1. Introduction and Commitment to Privacy

Aroma Wellness (“we,” “us,” or “our”) provides a range of professional massage and therapeutic wellness services, including Swedish Massage, Effleurage Massage, Sports Massage, Shiatsu Massage, Therapeutic Massage, Neck and Shoulder Massage, Full Body Massage, and Deep Tissue Massage. Our practice is rooted in client well-being, safety, and trust.

This Privacy Policy explains in full how we collect, use, disclose, store, secure, and manage your personal and health-related information across all channels of interaction—including in-person visits, phone calls, email correspondence, online booking platforms, our official website (if applicable), social media, and any mobile applications we may operate or integrate with.

We are deeply committed to upholding the highest standards of confidentiality, ethics, and compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) for individuals in the European Economic Area (EEA), the UK GDPR, the California Consumer Privacy Act (CCPA), and other relevant national, state, or provincial privacy statutes.

By engaging with Aroma Wellness, whether by booking a session, completing a consultation form, or communicating with our team, you acknowledge and consent to the practices described herein. If you do not agree with any portion of this Privacy Policy, please discontinue use of our services.

2. Scope of This Policy

This Privacy Policy applies to all individuals who interact with Aroma Wellness in any capacity, including:

  • Current and former clients
  • Prospective clients who inquire about services
  • Individuals who subscribe to our communications
  • Visitors to our physical location, website, or social media channels

It governs all personal information collected, regardless of format (digital, paper, or verbal), and covers both direct and indirect data collection methods.

3. Types of Personal Information Collected

We collect and process various categories of personal information, categorized as follows:

  • Basic Identifying Information
    • Full legal name
    • Date of birth
    • Gender (when relevant to treatment)
    • Contact details: home or work address, telephone number, mobile number, email address
  • Appointment and Service-Related Information
    • Preferred type of massage or wellness service
    • Date, time, and duration of scheduled appointments
    • Therapist preference or assignment
    • Session notes documenting pressure preferences, focus areas, or real-time feedback
    • Cancellation history and rescheduling patterns

  • Health and Medical Information (Sensitive Personal Data)

To ensure your safety and the effectiveness of your treatment, we collect health-related information that may include:

    • Current or past injuries, surgeries, or musculoskeletal conditions
    • Chronic illnesses (e.g., diabetes, hypertension, arthritis)
    • Pregnancy status and trimester (if applicable)
    • Known allergies (e.g., to oils, lotions, or essential oils used in aromatherapy)
    • Skin conditions or sensitivities
    • Medications that may affect massage (e.g., blood thinners, muscle relaxants)
    • Psychological or emotional considerations (e.g., anxiety, PTSD) disclosed voluntarily
    • Contraindications or physician-recommended restrictions

This information is classified as “special category data” under GDPR and is handled with heightened confidentiality and security.

  • Payment and Financial Information
    • Credit or debit card details (processed via secure, PCI DSS-compliant third-party payment gateways)
    • Billing address
    • Receipt and invoice records
    • Insurance information (if applicable and provided for reimbursement purposes)

Note: Aroma Wellness does not store full credit card numbers or CVV codes on our internal systems.

  • Digital and Technical Information

If you interact with our online systems, we may automatically collect:

    • IP address and approximate geolocation
    • Device type, operating system, and browser version
    • Referring website or search terms used to find us
    • Pages viewed, time spent on site, and navigation behavior
    • Cookies, pixels, and similar tracking technologies (detailed in Section 9)

  • Communications and Feedback
    • Content of emails, text messages, or voicemails
    • Responses to client satisfaction surveys
    • Testimonials or reviews (published only with explicit permission)
    • Notes from phone or in-person consultations

  • Referral or Third-Party Information
    • Details provided by healthcare professionals (e.g., physiotherapists, chiropractors) referring you, always with your knowledge and consent
    • Information imported from third-party booking platforms (e.g., Mindbody, Fresha, Square Appointments) used to manage appointments

