← Back to home

Legal

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 1 June 2026

1. Data Controller

Turban Sauna is the data controller responsible for your personal data. We are located at Vasbygade 18, 2450 København SV, Denmark. For questions regarding data processing, contact us at [email protected].

2. Legal Basis

We process your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven). Our legal bases for processing include:

  • Contract performance — processing necessary to fulfil your booking and provide our services (Art. 6(1)(b) GDPR).
  • Legitimate interest — improving our services, preventing fraud, and maintaining security (Art. 6(1)(f) GDPR).
  • Consent — marketing communications and non-essential cookies, where you have given explicit consent (Art. 6(1)(a) GDPR).
  • Legal obligation — tax and accounting requirements under Danish law (Art. 6(1)(c) GDPR).

3. Data We Collect

3.1 Booking Information

When you make a booking, we collect your name, email address, phone number (if provided), session date and time, number of guests, and payment reference. Payment card details are processed directly by Stripe and are never stored on our servers.

3.2 Account Information

If you create an account, we store your name, email address, and an encrypted (hashed) version of your password. We do not store passwords in plain text.

3.3 Contact Forms

When you contact us via email or a contact form, we collect your name, email address, and the content of your message. This data is used solely to respond to your enquiry.

3.4 Newsletter

If you subscribe to our newsletter, we collect your email address. You may unsubscribe at any time using the link in each newsletter or by contacting us directly.

3.5 Analytics

We may use analytics tools to understand how visitors interact with our website. This may include anonymised data such as pages visited, time spent, device type, and approximate geographic location. See our Cookie Policy for details.

3.6 Cookies

Our website uses cookies. For full details on which cookies we use and their purposes, see our Cookie Policy.

4. How We Use Your Data

  • Processing and confirming bookings
  • Sending booking confirmations and reminders
  • Managing cancellations and refunds
  • Responding to your enquiries
  • Sending newsletters and marketing (only with your consent)
  • Improving our website and services
  • Complying with legal and accounting obligations

5. Third-Party Processors

We share your data with the following categories of third-party processors, all of whom are bound by data processing agreements:

  • Stripe — payment processing (PCI DSS compliant)
  • Hosting provider — website and database hosting within the EU/EEA
  • Email service provider — transactional and marketing emails

We do not sell your personal data to third parties.

6. Data Retention

  • Booking data — retained for up to 5 years after the booking date, as required by Danish accounting law (Bogføringsloven).
  • Account data — retained for as long as your account is active. You may request deletion at any time.
  • Contact form data — retained for up to 12 months after your enquiry is resolved.
  • Newsletter data — retained until you unsubscribe.
  • Analytics data — retained for up to 26 months in anonymised form.

7. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data, subject to legal retention requirements.
  • Right to restriction — request that we limit processing of your data in certain circumstances.
  • Right to data portability — receive your data in a structured, commonly used format.
  • Right to object — object to processing based on legitimate interest or direct marketing.
  • Right to withdraw consent — withdraw previously given consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or alteration. These include encrypted connections (HTTPS/TLS), hashed passwords, access controls, and regular security reviews.

9. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
www.datatilsynet.dk

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via our website. The date at the top of this page indicates when this policy was last revised.