Privacy and Cookie Policy and Partner Data Processing Agreement
Last updated September 2023
The Basics
Who are we? We are Treatwell Limited (we, our, us) and in these Terms we are described in different ways depending on the activity we engage in concerning your data. We process your personal data if you are a business, and we have a lawful and reasonable basis to do so. We process your personal data if you are a customer of our App or Website and we have a lawful and reasonable basis to do so. When we process your data in these instances we are regarded as a "data controller". In certain situations, you may provide your data to a partner and in this instance, they are "data controllers" and we are "data processors".
If you have any questions about how we collect, use or share your data, please contact us at support.treatwell.com/hc/en-gb or dpo@treatwell.com, or write to us at Treatwell Limited, 1st Floor, 6 St Andrew Street, London EC4A 3AE.
What is the purpose of this policy?
We are committed to protecting the privacy of our customers and business partners. We have written this Privacy Policy (policy) to ensure you have all the information you need about how we collect and process your personal data, and how we make sure it is kept safe. When we collect and process your personal data, we are regulated under the General Data Protection Regulation (EU) 2016/679 (the GDPR) which applies across the EEA (including in the UK) and the Data Protection Act 2018.
Who does this policy apply to?
This policy applies to anyone who uses:
- our Websites (www.treatwell.com, www.treatwell.co.uk),
- Connect, our salon diary and management tool app and website (www.connect.treatwell.co.uk),
- our Apps (which means the marketplace booking application and Connect app on Android or iOS),
- customised websites powered by Connect and hosted on www.mytreatwell.co.uk (Partner Sites), and
- Widgets to make bookings with our salon partners (Partners) whose websites are powered by Connect and that may embed these Widgets on their Partner Site, their own websites and/or social media pages.
(together, the Platform).
How can you complain?
You can complain to us at any time using the details above. You also have the right to make a complaint to the ICO, or any supervisory authority in the EU Member State where you live. We would, however, appreciate the chance to deal with your concerns before you approach any supervisory authority, so please contact us first.
How do we update this policy?
We understand that things change, so we will continue to review the effectiveness of this policy and make sure it is achieving its goals. We might update the policy from time to time and will post the most recent version on this page. If we make a change to this policy that we consider material, we will notify you via the Platform.
If you have any questions about this policy or how it works, please get in touch and we would be happy to chat!
The details - how we are collecting and using your data, and why
What personal data do we collect and why?
We use a few different methods to collect your personal data. Sometimes you provide us with this data and other times it will be collected automatically when you visit and/or use the Platform.
We collect personal data for a number of reasons, including to meet our legal obligations, manage our operations, improve our organisation and deliver our services to you. Under data protection law we can only use your personal data where we have a legal basis to do so (e.g., legal duty, contract, legitimate interest, consent, etc).
The legal basis, the purpose and the retention period which we apply to our main processing activities are set out below:
Purpose 1: To set up and administer your requested account.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: 5 years in the event of inactivity of the account.
Purpose 2: Processing your comments, reviews or survey responses.
- Lawful Basis: When it is our legitimate interest to provide good customer service.
- Retention period: Until the deletion of your account in accordance with the applicable law.
Purpose 3: Delivering any emails, surveys, newsletters and alerts that you have signed up to.
- Lawful Basis: Your consent.
- Retention period: Until consent is withdrawn.
Purpose 4: Delivering our services to you.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: 10 years from performance of the contract, or at least until the expiry of the statutory period of limitation that applies to the subject matter of the contract.
Purpose 5: Delivering our services to you.
- Lawful Basis: Your consent.
- Retention period: Until consent is withdrawn.
Purpose 6: Facilitating your booking and delivering the services to you.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: Maximum 10 years after the end of each tax year in which the transaction occurs.
Purpose 7: Responding to complaints, questions and feedback and providing information about your requested service.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: 90 days from the date of call recording.
Purpose 8: Responding to complaints, questions and feedback and providing information about your requested service.
- Lawful Basis: Fulfilling our contract with you.
- Retention period: 30 days after the end of the Live Chat Session.
Purpose 9: Receiving feedback about our services.
- Lawful Basis: Fulfilling our contract with you and our partners.
