Lagoon GDPR Privacy Notice

Introduction

This Privacy Notice is intended to inform you how Lagoon gathers, defines, and uses information that could identify you, such as your name, email address, address, other contact details or online identifiers or other personal information that you provide to us when using Lagoon’s services. Please take a moment to read this Privacy Notice carefully.
In the current Covid-19 circumstances, if requested by Public Health England, we will share your contact details with NHS Test and Trace, to comply with our legal requirement to do so.


Purpose and Legal Basis for Processing Your Data

Lagoon takes your privacy seriously and we will never sell or rent your personal data to any third-party. Direct marketing activities are only carried out with your express consent, which you are free to withdraw at any time.
We need to obtain and process your personal data to provide you with our products, services and treatments and to fulfil our business and legal obligations. We will never collect any personal information from you that we do not need or retain any data that is no longer necessary for the purposes specified in this notice.
Where we request sensitive personal data from you (i.e. health or medical data), the reason(s) for the request will be clearly given along with the purposes of the processing. Explicit consent through a signature will always be required for us to obtain and process your health information.


Personal data collected

The personal data that we collect is:
• Name
• Phone number(s)
• Email Address
• Home address
• Date of birth
• Gender
• Health information
• Photo(s)
• CCTV footage (no sound)
• Credit card number (for payment).
• Other relevant personal information that you may voluntarily provide to us when using our services (including when booking services; having treatments and submitting after-treatment feedback).


Who is processing my data?

Lagoon, 139 Alexandra Road, London, SW19 7JY is the data controller and processes your personal information for the purposes laid out in this privacy notice. You can contact the Data Protection Officer by sending an email to info@lagoonspa.co.uk or writing to the Lagoon, 139 Alexandra Road, London, SW19 7JY.

Phorest, Anglesea Mills, 9 Anglesea Row, Smithfield, Dublin 7, D07 W5NE, Ireland, acts as data processor on behalf of the salon and have access to personal information only in cases that customer support or troubleshooting is required by Lagoon. Further, they must process the personal information in accordance with this Privacy Notice and as permitted by applicable data protection laws.

Swann Communications Ltd, 2 Canon Harnett Court, Wolverton Mill, Milton Keynes, MK12 5NF acts as a data processor on behalf of salon to administer Lagoon’s CCTV system using the Swann Security App.


How do we use your personal information?

In general terms, we use Personal Information to provide you with the services and products you request; to process payments; provide customer services; deliver our content; efficiently run our business; for customer research; to send you marketing communications and to notify you about important changes to Lagoon.
We also use your Personal Information for the following purposes:

To fulfil a contract, or take steps linked to a contract:

This is relevant where you request a service from Lagoon and includes:
• The collection and processing of personal data that is required to enter into a contract to sell you a product and/or service.
• The collection and processing of health information to perform the agreed services appropriately, and potentially highlight areas that products and services may cause issues to clients because of their health.
• To make and securely store written notes with respect to appointments booked, products sold and treatment services performed. This helps ensure that we maintain and exceed our level of service.
• To engage in communication with you via SMS, email, phone call or other relevant means, regarding your request to book an appointment; purchase products; appointment confirmations; appointment reminders; requests to cancel or amend bookings; post-treatment enquiries and customer service enquiries.
• In certain circumstances photograph(s) in which you can be identified may be taken by Lagoon or supplied voluntarily to Lagoon by yourself. An example would be images of you before and after having eyelash extensions (the photos would obviously show all or part of your face). Such images are added to your client treatment record to maintain an accurate record of your treatment(s) and only authorised personnel have access to view these photos.
No photograph will be taken of you by Lagoon without your knowledge and consent to take the picture. In most circumstances (such as a photo of your fingernails after a manicure) the data subject cannot be identified in photographs of treatments performed.

As required by Lagoon to conduct our business and pursue our legitimate interests, in particular:

• To engage in communication with you via SMS, email, phone call or other relevant means, to respond to general enquiries and/or correspondence that you may raise with Lagoon.
• After visiting us, we may send you an email or SMS asking you to provide feedback and rate the service you have received from Lagoon. This important communication between customer and salon enables us to focus on the quality of the treatments we deliver and maintain our service standards. For customers who object to receiving service feedback requests, it is possible to contact the salon and opt out at any time.
• The processing of personal data, including card payment details and CCTV footage to prevent crime, fraud and to ensure customer & employee safety.
• To hold and process personal data for insurance purposes. To verify compliance with our terms and conditions and for the establishment, exercise or defence of legal claims.
• To conduct market research and consumer surveys.
• To store customer records including personal data and process such data to enable our business to run efficiently and effectively. This includes conducting internal research and analysis so that we can see how our products and services are being used and how our business is performing. The process enables us to ensure that we deliver safe service levels and provide industry standard advice.
Examples of processing include data analysis of the number of customers; customer purchase activity & patterns; the success of marketing campaigns; analysis of customer feedback; salon turnover; therapist performance; identifying & merging duplicate customer treatment records; identifying & correction of data errors; managing customer late cancellations & no shows.
• To hold and process personal data relating to a candidate was has made a job application to work at Lagoon.

