Privacy Policy

At Shanghai Spa ("we", "our", or "us"), we respect your privacy and are committed to protecting the personal information you share with us when using our in-room hotel massage services and visiting our website https://www.shanghaispa.org/. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you engage our services, contact us via WhatsApp, Telegram, phone, or browse our website.

1. Information We Collect

To deliver our premium in-room massage services across Shanghai hotels, we may collect the following categories of personal information:

• Contact Information: Your full name, phone number (including WhatsApp/Telegram contact), and email address (if provided).
• Service Details: Hotel name, hotel address, room number, preferred appointment time, and any special massage requests or health considerations you voluntarily share.
• Communication Data: Records of our conversations via WhatsApp, Telegram, SMS, or phone calls for booking coordination and customer support.
• Technical Data: When you visit our website, we may automatically collect your IP address, browser type, device information, and referring pages through cookies and similar technologies (see Section 8).
• Payment Information: We currently accept cash or bank transfer upon service delivery; we do not process online card payments through our website. Any payment details you share directly with our staff are not stored electronically by us.

2. How We Use Your Information

We use the information we collect for the following legitimate business purposes:

• To schedule and confirm in-room massage appointments at your hotel in Shanghai.
• To communicate with you regarding booking status, therapist assignment, or any service modifications.
• To ensure therapist safety and service quality (e.g., verifying hotel address/room number).
• To respond to your inquiries, feedback, or complaints.
• To improve our website user experience, analyze trends, and optimize our marketing efforts.
• To comply with applicable legal obligations (e.g., local business regulations in China).

We will never use your personal data for purposes incompatible with those listed above without obtaining your prior consent.

3. Legal Basis for Processing (GDPR Compliance)

If you are a resident of the European Economic Area (EEA), we process your personal data based on the following legal grounds:

• Contractual necessity: To perform the massage service you requested (e.g., using your hotel details to dispatch a therapist).
• Legitimate interests: To manage bookings, improve service quality, and prevent fraud.
• Consent: For optional data collection (e.g., marketing communications, non-essential cookies). You may withdraw consent at any time.
• Legal compliance: When required by law or regulatory authorities.

4. Sharing Your Information

We do not sell, rent, or trade your personal information to third parties. However, we may share limited data in the following circumstances:

• Service Providers: We may engage trusted third-party platforms (e.g., messaging apps, calendar tools) to coordinate appointments. These parties are contractually bound to maintain confidentiality and use data solely for the services they provide to us.
• Legal Obligations: If required by law, court order, or governmental regulation (e.g., to comply with Chinese public security regulations for hotel visitor registration).
• Business Transfers: In the event of a merger, acquisition, or asset sale, your information may be transferred as part of the transaction. We will notify you of any such change.
• With Your Consent: We will ask for your explicit permission before sharing information for any other purpose.

All therapists and staff sign confidentiality agreements to protect your privacy.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal data against accidental loss, unauthorized access, alteration, or disclosure. These include:

• Secure storage of booking records with access limited to authorized personnel.
• Encrypted communication channels when possible (WhatsApp offers end-to-end encryption).
• Regular internal reviews of data collection and storage practices.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for keeping any communication with us confidential (e.g., not sharing sensitive health information unless necessary).

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law (e.g., for tax, legal, or accounting obligations).

• Booking records: Typically retained for 24 months after your last service to manage potential inquiries or repeat bookings.
• Communication logs: Deleted after 12 months unless needed for dispute resolution.
• Technical/analytics data: Aggregated or anonymized after 26 months.

Upon request, we will delete personal data that is no longer required, subject to legal exceptions.

7. Your Privacy Rights

Depending on your location (including under GDPR, CCPA, or China’s Personal Information Protection Law), you may have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal information we hold about you.
• Right to Rectification: Correct any inaccurate or incomplete data.
• Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data under certain conditions.
• Right to Restrict Processing: Limit how we use your data.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or direct marketing.
• Right to Withdraw Consent: Withdraw any previously given consent without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us using the details in Section 12. We will respond within 30 days (or as required by applicable law).

8. Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze site traffic, and remember preferences. Cookies are small text files stored on your device. We use:

• Essential Cookies: Necessary for website functionality (e.g., mobile menu state).
• Analytics Cookies: To understand how visitors interact with our site (e.g., page views, time on site) – we may use services like Google Fonts or Tailwind CDN that may collect anonymized IP addresses.

You can control or disable cookies through your browser settings. However, disabling certain cookies may affect website performance. By continuing to use our site, you consent to the placement of essential cookies.

We do not currently use third-party advertising cookies or tracking for cross-site behavioral advertising.

9. Third-Party Links & Services

Our website may contain links to third-party websites (e.g., WhatsApp Web, external review platforms). This Privacy Policy does not apply to those external sites. We are not responsible for the privacy practices or content of such third parties. We encourage you to read their privacy policies before providing any personal information.

10. Children’s Privacy

Our services are directed exclusively to adults (age 18 and above) seeking professional massage therapy. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately, and we will delete it.

11. International Data Transfers

Shanghai Spa operates primarily within Shanghai, China. If you are accessing our services from outside China, please be aware that your information may be transferred to, stored, and processed in China, where data protection laws may differ from those in your jurisdiction. By using our services, you consent to such transfer. We take appropriate safeguards to ensure an adequate level of data protection.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please reach out to our Data Protection Officer (DPO):

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. The revised version will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically. Material changes will be notified via a notice on our website or direct communication where appropriate.

Your continued use of our services after any modifications constitutes acceptance of the updated Privacy Policy.