Overview
Last updated: 06. May 2025
Hiiu Heals OÜ ("Hiiu Heals", "we", "us" or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use eharetreat.com (the "Site") or our services (wellness retreats, spa treatments, restaurant reservations, online bookings, online store, newsletter sign-ups, and contact forms). It also outlines your rights under the EU General Data Protection Regulation (GDPR) and Estonian law. By using our Site or services, you agree to the terms of this Privacy Policy.
Data Controller and Contact Information
The data controller responsible for your personal data is Hiiu Heals OÜ, a company registered in Estonia (Registry code 14635156). Our registered address is Hiiu maakond, Hiiumaa vald, Hagaste küla, Ristiranna, 92332, Estonia. If you have any questions or requests regarding your personal data, you can contact us by email at [email protected].
Personal Data We Collect
We collect various types of personal data from you when you interact with our website and services:
- Information You Provide Directly: When you make a booking or reservation (for a retreat, spa treatment, or restaurant table), purchase from our online store, sign up for our newsletter, submit an enquiry via our contact form, or apply for a job with us, you may provide personal details. This includes:
  - Identity and Contact Data: Your name, email address, phone number, postal address, and other contact details.
  - Booking and Reservation Data: Information related to your booking such as dates of stay or appointment, number of guests, preferences or special requests (e.g. dietary requirements for retreats or restaurant bookings), and any other details you provide for the reservation.
  - Account Data: If our Site allows account creation, login credentials and profile information.
  - Payment Data: Payment details for bookings or purchases (e.g. credit/debit card information). Note: We do not store full credit card details ourselves; payments are securely processed by third-party payment processors (e.g. Stripe).
  - Enquiry and Correspondence Data: The content of messages you send us via contact forms or email, and records of our communications.
  - Recruitment Data: If you apply for a position, we may collect your CV/resume, employment history, qualifications, and similar personal data for recruitment purposes.
  - Newsletter Sign-up Data: Your email address (and name, if provided) when subscribing to our mailing list.
- Information We Collect Automatically: When you visit our Site, we automatically collect certain data through cookies and similar tracking technologies:
  - Usage Data: Details of your visits to the Site, such as pages viewed, time spent, navigation paths, and the dates/times of access.
  - Device and Technical Data: IP address, browser type and version, device identifiers, operating system, and other technical information from your device.
  - Cookies and Tracking IDs: Unique identifiers or codes (like cookie IDs) that identify your browser or device. For instance, we use Google Analytics cookies and Facebook Pixel to collect information about how users interact with our Site (see our Cookies Policy for more details).
We do not knowingly collect any special categories of personal data (such as health information or sensitive data) through the Site, unless you voluntarily provide it (for example, noting a medical condition or food allergy in a booking form). We ask that you only provide the personal data that is necessary for us to provide our services to you.
Purposes and Legal Bases for Using Your Data
We only collect and process personal data for purposes that are lawful and necessary for our business, in compliance with GDPR and applicable Estonian law. The purposes for which we use your data, and the corresponding legal bases under GDPR, include:
- Providing and Managing Services: To process your bookings, reservations, and purchases, and to deliver the services or products you requested (such as confirming your retreat reservation, scheduling your spa treatment, processing your online store order, or reserving your restaurant table). Legal basis: Contract performance – we need to process your data to fulfill our contract with you or to take steps at your request before entering into a contract (Art. 6(1)(b) GDPR).
- Processing Payments: To collect payment for bookings and purchases, and to facilitate refunds when applicable. Legal basis: Contract performance. (Payment details are handled by Stripe or Bookinglayer on our behalf; we do not handle your card details directly.)
- Communicating with You: To send booking confirmations, receipts, customer support responses, and other service-related communications via email or phone. Also, to respond to your enquiries or requests (such as questions via the contact form). Legal basis: Contract performance (for service messages) or legitimate interests (for general enquiries – it’s in both your and our interests to respond to you).
- Marketing and Newsletters: If you subscribe to our newsletter or have given consent, to send you promotional communications about our retreats, spa offers, products, or events. Legal basis: Consent (Art. 6(1)(a) GDPR) – we will only send you marketing emails if you have opted in. You can withdraw your consent at any time (see section Your Rights Under GDPR). We may also send existing customers offers about similar services, relying on legitimate interests, but will always provide a clear opt-out option in such communications.
- Personalizing Experience: To remember your preferences and customize your experience on our Site (for example, remembering items in your cart or your language preferences). Legal basis: Legitimate interests – improving user experience, or consent via cookies (for non-essential cookies, as described in our Cookies Policy).
