We value your trust and your privacy. This policy explains what personal data we process about you, why, on what legal basis, to whom we disclose it, and what rights you have. Processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR) and Czech Act No. 110/2019 Coll. on personal data processing. In case of any discrepancy, the Czech version of this policy prevails.
1. Data controller
Royal medical service & spa s.r.o., operator of the ESCAPE Thai Massage salon
Company ID (IČO): 05832241 · VAT ID (DIČ): CZ05832241
Registered office and premises: Elišky Krásnohorské 133/11, 110 00 Prague 1 – Josefov, Czech Republic
Email: info@escapemassage.cz · Phone: +420 734 331 444
For any data-protection matter, contact us at the email above. We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so.
2. What data we process
Depending on how you use our services, we may process:
- Identification and contact data — name and surname, email, phone number.
- Booking data — chosen treatment, length, date and time, and any notes or preferences.
- Gift voucher data — recipient's name, personal message and delivery address (for courier delivery).
- Escape Club membership data — visit history, club credit balance and redeemed rewards.
- Payment data — amount and payment status. Payments are handled through the secure Stripe gateway; we never see or store card numbers.
- Newsletter data — your email address, if you subscribe.
- Website usage data — IP address, device and browser type, cookies and similar identifiers (see section 9).
- Special category data — optional health information you choose to provide in a booking note (see section 4).
3. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Handling bookings, providing the massage, selling and redeeming gift vouchers, running Escape Club membership | Performance of a contract (Art. 6(1)(b) GDPR) |
| Bookkeeping and meeting tax obligations | Legal obligation (Art. 6(1)(c)) |
| Improving our services, operational security, fraud and abuse prevention, protecting our legitimate claims | Legitimate interest (Art. 6(1)(f)) |
| Sending the newsletter and marketing offers, marketing cookies | Consent (Art. 6(1)(a)) |
| Processing optional health information | Explicit consent (Art. 9(2)(a)) |

Any consent you give (newsletter, marketing, health notes) can be withdrawn at any time, free of charge — see section 8. Withdrawal does not affect the lawfulness of earlier processing.
4. Health data
The booking note is entirely optional. If you include information about health considerations (e.g. an injury, pregnancy, allergies), it helps us adapt the massage so it is safe and pleasant for you.
Such data falls into the special categories of personal data and we process it solely on the basis of your explicit consent, which you give by voluntarily entering it. You are under no obligation to provide it, and leaving it out has no effect on your ability to book.
5. Recipients and processors
We never sell your data. We disclose it only to vetted processors who help us deliver the service, under data-processing agreements:
- Stripe — card payment processing.
- Supabase — secure database storage (hosted in the EU).
- Resend — sending confirmation and transactional emails.
- Google — website analytics, tag management and map embedding.
- Shipping / courier service — delivery of printed gift vouchers.
- Accounting and invoicing software provider — keeping accounting records.
- Public authorities — only to the extent required by law.
We are happy to provide the current list of processors on request at info@escapemassage.cz.
6. Transfers to third countries
We process your data primarily within the European Union. Some providers (notably Stripe and Google) may process data outside the EU, e.g. in the USA. In such cases the transfer is safeguarded by appropriate measures under the GDPR, typically the Standard Contractual Clauses approved by the European Commission.
7. Retention periods
| Data | Retention period |
|---|---|
| Bookings and records of services provided | For the duration of the relationship and then for the limitation periods (typically 3 years) |
| Accounting and tax documents | For the statutory period (typically 10 years) |
| Escape Club membership and club credit | For the duration of membership, until you request erasure |
| Gift vouchers | For the voucher's validity (12 months) and related periods |
| Newsletter | Until consent is withdrawn |
| Cookies and website usage data | Per cookie type (see section 9), typically up to 26 months |

8. Your rights
In relation to your personal data you have the right to:
- access your data and obtain a copy;
- rectification of inaccurate data and completion of incomplete data;
- erasure ("right to be forgotten"), unless a legal obligation prevents it;
- restriction of processing;
- data portability to another controller;
- object to processing based on legitimate interest;
- withdraw consent where processing is based on consent;
- lodge a complaint with the supervisory authority.
You can exercise your rights by emailing info@escapemassage.cz. We will handle your request without undue delay, at the latest within one month.
Supervisory authority: Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, www.uoou.gov.cz.
10. Security
We take appropriate technical and organisational measures to protect your data against unauthorised access, loss or misuse — in particular encrypted transmission (HTTPS), access controls, storing data with vetted providers, and processing payments through a certified gateway that does not expose card numbers to us.
11. Changes to this policy and contact
We may update this policy from time to time. The current version is always available on this page, with the date of the last change. For any data-protection question, contact us at info@escapemassage.cz or +420 734 331 444.