Privacy and Cookies Policy

YOU Sauna Hitchin Limited

Effective date: 22 June 2026 | Version 1.0

This Privacy and Cookies Policy (“Policy”) explains how YOU Sauna Hitchin Limited collects, uses, shares and protects your personal data when you visit our Website, make a booking, attend our Premises, purchase a Membership or Pack, complete the Participant Waiver, sign up to our newsletter or otherwise interact with us. It also describes the cookies and similar technologies we use on www.yousaunahitchin.co.uk.

We are committed to handling your personal data lawfully, fairly and transparently in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (“PECR”).

1. About Us – Data Controller Identity

The data controller responsible for your personal data is YOU Sauna Hitchin Limited, a company incorporated in England and Wales with company number 16729493 and VAT registration number 502 1481 40, whose registered office is at First Floor, 28 Whitehorse Street, Baldock, Hertfordshire, SG7 6QQ and whose principal place of business is Unit 12, 45 Knowl Piece, Wilbury Way, Hitchin, SG4 0TY (“we”, “us”, “our”).

If you have any questions about this Policy or wish to exercise your data protection rights, please contact us at info@yousaunahitchin.co.uk or by post at our registered office address.

2. Scope of this Policy

This Policy applies to all personal data we process about: visitors to our Website; individuals who make a booking or purchase a Membership, Pack or other product; Members and Guests attending our Premises; participants in wellness classes, workshops and events; recipients of our marketing communications; individuals captured on our CCTV system; and individuals who contact us by any means.

It does not apply to third-party websites you may reach through links on our Website. Those third parties operate their own privacy policies, and we encourage you to read them.

3. Key Definitions

“Personal data” means any information relating to an identified or identifiable living individual. “Special category data” means data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation. “Processing” means any operation performed on personal data, including collection, recording, storage, use and disclosure. “Data controller” and “data processor” have the meanings given in the UK GDPR.

4. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

• Identity and contact data: full name, date of birth (for age verification), email address, postal address and telephone number.

• Account data: username, password (hashed), profile information, Membership type and history.

• Booking and transaction data: sessions booked, attendance records, Credit balance, Pack details, purchase history.

• Payment data: payment card information, billing address and transaction reference (handled by our payment processor; we do not store full card numbers).

• Health and emergency contact data: information you provide in the Waiver about medical conditions, medications, pregnancy and any emergency contact you nominate.

• Marketing and communications data: your preferences for receiving marketing, newsletter subscription status, responses to surveys and feedback.

• Technical data: IP address, browser type and version, time zone, operating system, device identifiers and approximate location derived from IP.

• Usage data: pages visited on our Website, content viewed, time on page, referral source and similar analytics.

• CCTV data: images captured in communal, entrance and external areas of the Premises.

• Photography and video: images taken at promotional shoots or events, where consent has been provided.

5. Special Category (Health) Data

Information you provide in the Waiver about medical conditions, pregnancy, medications, recent surgery or other health matters is special category data under Article 9 UK GDPR. We process this data only with your explicit consent, given at the point of completing the Waiver, and only for the purposes of assessing your suitability to use our facilities safely, responding to emergencies and complying with our duty of care.

You may withdraw your consent at any time by emailing us. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal, and may mean we are unable to continue providing access to our facilities.

6. How We Collect Your Data

We collect personal data: (a) directly from you when you register for an account, make a booking, complete the Waiver, contact us or attend the Premises; (b) automatically when you use the Website, through cookies and similar technologies described in clauses 14 to 17; (c) from third parties such as our Booking Platform provider (Go Kenko), payment processor and analytics providers; and (d) from CCTV cameras at the Premises.

7. Purposes of Processing

We process your personal data for the following purposes: (a) to provide and administer your account, Bookings, Memberships, Packs, classes, events and private hire; (b) to take payment and manage refunds; (c) to assess your suitability to use our facilities safely (the Waiver); (d) to respond to enquiries and complaints; (e) to send service messages (e.g. booking confirmations, schedule changes, important safety notices); (f) to send marketing communications, where you have consented; (g) to operate, secure and improve the Website; (h) to keep accounting and tax records; (i) to investigate incidents, prevent fraud and protect the safety and security of staff and Guests; and (j) to comply with our legal and regulatory obligations.

