Data Protection Policy
Les Thermes de Saint-Gervais aims to be an exemplary corporate citizen, contributing to the creation of a better world. We attach great importance to principles of honesty and transparency and are committed to building a strong and lasting relationship with our customers, based on trust and mutual interest. Part of this commitment involves the protection and respect of your privacy and your personal choices. Respecting your privacy is a fundamental concern for us. For this reason, you will find below “Our Commitment to the Protection of Personal Data” as well as the full text of our Personal Data Protection Policy.
1. OUR DATA PROTECTION POLICY COMMITMENTS
We respect your privacy and your choices.
We ensure that issues relating to the protection and security of personal data are at the heart of everything we do.
We only send you commercial communications if you have requested them. You may change your mind at any time.
We do not share or sell your data.
We are committed to securing and protecting your personal data. This means that we only work with trusted partners.
We are committed to being open and transparent about how we use your data.
We do not use your personal data in ways that we have not previously disclosed to you.
We respect your rights and continually strive to respond to your requests wherever possible, while complying with our own legal and operational responsibilities.
To provide further insight into our practices regarding personal data protection and privacy, we outline below the different types of personal data we may obtain directly from you or as a result of your interaction with us, how we may use it, the people with whom we may share it, how we protect and secure it, and the rights you have in relation to your personal data. Naturally, you may not be concerned by all of these situations. This personal data protection policy is intended to give you an overview of all situations in which we may interact with you.
The more you communicate with us and provide information about yourself, the better we will be able to offer you personalised services.
When you provide us with personal data or when we collect personal data about you, we commit to using it in accordance with this Policy. Please read this information carefully, along with our Frequently Asked Questions (FAQ) page. If you have any questions or concerns regarding your personal data, please contact us at: dpo@tsgmb.com or via our contact form.
2. WHO WE ARE
The company THERMES de SAINT-GERVAIS LES BAINS LE FAYET, a simplified joint-stock company with a sole shareholder, with a share capital of €1,047,014, registered with the Annecy Trade and Companies Register under number 605 920 172, with its registered office at 355 Allée du Docteur Lépinay, 74170 Le Fayet, France.
The terms “THERMES de SAINT-GERVAIS”, “we” or “our” used herein refer to THERMES de SAINT-GERVAIS LES BAINS.
In accordance with applicable personal data protection regulations, THERMES de SAINT-GERVAIS LES BAINS acts as the data controller.
3. WHAT IS PERSONAL DATA
"Personal data” means any information that can directly (e.g., your name) or indirectly (e.g., through pseudonymised data such as a unique identifier) identify you. This means that personal data includes information such as postal and email addresses, mobile phone numbers, usernames, profile pictures, personal preferences and shopping habits, user-generated content, financial data, and information relating to your beauty or wellness. Personal data may also include unique digital identifiers such as your computer’s IP address or your mobile device’s MAC address, as well as cookies.
4. WHAT PERSONAL DATA DO WE COLLECT FROM YOU AND HOW DO WE USE IT?
Saint-Gervais Mont Blanc Thermal Spa considers that, as a consumer, you are at the heart of everything we do. We value receiving information from you, getting to know you, and creating and providing services and products that you appreciate. We are also aware that many of you enjoy communicating with us. For all these reasons, there are numerous ways you can provide us with personal data, and for us to collect it.
A. HOW DO WE COLLECT OR RECEIVE YOUR PERSONAL DATA?
We may collect personal data from you or receive it from you via our websites, questionnaires, applications, devices, pages dedicated to Saint-Gervais Mont Blanc services, products, or brands on social media, or by any other means. In some cases, you provide personal data directly (e.g., when creating an account, contacting us, or making a purchase on our websites/apps or at a spa/institute/store). In other cases, we collect this data (for example, using cookies to understand how you use our websites/apps) or when data is provided to us by third parties.
When we collect data, mandatory fields are indicated with an asterisk (*). Some of the data we request is essential for the following reasons:
Contract performance: To organise and manage the treatment you have booked or deliver goods purchased on our website/app.
Service provision: To provide the service you have requested (e.g., sending a newsletter).
Legal compliance: To meet legal obligations (e.g., invoicing).
Failure to provide mandatory information may affect our ability to provide the requested services and products.
We provide detailed information below regarding:
Situations in which your personal data may be provided or collected: Activities you engage in or situations you encounter where we use or collect personal data (e.g., making a purchase, subscribing to a newsletter, or browsing a website/app).
Personal data we may obtain directly from you or from your interaction with us: Types of data we may collect depending on the situation.
How and why we may use this data: Explains how we use your data and for what purposes.
