Privacy Policy

INFORMATION ON THE PROCESSING OF PERSONAL DATA

In accordance with Article 13 of EU Regulation 2016/679, ONE SOUL SPA provides information on the purposes and methods of processing the personal data collected, the scope of their communication and dissemination, as well as the nature of their provision.

1. Data Controller and Processors

The Data Controller is ONE SOUL SPA, located in Vaitape – BP: 651 Bora Bora – French Polynesia. The Data Protection Officer (DPO) can be contacted at the email address hello@onesoulspa.com.

The updated list of external data processors can be consulted by submitting a written request to the above-mentioned Data Controller.

Data is processed exclusively by personnel appointed by ONE SOUL SPA. Personal data provided by website users/visitors will be disclosed to third parties only if such disclosure is necessary to fulfill the users’/visitors’ requests.

For any questions regarding the processing of your data, please write to the email address indicated above.

2. Nature of Processed Data
1. Browsing Data

The IT systems and software procedures used to operate this website acquire personal data as part of their standard functioning; the transmission of such data is an inherent feature of Internet communication protocols.

This category of data includes IP addresses and/or domain names of the computers used by users connecting to this website, URI (Uniform Resource Identifier) addresses of the requested resources, the time of such requests, the method used to submit a request to the server, the size of the file returned, a numerical code indicating the server’s response status (success, error, etc.), and other parameters related to the user’s operating system and IT environment.

This data is used only to extract anonymous statistical information about website usage and to check its correct functioning; it is deleted immediately after processing. The data may be used to establish liability in the event of cybercrimes committed against this website; except for this circumstance, all web contact data is currently stored for no longer than strictly necessary.

2. Data Voluntarily Provided by the User

Sending an email to the addresses indicated on this website, or filling out any information or contact request forms (such as the form for providing consent to marketing activities), results in the subsequent acquisition of the sender’s email address (necessary to respond to requests), as well as any other personal data included in the message or registration form.

Specific summary information will be progressively provided or displayed on the website pages set up for particular services on request.

3. Cookies

This website uses cookies.

By using our website, you declare that you accept and consent to the use of cookies in accordance with the terms expressed in our Cookie Policy, which can be accessed from the website footer.

In processing personal data that may, directly or indirectly, identify you, we aim to follow the principle of strict necessity. For this reason, we have configured the website so that the use of personal data is minimized and limited to cases where it is strictly necessary or requested by authorities or law enforcement (such as traffic data and your activity on the site or your IP address), or for establishing liability in case of hypothetical cybercrimes against the website.

3. Purposes of Data Processing, Legal Basis, and Retention Period

The collected data, subject to processing, will be used by ONE SOUL SPA, in full compliance with the principles of lawfulness and correctness, for the proper provision of products and services in accordance with its corporate purpose.
Depending on the interaction method chosen by the User, we may process the User’s Personal Data for different purposes and on different legal grounds.

a) Direct Marketing:
  • If the data subject fills out dedicated data collection forms in specific areas for the purpose of Direct Marketing: with prior consent and until objection, for direct marketing activities by the Controller, market research, direct sales, sending newsletters and promotional, commercial, or advertising material or related to events and initiatives, through automated email systems and also via operator phone calls, including automated systems.
  • Legal basis: Consent, Art. 6 para. 1 letter a): the data subject has given consent to the processing of their personal data.
  • Retention: Until objection (opt-out/revocation of consent);
  • Provision of data: providing data for purpose a) is optional; if not provided, your data will not be processed for this purpose. Refusal does not affect the availability of services described in the following points.
b) Website Navigation

Purpose:
The data necessary to use the website services are also processed in order to:

  • obtain statistical information on the use of services (most visited pages, number of visitors per time slot or day, geographical origin, etc.);
  • monitor the correct functioning of the services offered.
  • Legal basis: Legitimate interest, Art. 6 letter f) and Recital 47: the processing is necessary for the pursuit of the legitimate interest of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject do not override such interests, considering the reasonable expectations based on the relationship between the data subject and the data controller. Activities strictly necessary for the operation of the site and provision of the browsing service on the platform.
  • Retention period: for the duration of the browsing session. For browsing, refer to the cookie policy.
  • Provision of data: except for browsing data (which are necessary to navigate the website), the user is free to provide personal data.

