ANGATI NaturElement GmbH
January 2026
### 1. Controller
**ANGATI NaturElement GmbH**
Aurikelweg 54/2
1220 Vienna
Austria
Email: naturelement@angati.at
Phone: +43 650 2 831 831
Please direct any data protection inquiries to the email address above.
### 2. General Information
The protection of your personal data is very important to us. We process your data exclusively in accordance with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act, and applicable legal provisions.

This Privacy Policy informs you about which personal data we process, for what purposes, on what legal basis, and for how long.
### 3. Categories of Personal Data
Depending on the context, we may process:

- **Identification and contact data** (name, address, email, phone number)
- **Contract, order, and payment data** (billing address, order history, payment information)
- **Appointment and booking data** (booked treatments, appointments, locations)
- **Communication data** (email correspondence, consultation notes)
- **Website usage and access data** (IP address, browser, access times)
- **Membership and status data** (VIP member status, purchase history)
- **Health- and skin-related information** (voluntary, only in the context of treatments)
- **Payment and banking data** (for SEPA direct debit for VIP members)

---

### 4. Legal Bases
- **Art. 6(1)(a) GDPR** – consent
- **Art. 6(1)(b) GDPR** – contract performance
- **Art. 6(1)(c) GDPR** – legal obligation (e.g., tax retention requirements)
- **Art. 6(1)(f) GDPR** – legitimate interest (e.g., IT security, direct marketing to existing customers)
- **Art. 9(2)(a) GDPR** – explicit consent for sensitive data (health data)
### 5. Website & Hosting
When visiting our website (www.angati-naturelement.com), technical access data is processed automatically:
- IP address (anonymized after session ends)
- Time of access
- Browser and operating system
- Pages accessed and referrer

**Purpose:** Technical operation, IT security, and error analysis.
**Legal basis:** Art. 6(1)(f) GDPR.
**Retention:** Logs are deleted after 7 days.

**Hosting:** Our website is hosted by **Webflow, Inc. (USA)**. Data transfers to the USA are based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). More information: https://webflow.com/legal/eu-privacy-policy

**Email hosting:** Our email provider is **One.com A/S (Denmark)**. Processing is carried out under a data processing agreement in accordance with Art. 28 GDPR.

---

### 6. Cookies
We use only **technically necessary cookies** required for website operation (e.g., session cookies for shopping cart).

We currently **do not use analytics or marketing tracking tools** (Google Analytics, Facebook Pixel, etc.). **Social media plugins** are also not used.

**Legal basis:** Art. 6(1)(f) GDPR.
### 7. Contact
If you contact us by email, phone, contact form, or in person, we process your data to handle your request.

**Legal basis:**
- Art. 6(1)(b) GDPR (pre-contractual inquiries)
- Art. 6(1)(f) GDPR (general inquiries)

**Retention:** Up to 6 months after conclusion of correspondence, unless a contractual relationship is established or statutory retention obligations apply.
### 8. Product Catalog & Price Overview
On our website we provide a product catalog with price overview. This serves exclusively for information purposes (particularly for distributors and business partners) and offers **no direct ordering function**.

Orders are placed through other channels (email, phone, personal contact).

**Legal basis for display:** Art. 6(1)(f) GDPR (legitimate interest in product presentation).
### 9. Payment Service Providers
#### 9.1 Stripe (Card Payments On-Site)
For card payments at our institutes and spa locations we use **Stripe Payments Europe Ltd. (Ireland)** with card readers. When making payments on-site, your payment data is transmitted directly via the card terminal to Stripe. We do not receive complete credit card data, only a transaction confirmation.

**Legal basis:** Art. 6(1)(b) GDPR (contract performance).
**Stripe Privacy Policy:** https://stripe.com/privacy
#### 9.2 GoCardless (SEPA Direct Debit for VIP Members)
For SEPA direct debit for VIP member subscriptions we use **GoCardless Ltd. (UK/EU)**.
For this we require your name, IBAN, and a SEPA direct debit mandate.

**Legal basis:** Art. 6(1)(b) GDPR (contract performance).
**GoCardless Privacy Policy:** https://gocardless.com/legal/privacy/

**Payment Data Retention:** Payment information and transaction data are stored for the duration of the business relationship and according to statutory retention requirements (7 years for invoices, § 132 BAO).
### 10. CRM and Administration Systems (Odoo)
For managing customer data, orders, appointments, memberships, and internal processes, we use **Odoo** (ERP/CRM system).

