Data Protection and Privacy Policy | Mandalay
Mandalay Spa
At Mandalay Spa, we place great value on honesty, transparency and trust. We are committed to protecting the privacy of our clients and users, ensuring that their personal data is handled responsibly, securely and in accordance with the applicable data protection legislation.
This Data Protection and Privacy Policy explains how we collect, use, store and protect the personal data of users of the Mandalay Spa microsite, as well as of clients who contact us or use our services.
Mandalay Spa is a brand within TOPSPA, the entity responsible for managing the spas and their digital channels.
Our commitment
We commit to:
- Respecting your privacy and your choices;
- Processing your personal data lawfully, fairly and transparently;
- Collecting only the data necessary for the stated purposes;
- Not sending marketing communications without your prior consent;
- Allowing you to withdraw your consent at any time;
- Never selling your personal data to third parties;
- Working only with trusted partners and service providers;
- Applying appropriate technical and organisational measures to protect your data;
- Being clear about how we use your information.
1. Entity responsible for processing the data
The entity responsible for processing personal data collected through the Mandalay Spa microsite and in the provision of the services is TOPSPA.
For any matter related to data protection, privacy, or the exercise of rights, you can contact the Data Protection Officer at: dpo@topspa.pt
2. Definitions
Personal data
Personal data is any information relating to an identified or identifiable natural person. This may include, among others:
- Name;
- Email;
- Phone number;
- Address;
- Billing data;
- Booking-related data;
- Treatment preferences;
- Information necessary to tailor the spa experience, where applicable.
In certain contexts and only when necessary for the safe and appropriate provision of services, we may collect information related to wellbeing, preferences, physical limitations, or contraindications shared by the client.
Processing of personal data
Processing of personal data refers to any operation carried out on personal data, by automated or non-automated means, including collection, recording, organisation, storage, consultation, use, transmission, restriction, deletion, or destruction.
3. Personal data we may collect
When you use the Mandalay Spa microsite, contact forms, information requests, bookings, voucher purchases, or communications with our team, we may collect the following data:
- Name;
- Email address;
- Phone number;
- Information about the service or treatment you are interested in;
- Data needed to manage your booking;
- Billing data, where applicable;
- Information you provide voluntarily through forms, emails, or other means of contact;
- Technical browsing data, where applicable, in line with the cookie policy.
4. Purposes of data processing
The personal data collected may be used for the following purposes:
- Responding to contact or information requests;
- Managing bookings, appointments and service requests;
- Processing purchases of vouchers or treatments, where applicable;
- Issuing billing documents;
- Providing customer support;
- Personalising the spa experience, where necessary and appropriate;
- Complying with legal obligations;
- Sending informational, promotional, or marketing communications, whenever consent has been given;
- Carrying out statistical analysis and improving the quality of our services;
- Ensuring the operation, security and improvement of the microsite.
5. Legal grounds
Mandalay Spa/TOPSPA may rely on the following legal grounds for processing personal data:
- Consent of the data subject, for example for sending marketing communications;
- Performance of a contract or pre-contractual steps, for example to manage bookings, information requests, or service purchases;
- Compliance with legal obligations, in particular tax, accounting, or regulatory obligations;
- Legitimate interest, where necessary to improve services, respond to enquiries, ensure the security of our digital channels, or manage the client relationship — always respecting the rights and freedoms of the data subjects.
6. Marketing communications
Mandalay Spa will only send marketing communications, campaigns, news, promotions, or commercial information where the client has given prior consent.
The data subject may withdraw consent at any time through the unsubscribe mechanism present in the communications received or by contacting:
dpo@topspa.pt
Withdrawing consent does not affect the lawfulness of the processing previously carried out on the basis of that consent.
7. Retention of personal data
Personal data will be retained only for the period necessary to fulfil the purposes for which it was collected, without prejudice to applicable legal retention periods.
Whenever the data is no longer necessary, it will be deleted, anonymised, or kept only where there is a legal basis to do so.
8. Sharing data with third parties
To ensure the operation of the microsite and the delivery of the services, TOPSPA may rely on third parties — in particular technology providers, booking platforms, web hosting, email marketing tools, payment systems, IT support, accounting, or other operational partners.
These entities will only have access to the personal data strictly necessary for the contracted services and will be required to process the data according to TOPSPA's instructions and in compliance with the applicable data protection legislation.
TOPSPA does not sell, rent, or make its clients' personal data available to third parties for their own commercial purposes.
9. Security of personal data
TOPSPA adopts appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, alteration, disclosure, or misuse.
These measures include internal security procedures, access controls, the use of trusted partners and mechanisms appropriate to the nature of the data processed and the associated risks.
10. Rights of data subjects
Under the applicable legislation, data subjects may exercise the following rights at any time:
- Right of access to their personal data;
- Right to rectification of inaccurate or incomplete data;
- Right to erasure of data, where applicable;
- Right to restrict processing;
- Right to object to processing;
- Right to data portability;
- Right to withdraw consent, where processing is based on it;
- Right to lodge a complaint with the competent supervisory authority.
To exercise any of these rights, the data subject must send a written request to: dpo@topspa.pt
The request should clearly identify the right being exercised and include contact details for a response.
11. Complaints and suggestions
Clients and users can submit complaints or suggestions related to data protection at: dpo@topspa.pt
Without prejudice to this direct contact, data subjects also have the right to lodge a complaint with the supervisory authority in Portugal, the National Data Protection Commission (CNPD).
12. Reporting incidents
If any client or user becomes aware of a situation that may constitute a personal data breach — such as unauthorised access, loss, unauthorised disclosure, or improper alteration of data — they should report the situation to: dpo@topspa.pt
13. Changes to this Data Protection and Privacy Policy
TOPSPA may update this Data Protection and Privacy Policy whenever necessary — in particular due to legal, technical, or operational changes, or changes related to the services provided by Mandalay Spa.
The updated version will be made available on the Mandalay Spa microsite to ensure transparency for clients and users.
14. Consent and acceptance
The free, specific and informed provision of personal data by the data subject implies knowledge and acceptance of the conditions of this Data Protection and Privacy Policy.
By using the Mandalay Spa microsite or providing personal data through our channels, the user acknowledges that they are aware of the terms of this Policy, without prejudice to specific consents that may be requested for certain purposes, such as marketing communications.
15. Contacting the Data Protection Officer
For any matter related to data protection, privacy, information security, or the exercise of rights, you can contact TOPSPA's Data Protection Officer at:
Email: dpo@topspa.pt
In your request, please indicate the subject, the right you wish to exercise (where applicable) and contact details for a response.