Legal basis for processing your personal data: The reason we are entitled to use your data.
Depending on the purpose of data use, the legal basis may be:
Your consent.
Our legitimate interest, which may include:
Improving our products and services, understanding your needs to enhance our offerings.
Fraud prevention, to ensure payments are legitimate.
Securing our tools (websites/apps/devices).
Contract performance: Delivering the services you request.
Legal obligations: When required by law.
Failure to provide mandatory personal data may affect the products and services we can provide.
Sensitive Personal Data:
Processing special categories of personal data (“sensitive data”) is limited to data made public by you or a third party on your behalf, or when you have given your consent. For example, we may need to understand your health or dietary requirements to provide access or catering for an event you attend or to handle a query or complaint. We always check these requirements with you and only request information you are comfortable sharing.
B. AUTOMATED INDIVIDUAL DECISION-MAKING
Automated decision-making refers to the ability to make decisions using technology without human intervention.
To secure transactions on our websites/apps/devices and protect them against fraud, we use a solution developed by a third-party provider.
The fraud detection solution uses methods including: comparisons, association rules, clustering, prediction, anomaly detection via intelligent agents, data fusion, and data mining techniques.
This process may be fully automated or may involve human intervention, where a final decision is made by a person. In all cases, we take reasonable precautions to limit access to your personal data.
As a result of automated fraud detection:
Processing your order/request may be delayed while your transaction is reviewed.
You may be excluded from a service, or access may be restricted if a risk of fraud is detected.
You have the right to access information underlying any decision. See the section “Your Rights and Choices” below.
C. PROFILING
When we send or display personalised communications or content, we may use techniques referred to as “profiling” (automated processing of personal data to evaluate certain personal aspects, e.g., predicting preferences, interests, financial situation, behaviour, location, health, reliability, or travel).
We collect and analyse such data to assess and predict your personal preferences and/or interests. Based on this, we send or display communications and/or content tailored to your needs.
In certain circumstances, you have the right to object to the use of your data for profiling. See “Your Rights and Choices.”
D. JOINT CONTROL
We are always responsible for personal data we collect about you. In some cases, when working with trusted partners, we may share responsibility for data protection.
Our commitments as joint controllers include:
Defining roles and responsibilities of each party.
Being transparent about the purposes of shared data processing.
Ensuring you can exercise your legal rights.
Informing you of your rights when requesting personal data in collaboration with partners.
E. WHO MAY ACCESS YOUR PERSONAL DATA?
Your personal data may be processed on our behalf by trusted service providers. We engage third parties for business operations and only provide them with the information necessary to perform the service.
Examples of such third parties include:
Providers assisting with digital and e-commerce services, e.g., social listening, store locator, loyalty programmes, identity management, user reviews, CRM, web analytics, content creation.
Advertising, marketing, social media, and digital agencies to assist with campaigns and manage customer queries.
Postal/delivery services.
IT service providers: platform providers, hosting, maintenance, and technical support.
Payment service providers and credit reporting agencies.
Customer service and cosmetovigilance support.
We may also share personal data:
In case of business or asset sale, with the acquiring party.
To comply with legal obligations or enforce terms of use/sale.
With your consent.
Where legally authorised.
Data may also be shared with partners if services are co-branded, or if you opted in to receive communications from our partners.
We may display social media content on our platforms. Accessing such content may result in social media cookies being placed on your device.
We do not sell your personal data.
F. WHERE IS YOUR PERSONAL DATA STORED?
Data may be transferred, accessed from, and stored outside the European Economic Area (EEA). This includes processing by staff outside the EEA working for us or our service providers.
Transfers outside the EEA are carried out securely and in compliance with applicable law, with safeguards including contractual obligations or EU-approved clauses.
G. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We retain personal data only as long as necessary for the purpose, to meet your needs, or to comply with legal obligations.
Examples:
Purchases: retained for the duration of the contractual relationship.
Promotional offers: retained for the offer period.
Requests: retained for the duration of handling.
Accounts: retained until deletion request or after defined inactivity.
Marketing consent: retained until withdrawal or after three years of inactivity.
Cookies: retained only as long as needed for their purpose.
After use, data is deleted or anonymised.
H. SECURITY OF PERSONAL DATA
We take reasonable measures to protect your personal data. Third-party processors must also comply contractually.
While we strive for security, internet transmission is not completely secure, and data is transmitted at your own risk.
I. LINKS TO THIRD-PARTY SITES AND SOCIAL MEDIA LOGIN
Our websites and apps may contain links to partner or affiliate sites, which have their own privacy policies.
Connecting via social media may result in sharing profile information as per your social media settings.