4. Purposes of Data Collection and Processing

We process your personal information solely for legitimate, necessary, and transparent purposes directly related to our wellness services:

  • Service Delivery: To schedule, prepare for, and administer your massage therapy safely and effectively based on your health profile and preferences.
  • Health and Risk Assessment: To evaluate whether a requested service is medically appropriate and to avoid techniques that could cause harm.
  • Client Communication: To confirm appointments, send reminders (via SMS or email), follow up on treatment progress, and respond to inquiries.
  • Billing and Recordkeeping: To process payments, issue receipts, manage accounts, and maintain accurate financial records.
  • Legal and Regulatory Compliance: To adhere to licensing requirements, professional standards set by massage therapy boards, tax obligations, and public health regulations.
  • Quality Assurance and Staff Training: To review session outcomes (anonymized where possible) and enhance practitioner skills, always without identifying the client unless necessary for case discussion with supervision and consent.
  • Marketing and Outreach (Opt-In Only): To send newsletters, promotional offers, seasonal wellness tips, or loyalty program updates only if you have explicitly consented. You may unsubscribe at any time.
  • Website and System Functionality: To operate, maintain, and improve our digital platforms, analyze traffic, and prevent fraud or abuse.

We do not use your health data for automated decision-making or profiling.

5. Legal Basis for Processing Personal Data

Depending on your location and the nature of the data, our lawful bases for processing include:

  • Performance of a Contract: Processing is necessary to fulfill our agreement to provide you with a booked massage service.
  • Legal Obligation: We are required by law or professional regulatory bodies to maintain certain records (e.g., client intake forms for a minimum retention period).
  • Vital Interests: In rare emergency situations, to protect your life or physical well-being (e.g., if you experience an adverse reaction during a session).
  • Explicit Consent: For processing sensitive health data, for marketing communications, or for sharing information beyond our internal team. Consent is freely given, specific, informed, and revocable.
  • Legitimate Interests: For operational improvements, fraud prevention, or internal analytics—provided these interests do not override your fundamental rights and freedoms.

6. Sharing and Disclosure of Personal Information

We treat your information as strictly confidential and do not sell, lease, or monetize your data in any form. Disclosure occurs only under the following controlled circumstances:

  • Internal Staff: Only licensed massage therapists and authorized administrative personnel involved in your care or appointment management have access, bound by professional codes of ethics and signed confidentiality agreements.
  • Third-Party Service Providers: We engage trusted vendors for essential functions such as:
    • Payment processing (e.g., Stripe, PayPal, Square)
    • Booking and client management software (e.g., Zen Planner, Acuity)
    • Email marketing platforms (e.g., Mailchimp)
    • Cloud storage and IT security services

All vendors are contractually obligated to protect your data and are prohibited from using it for their own purposes.

  • Legal and Regulatory Authorities: If compelled by a court order, subpoena, or government agency, or to protect our legal rights, safety, or property.
  • Healthcare Professionals: Only with your written authorization, we may share limited information with your doctor, physiotherapist, or other care providers to coordinate treatment.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, client data may be transferred as a business asset, with continued adherence to this Privacy Policy or an equivalent.

We never disclose your session details, health notes, or personal preferences to advertisers, data brokers, or unrelated third parties.

7. International Data Transfers

Should your data be transferred outside your country of residence (e.g., to cloud servers located in the United States or elsewhere), we ensure adequate safeguards are in place. These may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (if applicable)
  • Certification under recognized data protection frameworks (e.g., Privacy Shield successor mechanisms)

You may request details about specific transfer mechanisms upon written request.

8. Data Retention Practices

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by law:

  • Health and Treatment Records: Retained for seven (7) years from the date of your last session, in compliance with massage therapy licensing board requirements and potential medical liability statutes.
  • Appointment and Contact Information: Kept for two (2) years after your last visit to facilitate rebooking and service continuity unless you request earlier deletion.
  • Financial Records: Maintained for seven (7) years to meet tax and accounting obligations.
  • Marketing Preferences: Stored until you unsubscribe or withdraw consent.
  • Website Analytics Data: Aggregated and anonymized data may be retained indefinitely; identifiable logs are typically deleted after 12–24 months.