- Retention period: 30 days after submission.
Purpose 10: Resolving litigation and investigations.
- Lawful Basis: Fulfilling our contract with you/our legal duty.
- Retention period: 10 years from the end of the investigation/litigation (unless there are grounds to keep it for longer).
Purpose 11: Administering the Platform and other systems and protecting them.
- Lawful Basis: Legitimate interest.
- Retention period: Maximum 1 year from entry.
Purpose 12: To improve the Platform and services, using data analytics.
- Lawful Basis: Legitimate interest.
- Retention period: Up to 2 years.
Purpose 13: Showing you content and features that are personal to you and your interests.
- Lawful Basis: Your consent.
- Retention period: Until consent is withdrawn.
Purpose 14: Understanding your preferences for marketing, automated decision-making, profiling, cookies and any other processing activities that you can opt out of.
- Lawful Basis: Your consent.
- Retention period: Until consent is withdrawn.
Purpose 15: Developing and carrying out marketing activities.
- Lawful Basis: Legitimate interest.
- Retention period: Until consent is withdrawn.
Personal Data
Type of personal data: Contact information
- Description: Name, addresses, e-mail address, phone number, date of birth and other contact details.
- Purpose:
  - To set up and administer your requested account.
  - Delivering our services to you.
  - Processing your comments and reviews.
  - Delivering any emails, surveys, newsletters and alerts that you have signed up to.
- Lawful basis:
  - Fulfilling our contract with you.
  - When it is our legal duty.
  - When you consent to it.
  - When it is in our legitimate interest to:
    - collate and publish reviews of our Partners’ products/services
    - notify you about new services and special offers we think you would be interested in
    - send you information about competitions, surveys and Partners' promotional offers
    - enable Partners and other third parties to send information about their goods and services
    - publish reviews of Partner products or services and use these for ads
Type of personal data: Sensitive information
- Description: Details about your race or ethnicity, health, sex or other sensitive data that you voluntarily give when making a booking or submitting a review.
- Purpose: Delivering our services to you.
- Lawful basis: When you provide your explicit consent.
Type of personal data: Financial information
- Description: Payment details (i.e., your card details when paying for our services).
- Purpose: Facilitating your booking and delivering the services to you.
- Lawful basis:
  - Fulfilling our contract with you.
  - When it is in our legitimate interest to:
    - keep our records up to date
Type of personal data: Communications
- Description: Emails, calls, live chats or other methods of communication you choose to use.
- Purpose:
  - Investigating and responding to complaints, questions and feedback.
  - Providing information about your requested service.
- Lawful basis:
  - Fulfilling our contract with you.
  - When you consent to it.
  - When it is in our legitimate interest to:
    - resolve issues and improve our services to you
    - improve our user communications
    - develop our training programmes
Type of personal data: Data that identifies you
- Description: Details about the devices and technology you use (e.g., your website browser settings, IP address, location, etc).
- Purpose: Administering the Platform and other systems and protecting them. This includes troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting.
- Lawful basis: When it is in our legitimate interest to:
  - ensure our organisation runs properly
  - keep the Platform and systems secure
  - protect our systems and software, including your personal data
  - improve our services
  - conduct internal research and analysis on the use and performance of the Platform and services
Type of personal data: Data on how you use the Platform
- Description: Information about how you use the Platform and services.
- Purpose:
  - Understanding how we can improve the Platform and services, using data analytics.
  - Showing you content and features that are personal to you and your interests.
- Lawful basis:
  - Fulfilling our contract with you.
  - When you consent to it.
  - When it is in our legitimate interest to:
    - verify your compliance with our agreements and defend legal claims
    - monitor, improve and protect the Platform, products and services, and personalise these based on your use
    - develop our business
    - improve our service offering
Type of personal data: Preferences and consents
- Description: Your marketing and communication preferences.
- Purpose:
  - Understanding your preferences for marketing, automated decision-making, profiling, cookies and any other processing activities that you can opt out of.
  - To send information about your requested services (i.e., appointment reminders).
  - Developing and carrying out marketing activities.
- Lawful basis:
  - When you consent to it.
