Privacy Policy for Perpetuity Skin + Spa

SCOPE OF THIS POLICY

(Last Update: August, 2024)

This Privacy Policy outlines how Perpetuity Skin + Spa collects, uses, and protects your Personal Data through our Services, which include:

• Our Offline Services – Services you use when you visit our spa location.
• Our Digital Services – Our websites, mobile applications, and other online services, including data collected when you interact with or reference our products/services or advertisements online.

Please note that certain third parties may be able to identify you across sites and services using the information they process; however, any such processing not done at the direction of Perpetuity Skin + Spa is outside the scope of this Privacy Policy. This Privacy Policy does not apply to Personal Data collected in the employment context or for other HR purposes, which is covered by our HR Privacy Notice.

WHO WE ARE
Perpetuity Skin + Spa is a Boise-based day spa dedicated to providing exceptional beauty and wellness services. We are committed to protecting your privacy and ensuring that your Personal Data is handled responsibly.

Sources of Personal Data We Process
We collect Personal Data from various sources, which include:

• Data you provide us: We receive your Personal Data when you provide it to us, purchase our products or services, complete a transaction via our Services, or use our Services in other ways.
• Data we collect automatically: We collect Personal Data about or generated by any device you have used to access our Services, including websites of any service providers used to purchase accommodations or when you use Wi-Fi at any of our locations.
• Service Providers & Agents: We receive Personal Data from service providers, such as booking platforms, who transfer Personal Data to us when you purchase services from them in connection with the Services we provide.
• Aggregators and advertisers: We receive Personal Data from ad networks, behavioral advertising vendors, market research companies, data brokers, and social media companies that provide us with additional Personal Data such as Inference Data.
• Social media companies: We receive Personal Data from social media companies, like Meta (e.g., Facebook and Instagram), who may transfer Personal Data to us when you register for one of our Services or interact with those companies in connection with our services or locations.

DATA PROCESSING CONTEXTS / NOTICE AT COLLECTION
Purchases and Transactions

We process Identity Data, Transaction Data, Payment Data, Inference Data, Device/Network Data, and Contact Data when you engage in a purchase and sale transaction, whether through our Digital Services or in person. This includes our products, services, and gift cards. If provided, we also process Health Data (such as your requests for health-related accommodations, or as otherwise necessary in connection with your visit) and Government ID Data.

We process this Personal Data as necessary to perform or initiate a contract with you, process your order and payment, fulfill your order, track the use and balance of gift cards, and for our Business Purposes. We may process Identity Data, Transaction Data, Preference Data, Contact Data, and Device/Network Data for Commercial Purposes (which may include data sales/sharing). We do not sell or “share” (for behavioral advertising purposes) Payment Data, Government ID Data, or Health Data or use it for Business Purposes not permitted under applicable law.

Third-party businesses/controllers may receive your information. Third-party data controllers/businesses (such as service providers) provide many products and services you purchase through our Services. We may disclose Identity Data, Transaction Data, Contact Data, and Device/Network Data to those third parties. You may also direct us to disclose this data to or interact with these third parties as part of visiting our locations or making a purchase (which does not involve a data sale by us).

Marketing Communications
We process Device/Network Data, Contact Data, Identity Data, and Inference Data in connection with marketing communications, push notifications, telemarketing, or similar communications, and when you open or interact with those communications. You may receive marketing communications if you consent and, in some jurisdictions, as a result of account registration or a purchase.

We process this Personal Data to contact you about relevant products or services and for our Business Purposes. We may use this data for our Commercial Purposes (which may include data sales/sharing). Marketing communications may also be personalized as permitted by applicable law, but will not involve Targeted Advertising where users have opted out or not provided necessary consents. See your Rights & Choices to limit or opt out of this processing.

Digital Services
Generally

We process Device/Network Data, Contact Data, Identity Data, General Location Data, and Inference Data when you use our Digital Services. You may also be able to complete purchases, sign up for our newsletter, or enroll in marketing communications through our Digital Services. We may process Precise Location Data through certain Digital Services if you consent. Location Data may be required to use certain features of our Digital Services.

We use this Personal Data as necessary to operate our Digital Services, such as keeping you logged in and delivering pages, for our Business Purposes, and for other legitimate interests, such as:

• Enhancing the security of our websites, mobile applications, and other technology systems.
• Analyzing the use of our Services, including navigation patterns and clicks, to help understand and make improvements to the Services, provide directions and contextual information to you, and offer other features that require the use of location. This may include using “session capture” or “session replay” software, which helps us understand how users interact with our websites and make decisions regarding design and functionality. Third-party service providers operating this software may capture this data on our behalf.
• Creating aggregate information about users’ locations and patterns, which we use to help improve our Services.