- Analytics and Improvement: To analyze usage of our Site, improve our services, and understand customer needs. We use analytics tools (like Google Analytics) to gather insights on website traffic and interactions (e.g. which pages are most visited). Legal basis: Legitimate interests – it is in our interest to improve our services and user experience. Where required by law (for example, placing analytics cookies), we rely on consent.
- Security and Fraud Prevention: To protect our website, business, and users, for example by monitoring for fraudulent bookings or security threats. Legal basis: Legitimate interests – ensuring the security of our systems and preventing misuse.
- Legal Obligations: To comply with laws and regulations that apply to us. For instance, financial and tax laws require us to retain transaction records, and consumer protection laws may require us to handle personal data in certain ways. Legal basis: Legal obligation (Art. 6(1)(c) GDPR) – when processing is necessary for compliance with a law (e.g. accounting rules).
- Recruitment: To process job applications and assess candidates for recruitment purposes. Legal basis: Legitimate interests (evaluating candidates to fill a position) or consent (if you provided data for future opportunities).
We will not use your personal data for any purpose that is incompatible with the original purposes described above without informing you and, if required, obtaining your consent.
Cookies and Tracking Technologies
We use cookies and similar tracking technologies (such as pixels and analytics scripts) on our Site to provide and optimize our services, as well as for marketing purposes. Cookies are small text files placed on your device that help the website function or provide certain features. For example, some cookies are essential to enable you to make a booking or remember items in your shopping cart, while others help us understand how you use our Site or enable advertising.
Types of cookies we use include:
- Essential Cookies: These are necessary for the operation of our Site and enable core functionality (e.g. session cookies to keep you logged in or to remember your booking selections). Without these, the Site may not function properly. These cookies do not require consent under applicable law.
- Analytics Cookies: We use Google Analytics to collect information about how visitors use our Site (e.g. which pages are visited, how long you stay, and what links you click). This helps us improve the website and our services. Google Analytics cookies may collect your IP address and other usage data, but we have configured the service to anonymize IP addresses where possible. These cookies will be used only with your consent, as they are not strictly necessary.
- Advertising Cookies: We use advertising and social media pixels, such as the Facebook Pixel, to track conversions from our ads, build a targeted audience for future ads, and provide you with relevant content and advertisements on third-party platforms (like Facebook/Instagram). These cookies profile your browsing behavior and allow us and our advertising partners to show you tailored ads based on your interests. Advertising cookies will only be set if you consent, and you can opt out at any time (see our Cookies Policy for how to adjust your preferences).
For detailed information about the cookies we use and how to manage your cookie preferences, please see our Cookies Policy. You can control cookies through our cookie consent banner or via your browser settings. The section below (“Data Sharing”) also explains how third-party providers (Google, Facebook) are involved in these tracking technologies.
Data Sharing and Disclosure
We treat your personal data with care and confidentiality. We do not sell your personal information to third parties. However, we do share your data with certain trusted third parties in order to run our business, provide services to you, or as otherwise described below. All such sharing is done in accordance with data protection laws and, where applicable, under data processing agreements to safeguard your information. The parties with whom we may share data include:
- Service Providers and Partners: We use third-party companies to help us operate the Site and deliver our services. These include:
  - Booking Platform: We utilize Bookinglayer as our reservation management system for retreats and activities. When you make an online booking or reservation, your information is processed through Bookinglayer’s platform on our behalf. Bookinglayer acts as our data processor and is contractually bound to handle your data securely and only for our purposes.
  - Payment Processors: For online payments, we use Stripe (integrated via Bookinglayer) to process your credit/debit card transactions. Stripe is a secure, PCI-DSS compliant payment provider. This means that when you enter your payment details, they are transmitted directly to Stripe; we do not store your card details on our own servers. Stripe may process your payment data for fraud prevention and payment authorization. (We may also use the payment functionality of Bookinglayer, which in turn relies on Stripe or similar processors.)
  - Analytics Providers: As noted, we use Google Analytics (provided by Google LLC) to collect website usage statistics. Google acts as a data processor for us, but it may also use the data for its own analytics purposes. We have configured Google Analytics to comply with GDPR to the extent possible (e.g., by anonymizing IP addresses). Google may store collected data on servers in the United States or other countries. We rely on standard contractual clauses or other safeguards for any such transfers (see section International Transfers).
  - Advertising Partners: We use the Facebook Pixel provided by Meta Platforms, which allows us to create targeted advertising campaigns on Facebook and Instagram. This involves sharing some of your browsing actions on our Site with Meta (if you consent to marketing cookies). Similarly, if we run ads via Google Ads or other networks, we may share data for ad targeting or remarketing.
