’s phone +370 665 00666 or by a Company employee calling from the aforementioned phone number): 1) We process the following data: the phone number of the person making the call or the phone number of the person to whom the Company’s employee is calling, the date, time and duration of the call, an audio recording of the conversation, which records the data provided by the person and the Company’s employee during the conversation; 2) The legal basis for such data processing|: your consent. You have the right to object to the recording of the phone call conversation and not to continue the conversation. You will be informed of this right at the time of the call, i.e. individuals will be informed of the recording of the phone conversation (processing of the personal data) and its purposes before the start of the call and, after having listened to the information message, will have the choice to consent to the recording of the conversation and to continue with the conversation, or they may refuse to continue with the conversation, i. e. to terminate the call and to contact the Company in another way; 3) Phone call recordings shall be kept for 14 days.
3.9. We may process your personal data referred to in this Privacy Policy where it is necessary to make, exercise or defend legal claims. For this purpose, we process your personal data on the basis of legitimate interest, namely to protect and secure our rights and your rights and those of others.
3.10. We may process your personal data referred to in this Privacy Policy where it is necessary for the purposes of obtaining or maintaining insurance cover, risk management or professional advice. For this purpose, we process your personal data on the basis of legitimate interest, namely to adequately protect our activities against risks.
3.11. In addition to the specific purposes set out in this part of the notification, we may also process your personal data where such processing is necessary to comply with our legal obligations and to protect your vital interests or those of other natural persons.
3.12. Your personal data shall be stored for no longer than it is necessary to achieve the purposes of the processing of personal data set by the Company. After the expiry of the specified storage period, we will securely and irretrievably destroy or alter your personal data in such a way that they can no longer be directly or indirectly identified.

IV. AUTOMATED DECISIONS AND PROFILING

4.1. For the purpose of personalised direct marketing offers and for the purpose of participating in a Loyalty Programme, so that you can take advantage of the benefits of Loyalty Programmes, we may use your personal data to assess certain aspects relating to you, such as your service order history in your Customer’s Account, etc., but this will not result in any legal consequences or similar significant effects for you.

V. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

5.1. The Company may transfer your personal data to the following categories of recipients:
1) to our parent company of which we are a subsidiary;
2) personal data processors providing various services to the Company: personal data processors providing various services to the Company: providers of maintenance and hosting services for the Bokšto SPA website, email service providers, providers of newsletters, surveys, administration of social media accounts, customer service centres, data protection officer service providers, call centre rental or similar services providers, insurers, lawyers, consultants, auditors, bailiffs, other recipients with confidentiality obligations;
3) to the extent necessary for the provision of services or the payment for services (e.g. to make a payment for a service you have chosen), to payment service providers that you designate or that will be involved in making the payment;
4) law enforcement authorities, the courts and other public authorities, but only to the extent necessary for the proper enforcement of applicable legislation.
5.2. We only use Data Processors that use appropriate technical and organizational measures to ensure the protection of personal data in compliance with the GDPR and to ensure the exercise of your rights as the Data Subject.
5.3. We do not transfer your personal data outside the European Economic Area unless the country to which your personal data is transferred ensures an adequate level of protection or you consent to such transfer of your personal data.
5.4. The Data Processors engaged by the Company will process your personal data only in accordance with the Company’s instructions. The Data Processor shall have the right to engage a sub-processor only with the prior written consent of the Company.

VI. SOCIAL MEDIA

6.1. We currently have the following social media accounts:
1) Facebook – @Bokšto-SPA. Facebook Privacy Policy is available here;
2) Instagram – @boksto_spa. Instagram Privacy Policy is available here.
3) LinkedIn – @boksto-spa. LinkedIn Privacy Policy is available here.
6.2. We encourage you to read third-party privacy notices and contact service providers directly if you have any questions about how they use your personal data.

