Privacy Policy

How we handle your personal data

Last updated: 2026-05-01

1. Data Controller

The data controller responsible for personal data is Rituals Wellness Studio Dudzinska (Org.no. 934 792 955), operating Rituals Massage Oslo.

Carl Berners Plass, 0568 Oslo, Norway

Email: info@ritualsmassageoslo.com

Phone: +47 463 85 435

2. What data we collect

When you book a treatment we collect the following personal data:

  • Name
  • Phone number
  • Email address
  • Booking details (date, time, service, price, optional notes about allergies or preferences)
  • Technical info (IP address, browser, device) — only for security & analytics

3. Cookies and tracking

We use minimal cookies and tracking:

  • Technical cookies — necessary for the site to function (e.g. admin login session, language preference)
  • Anonymous visit statistics — we log page views with IP address and browser info to understand traffic and detect misuse. No third-party tracking (Google Analytics, Facebook Pixel etc.) is used
  • We do not use cookies for marketing or profiling

4. Purpose & legal basis

We process personal data to:

  • Manage bookings (creation, confirmation, cancellation, reminders) — GDPR Art 6(1)(b), necessary for contract
  • Send booking-related email notifications — GDPR Art 6(1)(b)
  • Prevent misuse and keep the service secure (logging IP, blocking suspicious attempts) — GDPR Art 6(1)(f), legitimate interest
  • Comply with bookkeeping and other legal obligations — GDPR Art 6(1)(c)

5. Obligation to provide data

Name, phone number and email are required to complete a booking. Without this data we cannot confirm your appointment, send reminders, or contact you about changes. You are not legally required to provide this data, but without it the service cannot be delivered.

6. Age limit

This service is exclusively for adults (18+). We do not knowingly process data of minors.

7. Special category data (health information)

If you choose to share information about allergies, injuries, pregnancy, medical conditions, or other health-relevant preferences in your booking notes, this constitutes special category data under GDPR Art 9. We process this data:

  • only with your explicit consent (GDPR Art 9(2)(a))
  • only for the purpose of ensuring your safety and comfort during the treatment
  • we do not share it with any third party other than the therapist performing your treatment
  • it is deleted together with your booking record according to the retention period in Section 8

Providing this information is voluntary. You can book a treatment without sharing health-related notes, but in that case we cannot adjust the treatment to your specific health needs and you accept full responsibility for any consequences.

8. Retention period

  • Email log and page views: 90 days (auto-deleted)
  • Bookings and customer data: 5 years (required by Norwegian Bookkeeping Act § 13)
  • Blocked attempts: 24 hours (auto-deleted)
  • Admin login session: expires automatically on logout

9. Third parties

We use the following data processors to deliver the service:

  • Vercel Inc. (USA) — website hosting & delivery
  • Supabase Inc. (EU/USA) — database storage (servers in EU)
  • Resend Inc. (USA) — email delivery
  • Telegram FZ-LLC (UAE) — internal admin notifications (booking details only, no extra customer data beyond name)
  • one.com (Denmark/EU) — email mailbox for info@ritualsmassageoslo.com

Transfers outside the EEA (USA, UAE) are protected by the EU Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards. We do not sell or share personal data with any other third parties.

10. Your rights

Under the GDPR you have the following rights:

  • Access — be informed what data we hold about you (Art 15)
  • Rectification — have inaccurate data corrected (Art 16)
  • Erasure — have your data deleted (Art 17), except bookings which must be retained for accounting purposes
  • Restriction — have processing restricted (Art 18)
  • Data portability — receive your data in machine-readable format (Art 20)
  • Objection — object to processing based on legitimate interest (Art 21)
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time (Art 7(3))
  • Complaint to the Norwegian Data Protection Authority (datatilsynet.no, phone +47 22 39 69 00)

To exercise your rights, contact us at info@ritualsmassageoslo.com. We respond within 30 days.

11. Cancellation & deletion

You can cancel your booking at any time using the link in your confirmation email — up to 2 hours before your appointment. To request full deletion of your personal data, contact us by email. We will delete all data not subject to legal retention (e.g. completed bookings must be retained for 5 years for accounting purposes).

12. Security & breach notification

We take IT security seriously. All data is transmitted encrypted (HTTPS/TLS), passwords are not stored in plaintext, and the database is protected with security rules (Row Level Security). We perform regular security updates and monitor for suspicious activity.

In the event of a personal data breach, we will notify the Norwegian Data Protection Authority within 72 hours as required by GDPR Art 33, and affected users without undue delay if there is a high risk to their rights (Art 34). We do not use automated decision-making or profiling that produces legal effects or significantly affects you (GDPR Art 22).

13. Changes to this policy

We may update this policy when needed. The date at the top shows when it was last changed. For material changes, we will notify you by email if you have an active booking.