Privacy Policy



Updated: October 30, 2025
Scope: This Policy applies to https://vanitasespai.es/ and https://shop.vanitasespai.es/ (online store).

1) Data Controller

  • Responsible: VANITAS ESPAI, S.L. (CIF B66851791)
  • Address: C/ París, 204 – 08008 Barcelona (Spain)
  • Contact email (privacy): info@vanitasespai.com
  • Telephone: +34 933 682 555

2) Treatments

2.1. Appointment and Booking Request Management (“Booking” form at vanitasespai.es)

  • Data: Name and surname, telephone number, email address, date/time preferences, desired service, first visit, how you heard about us, professional preferences, and comments.
  • Purpose: To manage your appointment request and respond to your request; coordinate and confirm availability; manage changes/cancellations and provide related support.
  • Legal basis: execution of pre-contractual measures and/or contract (Art. 6.1.b GDPR).
  • Retention: for the duration of the appointment management and, where applicable, incorporated into the customer record up to 6 years (commercial obligations) and 4 years (tax obligations) if it results in a purchase/service; otherwise, up to 12 months for communication traceability and duplication prevention.

  • Recipients: Hosting tools, email, form provider, and messaging/WhatsApp when the user chooses this channel; no data is transferred to third parties except where legally required/with consent.

2.2. Customer Service and Communications (email, phone, and WhatsApp)

  • Data: identifying and contact information, content of inquiries, communication metadata.
  • Purpose: to handle inquiries, incidents, complaints, and after-sales service; traceability of communications.
  • Legal basis: legitimate interest in serving you and managing the relationship (Art. 6.1.f GDPR) and/or contract if it is linked to an order/appointment (Art. 6.1.b GDPR).
  • Retention: during the relationship and up to 3 years for potential liabilities; legal claims according to applicable time limits.
  • Recipients: mail/telephone provider and WhatsApp (when used).
  • Notes about WhatsApp: By contacting us via WhatsApp, you agree to the terms and conditions of this service; we recommend that you do not share sensitive information through this channel.

2.3. Online Sales and Logistics (shop.vanitasespai.es – WooCommerce)

  • Data: identification and contact information, shipping/billing address, tax ID/national ID (if invoicing), purchased products, payment methods (token/transaction ID, without full card details), order status, returns, and warranties.
  • Purpose: to process orders, collections, invoicing, delivery, returns/warranties, and after-sales service.
  • Legal basis: contract (Art. 6.1.b GDPR) and legal obligation in invoicing/tax matters (Art. 6.1.c).
  • Retention: Commercial/tax documentation 6 years (Commercial Code) and 4 years (Tax regulations); purchase history while you are an active customer and, thereafter, blocked by statute of limitations.
  • Recipients: Payment gateways (Bank POS and PayPal), logistics operators/courier services, hosting/platform provider (WordPress/WooCommerce), technical support, and tax authorities where applicable.

2.4. Gift cards and redemption

  • Data: Buyer (identification/contact), card amount/code, purchase date, recipient when indicated, redemptions made.
  • Purpose: Sale, issuance, activation and control of gift cards; redemption management and associated customer service.
  • Legal basis: contract (Art. 6.1.b GDPR).
  • Retention: during the validity of the card and, after its expiration/exchange, for the commercial/tax periods indicated.
  • Recipients: Payment gateways, e-commerce provider, and, where applicable, internal redemption systems in the salon.

2.5. Staff Selection (“Work with us” form at vanitasespai.es)

  • Data: Identification and contact information, CV (experience, education, references), availability/start date, language skills, and questionnaire responses.
  • Purpose: Management of selection processes, evaluation of current and future applications.
  • Legal basis: adoption of pre-contractual measures (Art. 6.1.b GDPR).
  • Retention: 12 months from the last update or until you withdraw your consent.
  • Notes: we do not request specially protected data; if included, it will be considered not required and may be removed.

2.6. Commercial Communications

  • Data: email and, where applicable, name; history of mailings/opens if a mailing tool is used.
  • Purpose: sending promotions, news and recommendations related to Vanitas Espai products or services.
  • Legal basis: Consent (Art. 6.1.a). For clients, we may send communications about similar products/services in accordance with Art. 21.2 LSSI, with the right to object with each communication.
  • Retention: as long as you maintain your consent or until you object.
  • Recipients: email marketing provider, if used.

