Privacy Policy

§ 1 General provisions

1. Concerning the protection of the privacy of customers using the website www.nusaspa.pl, owned by NUSA SPA limited liability company with its registered office in Warsaw (02-508) at ul. Puławska 39/40, entered in the Register of Entrepreneurs of the National Court Register under KRS number: 0000990609, NIP: 5213983070, share capital: PLN 50,000.00, this Privacy and Cookie Policy is hereby introduced.

2. The terms used in the Privacy and Cookie Policy shall have the following meanings:

a. Policy – this privacy and cookie policy;
b. Administrator or Seller – the NUSA SPA and Hati Massage brands are managed by NUSA SPA limited liability company with its registered office in Warsaw (02-508) at ul. Puławska 39/40, entered in the Register of Entrepreneurs of the National Court Register under KRS number: 0000990609, NIP: 5213983070, share capital: PLN 50,000.00;
c. Online store – a store operated by the Seller, available at the website address www.nusaspa.pl;
d. Nusa Spa – a brand owned by NUSA SPA sp. z o.o. (trademark protected), which also includes the Hati Massage brand;
e. Customer – a natural person, legal person, or organizational unit without legal personality but with legal capacity, using the Online Store;
f. Order – a declaration of will by the Customer aimed directly at concluding a Sales Agreement with the Seller;
g. Newsletter – a service provided by the Seller to the Customer consisting of sending commercial information by electronic means of communication in accordance with the Act on the provision of electronic services on goods offered by the Seller and on promotions and other marketing campaigns organized by the Seller;
h. Sales Agreement – an agreement for the sale of goods or services concluded or entered into between the Customer and the Seller via the Online Store;
i. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
j. Act of Services – Act of July 18, 2002, on the provision of electronic services (i.e., Journal of Laws of 2017, item 1219).

3. This Policy contains information on the processing of personal data in connection with Customers’ use of the Online Store.

4. The Administrator processes the personal data of Online Store Customers in accordance with the GDPR and other currently applicable laws on the protection of personal data. The Administrator takes precautions, including technical and organizational measures, to ensure the protection of the personal data being processed, appropriate to the risks and categories of data covered by the protection, and in particular protects the data against disclosure to unauthorized persons, removal by an unauthorized person, processing in violation of the GDPR or other regulations, and alteration, loss, damage, or destruction.

5. The Administrator takes measures in accordance with industry standards to protect the confidentiality of Customers’ personal data. The Administrator has implemented reasonable organizational, technical, and physical control mechanisms to protect personal data from loss, misuse, or modification.

6. The provisions of this Policy apply to all persons using the Online Store functionalities available on the website www.nusaspa.pl.

§ 2 Scope, purpose, and period of processing Customers’ personal data

1. The personal data of Online Store Customers is processed by the Administrator:

a. to provide electronic services in the scope of making content collected in the Online Store available to Customers (i.e., processing necessary for the performance of a contract – Article 6(1)(b) of the GDPR);
b. in connection with the performance of the Sales Agreement, including in connection with the consideration of complaints/warranties (Article 6(1)(b) of the GDPR),
c. data processing may be necessary for purposes other than those indicated above, and essential in connection with the performance of financial settlement obligations, including tax obligations (Article 6(1)(c) of the GDPR),
d. in certain situations, it is or may be necessary to process the indicated data for purposes other than those indicated above, which are required for the legitimate interests pursued by the Controller (Article 6(1)(f) of the GDPR), i.e. consideration of complaints/warranties, limitation of claims under the Sales Agreement,
e. for statistical purposes (Article 6(1)(f) of the GDPR),
f. in other cases, personal data will be processed only based on prior consent, within the scope and for the purpose specified in the consent (Article 6(1)(a) of the GDPR).

Placing an order

2. The scope of personal data processed when a Customer places an Order in the Online Store is limited to the minimum necessary for the Seller to fulfill the Order, i.e., for the purpose of accepting and processing the Order. In this regard, the Administrator processes the following personal data:

a. first and last name and/or company name,
b. mailing address (delivery address),
c. Customer’s Tax Identification Number and registered address if an invoice needs to be issued for the Order;
d. contact details in the form of a telephone number and email address.

3. The Customer’s personal data is processed by the Administrator:

a. in connection with the performance of the Sales Agreement, including in connection with the processing of complaints (Article 6(1)(b) of the GDPR),
b. in addition, data processing may be necessary for purposes other than those indicated above, and necessary in connection with the performance of financial settlement obligations, including tax obligations (Article 6(1)(c) of the GDPR),
c. in certain situations, it is or may be necessary to process the indicated data for purposes other than those indicated above, which are necessary for the purposes of the legitimate interests pursued by the Controller (Article 6(1)(f) of the GDPR), i.e. consideration of complaints/warranties, limitation of claims under the Sales Agreement,
d. for statistical purposes (Article 6(1)(f) of the GDPR).

4. Providing the data marked as mandatory in the Order is required for the acceptance and fulfillment of the Order. Failure to provide this data will prevent the Seller from processing and fulfilling the Order.

