Privacy Policy · HEADSPA
- Effective from:
- 01.05.2026
- Version:
- 1.0
- Service provider:
- SIA HEADSPA, Reg. No. 40203721075 (Data Controller)
1 · Introduction
1.1. SIA HEADSPA (Reg. No. 40203721075, registered office: Rūpniecības iela 5-1A, Rīga, LV-1010), hereinafter HEADSPA, respects your privacy and protects personal data in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and the Law of the Republic of Latvia on the Processing of Personal Data of Natural Persons.
1.2. This privacy policy (the “Policy”) explains how HEADSPA collects, uses, stores and protects your personal data, as well as your rights in respect of this data.
1.3. The Policy applies to all HEADSPA clients and visitors of the head-spa.lv website.
2 · Data Protection Officer (DPO)
Name: Konstantins Talikovs
Role: Director of SIA HEADSPA and Data Protection Officer
Email: admin@head-spa.lv
Phone: +371 22 830 328
Address: Rūpniecības iela 5-1A, Rīga, LV-1010
For any question about how your data is processed, you can contact the DPO directly.
3 · What data we process
3.1. Identification data
- First name, last name
- Date of birth
- Phone number
- Communication language (LV / EN / RU)
Purpose: managing reservations, communication, reminders, issuing documents.
Legal basis: contract between the Client and HEADSPA (GDPR 6.1.b).
3.2. Health data ⚠️ Special category
Under Article 9 of the GDPR, health data is a special category of personal data with additional protection.
We process:
- Answers to the online health questionnaire — a short questionnaire filled in after the reservation
- Answers to the full health questionnaire in the studio — before the procedure
- Information about contraindications, allergies, chronic conditions, medications taken
- The specialist’s notes about the course of the procedure and the Client’s condition (only what is important for safety and adaptation of the programme)
Purpose: to ensure the safety of the procedure, adapt the programme, avoid health risks.
Legal basis: explicit consent (GDPR 9.2.a) — the Client gives consent by completing the questionnaire and signing the informed consent in the studio.
3.3. Payment data
- Bank account number (provided by the Client themselves)
- Payment history
- Invoice numbers and amounts
We do NOT have access to the Client’s bank card numbers or passwords — this information is handled by banks and payment service providers. HEADSPA does not receive or store the full card number, expiry date, CVV/CVC code or 3DS authentication codes.
Card payments are technically processed by Paynt (Pivotal Payments Designated Activity Company / Oppwa) as our payment service provider.
Purpose: invoicing, accounting.
Legal basis: legal obligation (Latvian Accounting Law) + contract.
3.4. Technical data from the website
- IP address
- Browser type and version
- Date and time of website visit
- Pages viewed
- Traffic source (which website you came from)
Purpose: operation of the website, security, statistics.
Legal basis: legitimate interests (GDPR 6.1.f) and — for cookies — consent.
3.5. Marketing data (with consent)
- Consent to receive newsletters, special offers and invitations
- Clicks and opens in emails
Purpose: marketing communication.
Legal basis: consent (GDPR 6.1.a).
4 · How long we store data
| Data category | Retention period | Justification |
|---|---|---|
| Client profile (identification) | 2 years after the last active communication | Commercial necessity |
| Online health questionnaire (Layer 1) | 2 years after the last procedure | Procedure safety history |
| Signed studio questionnaire (Layer 2) | 5 years | Latvian law requirement for medical documents |
| Invoices and accounting data | 10 years | Latvian Accounting Law |
| Marketing data | Until consent is withdrawn, or 3 years after last activity | Consent |
| Cookies | Depends on the cookie (see cookies policy) | Consent or legitimate interests |
| Technical server logs | 12 months | Security |
Once the retention period expires, data is deleted or anonymised.
5 · Who we share data with
5.1. Our staff and partners
Access to data is granted only to people who need it to perform their duties:
- Aleksandra Taļikova — health questionnaires and procedure notes
- Konstantins Talikovs (DPO) — all data for administration purposes
- Accountant — invoices, payments, annual report
5.2. Data processors
| Service | Purpose | Location | Transfer basis |
|---|---|---|---|
| Notion Labs Inc. | CRM (client database, reservations, visit history) | USA | SCC + DPA, EU-US Data Privacy Framework |
| Supabase Inc. | Storage of the online health questionnaire | EU (Frankfurt, AWS eu-central-1) | DPA, data does not leave the EU |
| Google Workspace | Email, Drive (signed studio questionnaires) | EU | DPA, EU-US Data Privacy Framework |
| Telegram Bot API | Internal operational studio notifications | — | Only de-identified data (name + reservation time) |
| AS Citadele banka | Advance and final payments, invoicing | Latvia | Banking secrecy regulated by FKTK |
| Paynt (Pivotal Payments Designated Activity Company / Oppwa) | Card payment processing | EU / Ireland | PCI DSS, DPA, SCC where applicable |
All data processors have signed Data Processing Agreements (DPA) with HEADSPA.
5.3. Data transfers outside the EU
Most of the Client’s personal data is processed within the European Economic Area (EEA).
Transfers to third countries:
- Notion Labs Inc. (USA) — used as a CRM system for the client database and reservation history. The transfer is protected by: the EU Standard Contractual Clauses (SCC); EU-US Data Privacy Framework (DPF) certification; a Data Processing Agreement (DPA) signed with HEADSPA.