We may process this Personal Data for our Commercial Purposes (which may include data sales/sharing). You have the right to limit our use of Precise Location Data by withdrawing consent to or disabling the collection of Precise Location Data.

Cookies, Pixels, and Other Tracking Technologies
We process Identity Data, Device/Network Data, Contact Data, Inference Data, and General Location Data in connection with our use of cookies and similar technologies on our Digital Services. We may collect this data automatically.

We and authorized third parties may use cookies and similar technologies for the following purposes:

• For “essential” purposes necessary for our Digital Services to operate (such as maintaining user sessions and CDNs).
• For “functional” purposes, such as enabling certain features of our Digital Services (e.g., allowing customers to maintain a shopping cart).
• For “analytics” purposes and to improve our Digital Services, such as analyzing traffic on our Digital Services to understand user behaviors and improve design and functionality.
• For “retargeting,” Targeted Advertising, or other advertising and marketing purposes, including technologies that process Inference Data or other data to deliver, buy, or target advertisements more likely to interest you.
• For “social media,” e.g., via third-party social media cookies, or when you share information using a social media sharing button or “like” button on our Services or engage with our content on or through a social networking website such as Facebook or Instagram.

We may also process this Personal Data for our Business Purposes and Commercial Purposes (which may include data sales/sharing). See your Rights & Choices for information regarding opt-out rights for cookies and similar technologies.

Third parties may view, edit, or set their own cookies or place web beacons on our websites. We or third-party providers may use these technologies to identify you across platforms, devices, sites, and services. Third parties may engage in Targeted Advertising using this data. Third parties have their privacy policies, and their processing is not subject to this Policy.

Contests and Promotions
We collect and process Identity Data, Contact Data, and User Content as necessary to process your contest or promotion entry, notify you if you have won, deliver a prize, and for our Business Purposes or other legitimate purposes, such as:

• Verifying your identity for authentication and security purposes (we may process Government ID Data to complete verification).
• Improving our Services and creating a personalized user experience.
• Ensuring entries are genuine and preventing fraud.

We may process Identity Data, Contact Data, and User Content information for our Commercial Purposes (which may include data sales/sharing).

Some programs and offers are operated/controlled by our third-party partners or their affiliates or partners. We may receive this data from third parties to the extent allowed by the applicable partner; otherwise, this Privacy Policy will not apply to data processed by third parties.

Your Personal Data may be public. If you win a contest or sweepstakes, we may publicly post some of your data. We do not post Personal Information without consent where required by law. See any program agreements or terms and conditions for additional details and terms.

Contact Us: Support
We collect and process Identity Data, Contact Data, and User Content when you contact us, e.g., through a contact form or for support. If you call us via phone, we may collect Audio/Visual data from the call recording. We will also collect Health Data if you provide it within a “contact us” email or a support call or email.

We process this Personal Data to respond to your request and for our Business Purposes. If you consent or if permitted by law, we may use Identity Data and Contact Data to send you marketing communications and for our Commercial Purposes (which may include data sales/sharing).

Posts and Social Media
We process Identity Data, Inference Data, Contact Data, and User Content you post (e.g., comments, forum and social media posts, etc.) on our Digital Services. We also process Identity Data, Contact Data, and User Content if you interact with or identify us, our day spa, or partners on social media platforms (e.g., if you post User Content that engages with or tags our official accounts).

We process this Personal Data for our Business Purposes and Commercial Purposes (which may include data sales/sharing).

Posts may be public or reposted on our Services. Content you provide may be publicly available when you post it on our Services or if you reference, engage, or tag our official accounts.

