Privacy Policy

Article 1 – Purpose and Scope of Application

1. This Privacy Policy applies to all personal data processed by Bloomhouse SL in connection with studio services, subscriptions, Blooms, booking systems, communications, payments, safety measures and website interactions.

2. By creating an account, booking lessons, purchasing a subscription, visiting the studio or interacting with Bloomhouse online or offline, the Client accepts and agrees to this Privacy Policy.

3. This Policy complies with: Regulation (EU) 2016/679 (GDPR); Spanish Organic Law 3/2018 (LOPDGDD); ePrivacy Directive (2002/58/EC); Law 34/2002 (LSSI-CE); PSD2 (EU Directive 2015/2366) and applicable provisions of Spanish Civil and Commercial Law.

Article 2 – Data Controller

The Data Controller is:

Bloomhouse SL NIF B24995581 Avenida Diputación, C.C. Plaza Central, 5, Local 5 03710 Calpe/Calp, Alicante, Spain Email: hola@bloomhouse.es

Article 3 – Categories of Personal Data Processed

Bloomhouse processes the following categories of data:

1. Identification and Contact Data: name, surname, date of birth, email, phone number, address, emergency contact.

2. Account and Subscription Data: membership type, Blooms balance, attendance, cancellations, no-shows, login credentials (encrypted).

3. Payment Data: billing details, transaction history, subscription records, tokenised card details. Bloomhouse does not store full card numbers.

4. Health Data (Special Category Data): injuries, medical conditions, pregnancy, mobility limitations, or other information relevant to safe participation. Processed only with explicit consent.

5. Technical Data: IP address, device/browser information, cookies, analytics, app usage (where applicable).

6. Security Data: CCTV footage, studio access logs, fraud-prevention identifiers.

7. Image and Media Data: photographs and video recordings captured in the studio for promotional, educational, or social media purposes.

Article 4 – Purposes and Legal Grounds for Processing

Bloomhouse processes personal data for the following purposes:

1. Service Delivery (Art. 6(1)(b) GDPR): Creating and managing accounts, administering subscriptions and Blooms, processing bookings, providing lessons and offering customer support.

2. Health and Safety (Art. 6(1)(d) and Art. 9(2)(a) GDPR): Ensuring safe participation in classes. Health data is processed only with explicit consent.

3. Payment Processing (Art. 6(1)(b) and 6(1)(c) GDPR): Managing recurring payments, billing, accounting and financial compliance.

4. Legal Obligations (Art. 6(1)(c) GDPR): Tax, accounting, security and regulatory requirements under Spanish and EU law.

5. Legitimate Interests (Art. 6(1)(f) GDPR): Studio safety and security (including CCTV surveillance), fraud prevention, internal administration, service improvement and operational analytics. CCTV is used to protect the safety of Clients, staff and property. Appropriate signage is displayed at the studio entrance and within the premises in accordance with LOPDGDD requirements.

6. Marketing (Art. 6(1)(a) GDPR): Newsletters and promotional communications are sent only with prior consent.

7. Photography and Media (Art. 6(1)(f) GDPR): Bloomhouse may photograph or record video in the studio for promotional and marketing purposes. This processing is based on legitimate interest. Clients who do not wish to appear in such materials may notify staff before the start of each class, as set out in the General Terms and Conditions.

8. Cookies and Analytics (Art. 6(1)(a) GDPR): Non-essential cookies require explicit consent.

Article 5 – Special Category Data (Health Data)

1. Bloomhouse processes health data only when voluntarily provided by the Client and only with explicit consent (Art. 9(2)(a) GDPR).

2. Health data is used exclusively to ensure safe participation and adapt training when necessary.

3. Consent for health data may be withdrawn at any time.

Article 6 – Data Retention

1. Account and subscription data: retained for the duration of active membership.

2. Financial and billing data: retained for six years under Spanish tax law.

3. Health data: retained only as long as necessary or until consent is withdrawn.

4. CCTV footage: retained for a maximum of thirty days, unless required for investigation.

5. Photographs and video for marketing: retained for as long as they remain in use for promotional purposes, or until the Client requests removal.

6. Communications and customer support messages: retained for twelve to twenty-four months.

7. Deleted accounts: erased or anonymised within ninety days, unless legal obligations require longer retention.

Article 7 – Disclosure of Personal Data

Bloomhouse may share data only where strictly necessary:

1. Data Processors (Art. 28 GDPR): booking platforms, payment providers, email delivery services, hosting providers and analytics tools. All operate under GDPR-compliant Data Processing Agreements.

2. External Instructors (Autónomos): only class-relevant information (e.g., booking lists). No payment or sensitive data is shared without consent.

3. Public Authorities: only when legally required (tax, security, judicial authorities).

Bloomhouse does not sell personal data.

Article 8 – International Data Transfers

1. When personal data is transferred outside the EU/EEA, Bloomhouse ensures compliance through Adequacy Decisions (Art. 45 GDPR), Standard Contractual Clauses (Art. 46 GDPR) and additional technical and organisational safeguards in accordance with post-Schrems II requirements.

2. Clients may request details of such safeguards by contacting hola@bloomhouse.es.

Article 9 – Security Measures

Bloomhouse implements appropriate technical and organisational measures in accordance with Art. 32 GDPR, including: encrypted databases and secure servers; strict access control and authentication procedures; secure backups and disaster-recovery mechanisms; TLS/SSL encryption for online systems; GDPR training and confidentiality obligations for staff; PSD2-compliant payment processing; and regular security evaluations and risk assessments.

Article 10 – Rights of the Client

Clients have the following rights under GDPR: Right of Access (Art. 15); Right to Rectification (Art. 16); Right to Erasure (Art. 17); Right to Restriction (Art. 18); Right to Data Portability (Art. 20); Right to Object (Art. 21); Right to Withdraw Consent (Art. 7(3)) at any time; and Right not to be subject to automated decision-making (Art. 22).

To exercise these rights, Clients may contact: hola@bloomhouse.es

Bloomhouse will respond to data subject requests within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. Clients will be informed of any such extension within one month of the initial request.

Article 11 – Cookies and Tracking Technologies

1. Bloomhouse uses essential cookies for website and booking functionality.

2. Non-essential cookies (analytics, preferences) require prior consent under GDPR and Law 34/2002 (LSSI-CE).

3. A separate Cookie Policy is available on the Bloomhouse website, where you can also manage your cookie preferences.

Article 12 – Data Breach Procedures

1. Bloomhouse will notify the Spanish Data Protection Authority (AEPD) within seventy-two hours if a data breach poses a risk to Client rights (Art. 33 GDPR).

2. Clients will be notified when a breach presents a high risk (Art. 34 GDPR).

3. All incidents are documented.

Article 13 – Children's Data

1. Bloomhouse services are intended exclusively for adults aged eighteen and over.

2. Bloomhouse does not knowingly collect data from minors.

Article 14 – Amendments to This Policy

Bloomhouse may amend this Privacy Policy at any time.

Material changes will be communicated via email or prominently displayed in the booking system or studio.

Article 15 – Contact and Complaints

1. For any data protection matters, Clients may contact Bloomhouse at: hola@bloomhouse.es

2. Clients may also lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at https://www.aepd.es