2.7. Review and Testimonial Management

  • Data: display name/alias, review content, date, and rating (e.g., stars). If the review comes from third-party platforms (Google, Facebook, or others), metadata associated with the embedded widget (IP address, device identifiers, cookies) may be processed by the corresponding platform.
  • Purpose: to display opinions about our products and services on the Site; to moderate or remove illegal, offensive, or rights-infringing content; to handle removal requests; to ensure transparency regarding the origin of reviews.
  • Legal basis:
    • Legitimate interest (Art. 6.1.f GDPR) in informing potential customers through product/service reviews and in protecting the community from abuse.
    • Consent (Art. 6.1.a) when the user sends us their review directly through a form on the Site.
  • Data Source: Reviews may come from third parties (Google/Facebook or other platforms). In these cases, VANITAS ESPAI, S.L. does not verify the authenticity of the reviews nor guarantee that they were submitted by a real consumer; verification, where applicable, is the responsibility of the platform owner in accordance with their terms. When reviews are collected through our own form, we may carry out checks (e.g., order number) and will indicate this.

  • Retention: as long as they are relevant for the purposes described or until the data subject requests their removal for legitimate reasons. Moderation logs will be retained for the applicable statutory limitation periods.

  • Recipients: Hosting and platform providers of the Site; when third-party widgets are embedded, the owners of those platforms (e.g., Google/Facebook) process data as independent controllers.

  • International Transfers: If the widgets or platforms operate outside the EEA, international transfers may occur in accordance with their policies and safeguards (e.g., Standard Contractual Clauses). Consult the Cookie Policy and the privacy policies of each platform.

2.8. Web Analytics and Cookies

  • Data: online identifiers, IP address, browsing events, device/OS, pages visited (data pseudonymized/anonymous depending on settings).
  • Purpose: to measure site usage, detect errors, and improve the user experience.
  • Legal basis: Consent to analytics/marketing cookies (Art. 6.1.a) via the cookie banner/manager.
  • Retention: according to the expiration of each cookie or until consent is revoked.
  • More information: see Cookie Policy.

2.9. Security and Fraud Prevention

  • Data: technical and access logs, security events, anti-fraud verification in payments.
  • Purpose: To preserve the security of the Site and transactions; to prevent misuse or fraudulent activity.
  • Legal basis: legitimate interest (Art. 6.1.f GDPR).
  • Retention: technical logs up to 12 months except for incidents that require additional retention.

 

3) Recipients and Processors

  • Technology and Hosting: provider of web hosting, maintenance and support (WordPress/WooCommerce).
  • Payment: Bank POS terminals and PayPal process payments securely (they act as independent controllers of their own operations).
  • Logistics: courier/transport companies for delivery and incident management.
  • Communications: mail provider and, if used, email marketing service.
  • Other: public administration and authorities where there is a legal obligation.

4) International Transfers
If any provider offers services from outside the EEA (e.g., certain features of PayPal or messaging/analytics platforms), appropriate safeguards will apply (e.g., the European Commission’s Standard Contractual Clauses and additional measures where appropriate). You can consult the privacy policies of each provider.

5) Rights of Individuals

You can exercise your rights of access, rectification, erasure, objection, restriction of processing, and data portability by sending an email to info@vanitasespai.com or by mail to the address of the Data Controller, indicating the subject “Data Protection” and identifying yourself. If you do not agree with the processing of your data, you may file a complaint with the Spanish Data Protection Agency (AEPD).

6) Source of the data
The data comes from the data subject (forms, online purchases, communications) and from the Site’s automated systems (cookies, logs). They are not obtained from public sources.

7) Minors

Our services are intended for users over 18 years of age. If we detect data from minors without authorization, it will be deleted.

8) Security Measures

We apply appropriate technical and organizational measures (access control, encryption in transit, backups, minimization and pseudonymization where appropriate). Payment gateways operate in secure environments; we do not store full card details.
9) Changes to this Policy
We may modify this Policy to reflect regulatory or operational changes. The current version will be the one published with its update date.