PROCESSING PURPOSES
Business Purposes
We and our Service Providers process Personal Data we hold for numerous business purposes, depending on the context of collection, your Rights & Choices, and our legitimate interests. We generally process Personal Data for the following “Business Purposes”:

• Service Provision and Contractual Obligations: We process Personal Data as necessary to provide our products and Services, authenticate users and their rights to access the Services, and as otherwise necessary to fulfill our contractual obligations to you. Similarly, we may use Personal Data as necessary to audit compliance and log or measure aspects of service delivery (e.g., to document ad impressions).
• Internal Processing and Service Improvement: We may use any Personal Data we process through our Services as necessary in connection with our legitimate interests in improving the design of our Services, understanding how our Services are used, for customer service purposes, for internal research, technical or feature development, to track service use, quality assurance and debugging, audits, and similar purposes.
• Personalization: We process certain Personal Data as necessary in connection with our legitimate business interest in personalizing our Digital Services. For example, aspects of the Digital Services may be customized to you so that it displays your name and other preferences, displays content you have interacted with, or displays content we think may interest you based on your interactions with our Digital Services. This processing may involve creating and using Inference Data relating to your preferences.
• Aggregated Data: We process Personal Data about our customers and users to identify trends and create aggregated and anonymized data about our customers, buying habits, use of our Services, and other similar information (“Aggregated Data”). We may pass Aggregated Data to the third parties referred to in the section below to give them a better understanding of our business and bring you better service. Aggregated Data that does not contain Personal Data is not subject to this Privacy Policy.
• Compliance, Health, Safety, Public Interest: We may also process any Personal Data as necessary to comply with our legal obligations, such as where you exercise your rights under data protection law and make requests, for the establishment and defense of legal claims, or where we must comply with our legal obligations, lawful requests from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity. We may also process data to protect the vital interests of individuals or on certain public interest grounds, each to the extent allowed under applicable law. Please see the How We Share Personal Data section for more information about how we disclose Personal Data in extraordinary circumstances.
• Other Business Purposes: If we process Personal Data in connection with our Services in a way not described in this Privacy Notice, this Privacy Notice will still apply generally (e.g., with respect to your rights and choices) unless otherwise stated at collection. We will process such information in accordance with the notice provided at the time of collection or in a manner necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose compatible with the context in which the personal information was collected.

Consumer Profiles

To understand our customers’ preferences and better recommend products and services personalized to our customers, we may create a “Consumer Profile” by linking and analyzing Personal Data collected in the following contexts:

• Purchases and transactions
• Visiting our day spa
• Digital Services
• Contests and promotions
• Contact us; support
• Feedback and surveys

We may also augment Consumer Profiles with Personal Data that we create (such as Inference Data) or receive from third parties and may include Personal Data such as information about Services you have used or purchased previously and demographic data.

We use Consumer Profiles to better understand our customers and for our legitimate interests in market research and statistical analysis in connection with improving our Services. For example, we may analyze the Personal Data of customers who have made a reservation for a particular service in the past and compare them with other people in our database. If we identify customers in the database who have similar Personal Data to other guests, we may target marketing about a similar offering to the new customer we have identified, for example, by sending marketing emails. We may conduct the profiling and send the direct marketing emails automatically. We may also use this information for other Commercial Purposes. Consumer Profiles involve processing that is automated, in whole or in part.

Personalized Marketing Communications
We may personalize Marketing Communications based on your Consumer Profile. If consent to Consumer Profiling or Targeted Advertising is required by law, we will seek your consent.

Targeted Advertising
In some jurisdictions, Perpetuity Skin + Spa and certain third parties operating on or through our Services may engage in advertising targeted to your interests based on Personal Data that we or those third parties obtain or infer from your activities across non-affiliated websites, applications, or services to predict your preferences or interests (“Targeted Advertising”). This form of advertising includes various parties and service providers, including third-party data controllers, engaged in processing Personal Data in connection with advertising. These parties may be able to identify you across sites, devices, and over time.

The parties that control the processing of Personal Data for Targeted Advertising purposes may create or leverage information derived from Personalization, Consumer Profiles, and Marketing Communications. In some cases, these parties may also develop and assess aspects of a Consumer Profile about you to determine whether you are a type of person a company wants to advertise to and determine whether and how ads you see are effective. These third parties may augment your profile with demographic and other Inference Data, and may track whether you view, interact with, or how often you have seen an ad, or whether you purchased advertised goods or services.

We generally use Targeted Advertising to market our Services and third-party goods and services, to send marketing communications, including by creating custom marketing audiences on third-party websites or social media platforms. This may involve sharing limited data regarding our customers with social media platforms or other websites to determine which of their users appear to have interests or traits like our existing customers.

Data “Sales” and “Sharing”
We may engage in “sales” or “sharing” of data as defined by applicable law. For example, we may “sell” certain Personal Data when we engage in marketing campaigns with or on behalf of third-party partners, or we may sell, “share” for behavioral advertising purposes, or grant access to Personal Data to our marketing partners and other advertisers in relation to Targeted Advertising, joint promotions, and other marketing initiatives.