  - When it is in our legitimate interest to:
    - notify you about our services and special offers we think you would be interested in
    - tailor and personalise ads based on the information you provide and your use of the Platform
    - conduct market research and consumer surveys
    - use cookies and similar technology
What about the information I give when I make a booking for someone else?
If you plan to give us someone else’s personal data (e.g., when making a booking for them), they must have access to this policy and you must get their consent before sharing any information with us.
How long do we keep your data for?
When we decide how long we need to keep your data for, we take into account the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of your data, the purposes we use your data for and whether we can achieve those purposes another way.
The retention period which we apply to your personal data is defined in the table above.
You can contact us for more details on our data retention policy.
Do we use cookies and other tracking technologies?
A cookie is a small file of letters and numbers that is stored on your browser or the hard drive of your computer. As with other commercial websites and apps, the Platform uses standard technologies including cookies and similar tools to enhance your user experience, improve our systems and provide tailored offers to you. You cannot actually see cookies as they sit in the background of our systems, but they are probably present on most sites you visit.
For more information on the cookies we use, please take a look at our Cookie Policy.
What marketing activities do we conduct?
We want you to know all about us, our Partners and the services available. To do this, we undertake marketing activities which sometimes involve using your personal data - such as sending you newsletters via email or showing you online adverts.
You will not receive marketing from us by email or text unless you have given us permission, or unless you have used our services before. These messages might contain information about our services, offers, competitions and other important information.
Third parties
We may disclose your personal data to a select group of third parties. But we treat the security and method of processing your personal data very seriously, and we will never sell your personal data.
We have outlined below who those third parties are:
Type of third party: Other Treatwell companies
- Description: Treatwell Limited is part of the Treatwell Group, so we might need to share and collect personal data with other companies in the group to provide and administer our products and services.
- Collect: ✓
- Share: ✓
Type of third party: IT and hosting providers
- Description: If you place an order or engage with us via a website or app that is powered by a third party, we will share your contact and order details (e.g., lastminute.com when you make a booking via spa.lastminute.com). If you give a third party the relevant consents (which we collect on their behalf), they may also send you marketing communications.
- Collect: ✓
- Share: ✓
Type of third party: Our Partners
- Description: When you book services with one of our Partners through us, we will share your information so Partners can: (i) facilitate bookings and, if necessary, contact you before your booking, (ii) deliver marketing emails you have opted in to, and (iii) improve their service offerings and business operations.
- Collect: ✕
- Share: ✓
Type of third party: Business support tools
- Description: We may share your personal data with service providers to: (i) perform functions on our behalf related to the Platform, the running of our business and the provision of our services (e.g., processing payment details, analytics, etc), and (ii) facilitate our business and improve our services.
- Collect: ✕
- Share: ✓
Type of third party: Partners’ IT and hosting service providers
- Description: When our Partners use third-party software providers, we may share your personal data with them to ensure the software solution and Connect display up-to-date and accurate information.
- Collect: ✕
- Share: ✓
Type of third party: Competitions
- Description: We may share your personal data with brands that we are looking to collaborate with on products, services, competitions and campaigns, and we will get your consent before we do this.
- Collect: ✕
- Share: ✓
Type of third party: Third parties involved in business reorganisation
- Description: If we, or the Treatwell Group, decide to sell, transfer or merge part of our organisation or if we become insolvent, we may need to share your personal data with other organisations as part of the process.
- Collect: ✕
- Share: ✓
Type of third party: Government and regulatory organisations
- Description: We might be required to share your personal data with official bodies to fulfil our legal and regulatory obligations. We might also need to disclose your data for court proceedings, to enforce our agreements or to protect customers (including by sharing data with companies for fraud protection and credit risk reduction).
- Collect: ✕
- Share: ✓
Type of third party: Marketing, business development and sales partners
- Description: To provide you with personalised adverts, we may need to share your personal data with any media agencies and advertising partners we engage with.
- Collect: ✕
- Share: ✓
How will my reviews be used?
Any personal data you upload to publicly visible areas of the Platform (such as review sections) may be collected by third parties. We have no control over this and are not responsible for how they may use this information. We recommend you are careful about the information you disclose in these areas.
What about third-party links on our Site?