J. SOCIAL MEDIA AND USER-GENERATED CONTENT
Some websites and apps allow users to post content. Content posted may be publicly accessible. Exercise caution with personal data (e.g., financial or address information). We are not responsible for third-party actions regarding user-posted content.
5. YOUR RIGHTS AND CHOICES
Les Thermes Saint-Gervais Mont Blanc respects your right to privacy: it is important that you have control over your personal data. You have the following rights:
Right to be informed
You have the right to obtain clear, transparent, understandable, and easily accessible information about how we use your personal data and about your rights. For this reason, we provide this information in this Policy.
Right of access
You have the right to access the personal data we hold about you (subject to certain restrictions). We may charge a reasonable fee taking into account the administrative costs of providing the information. Manifestly unfounded, excessive, or repeated requests may not receive a response.
To exercise your right of access, please contact us using the details provided below.
Right to rectification
You have the right to request that your personal data be corrected if it is inaccurate or outdated, and/or completed if it is incomplete. To exercise your right to rectification, please contact us using the details provided below. If you have an account, it may be easier to modify your own data via the “My Account” feature.
Right to erasure / right to be forgotten
In certain cases, you have the right to request the deletion of your personal data. This is not an absolute right, as we may be required to retain your personal data for legal or legitimate reasons. If you wish us to delete your data, please contact us using the details provided below.
Right to object to marketing, including profiling
You may unsubscribe or object to receiving our marketing messages at any time. Simply click the “unsubscribe” link in any email or communication we send you. You may also contact us using the details provided below. If you wish to object to profiling, please contact us using the details provided below.
Right to withdraw consent at any time for data processing based on consent
You may withdraw your consent for the processing of your data if this processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing based on consent carried out prior to the withdrawal. Please refer to the table in the section “What personal data do we collect from you and how do we use it?”—particularly the column “On what legal basis is your personal data processed?”—to determine whether our processing is based on consent.
If you wish to withdraw your consent, please contact us using the details provided below.
Right to object to processing based on legitimate interests
You may object at any time to the processing of your data when it is based on legitimate interests. Please refer to the table in the section “What personal data do we collect from you and how do we use it?”—particularly the column “On what legal basis is your personal data processed?”—to determine whether our processing is based on legitimate interests.
If you wish to exercise your right to object, please contact us using the details provided below.
Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with the data protection authority (CNIL) to challenge the practices of Les Thermes Saint-Gervais Mont Blanc regarding the processing of personal data and privacy. We encourage you to contact us using the details below before submitting any complaint to the competent data protection authority.
Right to data portability
You have the right to move, copy, or transfer the data concerning you from our database to another. This applies only to data you have provided, when processing is based on consent or a contract and carried out using automated means. Please refer to the table in the section “What personal data do we collect from you and how do we use it?”—particularly the column “On what legal basis is your personal data processed?”—to determine whether our processing is based on a contract or consent.
For more information, please contact us using the details provided below.
Right to restrict processing
You have the right to request the restriction of the processing we carry out on your data. This means that your personal data may be retained but not used or processed. This right applies in specific circumstances under the General Data Protection Regulation, namely:
When the accuracy of personal data is contested by you, allowing the data controller to verify its accuracy;
When processing is unlawful, and you oppose erasure and instead request restriction of use;
When the controller no longer needs the data for processing purposes, but you need it for the establishment, exercise, or defence of legal claims;
When you have objected to processing based on legitimate interests, pending verification of whether the controller’s legitimate grounds prevail over yours.
If you wish to request restriction of processing, please contact us using the details provided below.
Right to disable cookies
You have the right to disable cookies. Browser settings are usually set by default to accept cookies, but you can easily change this by adjusting your browser settings. Many cookies improve website/app usability and functionality; disabling cookies may prevent you from using certain parts of this site. For more information, see http://www.aboutcookies.org/.
To respond to your request, we may require proof of identity.
6. CONTACT
If you have any questions or comments regarding how we process and use your personal data, or if you wish to exercise any of the rights mentioned above, please contact us by email at: dpo@tsgmb.com, via our contact form, or write to us at the following address: THERMES de SAINT-GERVAIS LES BAINS, 355 Allée du Docteur Lépinay, 74170 LE FAYET, France.
7. LEGAL PROVISIONS FOR FRANCE
We remind you that, in accordance with the provisions of Article 40-1 of Law No. 78-17 of 6 January 1978, you have the right to issue general directives (to a certified digital trusted third party approved by the CNIL) or specific directives (to the data controller) regarding the retention, deletion, and disclosure of your personal data after your death.