5. The Customer’s personal data will be processed for the period necessary to achieve the purposes mentioned above, i.e. in the scope of concluding or performing the Sales Agreement, for the period until the conclusion of the Sales Agreement or its performance, and after that time for the period and to the extent required by law (until the expiry of the limitation period for claims under the Sales Agreement) or until the expiry of the rights under the complaint/warranty (for the Administrator to pursue the Administrator’s legitimate interest specified above).

Contact form

6. The Administrator provides a contact form in the Online Store to enable the Customer to contact the Administrator.

7. To use the “Contact” form, the Customer must provide:

a. first and last name,
b. email address,
c. telephone number,
d. subject and content of the message sent to the Administrator.

8. The basis for the processing of personal data provided in the contact form referred to above is consent to the processing of personal data (Article 6(1)(a) of the GDPR) or the necessity to take action at the request of the data subject (Article 6(1)(a) of the GDPR).

9. Providing personal data by the Customer is voluntary, but necessary to respond to the Customer’s inquiry. Providing the data marked as necessary is required to handle the inquiry and will facilitate the Administrator’s contact with the Customer. Failure to provide mandatory data will prevent the Administrator from handling the inquiry.

10. The Customer’s personal data will be processed for no longer than is necessary to respond or until consent is withdrawn.

Newsletter

11. If the Customer agrees to receive marketing information via email, the Customer’s personal data will be processed by the Administrator for the purpose of sending such information.

12. The basis for the processing of personal data is Article 6(1)(a) of the GDPR (consent) and Article 6(1)(f) of the GDPR (processing is necessary for the legitimate interests pursued by the Controller). The provision of personal data by the Customer is voluntary, but necessary to send the Newsletter.

13. The Administrator will process personal data until consent is withdrawn, and in some situations, for the duration of the Administrator’s legitimate interest.

Social media

14. The Administrator processes the personal data of Customers visiting its public profile on the Facebook social networking site available at: www.facebook.com/Nusa.Spa.Warszawa/ (and in this respect, Facebook Ireland Limited is the joint controller of personal data) and the Instagram portal available at: www.instagram.com/nusaspawarszawa, as well as the Booksy portal available at: nusaspaursynow.booksy.com, nusaspaochota.booksy.com, and nusaspawilanow.booksy.com exclusively in connection with the profiles maintained, pursuant to Article 6(1)(f) of the GDPR (processing is necessary for the legitimate interests pursued by the Administrator, such as: informing about the Administrator’s activities, promoting products offered by the Administrator, informing about promotions, sales, etc.). By visiting the Administrator’s profiles mentioned above, the Customer provides personal data, including account names on the profiles discussed above, comments, likes, and internet identifiers, to enable the Administrator to manage the profiles and communicate with the Customer effectively.

§ 3 Rights of data subjects

1. Customers of the Online Store, in connection with the processing of their personal data by the Seller, have the following rights under the provisions of the GDPR:

a. the right to access the content of the personal data provided,
b. the right to request the supplementation, updating, correction of the personal data provided, temporary or permanent suspension of their processing,
c. the right to delete the data provided if it is incomplete, outdated, untrue, or has been collected in violation of the law, or is no longer necessary for the purpose for which it was collected,
d. the right to be forgotten,
e. the right to restrict the processing of the data provided,
f. the right to transfer the personal data provided, if the data is processed in an automated manner based on consent or based on a contract,
g. the right to object,
h. the right not to be subject to profiling,
i. the right to withdraw consent to the processing of the personal data provided at any time, if the processing of such data is based on consent,
j. the right to complain to a supervisory authority; the supervisory authority for the Administrator in the field of personal data is the President of the Personal Data Protection Office.

2. If you have any questions regarding the processing of personal data and the exercise of your rights, you may contact the Administrator at any time by email: biuro@nusaspa.pl.

§ 4 Disclosure and entrusting of personal data

1. Customers’ personal data will not be disclosed by the Administrator to other entities, except in situations where the Administrator discloses Customers’ personal data based on commissioned services and in accordance with the entrustment agreements concluded.

2. Entities to whom data has been entrusted are obliged to apply appropriate technical and organizational measures to secure the Customers’ personal data.

§ 5 Cookies

1. The Administrator uses cookies, i.e., small text files stored on the Customer’s end device. The Administrator’s ICT system can read cookies. The Administrator obtains access to the information contained in cookies via the ICT system.

2. The Administrator stores cookies on the device for the following purposes:

a. to tailor the services offered to the User’s preferences,
b. for the Administrator’s statistical purposes.

3. The Administrator also informs the Customers of the Online Store that it is possible to configure the web browser to prevent the storage of cookies on the Customer’s end device.

4. The Customer may delete cookies after they have been saved by the Administrator, using the appropriate browser functions, programs designed for this purpose, or using the proper tools available for this purpose within the operating system used by the User.

§ 6 Final provisions

1. This Policy may be reviewed on an ongoing basis and amended if necessary.

2. The current version of the Policy is effective as of June 1, 2025.