We value your privacy

    We use cookies to run this site, understand how it is used, and (with your permission) measure marketing performance. You can accept everything, reject everything non-essential, or choose per category below. Read our Privacy Policy and Cookie Policy.

    Required for the site to work (e.g. session, security, consent state). Always on.

    Anonymous usage measurement via Google Analytics 4 (page views, aggregated behaviour).

    Advertising and campaign measurement via Meta Pixel and Google Ads consent signals.

    Skip to main content

    Privacy Policy

    Last updated: July 6, 2026 · Version 1.1

    1. Introduction

    Sana Sana Retreat ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website sanasanaretreat.com and use our services.

    We are based in Spain and comply with the General Data Protection Regulation (GDPR) and applicable Spanish data protection laws.

    2. Data Controller

    The data controller responsible for your personal data is:

    • Controller: Mirjam Luitjes (sole trader / autónoma), trading as Sana Sana Retreat
    • NIE: Y2637525Z
    • Address: Camino Pou Dels Clots 9, 03725 Teulada (Alicante), Spain
    • Email: hello@sanasanaretreat.com
    • WhatsApp: +34 694 223 262

    For a full identification of the site owner, see our Aviso Legal.

    3. Information We Collect

    Personal Information You Provide

    • Contact Forms: Name, email address, phone number, and message content
    • Newsletter Subscription: First name, last name, and email address
    • Wellness Quiz: Name, email, quiz responses, and wellness preferences
    • Booking Inquiries: Name, contact details, and retreat preferences

    Automatically Collected Information

    • Device Information: Browser type, operating system, IP address
    • Usage Data: Pages visited, time spent, click patterns (via analytics)
    • Cookies: See our Cookie Policy for details

    4. How We Use Your Information

    We use your personal data for the following purposes:

    • To respond to your inquiries and provide customer support
    • To process retreat bookings and send confirmation details
    • To send newsletters and wellness tips (with your consent)
    • To personalize your quiz results and recommendations
    • To improve our website and services based on analytics
    • To comply with legal obligations

    5. Legal Basis for Processing (GDPR)

    • Consent: Newsletter subscriptions, marketing communications, analytics cookies
    • Contractual Necessity: Processing bookings and providing retreat services
    • Legitimate Interest: Website analytics, fraud prevention, improving services
    • Legal Obligation: Tax records, regulatory compliance

    6. Third-Party Services

    We use the following third-party services:

    Google Analytics (Analytics)

    Collects anonymized usage data to help us understand how visitors use our site. Google Privacy Policy

    Meta Pixel (Marketing)

    Tracks conversions and enables targeted advertising on Facebook/Instagram. Meta Privacy Policy

    Mailchimp (Email Marketing)

    Manages newsletter subscriptions and email communications. Mailchimp Privacy Policy

    Supabase (Database)

    Securely stores form submissions and reservation data. Supabase Privacy Policy

    Stripe (Payments)

    Processes card payments for deposits and balances when this method is used. Card details are entered on Stripe's own secure environment and are not stored by us. Stripe Privacy Policy

    Bank transfer

    Where you choose to pay by SEPA / bank transfer, your name and payment reference are visible to our bank as part of the transaction.

    Jotform (Forms)

    Where a booking, pre-arrival or intake form is powered by Jotform, the data you submit (contact details and any health, dietary or booking information you provide) is processed on Jotform's platform on our behalf as a data processor. Jotform Inc. is a US-headquartered company; form submissions are hosted in the EU (Frankfurt, Germany) when the account's EU/GDPR data-residency setting is enabled, which is the setting we use. Any transfer of personal data outside the EEA is covered by the European Commission's Standard Contractual Clauses (SCCs) included in Jotform's Data Processing Addendum, which is incorporated into our paid Jotform subscription with GDPR mode enabled. Jotform GDPR & DPA · Jotform Privacy Policy

    Resend (Transactional Email)

    Delivers booking confirmations, admin notifications and automated transactional emails on our behalf. Resend Privacy Policy

