Privacy

ANGATI NaturElement GmbH As of: January 2026

1. Controller

ANGATI NaturElement GmbH Aurikelweg 54/2

1220 Vienna

Austria

Email: naturelement@angati.at

Phone: +43 650 2 831 831

Please direct any data protection inquiries to the email address listed above.

2. General Information

The protection of your personal data is of utmost importance to us. We process your data exclusively in accordance with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and all relevant statutory provisions.

This Privacy Policy informs you about the types of personal data we process, the purposes for which we process it, the legal basis for doing so, and how long it will be stored.

3. Categories of Personal Data

Depending on how you interact with us, we process the following categories of data in particular:

  • Master and contact data (name, address, email address, phone number)
  • Contract, order, and payment data (billing address, order history, payment information)
  • Appointment and booking data (booked treatments, dates, locations)
  • Communication data (email correspondence, notes from consultations)
  • Usage and access data (IP address, browser type, access times)
  • Membership and status data (VIP member status, purchase history)
  • Health and skin-related information (provided voluntarily, strictly within the scope of treatments and skin analyses)
  • Payment and banking details (for SEPA direct debit mandates for VIP members)

4. Legal Basis for Processing

  • Art. 6 (1) (a) GDPR – Consent
  • Art. 6 (1) (b) GDPR – Performance of a contract
  • Art. 6 (1) (c) GDPR – Compliance with a legal obligation (e.g., tax-related retention requirements)
  • Art. 6 (1) (f) GDPR – Legitimate interests (e.g., IT system security, direct marketing for existing customers)
  • Art. 9 (2) (a) GDPR – Explicit consent for sensitive data (health data)

5. Website & Hosting

When you visit our website (www.angati-naturelement.com), technical access data is automatically processed:

  • IP address (anonymized after the session ends)
  • Time of access
  • Browser type and operating system
  • Pages visited and referring website (referrer)

Purpose: Ensuring technical operations, IT security, and error analysis.

Legal Basis: Art. 6 (1) (f) GDPR.

Retention Period: Server logs are automatically deleted after 7 days.

Hosting: Our website is hosted by Webflow, Inc. (USA). Data transfer to the USA is based on the Standard Contractual Clauses (SCCs) of the European Commission (Art. 46 (2) (c) GDPR). For further information, please visit: https://webflow.com/legal/eu-privacy-policy

Email Hosting: Our email provider is One.com A/S (Denmark). Data processing is conducted under a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR.

6. Cookies

We exclusively use strictly necessary cookies that are required for the operation of the website (e.g., session cookies for the shopping cart).

We currently do not use any analytical or marketing tracking tools (such as Google Analytics, Facebook Pixel, etc.). Furthermore, no social media plugins are utilized.

Legal Basis: Art. 6 (1) (f) GDPR.

7. Contacting Us

When you contact us via email, phone, contact form, or in person, we process your data to handle and respond to your inquiry.

Legal Basis: * Art. 6 (1) (b) GDPR (pre-contractual inquiries)

  • Art. 6 (1) (f) GDPR (general inquiries)

Retention Period: Maximum of 6 months after the correspondence has concluded, provided that no contractual relationship is established or no statutory retention periods apply.

8. Product Catalog & Price Overview

We provide a product catalog with a price overview on our website. This is for informational purposes only (specifically for distributors and business partners) and does not offer a direct ordering function.

Orders are placed via alternative channels (email, phone, personal contact).

Legal Basis for display: Art. 6 (1) (f) GDPR (legitimate interest in product presentation).

9. Payment Service Providers

9.1 Stripe (In-Person Card Payments)

For card payments at our institutes and spa locations, we use Stripe Payments Europe Ltd. (Ireland) via card readers. When paying on-site, your payment data is transmitted directly to Stripe through the terminal. We do not receive complete credit card details, but only a transaction confirmation.

Legal Basis: Art. 6 (1) (b) GDPR (performance of a contract).

Stripe Privacy Policy: https://stripe.com/privacy

9.2 GoCardless (SEPA Direct Debit for VIP Members)

For SEPA direct debit handling regarding VIP member subscriptions, we use GoCardless Ltd. (UK/EU). For this purpose, we require your name, IBAN, and a SEPA direct debit mandate.

Legal Basis: Art. 6 (1) (b) GDPR (performance of a contract).

GoCardless Privacy Policy: https://gocardless.com/legal/privacy/

Retention Period for Payment Data: Payment information and transaction data are stored for the duration of the business relationship as well as in compliance with statutory retention periods (7 years for invoices pursuant to § 132 of the Austrian Federal Fiscal Code / BAO).

10. CRM and Administrative Systems (Odoo)

To manage customer data, orders, appointments, memberships, and internal processes, we utilize Odoo (ERP/CRM system).

The following data is processed:

  • Customer master data
  • Order history and contracts
  • Appointment schedules and treatment notes
  • VIP member status and purchase history
  • Internal notes regarding customer service

Legal Basis: * Art. 6 (1) (b) GDPR (performance of a contract)

  • Art. 6 (1) (f) GDPR (legitimate interest in efficient business organization)

Processing is carried out in compliance with data protection laws under a Data Processing Agreement pursuant to Art. 28 GDPR. Data is stored on servers within the European Union.