The Platform might include links to third party websites, and often these links are solely there as pointers to information on topics that might be useful to you. Clicking on those links might allow third parties to collect or share data about you.
We do not control these third-party websites and are not responsible for their privacy standards. When you leave the Platform, please remember that this policy no longer applies, and we encourage you to read the privacy policy of any website you visit.
What happens to information you provide via social media?
Parts of the Platform may allow you to submit your own content, such as reviews and photos of your experience. It is important to remember that these submissions can be viewed by the public, and we are not responsible for any actions taken by other individuals if you post personal data on one of our social media platforms. We recommend you are cautious about providing certain information (e.g., card details or your address) and that you refer to the privacy and cookie policies of the social media platforms you use.
What information do you need to know about our key third parties?
Stripe. We use a third-party payment processor, Stripe, to process all payments made by you on our Website & App. Treatwell does not store credit card details and instead relies on Stripe for this. We obtain limited information from Stripe such as the last four digits, the country of issuance and the expiration date. The processing of such data by Stripe is covered by their privacy policy which may be viewed here: https://stripe.com/privacy. Stripe’s services in Europe are provided by a Stripe affiliate, Stripe Payments Europe Limited, an entity located in Ireland. In providing its payment processing services, Stripe Payments Europe Limited transfers personal data to Stripe, Inc. in the US. For further information about the safeguards used when your information is transferred outside the European Economic Area, see the section of Stripe’s privacy policy entitled “International Data Transfers”.
PayPal. Please note that all PayPal transactions are subject to the PayPal Privacy Policy which can be found here: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full. Please ensure that you are happy with the terms of the PayPal Privacy Policy if you wish to use PayPal to complete any transactions through the Platform.
Spa.lastminute.com. The spa.lastminute.com page is powered by Treatwell. Treatwell performs certain functions as a data controller in partnership with lastminute.com, also a data controller, and as a result Treatwell is required to process your personal information and share some of that information with lastminute.com when you browse and/or book on spa.lastminute.com. The purposes for which Treatwell collects, processes & shares your personal data with spa.lastminute.com are: (i) to fulfil a contract with you, by: (a) processing & managing your bookings; and (b) communicating with you about your booking; and (ii) to fulfil our, or third parties', legitimate interests, by: (a) providing search results; (b) communicating with you, including via Treatwell’s lastminute.com branded customer service function via telephone and email; and (c) on behalf of the relevant venue, collecting your consent (if you choose to provide it) at the checkout page to receive marketing emails from the particular venue with whom you are booking. As well as collecting personal information directly from you during the booking process, Treatwell also uses Cookies (defined below) on spa.lastminute.com in order to ensure spa.lastminute.com works correctly, to enhance and simplify your user experience, to enable us to understand how many users visit our spa.lastminute.com, to establish the source of your booking (channel, location, etc.) and consequently to enable verification of the booking as a lastminute.com booking and to send lastminute.com branded transactional communications to spa.lastminute.com customers. Please see the cookies section of this Privacy Policy for further information on the purposes for which we collect and use this information. 
For information on retention of your personal data, transfers of your personal data (to third parties and outside the European Economic Area), and your rights in respect of your personal data, please refer to the relevant sections of this Privacy Policy. If you have any queries or wish to exercise any of your rights in respect of the personal data processing described in this paragraph, please contact Treatwell using the details set out in this Privacy Policy.
Treatwell will also, on behalf of and under the instructions of lastminute.com, collect your consent (if you choose to provide it) at the checkout page to receive marketing emails from lastminute.com and pass this to lastminute.com daily via a secure data feed. For the avoidance of doubt, Treatwell does not collect any marketing opt-in for itself on spa.lastminute.com. lastminute.com also use cookies and similar tracking measures on spa.lastminute.com to collect information about your behaviour and for other purposes including personalisation, analytical and advertising and re-marketing. Please see lastminute.com's privacy policy here and cookie policy here for more information on how lastminute.com collects and processes your personal data. If you have any queries or wish to exercise any of your rights in respect of the personal data processing described in this paragraph, please contact lastminute.com using the details set out in their privacy policy.
Do we transfer data outside of the EEA?