8. Lawful Bases under UK GDPR

We rely on the following lawful bases depending on the purpose of processing:

• Contract: to perform the contract for services we have with you, including processing Bookings, Memberships and Packs.

• Legitimate interests: to operate, secure and develop our business, manage our records, prevent fraud, protect our Premises, respond to enquiries and conduct limited direct marketing to existing customers in accordance with the “soft opt-in” under PECR.

• Consent: for marketing emails to prospective customers, non-essential cookies, photography and processing of health data in the Waiver.

• Legal obligation: to comply with accounting, tax, health and safety, and other statutory requirements.

• Vital interests: to protect the life or physical safety of an individual in an emergency.

9. Consent and Withdrawal

Where we rely on consent, you may withdraw it at any time by contacting us at info@yousaunahitchin.co.uk or by using the unsubscribe link in any marketing email. Withdrawal will not affect the lawfulness of processing carried out before withdrawal, and may not be possible where we have another lawful basis (for example, the contract or a legal obligation) for continuing to process the data.

10. Children’s Data

Our services are not directed at children. Access to our facilities is restricted to individuals aged eighteen (18) or over. We do not knowingly collect personal data from anyone under sixteen (16). If you believe we hold data about a child, please contact us and we will delete it.

11. Marketing Communications and PECR

We will only send marketing emails to a prospective customer where we have your prior consent. Where you are an existing customer, we may send you marketing about similar services to those you have purchased on the basis of the “soft opt-in” permitted by PECR, provided that you were given an opportunity to refuse such communications at the point of collection and in each subsequent email.

You can opt out at any time by clicking the unsubscribe link in any marketing email or contacting us. Service messages (such as Booking confirmations and important operational notices) are not marketing and you cannot opt out of these while your Membership or Booking is active.

12. Newsletter Sign-Up

If you sign up to our newsletter through the Website, we will use your email address to send you news, offers and updates about YOU Sauna. You can unsubscribe at any time. We do not sell your details to third parties.

13. Sharing Your Data – Recipients and Processors

We share personal data with the following categories of recipient, only to the extent necessary and under appropriate contractual safeguards:

• Squarespace, Inc. – our Website hosting and content management platform.

• Go Kenko – our Booking Platform, which handles account registration, scheduling, Waiver acceptance, Credit tracking and customer communications.

• Our payment processor (e.g. Stripe) – which handles card payments. We do not store full card details on our systems.

• Email marketing provider – used to deliver newsletters and marketing communications.

• Analytics providers – to understand how the Website is used (see clauses 14 to 17).

• Our professional advisers – including accountants, auditors, insurers and legal advisers, under duties of confidence.

• Law enforcement, regulators and other public authorities – where we are legally required to disclose data or where disclosure is necessary to protect our rights or the safety of others.

• A successor entity – in connection with any sale, merger or restructuring of our business, subject to appropriate confidentiality undertakings.

We do not sell your personal data and we do not share it for the marketing purposes of third parties without your consent.

14. Cookies and Similar Technologies – Overview

Our Website uses cookies and similar tracking technologies (such as pixels and local storage) to make the site work properly, to understand how it is used and, with your consent, to support marketing. A cookie is a small text file placed on your device when you visit a website.

On your first visit you will see a cookie banner allowing you to accept all cookies, reject all non-essential cookies, or set granular preferences. You can change your preferences at any time through the cookie settings link in the Website footer. Essential cookies cannot be turned off as the Website cannot function properly without them.

15. Cookie Categories We Use

We classify cookies into the following categories:

• Strictly necessary cookies: required for the Website and Booking Platform to operate (e.g. session management, security, load balancing, remembering items in your basket). Lawful basis: legitimate interests / necessary for the service you have requested.

• Functional cookies: remember choices you make (e.g. language preference, login state) to enhance your experience. Lawful basis: consent.

• Analytics and performance cookies: collect aggregated information about how visitors use the Website (e.g. pages viewed, time on site) to help us improve it. Where we use Google Analytics or similar, IP addresses are truncated and used in line with the provider’s privacy controls. Lawful basis: consent.

• Marketing and advertising cookies: used to deliver relevant advertising on third-party platforms and to measure the effectiveness of our campaigns. Lawful basis: consent.

16. Specific Cookies and Third-Party Tools

Our Website is built on Squarespace and embeds tools from Go Kenko, our payment processor and (where deployed) Google Analytics, Meta Pixel and similar marketing platforms. Each of these may set its own cookies subject to its own privacy policy. A current, detailed list of the specific cookies in use, their purpose and retention period is available via the cookie preferences panel on the Website.

