Privacy Policy

Information We Collect

Personal Information

When you book an appointment or contact us, we may collect:

• Name and contact information (phone number, email address)
• Wellness preferences or health notes you choose to share for your appointment
• Appointment history and package or gift card purchase details
• Payment information (processed securely through third-party providers)

By booking a treatment or submitting wellness-related information, you consent to Leelawadee Thai Spa collecting and using that information only to schedule and provide your spa services.

Website Information

When you visit our website, certain non-identifiable information may be automatically collected for analytics and site performance purposes, including:

• IP address and browser information
• Pages visited and time spent on our site
• Referring website information
• Device and operating system information

How We Use Your Information

We use your personal information for the following purposes:

• Treatment and Care: To provide spa and wellness services and maintain appointment records
• Appointment Management: To schedule, confirm, and manage your appointments
• Payment and Packages: To process purchases, gift cards, packages, refunds, and receipts
• Communication: To contact you about appointments, packages, service updates, or inquiries
• Legal Compliance: To meet legal, tax, accounting, and business record requirements
• Website Improvement: To analyze website usage and improve our online services

AI Assistant and Third-Party Processing

If our website includes an AI-powered assistant or similar support feature, information you enter may be processed by the technology provider so the assistant can respond.

Please avoid entering sensitive medical, financial, or payment information into any chat assistant. We do not use assistant conversations for marketing profiling.

Important: By using the assistant, you acknowledge and consent to this data processing. You may choose not to use the assistant at any time. If you have questions about this integration or your data rights, please contact us.

Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

• Legal Requirements: When required by law or to protect our rights and safety
• Service Providers: With trusted third parties who assist in our operations, including:
  • Square Inc. - appointment booking, payment processing, customer records
  • Supabase - secure backend database and infrastructure
  • Resend - transactional email delivery (booking confirmations, etc.)
  • MailerLite - opt-in marketing email and waitlist management
  • Netlify - website hosting and content delivery
• Advertising and Measurement Partners: To measure the effectiveness of our advertising and reach prospective customers, we share cryptographically hashed (SHA-256 one-way hashed) identifiers - such as your email address, phone number, name, and approximate location - with:
  • Meta Platforms (Facebook/Instagram) - via the Meta Pixel and Conversions API. Hashed identifiers allow Meta to match your activity to your Facebook/Instagram account for ad attribution and audience building. We never send unhashed personal information.
  • Google - via Google Analytics and Google Tag Manager, for site analytics and conversion tracking.
  You may opt out of receiving personalized advertising through your Meta ad preferences and Google ad settings. Declining marketing cookies on our site will also stop these transmissions.

International Data Transfers

Some of our service providers (including Meta, Google, Square, Supabase, Resend, MailerLite, and Netlify) are based in the United States or other countries outside Canada. When we share information with them, your data may be stored or processed outside of Canada and may be subject to the laws of those jurisdictions, including lawful access requests by foreign government authorities.

We only work with service providers who offer privacy protections substantially comparable to those required under Canadian law (PIPEDA / BC PIPA). By using our services, you acknowledge and consent to this international transfer of your personal information.

Third-Party Links

Our website may contain links to third-party websites such as Square, Google Maps, social media platforms, and payment providers. We are not responsible for the privacy practices or content of those third-party sites. Please review their privacy policies before providing any personal information.

Data Security and Retention

Security Measures

We implement appropriate technical and organizational measures to protect your personal information, including:

• Secure storage of physical and electronic records
• Access controls and staff training on privacy protection
• Encrypted transmission of sensitive data
• Regular security assessments and updates

Data Retention

We retain your personal information only as long as necessary for the purposes outlined in this policy or as required by law. Typical retention periods:

• Booking and customer records: 7 years (required for Canadian tax and business records)
• Marketing email subscribers: until you unsubscribe
• Website analytics data: typically 14-26 months (set by Google Analytics / Meta)
• Browser-stored identifiers (localStorage and cookies): automatically deleted after 6 months of inactivity, or whenever you clear your browser data
• Hashed identifiers sent to advertising partners: retained by those partners according to their own policies (typically 6-13 months)

Your Privacy Rights

Under Canadian privacy laws (PIPEDA federally, PIPA in British Columbia, and Law 25 in Quebec), you have the right to:

• Access - Request a copy of the personal information we hold about you
• Correction - Request correction of inaccurate or incomplete information
• Deletion - Request deletion of your personal information, subject to legal retention requirements (for example, we are required to keep booking and payment records for 7 years for tax purposes)
• Withdraw Consent - Withdraw permission for marketing communications or advertising tracking at any time, without affecting our ability to provide booked services
• Data Portability - Receive your personal information in a portable format
• Complaint - File a complaint with the Office of the Privacy Commissioner of Canada or, in BC, the Office of the Information and Privacy Commissioner for British Columbia

To exercise these rights, email info@leelawadeethaispa.com. We will respond within 30 days as required under PIPEDA.

Quebec Residents: Under Quebec Law 25, you also have additional rights including the right to be informed of any automated decision-making and to object to the use of your information for profiling. Our privacy officer for Law 25 inquiries is the proprietor of Leelawadee Thai Spa, reachable at the contact details below.

Cookies, Local Storage, and Tracking Technologies

Our website uses cookies, browser local storage, and similar technologies for the following purposes:

• Essential / Functional: Remember your booking progress, language preference, and other site settings.
• Analytics: Understand how visitors use our site (Google Analytics, Google Tag Manager). These use cookies and local storage to measure pageviews, conversions, and traffic sources.
• Advertising and Conversion Tracking: The Meta Pixel (Facebook/Instagram) and Meta Conversions API track when you book, add a service to your booking, or otherwise interact with our site, so we can measure ad performance and reach similar audiences. This involves transmitting cryptographically hashed (SHA-256) versions of your email, phone, name, and approximate location to Meta.
• Returning-visitor recognition: Browser local storage may retain hashed versions of contact information you have voluntarily shared with us (for example, when booking or joining the waitlist) for up to 6 months. This is used solely to improve the accuracy of advertising measurement on subsequent visits and is automatically cleared after 6 months of inactivity or when you clear your browser data.

Cookie Consent and Withdrawal: By continuing to use our website, you consent to our use of cookies and similar technologies as described in this Privacy Policy. You may withdraw consent at any time by:

• Disabling cookies in your browser settings
• Clearing your browser's local storage and cookies for this site
• Using browser-level tracking protections (Safari ITP, Firefox ETP, etc.)
• Adjusting your Meta ad preferences and Google ad settings

Disabling cookies will not prevent you from booking with us, but may reduce the personalization of certain features.

Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of our services after any changes indicates your acceptance of the updated policy.