  - Email Service Provider: If we send newsletters or mass emails, we likely use an email marketing service (e.g., Mailchimp or similar). This means your email and name might be stored on their servers to facilitate mail-outs. Such providers are also bound to GDPR compliance.
  - Web Hosting and IT Providers: Our website is hosted on third-party servers, and we use IT service providers for website development, maintenance, and backup. These providers may have incidental access to personal data stored in our website databases (e.g., if troubleshooting an issue), but they operate under confidentiality and data protection agreements.
  - Other Service Providers: We may share data with other vendors such as customer relationship management tools, booking agents or travel agencies (if you book via a third-party who then communicates your details to us), or logistics partners (for delivering store products).
- Within Our Company: Personal data may be shared among internal personnel of Hiiu Heals OÜ who need access to it (such as our reservations team, customer service, spa or retreat staff, or management). All staff are subject to confidentiality obligations.
- Legal and Compliance: We may disclose personal data to courts, law enforcement, regulatory authorities, or other third parties when we believe it is legally required to do so or when necessary to protect our rights, property, or the safety of our customers or others. For example:
  - If required by law or a legal process (such as a subpoena or court order), or to comply with accounting/tax regulations.
  - To enforce our agreements or policies, or to establish or exercise our legal rights.
  - To investigate or help prevent security threats, fraud or other malicious activity.
- Business Transfers: If Hiiu Heals OÜ is involved in a merger, acquisition, sale of assets, or other business reorganization, personal data may be transferred to the acquiring or successor entity as part of that transaction. In such cases, we will ensure your data remains protected and provide notice before any data is transferred or becomes subject to a different privacy policy.
In all cases where third parties process data on our behalf (as “processors”), they are not permitted to use your data for their own purposes and must process it only for specified purposes and according to our instructions. We require all such third parties to implement appropriate security measures to protect your data and to comply with privacy laws.
We do not share your data with any third parties for their own direct marketing purposes unless you have given explicit consent.
International Data Transfers
As a company based in Estonia, we primarily process your data within the European Union/European Economic Area (EU/EEA). However, some of our service providers are located, or may store data, outside of the EEA. For example, Google and Facebook are U.S.-based companies, and data collected via Google Analytics or Facebook Pixel on our Site may be transferred to the United States for processing. Similarly, if we use an email newsletter service or cloud provider based outside the EU, your data might be transferred to that jurisdiction.
When we transfer personal data outside the EU/EEA, we take steps to ensure that appropriate safeguards are in place to protect your information as required by GDPR. These measures may include:
- EU Commission Adequacy Decisions: Only transferring data to countries that the European Commission has deemed to have an adequate level of data protection under Article 45 GDPR; or
- Standard Contractual Clauses (SCCs): Using the European Commission’s approved standard contractual clauses, which contractually bind the recipient to protect your data according to EU standards;
- Additional Safeguards: Implementing supplementary technical and organizational measures (such as encryption in transit and at rest) to ensure transferred data is secure.
You can contact us (see section Contact Us) for more information on the specific safeguards in place for transfers of your personal data outside the EEA.
Data Retention
We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In general:
- Bookings and Transaction Data: Information related to your retreat/spa bookings, restaurant reservations, and purchases will be kept for the duration of the contractual relationship (until the service is provided) and thereafter as needed for our legitimate interests or legal obligations. For example, we may retain booking records and invoices for a certain number of years to comply with financial record-keeping laws and to handle any post-service inquiries or disputes. In Estonia, accounting records typically must be kept for 7 years.
- Customer Account Data: If you create an account on our Site, we will retain your account information until you delete your account or it is inactive for an extended period (unless we must keep it longer by law). We may periodically review and purge accounts that have been inactive for a long time.
- Newsletter Subscription: We retain your email address and related info for as long as you remain subscribed to our mailing list. If you unsubscribe or opt out, we will promptly remove or anonymize your contact details from the mailing list (though we may keep a suppression list to ensure we honor opt-out requests).
- Enquiries: Correspondence via contact form or email is typically retained until we have fully addressed your query and for a reasonable period thereafter in case of follow-up questions. We may keep records of customer service communications for a period of time to improve our services and in case of legal claims.
- Recruitment Data: If you applied for a job, we will retain your personal data for the duration of the recruitment process. If you are not hired, we may retain your application for a short period (e.g., 6–12 months) in case of future opportunities or to defend against legal claims, unless you request immediate deletion. If hired, your data will be kept as part of your employee record.
- Analytics Data: Data collected via Google Analytics and other cookies may be retained as per those providers’ policies (e.g., Google Analytics data is generally retained for 14 months by default, but we may configure shorter retention). This data is typically aggregated, but some identifiers may persist unless you clear cookies (see Cookies Policy for managing cookies).
