Privacy Policy · HEADSPA

Effective from:
01.05.2026
Version:
1.0
Service provider:
SIA HEADSPA, Reg. No. 40203721075 (Data Controller)

1 · Introduction

1.1. SIA HEADSPA (Reg. No. 40203721075, registered office: Rūpniecības iela 5-1A, Rīga, LV-1010), hereinafter HEADSPA, respects your privacy and protects personal data in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and the Law of the Republic of Latvia on the Processing of Personal Data of Natural Persons.

1.2. This privacy policy (the “Policy”) explains how HEADSPA collects, uses, stores and protects your personal data, as well as your rights in respect of this data.

1.3. The Policy applies to all HEADSPA clients and visitors of the head-spa.lv website.


2 · Data Protection Officer (DPO)

Name: Konstantins Talikovs

Role: Director of SIA HEADSPA and Data Protection Officer

Email: admin@head-spa.lv

Phone: +371 22 830 328

Address: Rūpniecības iela 5-1A, Rīga, LV-1010

For any question about how your data is processed, you can contact the DPO directly.


3 · What data we process

3.1. Identification data

  • First name, last name
  • Date of birth
  • Phone number
  • Email
  • Communication language (LV / EN / RU)

Purpose: managing reservations, communication, reminders, issuing documents.

Legal basis: contract between the Client and HEADSPA (GDPR 6.1.b).

3.2. Health data ⚠️ Special category

Under Article 9 of the GDPR, health data is a special category of personal data with additional protection.

We process:

  • Answers to the online health questionnaire — a short questionnaire filled in after the reservation
  • Answers to the full health questionnaire in the studio — before the procedure
  • Information about contraindications, allergies, chronic conditions, medications taken
  • The specialist’s notes about the course of the procedure and the Client’s condition (only what is important for safety and adaptation of the programme)

Purpose: to ensure the safety of the procedure, adapt the programme, avoid health risks.

Legal basis: explicit consent (GDPR 9.2.a) — the Client gives consent by completing the questionnaire and signing the informed consent in the studio.

3.3. Payment data

  • Bank account number (provided by the Client themselves)
  • Payment history
  • Invoice numbers and amounts

We do NOT have access to the Client’s bank card numbers or passwords — this information is handled by banks and payment service providers. HEADSPA does not receive or store the full card number, expiry date, CVV/CVC code or 3DS authentication codes.

Card payments are technically processed by Paynt (Pivotal Payments Designated Activity Company / Oppwa) as our payment service provider.

Purpose: invoicing, accounting.

Legal basis: legal obligation (Latvian Accounting Law) + contract.

3.4. Technical data from the website

  • IP address
  • Browser type and version
  • Date and time of website visit
  • Pages viewed
  • Traffic source (which website you came from)

Purpose: operation of the website, security, statistics.

Legal basis: legitimate interests (GDPR 6.1.f) and — for cookies — consent.

3.5. Marketing data (with consent)

  • Consent to receive newsletters, special offers and invitations
  • Clicks and opens in emails

Purpose: marketing communication.

Legal basis: consent (GDPR 6.1.a).


4 · How long we store data

Data categoryRetention periodJustification
Client profile (identification)2 years after the last active communicationCommercial necessity
Online health questionnaire (Layer 1)2 years after the last procedureProcedure safety history
Signed studio questionnaire (Layer 2)5 yearsLatvian law requirement for medical documents
Invoices and accounting data10 yearsLatvian Accounting Law
Marketing dataUntil consent is withdrawn, or 3 years after last activityConsent
CookiesDepends on the cookie (see cookies policy)Consent or legitimate interests
Technical server logs12 monthsSecurity

Once the retention period expires, data is deleted or anonymised.


5 · Who we share data with

5.1. Our staff and partners

Access to data is granted only to people who need it to perform their duties:

  • Aleksandra Taļikova — health questionnaires and procedure notes
  • Konstantins Talikovs (DPO) — all data for administration purposes
  • Accountant — invoices, payments, annual report

5.2. Data processors

ServicePurposeLocationTransfer basis
Notion Labs Inc.CRM (client database, reservations, visit history)USASCC + DPA, EU-US Data Privacy Framework
Supabase Inc.Storage of the online health questionnaireEU (Frankfurt, AWS eu-central-1)DPA, data does not leave the EU
Google WorkspaceEmail, Drive (signed studio questionnaires)EUDPA, EU-US Data Privacy Framework
Telegram Bot APIInternal operational studio notificationsOnly de-identified data (name + reservation time)
AS Citadele bankaAdvance and final payments, invoicingLatviaBanking secrecy regulated by FKTK
Paynt (Pivotal Payments Designated Activity Company / Oppwa)Card payment processingEU / IrelandPCI DSS, DPA, SCC where applicable

All data processors have signed Data Processing Agreements (DPA) with HEADSPA.

5.3. Data transfers outside the EU

Most of the Client’s personal data is processed within the European Economic Area (EEA).

Transfers to third countries:

  • Notion Labs Inc. (USA) — used as a CRM system for the client database and reservation history. The transfer is protected by: the EU Standard Contractual Clauses (SCC); EU-US Data Privacy Framework (DPF) certification; a Data Processing Agreement (DPA) signed with HEADSPA.
  • Google Workspace — the main infrastructure is located in EU data centres. In the event of a technical transfer of data to the US, the same safeguards apply: SCC and the EU-US Data Privacy Framework.