VII. YOUR RIGHTS

7.1. This Privacy Policy provides an overview of your rights under data protection legislation. Some of the rights cover many aspects, so this Privacy Policy only sets out the main ones. We recommend that you consult the relevant legislation and guidelines from the supervisory authorities so that you have full information about these rights.
7.2. You have the following rights as a Data Subject to the extent that they can be exercised, taking into account the particularities of the processing of data for certain purposes:
1) To be informed about the processing of your personal data. We also exercise this right by providing you with information in this Privacy Policy. You have the right to obtain confirmation from us as to whether we are processing personal data relating to you and, in the case of processing, you have the right to have access to the personal data we are processing as well as to certain additional information. Unless it would infringe the rights and freedoms of others, we will provide you with a copy of your personal data on your request. We will provide the first copy free of charge but we may charge a reasonable fee for additional copies to cover administrative costs.
2) To request the rectification of inaccurate personal data or the completion of incomplete data. You can also exercise this right by logging into your Customer’s Account, if you have one. The data subject’s right to request the rectification of the data contained in the audio recording of the phone call conversation cannot be exercised because the data contained in the audio recording cannot be rectified.
3) To request erasure of your personal data if:
– the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
– you withdraw your prior consent and there is no other lawful basis for the processing of your personal data;
– the data are processed for direct marketing purposes;
– the personal data have been processed unlawfully;
– other cases set out in the GDPR exist.
However, please note that in some cases you may not be able to exercise this right due to exceptions. These exceptions include cases where the data are necessary for: exercising freedom of expression and information; bringing, exercising or defending legal claims.
4) To request restriction of the processing of your personal data when:
– you contest the accuracy of the data for a period within which we can verify the accuracy of the personal data;
– we no longer need the personal data but require it for the assertion, exercise or defence of legal claims;
– your personal data is no longer required by the Company but is necessary for you to exercise your right to lodge a complaint or defend your rights;
– You have objected to the data processing on grounds of public interest or legitimate interest, until the validity of your objection is assessed.
In the event of a restriction on the processing of your data, we will continue to retain your data but we will not further process it except: (i) with your consent; (ii) for the assertion, exercise or defence of legal claims; (iii) for the protection of the rights of others; (iv) for the purposes of important public interest.
5) To request the transfer of your personal data. Where the legal basis for the processing of personal data is your consent or the performance of a contract, or actions carried out at your request prior to the conclusion of a contract, you have the right to receive your personal data in a structured, commonly used and computer readable format. You will not be able to exercise this right where it may adversely affect the rights and freedoms of others.
6) To object to the processing of your personal data on the basis of your particular situation, where we process your personal data for public interest purposes or on the basis of our legitimate interest or the legitimate interest of third parties. If you object to such processing of your personal data, we will no longer process your relevant personal data unless we can demonstrate that such processing is carried out for compelling legitimate reasons which override your interests, rights and freedoms. We may also continue to process such data in order to assert, exercise or defend legal claims.
7) The right to object to the processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you object to such processing of your personal data, we will no longer process your relevant personal data for this purpose.
8) In cases where the legal basis for processing is your consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of the processing of your data prior to withdrawal.
9) In you believe that we are violating data protection legislation by processing your personal data, you have the right to file a complaint with the State Data Protection Inspectorate, ada.lt.
7.3. You may exercise the Data Subject rights set out in this Privacy Policy by submitting a request and indicating the specific right you wish to exercise. In order to exercise your rights, we will need to verify your identity. Therefore, when applying to exercise your rights (other than your right to know about the processing of your personal data, which is already implemented in this Privacy Policy), you may submit a request by:
1) E-mail to info@bokstospa.lt by submitting a request signed with a qualified e-signature;
2) By submitting a written request directly to Bokšto SPA and providing a document proving your identity;
3) By any other means if we can identify you.
7.4. You will receive a reply on the action taken to implement the request, or the reasons for not implementing the request, no later than 1 month after receipt of the request. The time period for implementing the rights may be extended by two further months taking into account the complexity and number of the requests.
7.5. If you submit your request by electronic means, you will receive a reply in the same way, if possible, unless you request otherwise.

VIII. CHANGES OF PRIVACY POLICY

8.1. Any changes to this Privacy Policy will be posted on the Bokšto SPA website and, in the event of material changes, we will notify you by email.