After the applicable retention period, we will securely delete or anonymize personal data. For example, we may anonymize usage data so it no longer can be associated with you, in which case we may use this data without further notice.
Your Rights Under GDPR
As a data subject, you have certain rights regarding your personal data that we hold, in accordance with GDPR and Estonian data protection laws. You may exercise these rights at any time by contacting us (see section Contact Us for contact details). These rights include:
- Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to receive a copy of the personal data we hold about you, along with supplementary information about how and why it is processed.
- Right to Rectification: If any personal data we have about you is inaccurate or incomplete, you have the right to request that we correct or update it without undue delay.
- Right to Erasure: You have the right to request deletion of your personal data in certain circumstances (also known as the “right to be forgotten”). For example, you can request erasure if the data is no longer necessary for the purposes it was collected, you withdraw consent and no other legal basis exists, or you believe the data has been unlawfully processed. Note that this right is not absolute – we may need to retain certain information where required by law or if we have overriding legitimate grounds (for instance, we cannot delete data needed for active contracts or legal compliance immediately).
- Right to Restrict Processing: You can ask us to suspend or restrict the processing of your personal data in certain scenarios – for example, if you contest the accuracy of the data (until we verify or correct it), or if the processing is unlawful but you prefer restriction over deletion.
- Right to Data Portability: For data you provided to us and which we process by automated means on the legal basis of consent or contract, you have the right to obtain a copy in a structured, commonly used, machine-readable format and to transmit it to another service provider if technically feasible. For instance, you could request that we export your booking history or account data to a CSV file.
- Right to Object: You have the right to object to our processing of your personal data when it is based on our legitimate interests (or those of a third party), if you believe it impacts your fundamental rights and freedoms. You also have an absolute right to object to your personal data being used for direct marketing purposes at any time. This means you can opt out of marketing emails or targeted ads, and we will stop using your data for those purposes.
- Right to Withdraw Consent: If we rely on your consent to process any personal data (for example, for sending newsletters or placing non-essential cookies), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. For example, you can unsubscribe from our newsletter via the “unsubscribe” link in emails or change your cookie settings to revoke consent.
- Right Not to be Subject to Automated Decisions: We do not currently make any decisions about you that are based solely on automated processing (with no human involvement) that produce legal or similarly significant effects. If we ever do, you have the right to request human intervention and to contest the decision.
- Right to Lodge a Complaint: If you believe we have infringed your data protection rights or violated privacy laws, you have the right to lodge a complaint with a supervisory authority. Hiiu Heals OÜ is under the jurisdiction of the Estonian data protection authority, Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate). You can contact the Inspectorate or file a complaint through their website. Alternatively, you may contact the data protection authority in your country of residence within the EU.
We kindly ask that you contact us first with any concerns, so we can address the issue and find a solution. Exercising your rights is free of charge. However, if requests are manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee or refuse to act on the request as permitted by law.
Data Security
We take the security of your personal data seriously. Hiiu Heals OÜ implements appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include, for example, encryption of our website (HTTPS secure connection), firewalls, access controls to databases, and limiting access to personal data only to personnel and service providers who need it for the purposes described.
Our third-party processors (such as Bookinglayer and Stripe) also attest to maintaining high security standards. Stripe, for instance, is certified to PCI-DSS standards for handling payment information. We also ensure that any personal data stored in cloud services is protected and, where feasible, pseudonymized or anonymized.
Please note that no method of transmission over the Internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. You can also help keep your data safe by using strong passwords for any accounts and not sharing your login credentials.
In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant authorities as required by GDPR.
Children’s Privacy
Our website and services are not directed to children under the age of 13. We do not knowingly collect personal data from anyone under 13 years old. If you are between 13 and 16 years of age, you should obtain permission from a parent or guardian to use our services, especially when providing personal data.
If we become aware that we have inadvertently collected personal data from a child under 13 without appropriate consent, we will take steps to delete that data. If you are a parent or guardian and believe your child has provided personal information to us, please contact us and we will promptly remove the data.
Updates to this Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will update the “Last updated” date at the top of this Policy. If changes are significant, we may provide a more prominent notice (such as a banner on our website or an email notification). We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
Your continued use of our Site or services after any updates to this Policy constitutes your acknowledgment of the changes and your agreement to the revised Policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Hiiu Heals OÜ
Registered Address: Hiiu maakond, Hiiumaa vald, Hagaste küla, Ristiranna, 92332, Estonia
Email: [email protected] (Attn: Privacy Team)
We will do our best to respond promptly and address your inquiry. Your privacy is important to us, and we value the trust you place in Hiiu Heals OÜ to handle your personal data with care.