    WATI (WhatsApp Business)

    Sends WhatsApp messages related to your enquiry or booking (via the WhatsApp Business Platform provided by Meta). WATI Privacy Policy

    7. Your Rights (GDPR)

    Under GDPR, you have the following rights:

    • Right of Access: Request a copy of your personal data
    • Right to Rectification: Correct inaccurate or incomplete data
    • Right to Erasure: Request deletion of your data ("right to be forgotten")
    • Right to Restrict Processing: Limit how we use your data
    • Right to Data Portability: Receive your data in a machine-readable format
    • Right to Object: Object to processing based on legitimate interests
    • Right to Withdraw Consent: Withdraw consent at any time

    To exercise these rights, contact us at hello@sanasanaretreat.com. We will respond within 30 days.

    8. Data Deletion Request

    You can request deletion of all your personal data by:

    • Emailing us at hello@sanasanaretreat.com with subject "Data Deletion Request"
    • Using our Contact Form and selecting "Data Deletion Request" as the subject

    We will process your request within 30 days and confirm deletion via email.

    9. Data Retention Schedule

    We keep personal data only for as long as necessary for the purpose it was collected, or as required by law. The table below sets out the retention periods for each type of data we process.

    Data TypePurposeRetention PeriodLegal Basis
    Booking recordsContract fulfilment, payment records, customer support7 years after the retreat dateSpanish legal / tax obligation (Art. 30 LIVA)
    Payment recordsAccounting, fraud prevention, tax reporting7 years after the transactionSpanish legal / tax obligation
    Contact form submissionsResponding to enquiries and follow-up communication2 years from submission, or until deletion is requestedLegitimate interest and consent
    Newsletter subscribersEmail marketing and wellness communicationsUntil you unsubscribe, or until 2 years of inactivity, whichever is soonerConsent
    Quiz dataPersonalised results, lead nurturing, wellness recommendations2 years from submission, or until deletion is requestedConsent
    Website analyticsUnderstanding site usage and improving experienceUp to 26 months in Google Analytics (aggregated/anonymised where possible)Consent (via cookie banner)
    Marketing dataAd performance and retargetingAs set by Meta (typically up to 2 years)Consent (via cookie banner)
    Cookies / consent recordsProof of consent choices1 year from consent selectionLegal obligation

    How We Delete and Anonymise Data

    When the retention period ends, or when you request deletion, we remove your personal data from our active systems and databases. Where full deletion is not possible because the data is required for legal, accounting or fraud-prevention purposes, we:

    • Delete identifiable personal details such as name, email, phone number and address
    • Retain only the minimum information needed for legal compliance (for example, invoice amounts and dates)
    • Anonymise or pseudonymise data where possible so it can no longer be linked to you
    • Securely delete backups containing personal data on our standard backup rotation cycle (typically within 90 days)

    You may request deletion earlier by contacting hello@sanasanaretreat.com. We will comply unless a legal obligation requires us to retain the data, in which case we will inform you and explain why.

    10. Data Security

    We implement appropriate technical and organizational measures to protect your data, including:

    • SSL/TLS encryption for all data transmission
    • Secure database storage with access controls
    • Regular security reviews and updates

    11. International Transfers

    Some of our third-party services (Google, Meta, Mailchimp) may transfer data outside the EU. These transfers are protected by Standard Contractual Clauses or adequacy decisions as required by GDPR.

    12. Children's Privacy

    Our services are not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be highlighted in the change log below, and where required by law we will notify you directly.

    Change log

    • Version 1.1 — July 6, 2026: Added detailed data retention schedule (Section 9), documented Stripe, Jotform, Resend and WATI as processors, added cookie consent audit logging, and introduced the Legal Hub and Accessibility Statement.
    • Version 1.0 — December 19, 2024: Initial GDPR-compliant Privacy Policy published.

    14. Contact & Complaints

    If you have questions or complaints about this policy:

    • Email: hello@sanasanaretreat.com
    • WhatsApp: +34 694 223 262

    You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es