The personal data that we hold about you will be held in the UK and the European Economic Area (EEA), but it might also be transferred to or stored outside the UK or EEA, including in the US and Israel.
When we transfer your data to third parties outside the EEA, we make sure your data is safe. We do this by putting one of the following safeguards in place:
- only transferring it to a country the European Commission has decided has a suitable level of protection, or
- by putting in place contracts (known as the Standard Contractual Clauses, and the International Data Transfer Agreement/Addendum) that make sure the third party outside of the EEA promises to protect your personal data. We also make sure any other necessary security measures are put in place.
If you are in the EEA, you can contact us at any time and we will let you know exactly what safeguards we have put in place for the transfer of your personal data outside the EEA. You can also contact us at any time at support.treatwell.com/hc/en-gb for a copy of the relevant mechanism.
Your rights
What are your rights and how do you exercise them?
Under the GDPR, you are entitled to the following rights:
- Asking us for a copy of your data: You can ask us for a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Asking us to delete or erase your data: You can ask us to delete your personal data where there is no good reason for us continuing to process it. Sometimes we cannot meet your request because of legal reasons. But don’t worry, we will tell you if this applies when you make your request!
- Asking us to correct your data: You may be able to view or change the data we hold about you by logging in to your online account. If this does not work, you can ask us to correct the data - but we might need to check that the new data you give us is right.
- Asking us to send your data to another organisation: You can ask us to move, copy or transfer your personal data to a different organisation, where it is reasonable and fair.
- Asking us how we are using your data: We will tell you how we collect, use and share your personal data.
- Asking us to restrict the processing of your data: If you have a particular reason (for example the content or how we are using it), you can ask us to limit the ways in which we are using your data.
- Objecting to our processing activities: For certain types of activities, like direct marketing, you can ask us to stop at any time. You can also object if we are making decisions that are automated or if we are using your data to profile you (this basically means we are using your data to guess what you are interested in or make decisions about you). If there are circumstances when it is really important for us to use your data, we may be unable to stop the processing. But don’t worry, we will let you know if this is the case - and our reasons.
We might ask you to give us information to verify your identity (especially when you ask for financial information). This is to make sure we keep your and our other customers’ personal data safe.
We try to respond to legitimate requests within 1 month of receiving them. Sometimes it might take us longer if your request is complicated or you have more than 1 request. But don’t worry, we will make sure to let you know if we need more time and will keep you updated.
There are some requests that we will not be able to fulfil, and this can be for many reasons, including when there is a risk that another person's personal data will be disclosed, or if we have a legal requirement or a compelling reason to continue processing your personal data which you have asked us to delete.
If you want to exercise any of these rights, please get in touch with us at support.treatwell.com/hc/en-gb. If you need more information about your rights, including the circumstances in which they apply to you, please see the ICO’s websites or contact us.
How can you withdraw your consent and opt-out of processing?
You can ask us to stop sending you marketing messages that you have previously consented to at any time you want. You can do this by following the instructions in our communication, or by using the details set out below:
- General. Following the instructions in the communication or contacting us.
- Emails. Clicking the “unsubscribe” button at the bottom of our email or contacting us at support.treatwell.com/hc/en-gb (please allow 48 business hours for your email to be removed from our system).
- Partner communications. Contacting the Partner or third party directly. In the case of our Partners, if you need our help, we would be happy to do what we can.
- Push notifications. Revoking this within your phone’s operating system settings.
When you opt-out or unsubscribe from marketing, we will stop using your personal data in the ways you have asked. However, we will not delete your data as we may need it for other reasons. If you want us to delete all your data, please ask us to do that, as well as opting-out of marketing messages.
If you withdraw your consent and/or opt-out, we might not be able to provide certain services to you. If this is the case, we will let you know. You can of course give us your consent again if you want to access our services.
Please note that when you have opted out using the above methods, you may still see our non-targeted ads when you are online, as we have no control over whether these ads are displayed to you.
You have a right to withhold your consent without suffering any adverse effects.
Security
What security measures do we have in place?
We use strict procedures and security features to protect personal data we receive from you.
Last updated version: 2023-01-08
COOKIE POLICY
What is the purpose of this policy?