Where you give us consent:

• We will not undertake email or SMS marketing without you first providing consent for us to do so. With your consent we may communicate to you, relevant offers, promotions and information, and other selected third parties’ goods or services. Some of our marketing campaigns are partially automated and use rules based on services and products purchased and information we collect from you. For example, we may send marketing campaigns related to your birthday or for services that you have previously purchased or to reconnect with you if you have not visited the salon recently. Our marketing activities involve a level of human interaction and decision making to set up, administer and action campaigns. You may opt out of receiving marketing material at any time.
• On occasion Lagoon may request from you consent to post a photograph of you on our website and/or social media (i.e. before and after pics of a beauty treatment). Lagoon will never post a photograph of you (in which you can be identified) without your express consent to do so. If you consent to this and change your mind later, you are able to withdraw consent and request the removal of the photograph(s) from Lagoon’s web content.
• We consider becoming a member of our customer loyalty program ‘Treatcard’, as consent to send you emails and SMS related to the loyalty program. The Treatcard loyalty scheme allows Lagoon customers to collect points and qualify for rewards (additional treatment services which are either free or at a reduced price). You may opt out of the loyalty scheme at any time. Please note, should you opt out of the Lagoon loyalty scheme, you will no longer be entitled to receive Treatcard rewards.
• On other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.

For purposes which are required by law:

• To meet legal, regulatory and compliance requirements. This includes supplying contact details of customers to Public Health England for Covid-19 NHS Test & Trace.
• To comply with Local Authority beauty salon licencing requirements.
• To respond to requests by government or law enforcement authorities conducting an investigation.


Your rights as the individual

If your personal data is held by Lagoon, you hold particular rights over it. Where you have provided consent for us to contact you as part of our marketing services, you have the right to modify or withdraw your consent at any time by using the unsubscribe option accompanying our direct marketing or by contacting the Lagoon Data Protection Officer.
You also have the right:
• To be informed of how your personal data will be used before it is collected.
• To access your personal data personal data and to information on how your information is used after it has been gathered.
• To have personal data corrected if it is incomplete, inaccurate or out-of-date.
• To request the removal or deletion of personal data where there is no compelling reason for its continued processing.
• To restrict processing, to block processing of your personal data.
• To data portability, having your data moved, copied or transferred from Lagoon to another organisation in an easily readable format.
• To object to direct marketing from us.

Special categories of personal data collected

Health questions are asked in many of our treatment consultation forms to potentially highlight treatments that may have a negative effect on your health due to medication you are taking or a condition you have. Lagoon asks for consent prior to gathering and processing this information. At any time after giving consent, you can withdraw you consent, subject to legal, insurance and contractual restrictions (see more on "your rights as an individual"). Your privacy is very important to us and we only use this information for determining your suitability for the treatment.


Process of collection

Your personal data is collected when you provide it to us through Phorest software, our website, over the phone, in person at Lagoon, by email, by text message, social media, in writing or any other means by which you provide it to us. Information is stored using the Phorest software platform, Lagoon salon IT systems, secure email systems, as well as some level of paper record keeping.


Children's Privacy

Lagoon does not collect the personal data of children under the age of 13 without parental or guardian consent. If you believe that we hold any information from or about a child under age 13, please contact Lagoon and if we cannot immediately obtain appropriate parental or guardian consent, will remove the personal data from storage.
When completing a treatment consultation form as a parent / guardian for a child, Lagoon politely requests that you supply the contact details (email and phone numbers) that relate to the parent / guardian, not the child.


Card Payment Details

Card payment details (i.e. credit and debit cards) are only processed for the purpose of payments made relating to services and/or products purchased from Lagoon and the prevention of fraud. Card payments are made via secure card processing systems and with recognised card payment processors.
A single paper receipt (one per transaction) is generated by the card payment terminal, these receipts are securely stored by Lagoon. For security and data protection reasons, other than the single paper receipt, no digital or paper record of card payment number is ever created or stored by Lagoon.


Data Sharing

Your personal data is shared with Phorest representatives in cases that account administration, customer support and troubleshooting is required for the salon.
Lagoon does not share your personal information with any third-party without your prior consent, other than those disclosed in this privacy notice or as part of our legal obligations under the relevant data protection laws.