- Google Workspace — the main infrastructure is located in EU data centres. In the event of a technical transfer of data to the US, the same safeguards apply: SCC and the EU-US Data Privacy Framework.
HEADSPA does not transfer personal data to countries that do not have an EU-recognised level of data protection without applying appropriate legal safeguards.
5.4. Recipient categories
HEADSPA does not transfer the Client’s personal data to third parties for marketing, advertising or commercial purposes.
Data is transferred only to:
- Data processors listed in section 5.2, solely for the performance of contractual obligations towards the Client
- State authorities — only upon lawful request (Tax Service VID, PTAC, court, police)
- HEADSPA accountants and legal advisors — on the basis of confidentiality agreements
6 · Your rights
Under the GDPR you have the following rights:
6.1. Right of access (GDPR Article 15)
You can request a copy of all the data we process about you. We respond within 30 days.
6.2. Right to rectification (GDPR Article 16)
If the data is inaccurate or incomplete, you can request its correction.
6.3. Right to be forgotten (GDPR Article 17)
You can request deletion of your data, except:
- Data whose retention is required by law (invoices, signed studio health questionnaires)
- Data necessary to defend legal claims
6.4. Right to restriction of processing (GDPR Article 18)
You can request restriction of processing if you contest the accuracy of the data.
6.5. Right to data portability (GDPR Article 20)
You can request your data in a structured, machine-readable format (CSV or JSON) to transfer it to another service provider.
6.6. Right to object (GDPR Article 21)
You can object to data processing based on legitimate interests or for marketing purposes.
6.7. Right to withdraw consent
You can withdraw your consent at any time by emailing admin@head-spa.lv. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
6.8. Right to lodge a complaint with a supervisory authority
If you believe your rights have been violated, you can file a complaint:
Data State Inspectorate of Latvia
- Elijas iela 17, Rīga, LV-1050
- Phone: +371 67223131
- Email: pasts@dvi.gov.lv
- Website: www.dvi.gov.lv
7 · Data security
7.1. HEADSPA applies technical and organisational measures to protect your data:
Technical measures:
- SSL/TLS encryption on the website and in payment systems
- Encryption at the storage layer in Supabase (health data)
- Access control with authentication and two-factor verification
- Regular backups
Organisational measures:
- Staff training on personal data processing
- Confidentiality agreements with employees and partners
- Need-to-know access principle
- Data Processing Agreements (DPA) with all processors
7.2. In the event of a data breach we notify the Data State Inspectorate within 72 hours, and, if the breach poses a high risk to Clients’ rights — the affected Clients as well.
8 · Cookies
8.1. The following cookies are used on head-spa.lv:
| Type | Purpose | Duration | Consent |
|---|---|---|---|
| Necessary | Operation of the website | Session | Not required |
| Functional | Language and preferences | 12 months | Required |
| Statistical | Anonymous visit counting (Google Analytics 4) | 14 months | Required |
| Marketing | Meta Pixel, remarketing systems | 12 months | Required |
8.2. Cookie management — on the first visit to the website a consent banner is shown. Settings can be changed at any time.
9 · Special categories of data (medical information)
9.1. Before each procedure, the Client completes a health questionnaire (contraindications, allergies, chronic conditions, pregnancy, medications). This data is a special category of personal data under Article 9 of Regulation (EU) 2016/679 (GDPR).
9.2. Legal basis for processing: the Client’s explicit consent (GDPR Article 9(2)(a)), given by signing the questionnaire or confirming a checkbox in the online form.
9.3. Storage location:
- The online questionnaire (completed before the visit) is stored in Supabase (Frankfurt, EU). The data is not transferred to third countries.
- The signed paper questionnaire in the studio is scanned and stored in Google Workspace (EU).
- The content of the health questionnaire is not duplicated in the CRM system (Notion). The CRM only records the fact that the questionnaire was completed and general specialist notes on the applicability of the programme.
9.4. Access to health data is granted only to:
- The specialist performing the procedure
- The HEADSPA lead specialist (Aleksandra Taļikova, medical education)
- The data protection officer (Konstantins Talikovs)
9.5. Retention period for health data: 3 years from the Client’s last visit, after which the data is deleted. If the Client does not return within that period, the questionnaire is deleted automatically.
9.6. The Client may at any time request deletion of health data before the end of the retention period by emailing admin@head-spa.lv. Deletion is carried out within 30 days.
10 · Data transfers outside the EU/EEA
10.1. Most data processors are located within the EU/EEA.
10.2. Some services (for example, Notion Labs) are located in the USA. In those cases, the data transfer follows:
- The EU-US Data Privacy Framework (the new framework in force since 2023)
- The Standard Contractual Clauses (SCC)
- Approved Data Processing Agreements (DPA) with the service provider
10.3. Health data (health questionnaires) is not transferred outside the EU — it is stored in Supabase (Frankfurt) and Google Drive (EU services).
11 · Changes to this policy
11.1. HEADSPA reserves the right to amend this Policy. Changes are published on the website together with the effective date.
11.2. For material changes (new data categories, new processing purposes) we notify Clients at the registered email address no later than 30 days before the changes take effect.
12 · Contacts
Data Controller:
- SIA HEADSPA
- Reg. No. 40203721075
- Rūpniecības iela 5-1A, Rīga, LV-1010
Data Protection Officer (DPO):
- Konstantins Talikovs
- Email: admin@head-spa.lv
- Phone: +371 22 830 328
Supervisory authority:
- Data State Inspectorate of Latvia
- www.dvi.gov.lv