For cookies and similar non-technical technologies, processing is based on consent for the processing of personal data (Art. 6 para. 1 letter a) and Recitals 42, 43 of the GDPR).
Consent is given through the banner and cookie policy of the website. See the cookie policy.

c) Fraud/Abuse Prevention and Detection through the Website:
  • Legal basis: Legitimate interest of the Data Controller;
  • Retention: personal data is retained for a maximum of 180 days and then deleted or anonymized;
  • Provision of data: if personal data is collected (i) to prevent and detect fraud/abuse/fraudulent activities through the Website or (ii) for the establishment, exercise, or defense of the Data Controller’s rights in court (personal data is retained for the duration of the claim and/or legal proceedings until the expiration of deadlines for legal remedies and/or appeals).
d) In case of information requests related to services offered by the Data Controller, in order to respond to inquiries submitted via the contact form
  • Legal basis: Processing is necessary for the execution of pre-contractual measures adopted at the request of the data subject (Recital 44), Art. 6 para. 1 letter b) GDPR
  • Retention period: 1 year from the request
  • Provision of data: Data provision is necessary. Failure to provide the data will make it impossible to fulfill the data subject’s request.
e) Handling of your requests and those of other data subjects, pursuant to Articles 15 and following of the GDPR (data subject rights).
  • Legal basis: Processing is necessary to comply with a legal obligation to which the controller is subject (Recital 45), Art. 6 para. 1 letter c) of the GDPR
  • Retention period: 5 years from the request closure, unless there is a legal dispute
  • Provision of data: Providing personal data is mandatory, as it is essential to comply with legal obligations.
f) Recruitment and personnel search activities.

  • Legal basis: Providing personal data is not mandatory, but refusal to provide such data may prevent the Data Controller from evaluating the data subject’s professional profile for the establishment of a working relationship.
  • Retention period: 1 year from the submission of the CV
  • Provision of data: The related processing does not require the data subject’s consent for the execution of pre-contractual measures adopted at the request of the data subject pursuant to Art. 6 para. 1 letter b) GDPR.

4. Processing Methods

Personal data is processed using automated tools in accordance with organizational methods that respect the principles of data minimization, necessity, and proportionality, avoiding the processing of personal data when operations can be carried out using anonymous data or other means, for no longer than is necessary to achieve the purposes for which they were collected.

Specific security measures have been adopted to prevent the loss of personal data, unlawful or incorrect use, and unauthorized access. However, please remember that your data’s security also depends on your device having up-to-date antivirus software and that your internet provider ensures secure data transmission through firewalls, anti-spam filters, and similar protections.

The processing of personal data will be carried out only by personnel of the Data Controller specifically authorized under the GDPR. The Data Controller has adopted appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of personal data in accordance with Article 32 of the GDPR.

5. Data Communication and Disclosure

Data processing related to the website services takes place at the Data Controller’s headquarters and/or at the hosting and/or management company’s location, and is handled only by technical personnel appointed for processing, or by persons in charge of occasional maintenance activities in compliance with Article 29 of the Regulation. No data derived from the web service is communicated or disseminated.

Data is not currently transferred to third countries. If such a transfer should occur in the future, it will be communicated to the data subjects in accordance with Article 13, paragraph 1, letter f) of Regulation (EU) 2016/679 and in compliance with the Regulation’s requirements.

Personal data provided by users requesting information or materials is used solely to carry out the requested service or provision and is communicated to third parties only if necessary for that purpose. The complete list of third parties to whom your data may be disclosed is available upon request via the email address provided below.

6. Data Subject Rights

Rights under Articles 15, 16, 17, 18, 20, 21, and 22 of Regulation (EU) 2016/679

We inform you that, as a data subject, in addition to the right to lodge a complaint with a supervisory authority, you also have the following rights, which you may exercise by sending a written request to the Data Controller:

Art. 15 – Right of access
Art. 16 – Right to rectification
Art. 17 – Right to erasure (right to be forgotten)
Art. 18 – Right to restriction of processing
Art. 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
Art. 20 – Right to data portability
Art. 21 – Right to object
Art. 22 – Right not to be subject to automated decision-making, including profiling

To exercise the rights set out in Articles 15 and following of Regulation (EU) 2016/679, you must write to the email address: hello@onesoulspa.com

Data subjects who believe that the processing of their personal data through this website is in violation of the GDPR have the right to lodge a complaint with the Data Protection Authority as provided by Article 77 of the GDPR, or to take appropriate legal action (Article 79 of the GDPR).

7. Links to Other Websites

This site may contain links to other websites. However, once you have used these links and leave this site, [●] has no control over the other websites. [●] will not be responsible for the protection and confidentiality of any information you provide when visiting such sites. We recommend that you carefully read the privacy policy applicable to the website in question.

8. Changes to the Privacy Policy

The Data Controller reserves the right to modify, update, add or remove parts of this privacy policy. To facilitate verification and modification, the policy will include the update date.

Email: hello@onesoulspa.com
Phone: (+689) 87277 428

Update date: July 2025