Here at Treatwell we respect your privacy and want to make sure you understand how we collect and use your data. This cookie policy sets out how, what and why we use cookies on our site, as well as your rights and how to exercise them.
What are cookies?
A cookie is a small file of letters and numbers that is stored on your browser or the hard drive of your computer. You cannot actually see cookies as they sit in the background of sites, and they are probably present on most sites that you visit.
Why do we use cookies?
Cookies help us provide you with a better user experience, to understand how to improve our systems and enable us to provide tailored services and offers to you.
What information do we collect about you in cookies?
Our cookies collect different types of information about you, most of which we cannot use to identify you. For example, we collect information about where you are accessing our site from and the device you are using.
Whether or not the data collected within our cookies is personal in nature, you still have the right to understand why and how we collect the information, and how you can stop us doing so.
How can you manage cookies?
You can manage which cookies on our site collect your data using the Cookie Settings section at the bottom of our site.
You can also block cookies using your browser settings, including those cookies we have deemed to be ‘strictly necessary’ (cookies we need to run our site properly). If you do use your browser setting to block all cookies, you might not be able to get access to all of our site or at least parts of it.
What cookies do we use?
Cookies: Strictly necessary
- Why do we use these cookies? We need these cookies to make sure our site works properly and they cannot be switched off in our systems. You can set your browser to block or alert you about these cookies, but some parts of our site will not then work.
- Optional? Always active
Cookies: Functional
- Why do we use these cookies? These cookies help us know that it is you when you return to our site. This means we can show you personalised content and other things that we remember you liked last time you visited our site. If you do not allow these cookies then some or all of these services may not function properly.
- Optional? Optional
Cookies: Performance
- Why do we use these cookies? These cookies help us count site visits and see what pages are most popular, so we can measure and improve the performance of the site. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.
- Optional? Optional
Cookies: Targeting
- Why do we use these cookies? These cookies may be set on our site by our advertising partners. They may be used by those partners to find out what you like on our site and then show relevant adverts for you on other sites. If you do not allow these cookies, you will experience less targeted advertising. These partners have their own privacy policies which you should read in detail.
- Optional? Optional
Partner Data Processing Agreement
DATA PROTECTION AGREEMENT (the so-called “DPA”)
Appointment of the data processor pursuant to art. 28 of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR")
This deed of appointment of the Data Processor and the related contractual regulation (hereinafter the "DPA") is entered into between
You (hereinafter referred to for convenience as the “Salon”, “Data Controller” or “Controller”) and
Treatwell Limited, having its registered office in the United Kingdom at 1st Floor, 6 St Andrew Street, London EC4A 3AE, VAT number 928047219, in the person of its legal representative p.t. (hereinafter referred to for convenience as “Treatwell”, “Data Processor” or “Processor”).
The Salon and Treatwell are hereinafter collectively referred to as the "Parties".
PREMISES
- The Parties entered into an agreement (hereinafter the “Agreement") whereby Treatwell provides the Salon with the following services: i) the Treatwell platform, Site and App, for the promotion of the Salon and to receive bookings/purchases of beauty services from users; ii) the software, called “Treatwell Connect” or “Treatwell Pro”, to manage the booking diary and marketing and service communications (hereinafter, collectively, the “Services”).
- The Parties are subject to the provisions of Regulation EU 679/2016 on the protection of natural persons with regard to the processing of personal data (hereinafter, for convenience, referred to as the "GDPR") and the relevant national implementing legislation (hereinafter collectively referred to as the "Data Protection Legislation").
- In the execution of the Agreement, the Salon assumes the role of Data Controller pursuant to art. 4, par. 1, no. 7, GDPR and processes the personal data of the individuals who book/purchase the beauty services offered/promoted at its business premises or through the Treatwell website and app (hereinafter, for convenience, "Data Subjects").
In view of all the above, it is hereby agreed and stipulated as follows.
- Appointment of the Data Processor
- Treatwell is appointed as a Data Processor pursuant to articles 4, par. 1, no. 8 and 28 GDPR in relation to the provision of the Services under the Agreement.
- Subject matter of the DPA
- The Agreement and the Premises form an integral and essential part of this DPA and shall be deemed to be incorporated herein by reference in their entirety.