11. Appointment Booking (Website & Treatwell)

Online appointment bookings are managed via:

  1. Our website (direct booking system)
  2. Treatwell (external booking platform)

Data processed: Name, email address, phone number, requested treatment, preferred date/time, and location.

Purpose: Appointment scheduling, customer communication, and service provision.

Legal Basis: Art. 6 (1) (b) GDPR.

Treatwell: Treatwell processes personal data as an independent data controller. Treatwell’s privacy policy can be found at: https://www.treatwell.at/info/privacy-policy/

12. Treatments – Online & Offline

Within the scope of facial and body treatments, sensitive health data may be processed on a voluntary basis, including:

  • Skin condition and skin type
  • Allergies and intolerances
  • Pre-existing medical conditions (if relevant to the treatment)
  • Current medications

This information is always provided voluntarily and strictly to ensure optimal treatment execution.

Legal Basis: * Art. 6 (1) (b) GDPR (performance of a contract)

  • Art. 9 (2) (a) GDPR (explicit consent for health data)

Retention: Treatment records are retained for 3 years following your last treatment (for liability reasons).

13. VIP Members

For VIP members, we additionally process:

  • Membership status and contract data
  • Purchase history and booked treatments
  • SEPA direct debit mandate (for automated billing)
  • Individual preferences and notes

Purpose: Personalized customer care, automated payment processing, and exclusive offers.

Legal Basis: Art. 6 (1) (b) GDPR.

Retention Period: For the duration of the membership and subsequently in accordance with statutory retention periods.

14. Newsletter

We send newsletters and promotional information only with your explicit consent (using the double opt-in procedure).

Legal Basis: Art. 6 (1) (a) GDPR.

Management: Newsletter distribution is managed through our internal CRM system (Odoo).

Unsubscribing: An unsubscribe link is included in every email. You can opt out at any time.

Upon unsubscribing, your data will be removed from the newsletter distribution list, unless other legal bases (e.g., an ongoing customer relationship) justify further processing.

15. Disclosure and Sharing of Data

Your personal data will only be shared in the following scenarios:

  1. Legal obligations (e.g., to tax authorities, public bodies)
  2. Performance of a contract (e.g., shipping carriers, payment providers)
  3. Data processors (e.g., hosting providers, CRM system) – who are contractually bound to comply with the GDPR pursuant to Art. 28 GDPR
  4. Consent (if you have explicitly agreed)

We never share or sell your data to third parties for advertising or marketing purposes.

16. Data Retention Period

Personal data is only stored for as long as necessary to fulfill the respective purpose or as required by statutory retention periods:

Type of DataRetention PeriodInquiries without contract conclusion6 monthsContracts and orders7 years (§ 132 BAO – statutory tax retention)Invoices7 years (§ 132 BAO)Treatment records3 years after the last treatmentVIP member dataDuration of membership + 7 years (for invoices)Newsletter subscribersUntil unsubscribe/withdrawal of consentWebsite logs7 days

Upon expiry of these periods, the data will be deleted unless you have consented to a longer retention period.

17. Automated Decision-Making

We do not use automated decision-making or profiling as defined in Art. 22 GDPR. All decisions (e.g., concluding contracts, creating individual offers) are made by our team members.

18. Rights of the Data Subject

You have the following rights at any time regarding your personal data:

  • Right of Access (Art. 15 GDPR): You can request information about the personal data we store about you.
  • Right to Rectification (Art. 16 GDPR): You can request the correction of incorrect or incomplete data.
  • Right to Erasure (Art. 17 GDPR): You can request the deletion of your data, provided no statutory retention obligations conflict.
  • Right to Restriction of Processing (Art. 18 GDPR): You can request that the processing of your data be restricted.
  • Right to Data Portability (Art. 20 GDPR): You can request that we provide your data in a structured, commonly used format.
  • Right to Withdraw Consent (Art. 7 (3) GDPR): You can withdraw your consent at any time with effect for the future.
  • Right to Object (Art. 21 GDPR): You can object to the processing of your data based on grounds relating to your particular situation.

To exercise your rights, please contact us at: naturelement@angati.at

19. Right to Lodge a Complaint

If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with the competent supervisory authority.

Competent Supervisory Authority in Austria: Österreichische Datenschutzbehörde (Austrian Data Protection Authority)

Barichgasse 40–42

1030 Vienna

Austria

Phone: +43 1 52 152-0

Email: dsb@dsb.gv.at

Website: https://www.dsb.gv.at

20. Data Security

We implement appropriate technical and organizational security measures (TOMs) to protect your data from unauthorized access, loss, or misuse:

  • SSL/TLS encryption of the website
  • Secure passwords and strict access controls
  • Regular security updates
  • Data backups
  • Regular data protection training for our staff

21. Changes to this Privacy Policy

We reserve the right to adapt this Privacy Policy to align with updated legal requirements or changes to our services. The current version published on our website shall always apply.