**Data processed:**
- Customer master data
- Order history and contracts
- Appointment calendar and treatment notes
- VIP member status and purchase history
- Internal notes for customer care

**Legal basis:**
- Art. 6(1)(b) GDPR (contract performance)
- Art. 6(1)(f) GDPR (legitimate interest in efficient business organization)

Processing is carried out in compliance with Art. 28 GDPR. Data is stored on servers within the EU.
### 11. Appointment Booking (Website & Treatwell)
Online appointment bookings are handled via:
1. Our website (direct booking system)
2. **Treatwell** (external booking platform)

**Data processed:** Name, email, phone number, desired treatment, preferred appointment, location.

**Purpose:** Appointment management, customer communication, service provision.
**Legal basis:** Art. 6(1)(b) GDPR.

**Treatwell:** Treatwell processes personal data as an **independent controller**. Treatwell's privacy policy can be found at: https://www.treatwell.com/info/privacy-policy/
### 12. Treatments – online & offline
In the context of facial and body treatments, **sensitive health data may be processed voluntarily**, such as:
- Skin condition and skin type
- Allergies and intolerances
- Pre-existing conditions (if relevant for treatment)
- Medication intake

This information is always provided voluntarily and exclusively for optimal treatment execution.

**Legal basis:**
- Art. 6(1)(b) GDPR (contract performance)
- Art. 9(2)(a) GDPR (explicit consent for health data)

**Retention:** Treatment records are kept for 3 years after the last treatment (liability reasons).
### 13. VIP Members
For VIP members we additionally process:
- Member status and contract data
- Purchase history and booked treatments
- SEPA direct debit mandate (for automatic payment)
- Individual preferences and notes

**Purpose:** Personalized care, automatic payment processing, exclusive offers.
**Legal basis:** Art. 6(1)(b) GDPR.
**Retention:** For the duration of membership and subsequently according to statutory periods.
### 14. Newsletter
Newsletters and promotional information are sent only with **explicit consent** (double opt-in procedure).

**Legal basis:** Art. 6(1)(a) GDPR.
**Management:** Newsletter management is handled via our internal CRM system (Odoo).
**Unsubscribe:** Each email contains an unsubscribe link. You can unsubscribe at any time.

If you unsubscribe, your data will be deleted from the newsletter list unless other legal bases (e.g., customer relationship) exist.
### 15. Data Sharing
Personal data is shared only in the following cases:

1. **Legal obligation** (e.g., to tax authorities, government agencies)
2. **Contract performance** (e.g., shipping service providers, payment providers)
3. **Processors** (e.g., hosting providers, CRM system) – these are contractually obligated to comply with GDPR (Art. 28 GDPR)
4. **Consent** (if you have agreed)

We **do not share data with third parties for advertising purposes**.
### 16. Data Retention
Personal data is stored only as long as necessary for the respective purpose or as required by law:

| Data type | Retention period |
|-----------|------------------|
| **Inquiries without contract** | 6 months |
| **Contracts and orders** | 7 years (§ 132 BAO – tax requirement) |
| **Invoices** | 7 years (§ 132 BAO) |
| **Treatment records** | 3 years after last treatment |
| **VIP member data** | Duration of membership + 7 years (invoices) |
| **Newsletter subscribers** | Until unsubscription |
| **Website logs** | 7 days |

After these periods expire, data will be deleted unless you have consented to longer storage.
### 17. Automated Decision-Making
We **do not use automated decision-making** or profiling as defined in Art. 22 GDPR. All decisions (e.g., contract conclusions, individual offers) are made by our employees.
### 18. Data Subject Rights
You have the following rights at any time:

- **Access** (Art. 15 GDPR): You can request information about your personal data.
- **Rectification** (Art. 16 GDPR): You can request correction of inaccurate or incomplete data.
- **Erasure** (Art. 17 GDPR): You can request deletion of your data unless statutory retention obligations apply.
- **Restriction of processing** (Art. 18 GDPR): You can request that processing be restricted.
- **Data portability** (Art. 20 GDPR): You can request that we provide your data in a structured, common format.
- **Withdrawal of consent** (Art. 7(3) GDPR): You can withdraw any consent given at any time with effect for the future.
- **Objection** (Art. 21 GDPR): You can object to processing based on your particular situation.

**To exercise your rights, please contact:**
naturelement@angati.at
### 19. Right to Lodge a Complaint
If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with the competent supervisory authority.

**Competent supervisory authority in Austria:**
Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna
Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at
### 20. Data Security
We implement appropriate technical and organizational security measures to protect your data from unauthorized access, loss, or misuse:

- SSL/TLS encryption of the website
- Secure passwords and access controls
- Regular security updates
- Data backups
- Employee training in data protection
### 21. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in legal requirements or changes to our services.

The current version published on our website always applies.