- This DPA defines the terms and conditions that Treatwell, in its capacity as data processor and on behalf of the Salon, must comply with when carrying out the personal data processing operations necessary for the provision of the Services under the Agreement. This DPA is accordingly conditional, in its subject matter and duration, on the Agreement concluded between the Parties. Personal data collected or processed for purposes other than those provided for in the Agreement do not fall within the mandate of the Data Processor.
- Processing of personal data assigned to the Data Processor
- Treatwell is authorised to process, on behalf of the Data Controller, Data Subjects personal data which are necessary to:
● share with the Salon bookings and purchases made by Data Subjects through the Platform;
● facilitate bookings and purchases of beauty services offered by the Salon;
● share with Data Subjects the results/outcomes of the bookings/purchases made via the Platform;
● assist Data Subjects with complaints and requests for information;
● any other processing of the Data Subjects' personal data necessary for the execution of the Agreement.
- In execution of the Agreement, Treatwell only provides the Salon with the diary/booking and activity management Software and with the marketing communication and service evaluation Software. The manner in which both Software products are managed and used, including the sending of communications (marketing and service evaluation communications included), is entirely at the sole discretion of the Salon, with the result that only the Salon can be held liable for it.
- The personal data that will be processed will be common data (e.g.: name and surname), contact data (e.g.: e-mail, telephone number), data relating to bookings/purchases made by Data Subjects.
- The type of operations carried out on personal data are both automated and non-automated. The Data Processor processes personal data in accordance with the provisions of the GDPR.
- Obligations of the data Processor
- The Data Processor undertakes to comply with the obligations and instructions given by the Controller. In particular:
● Compliance with the applicable Data Protection Legislation. The Processor undertakes, when processing personal data, to comply with the principles on the processing of personal data set out in the GDPR (Article 5, GDPR) and, in accordance with the principle of minimisation, to process data only to the extent necessary to provide the activities or applications specified in the Agreement and in this DPA, ensuring that personal data belonging to the Processor itself or to its other clients are processed separately.
● Respect for purposes. The Data Processor undertakes to process personal data exclusively for the purposes set out in Art. 2 and in compliance with the instructions provided by the Data Controller.
● Duty to cooperate. The Data Processor shall promptly inform the Data Controller i) if it considers that the instructions given by the Data Controller violate the provisions contained in the GDPR or the Data Protection Legislation and ii) of the existence of a legal obligation to proceed with a transfer of personal data to a third country or an international organisation, unless the applicable law prohibits such information for important reasons of public interest. The Data Processor also undertakes to assist the Data Controller in ensuring compliance with the obligations set out in articles 32 et seq. of the GDPR, by notifying the Data Controller of any potential personal data breach within 48 hours of becoming aware of the event, and by providing any documentation/information that may be useful to enable the Data Controller to notify the Data Protection Authority pursuant to article 33 of the GDPR or the Data Subjects pursuant to article 34 of the GDPR. Where necessary, the Data Processor also undertakes to assist the Data Controller in drafting the Data Protection Impact Assessment ("DPIA") pursuant to article 35 of the GDPR or in the prior consultation with the Data Protection Authority pursuant to article 36 of the GDPR.
● Confidentiality. The Data Processor undertakes to ensure the confidentiality of the personal data processed by limiting access i) to persons authorised and specifically instructed to process the data in accordance with article 29 of the GDPR; ii) to sub-processors in accordance with article 28 of the GDPR.
● Sub-processors. The Controller generally authorises the Data Processor, pursuant to article 28, par. 2, of the GDPR, to delegate the processing of personal data under this DPA to sub-processors. Pursuant to article 28, par. 4, of the GDPR, an agreement must be concluded between the Data Processor and the sub-processor to ensure that the sub-processor fulfills its data protection obligations. In any case, the Data Processor remains responsible to the Controller for the processing activities delegated to sub-processors.
● Record of processing activities. Pursuant to article 30 of the GDPR, the Processor undertakes to keep a record of all processing activities carried out on behalf of the Controller.