Sharing personal data with third parties

We treat the security and method of processing your personal data very seriously, and we will never sell or rent your personal data under any circumstances.
However, we may disclose your personal data to selected third parties, including in the following situations:
• To third party service providers that perform functions on our behalf in relation our appointment booking system(s) / software or otherwise in connection with the running of our business, recruiting candidates and for the provision of Lagoon's services (for example, processing credit card payments, website hosting, conducting surveys and market research, providing social media analysis, providing marketing email services, data analysis tools and to manage customer services communications including telephone calls).
• To third party brands with which we collaborate on products, services, competitions and campaigns
• To third party software providers to ensure that any third party software solutions used by Lagoon and our Phorest salon management software are compatible and work together to display real-time appointment availability to our customers.
• To Media agencies and advertising partners in order to run targeted marketing campaigns.
• To other third parties, for the purpose of facilitating our business and improving our products, content or services.
• If we buy, sell or transfer any business or assets or if go into insolvency, bankruptcy or receivership. If this should happen, we may need to disclose your Personal Information to the seller or buyer of such business or assets, as appropriate
• If we are under a duty to disclose or share your Personal Data to comply with any legal obligation or in order to enforce or apply our terms and conditions and other agreements or protect the rights, property, or safety of our customers, or others. This includes exchanging information with other companies and organisations for fraud protection.
• To government authorities, and to other third parties as required or permitted by law, including but not limited to in response to court orders. We also may disclose user information when we have reason to believe that someone is causing injury to or interference with our rights or property, or anyone else that could be harmed by such activities.


Use of Data Processors

Data processors are third parties who provide some elements of our business services for us. Where we use a third-party, we have strict agreements in place governing the processing of your personal data, on which no action can be taken without instruction from us. The third-parties with whom we work will never share or disclose your personal information and will hold it securely at all times.

Phorest
Lagoon use software provided by Phorest to manage the salon for appointment scheduling, CRM (customer relationship management) and marketing.

Swan Communications Ltd
Lagoon uses software provided by Swann Communications Ltd to manage its CCTV system and footage.

How Long Do We Keep Your Data?

Lagoon retains your personal data for as long as necessary to provide you with our services as our client. Where we have your consent for marketing purposes, we will retain the minimum required data until you notify us that you no longer wish to receive such information.
Lagoon is required under tax laws to keep your personal data for a minimum of 7 years. Salon insurance records are retained for 7 years; compliance with Local Authority beauty salon licencing requires personal data to be retained for 2 years. CCTV footage is retained for 3 months. Data relating to unsuccessful job applications is keep for 9 months.
The criteria for which we would continue to process your personal information includes:
• Where there is a legal basis, obligation or legitimate interest to continuing processing your personal information
• Where processing is necessary for the establishment, exercise or defence of legal claims

Transfers of personal information

When your personal data is processed through Phorest software, all of it is held within the EU. Your information is processed by the Phorest software and stored in the Amazon Web Services cloud. During this process your data is encrypted in transit and at rest.
By agreeing to this privacy policy you accept that your data may be transferred outside of the European Economic Area (EEA). Where we use data servers that may transfer data out of the EEA we will take steps to ensure adequate protections are in place to ensure the security of your information.
Consequences of not providing your personal information to Lagoon
In the event that you want to purchase a product or service from Lagoon, certain personal information is required to enter into a contract with you. Lagoon will not be able to enter into a contract with you to fulfil an attempt to purchase a service or certain products if you do not provide your personal information.
As stated in this privacy notice, we are processing your personal data to comply with legal and statutory obligations and in the performance of a contract. You can always choose not to provide personal information; however, we will be unable to provide certain products, services and treatments in these instances.


Safeguarding your Personal Data

Appropriate measures are taken to protect your personal data from access from unauthorized persons or inappropriate access, internal or external. Your connection to the Phorest system uses a HTTP Secure communication protocol and TLS security. This means all information passed to the Phorest system is encrypted during data input and transfer to the cloud. Any paper files recording your personal data are held in a secure location which can only be accessed by authorised salon personnel. Employees are only assigned specific access rights and can only access the salon software with the PIN number assigned to them by the management of the salon.


Complaints

In the occurrence that you want to make a complaint about how your personal data was gathered, how it is being processed by Lagoon (or third parties used by Lagoon) or you are not satisfied about how a complaint has been handled, you retain the right to lodge a complaint directly with the supervisory authority and Lagoon and also the salon Data Protection Officer.

Data Protection Commissioner
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Tel. 0303 123 1113

Data Protection Officer
Lagoon, 139 Alexandra Road, London, SW19 7JY
info@lagoonspa.co.uk
Tel. 020 8947 2332

Lagoon, Wimbledon
Updated 27/09/20