Where we embed content from third parties (for example, Instagram feeds, YouTube videos or Google Maps) those providers may set cookies when you interact with the embedded content. We have no control over those cookies and recommend you review the relevant third-party privacy policy.

17. Managing Cookies and Browser Controls

In addition to our on-site cookie preference tool, most browsers allow you to view, manage, delete and block cookies. You can also opt out of certain analytics and advertising cookies via industry tools such as Your Online Choices (www.youronlinechoices.com). Blocking cookies may affect the functionality of the Website, particularly the Booking Platform.

18. International Transfers

Some of our service providers (including Squarespace and certain analytics or marketing tools) are based outside the United Kingdom, including in the United States. Where personal data is transferred outside the UK we ensure an appropriate level of protection by relying on: (a) UK adequacy regulations; (b) the UK International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses; or (c) other lawful transfer mechanisms recognised under UK data protection law. You may request a copy of the safeguards in place by contacting us.

19. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected and to comply with our legal and regulatory obligations. Our standard retention periods are:

• Account, Membership and Booking records: for the duration of your relationship with us and for six (6) years following the end of the relationship, to comply with HMRC and contractual record-keeping requirements.

• Waiver and health declarations: for six (6) years from the date of your last visit, to address any potential personal injury claim within the applicable limitation period.

• Marketing data: until you withdraw consent or unsubscribe.

• CCTV footage: typically thirty (30) days, unless required for a specific incident investigation or legal claim.

• Website analytics: as configured in our analytics tool, typically no longer than twenty-six (26) months.

At the end of the applicable retention period, we will securely delete or anonymise the data.

20. Data Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include access controls, encryption in transit, secure password storage, regular review of supplier security, staff training and incident response procedures.

Despite these measures, no transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within seventy-two (72) hours where required, and will notify affected individuals without undue delay where the breach is likely to result in a high risk.

21. Your Rights under UK GDPR

Subject to the conditions and exemptions set out in UK data protection law, you have the right to:

• Be informed about how we process your personal data (this Policy).

• Access a copy of your personal data and information about how it is processed (subject access).

• Have inaccurate personal data corrected without undue delay (rectification).

• Have your personal data erased in certain circumstances (the “right to be forgotten”).

• Restrict our processing of your data in certain circumstances.

• Object to processing carried out on the basis of legitimate interests, including profiling, and to direct marketing.

• Receive your personal data in a structured, commonly used and machine-readable format and have it transmitted to another controller (data portability).

• Withdraw any consent you have given, at any time.

• Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

22. How to Exercise Your Rights

To exercise any of your rights, contact us at info@yousaunahitchin.co.uk. We may need to verify your identity before responding. We will respond within one (1) calendar month of receiving a valid request, which may be extended by up to two further months for complex or numerous requests (in which case we will inform you within the first month).

There is normally no fee, but we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive.

23. CCTV at the Premises

CCTV operates in communal, entrance and external areas of the Premises and is signposted accordingly. The purposes of the CCTV system are safety, security, crime prevention and incident investigation. The lawful basis for processing is our legitimate interests in protecting our staff, Guests, property and business. CCTV is not used in changing rooms, sauna cabins, plunge areas or any private space.

Footage is typically retained for thirty (30) days and is accessed only by authorised personnel. Footage may be disclosed to law enforcement or insurers where lawful and necessary.

24. Automated Decision-Making and Profiling

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects on you. We may carry out limited profiling for marketing optimisation purposes (such as segmenting our newsletter audience), but this does not produce legal effects and you may opt out at any time.

25. Complaints, Changes to this Policy and Contact

If you are unhappy with how we have handled your personal data, please contact us first at info@yousaunahitchin.co.uk so that we have the opportunity to put things right. You also have the right to lodge a complaint at any time with the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection. The ICO’s contact details are available at www.ico.org.uk.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. Where changes are material, we will notify you by email or by a prominent notice on the Website at least fourteen (14) days before they take effect.

Questions, comments and requests regarding this Policy are welcomed and should be addressed to YOU Sauna Hitchin Limited, First Floor, 28 Whitehorse Street, Baldock, Hertfordshire, SG7 6QQ, or by email to info@yousaunahitchin.co.uk.