Privacy Policy
Last updated: July 6, 2026 · Version 1.1
1. Introduction
Sana Sana Retreat ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website sanasanaretreat.com and use our services.
We are based in Spain and comply with the General Data Protection Regulation (GDPR) and applicable Spanish data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
- Controller: Mirjam Luitjes (sole trader / autónoma), trading as Sana Sana Retreat
- NIE: Y2637525Z
- Address: Camino Pou Dels Clots 9, 03725 Teulada (Alicante), Spain
- Email: hello@sanasanaretreat.com
- WhatsApp: +34 694 223 262
For a full identification of the site owner, see our Aviso Legal.
3. Information We Collect
Personal Information You Provide
- Contact Forms: Name, email address, phone number, and message content
- Newsletter Subscription: First name, last name, and email address
- Wellness Quiz: Name, email, quiz responses, and wellness preferences
- Booking Inquiries: Name, contact details, and retreat preferences
Automatically Collected Information
- Device Information: Browser type, operating system, IP address
- Usage Data: Pages visited, time spent, click patterns (via analytics)
- Cookies: See our Cookie Policy for details
4. How We Use Your Information
We use your personal data for the following purposes:
- To respond to your inquiries and provide customer support
- To process retreat bookings and send confirmation details
- To send newsletters and wellness tips (with your consent)
- To personalize your quiz results and recommendations
- To improve our website and services based on analytics
- To comply with legal obligations
5. Legal Basis for Processing (GDPR)
- Consent: Newsletter subscriptions, marketing communications, analytics cookies
- Contractual Necessity: Processing bookings and providing retreat services
- Legitimate Interest: Website analytics, fraud prevention, improving services
- Legal Obligation: Tax records, regulatory compliance
6. Third-Party Services
We use the following third-party services:
Google Analytics (Analytics)
Collects anonymized usage data to help us understand how visitors use our site. Google Privacy Policy
Meta Pixel (Marketing)
Tracks conversions and enables targeted advertising on Facebook/Instagram. Meta Privacy Policy
Mailchimp (Email Marketing)
Manages newsletter subscriptions and email communications. Mailchimp Privacy Policy
Supabase (Database)
Securely stores form submissions and reservation data. Supabase Privacy Policy
Stripe (Payments)
Processes card payments for deposits and balances when this method is used. Card details are entered on Stripe's own secure environment and are not stored by us. Stripe Privacy Policy
Bank transfer
Where you choose to pay by SEPA / bank transfer, your name and payment reference are visible to our bank as part of the transaction.
Jotform (Forms)
Where a booking, pre-arrival or intake form is powered by Jotform, the data you submit (contact details and any health, dietary or booking information you provide) is processed on Jotform's platform on our behalf as a data processor. Jotform Inc. is a US-headquartered company; form submissions are hosted in the EU (Frankfurt, Germany) when the account's EU/GDPR data-residency setting is enabled, which is the setting we use. Any transfer of personal data outside the EEA is covered by the European Commission's Standard Contractual Clauses (SCCs) included in Jotform's Data Processing Addendum, which is incorporated into our paid Jotform subscription with GDPR mode enabled. Jotform GDPR & DPA · Jotform Privacy Policy
Resend (Transactional Email)
Delivers booking confirmations, admin notifications and automated transactional emails on our behalf. Resend Privacy Policy
WATI (WhatsApp Business)
Sends WhatsApp messages related to your enquiry or booking (via the WhatsApp Business Platform provided by Meta). WATI Privacy Policy
7. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
To exercise these rights, contact us at hello@sanasanaretreat.com. We will respond within 30 days.
8. Data Deletion Request
You can request deletion of all your personal data by:
- Emailing us at hello@sanasanaretreat.com with subject "Data Deletion Request"
- Using our Contact Form and selecting "Data Deletion Request" as the subject
We will process your request within 30 days and confirm deletion via email.
9. Data Retention Schedule
We keep personal data only for as long as necessary for the purpose it was collected, or as required by law. The table below sets out the retention periods for each type of data we process.
| Data Type | Purpose | Retention Period | Legal Basis |
|---|---|---|---|
| Booking records | Contract fulfilment, payment records, customer support | 7 years after the retreat date | Spanish legal / tax obligation (Art. 30 LIVA) |
| Payment records | Accounting, fraud prevention, tax reporting | 7 years after the transaction | Spanish legal / tax obligation |
| Contact form submissions | Responding to enquiries and follow-up communication | 2 years from submission, or until deletion is requested | Legitimate interest and consent |
| Newsletter subscribers | Email marketing and wellness communications | Until you unsubscribe, or until 2 years of inactivity, whichever is sooner | Consent |
| Quiz data | Personalised results, lead nurturing, wellness recommendations | 2 years from submission, or until deletion is requested | Consent |
| Website analytics | Understanding site usage and improving experience | Up to 26 months in Google Analytics (aggregated/anonymised where possible) | Consent (via cookie banner) |
| Marketing data | Ad performance and retargeting | As set by Meta (typically up to 2 years) | Consent (via cookie banner) |
| Cookies / consent records | Proof of consent choices | 1 year from consent selection | Legal obligation |
How We Delete and Anonymise Data
When the retention period ends, or when you request deletion, we remove your personal data from our active systems and databases. Where full deletion is not possible because the data is required for legal, accounting or fraud-prevention purposes, we:
- Delete identifiable personal details such as name, email, phone number and address
- Retain only the minimum information needed for legal compliance (for example, invoice amounts and dates)
- Anonymise or pseudonymise data where possible so it can no longer be linked to you
- Securely delete backups containing personal data on our standard backup rotation cycle (typically within 90 days)
You may request deletion earlier by contacting hello@sanasanaretreat.com. We will comply unless a legal obligation requires us to retain the data, in which case we will inform you and explain why.
10. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- SSL/TLS encryption for all data transmission
- Secure database storage with access controls
- Regular security reviews and updates
11. International Transfers
Some of our third-party services (Google, Meta, Mailchimp) may transfer data outside the EU. These transfers are protected by Standard Contractual Clauses or adequacy decisions as required by GDPR.
12. Children's Privacy
Our services are not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be highlighted in the change log below, and where required by law we will notify you directly.
Change log
- Version 1.1 — July 6, 2026: Added detailed data retention schedule (Section 9), documented Stripe, Jotform, Resend and WATI as processors, added cookie consent audit logging, and introduced the Legal Hub and Accessibility Statement.
- Version 1.0 — December 19, 2024: Initial GDPR-compliant Privacy Policy published.
14. Contact & Complaints
If you have questions or complaints about this policy:
- Email: hello@sanasanaretreat.com
- WhatsApp: +34 694 223 262
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es