Upon request, we will delete or anonymize your data earlier, except where retention is mandated by law.

9. Use of Cookies and Tracking Technologies

If Aroma Wellness operates a website or online portal, we may use the following technologies:

  • Essential Cookies: Necessary for core functionality (e.g., maintaining login sessions, remembering booking selections).
  • Performance/Analytics Cookies: Collect anonymous usage data to improve site performance and user experience (e.g., Google Analytics). No personally identifiable information is linked without consent.
  • Functional Cookies: Remember preferences (e.g., language, location) to personalize your visit.
  • Marketing/Targeting Cookies: Used only with your explicit opt-in to deliver relevant ads or measure campaign effectiveness (e.g., Facebook Pixel, Google Ads).

You can manage or disable non-essential cookies through your browser settings or via a cookie consent banner on our website. Disabling essential cookies may limit your ability to use certain features.

10. Security Measures

We implement a multi-layered approach to data security, including:

  • Technical Safeguards: End-to-end encryption for online communications, firewalls, intrusion detection systems, and regular security patching.
  • Administrative Controls: Staff training on privacy best practices, strict access controls based on role, and mandatory confidentiality agreements.
  • Physical Protections: Locked filing cabinets for paper records, restricted access to treatment and office areas, and secure disposal of documents (shredding).
  • Data Minimization: We collect only the information necessary for the stated purpose.
  • Incident Response Plan: Procedures to detect, report, and mitigate any data breach, including notifying affected individuals and regulators where required by law.

All client health records, digital or paper, are stored separately from general administrative files and are accessible only to treating practitioners and management.

11. Your Privacy Rights

Depending on your jurisdiction, you may exercise the following rights regarding your personal data:

  • Right to Access: Obtain confirmation of whether we process your data and receive a copy of the information held.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure (‘Right to Be Forgotten’): Request deletion of your data when no longer necessary for our legal or service obligations.
  • Right to Restriction of Processing: Limit how we use your data under certain conditions (e.g., while accuracy is verified).
  • Right to Data Portability: Receive your data in a structured, commonly used format (e.g., PDF or CSV) for transfer to another provider.
  • Right to Object: Opt out of processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: At any time, without affecting the lawfulness of prior processing.

To exercise these rights, submit a written request to our Privacy Contact (see Section 13). We may require verification of your identity to prevent unauthorized disclosure. We will respond within 30 calendar days, unless complexity requires extension (in which case we will inform you).

12. Policy on Minors

Aroma Wellness services are intended exclusively for adults aged 18 and over. We do not knowingly collect or process personal information from children under 18. If we discover that a minor has provided information without parental consent, we will promptly delete such data upon notification.

13. How to Contact Us

For questions, requests, or concerns regarding this Privacy Policy or your personal information, please contact our designated Privacy Officer:

Aroma Wellness

Attn: Privacy Officer

Email: awsom138@gmail.com

Phone: (408) 320-1600

Mailing Address: 10601 S De Anza Blvd Suite 212, Cupertino, CA 95014

We are committed to addressing your inquiries promptly and respectfully.

You also retain the right to file a complaint with your local data protection authority (e.g., the Information Commissioner’s Office in the UK, the Data Protection Commission in the EU, or the relevant state Attorney General in the U.S.).

14. Updates to This Privacy Policy

We review this Privacy Policy periodically to reflect changes in our services, technology, legal landscape, or operational practices. The “Effective Date” at the top of this document will be updated to indicate revisions. We encourage you to revisit this page regularly. Material changes will be communicated via email (if we have your address) or posted prominently on our website or reception area.

Final Note

At Aroma Wellness, your trust is our most valued asset. Every aspect of this Privacy Policy is designed to honor your dignity, autonomy, and right to privacy as you embark on your journey toward physical and emotional well-being. We pledge to handle your information with the utmost care, professionalism, and integrity.