● Transfers outside the European Economic Area. The Data Processor is authorised by the Data Controller to transfer personal data outside the European Economic Area, provided that the transfer is to a third country that has obtained an adequacy decision pursuant to article 45 of the GDPR or that the appropriate safeguards set out in articles 46 et seq. of the GDPR, including the so-called Standard Contractual Clauses ("SCC"), are in place.
● Security. In accordance with the provisions of articles 25 and 32 of the GDPR, the Data Processor undertakes to adopt technical and organisational measures to ensure i) an adequate level of security of the personal data of Data Subjects and ii) the confidentiality, integrity, availability and resilience of the processing systems, including the ability to promptly restore the availability of and access to personal data in the event of a physical or technical incident. The Processor undertakes to implement procedures to regularly test, verify and evaluate the effectiveness of the security measures adopted. If the processing concerns special categories of personal data pursuant to article 9 of the GDPR, the Data Processor undertakes to implement additional technical and organisational measures and/or guarantees.
● Rights of Data Subjects. The Data Processor undertakes to assist the Data Controller in responding to requests from Data Subjects to exercise their rights pursuant to articles 15 et seq. of the GDPR (e.g. right of access, rectification, erasure, etc.). In the event that requests are sent to the Data Processor, the latter will forward them to the Data Controller within 72 hours of receipt. In more complex cases, the assistance provided by the Data Processor shall be adequately remunerated.
● Deletion of the Controller's Personal Data. In the event of termination of this DPA or of the Agreement, the Processor undertakes to erase/destroy or return to the Controller any existing copies of the Personal Data, documenting in writing that such erasure/destruction has taken place, unless retention is necessary under the applicable Data Protection Legislation, to comply with legal obligations, or to establish, exercise or defend a legal right.
● Audit. The Data Controller has the right to carry out verification activities ("Audits") on the Data Processor's compliance with the applicable Data Protection Legislation, at most once a year and with exclusive reference to the processing operations under this DPA, giving at least 90 days' notice and ensuring the maximum protection of the Data Processor's business operations. The Data Processor undertakes, pursuant to article 28, par. 3, point (h), of the GDPR, to provide the Data Controller with the information necessary to monitor the fulfilment of its obligations under this DPA. The Controller shall bear all costs related to the audit activity.
- Obligations of the Data Controller
- The Data Controller is obligated to document in writing all instructions given to the Data Processor and to supervise, for the entire duration of this DPA, the processing activities carried out by the latter.
- The Data Controller is also responsible for providing Data Subjects with the information referred to in articles 13 and 14 of the GDPR, with reference to the processing delegated to the Data Processor. In any case, the Data Processor provides some information on the division of roles in the Privacy Policy published on the Platform and accessible at the following link https://www.treatwell.co.uk/info/privacy-policy/.
- Liability and Indemnity
- The Controller undertakes to indemnify the Processor for any communication activities, marketing or otherwise, carried out through the software provided by the Processor.
- The Controller undertakes to indemnify the Data Processor for any processing activities delegated to the Data Processor. The Controller shall be solely responsible for the processing of the Data Subjects' personal data, unless the Data Processor acts with intent or gross negligence.
- Term, termination and withdrawal
- This DPA comes into force when it is signed by the Parties and has the same duration as the Agreement, following the course of the latter (e.g. termination, expiry, etc.).
- In the event that one of the Parties breaches the obligations set forth in the GDPR or in the current Data Protection Legislation, this DPA shall be considered terminated with immediate effect.
- The Data Processor has the right to withdraw from the DPA and the Agreement if the Data Controller insists on carrying out instructions given in breach of the GDPR and/or the applicable Data Protection Legislation. In this case, the Data Processor shall promptly cease the processing of personal data, and any damages and/or compensation in favour of the Data Controller shall be excluded.
- Final provisions
- The Parties undertake to amend this DPA if this becomes necessary as a result of changes to the Data Protection Legislation.
- The interpretation and execution of this DPA shall be governed by the law of England and Wales. Any dispute arising out of or in connection with the DPA shall be submitted to the exclusive jurisdiction of the courts of England and Wales.
List of cookies used on our website:
The third party companies that we use for targeting and advertising purposes have their own privacy policies which you should read in detail.