HEADSPA does not transfer personal data to countries that do not have an EU-recognised level of data protection without applying appropriate legal safeguards.

5.4. Recipient categories

HEADSPA does not transfer the Client’s personal data to third parties for marketing, advertising or commercial purposes.

Data is transferred only to:

  • Data processors listed in section 5.2, solely for the performance of contractual obligations towards the Client
  • State authorities — only upon lawful request (Tax Service VID, PTAC, court, police)
  • HEADSPA accountants and legal advisors — on the basis of confidentiality agreements

6 · Your rights

Under the GDPR you have the following rights:

6.1. Right of access (GDPR Article 15)

You can request a copy of all the data we process about you. We respond within 30 days.

6.2. Right to rectification (GDPR Article 16)

If the data is inaccurate or incomplete, you can request its correction.

6.3. Right to be forgotten (GDPR Article 17)

You can request deletion of your data, except:

  • Data whose retention is required by law (invoices, signed studio health questionnaires)
  • Data necessary to defend legal claims

6.4. Right to restriction of processing (GDPR Article 18)

You can request restriction of processing if you contest the accuracy of the data.

6.5. Right to data portability (GDPR Article 20)

You can request your data in a structured, machine-readable format (CSV or JSON) to transfer it to another service provider.

6.6. Right to object (GDPR Article 21)

You can object to data processing based on legitimate interests or for marketing purposes.

6.7. Right to withdraw consent

You can withdraw your consent at any time by emailing admin@head-spa.lv. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

6.8. Right to lodge a complaint with a supervisory authority

If you believe your rights have been violated, you can file a complaint:

Data State Inspectorate of Latvia

  • Elijas iela 17, Rīga, LV-1050
  • Phone: +371 67223131
  • Email: pasts@dvi.gov.lv
  • Website: www.dvi.gov.lv

7 · Data security

7.1. HEADSPA applies technical and organisational measures to protect your data:

Technical measures:

  • SSL/TLS encryption on the website and in payment systems
  • Encryption at the storage layer in Supabase (health data)
  • Access control with authentication and two-factor verification
  • Regular backups

Organisational measures:

  • Staff training on personal data processing
  • Confidentiality agreements with employees and partners
  • Need-to-know access principle
  • Data Processing Agreements (DPA) with all processors

7.2. In the event of a data breach we notify the Data State Inspectorate within 72 hours, and, if the breach poses a high risk to Clients’ rights — the affected Clients as well.


8 · Cookies

8.1. The following cookies are used on head-spa.lv:

TypePurposeDurationConsent
NecessaryOperation of the websiteSessionNot required
FunctionalLanguage and preferences12 monthsRequired
StatisticalAnonymous visit counting (Google Analytics 4)14 monthsRequired
MarketingMeta Pixel, remarketing systems12 monthsRequired

8.2. Cookie management — on the first visit to the website a consent banner is shown. Settings can be changed at any time.


9 · Special categories of data (medical information)

9.1. Before each procedure, the Client completes a health questionnaire (contraindications, allergies, chronic conditions, pregnancy, medications). This data is a special category of personal data under Article 9 of Regulation (EU) 2016/679 (GDPR).

9.2. Legal basis for processing: the Client’s explicit consent (GDPR Article 9(2)(a)), given by signing the questionnaire or confirming a checkbox in the online form.

9.3. Storage location:

  • The online questionnaire (completed before the visit) is stored in Supabase (Frankfurt, EU). The data is not transferred to third countries.
  • The signed paper questionnaire in the studio is scanned and stored in Google Workspace (EU).
  • The content of the health questionnaire is not duplicated in the CRM system (Notion). The CRM only records the fact that the questionnaire was completed and general specialist notes on the applicability of the programme.

9.4. Access to health data is granted only to:

  • The specialist performing the procedure
  • The HEADSPA lead specialist (Aleksandra Taļikova, medical education)
  • The data protection officer (Konstantins Talikovs)

9.5. Retention period for health data: 3 years from the Client’s last visit, after which the data is deleted. If the Client does not return within that period, the questionnaire is deleted automatically.

9.6. The Client may at any time request deletion of health data before the end of the retention period by emailing admin@head-spa.lv. Deletion is carried out within 30 days.


10 · Data transfers outside the EU/EEA

10.1. Most data processors are located within the EU/EEA.

10.2. Some services (for example, Notion Labs) are located in the USA. In those cases, the data transfer follows:

  • The EU-US Data Privacy Framework (the new framework in force since 2023)
  • The Standard Contractual Clauses (SCC)
  • Approved Data Processing Agreements (DPA) with the service provider

10.3. Health data (health questionnaires) is not transferred outside the EU — it is stored in Supabase (Frankfurt) and Google Drive (EU services).


11 · Changes to this policy

11.1. HEADSPA reserves the right to amend this Policy. Changes are published on the website together with the effective date.

11.2. For material changes (new data categories, new processing purposes) we notify Clients at the registered email address no later than 30 days before the changes take effect.


12 · Contacts

Data Controller:

  • SIA HEADSPA
  • Reg. No. 40203721075
  • Rūpniecības iela 5-1A, Rīga, LV-1010

Data Protection Officer (DPO):

  • Konstantins Talikovs
  • Email: admin@head-spa.lv
  • Phone: +371 22 830 328

Supervisory authority:

  • Data State Inspectorate of Latvia
  • www.dvi.gov.lv
WhatsApp