Privacy Policy

Last updated: February 16, 2026

SAUNA GUUS — PRIVACY POLICY


Website: saunaguus.io
Effective Date: February 2026


This Privacy Policy applies to users of saunaguus.io and visitors to our sauna locations in New York, United States, and London, United Kingdom.




1. Introduction and Scope


This Privacy Policy explains how Sauna Guus and its affiliated entities ("Sauna Guus," "we," "us," or "our") collect, use, disclose, and protect your personal information when you:


  • Visit or use our website at saunaguus.io (the "Site");
  • Book, purchase, or attend saunagus sessions at our physical locations in New York, United States or London, United Kingdom;
  • Create an account, purchase tickets or punchcards, or interact with our achievement and rewards features;
  • Communicate with us via email, social media, or other channels.


Sauna Guus operates as a dual-entity business. Depending on your location and the services you use, the data controller responsible for your personal data is:


  • For users in the United States: Sauna Guus LLC, registered in the State of New York.
  • For users in the United Kingdom: Sauna Guus Ltd, registered in England and Wales.


We are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy is designed to comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018") for our UK users, and the New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") and other applicable US federal and state privacy laws for our US users.


By using our Site or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Site or services. For questions about this policy, contact us at privacy@saunaguus.io.




2. Information We Collect


We collect different types of information depending on how you interact with us. We are committed to data minimisation and only collect information that is necessary for the purposes described in this policy.


2.1 Information You Provide Directly


Account Registration and Profile Data. When you create an account on saunaguus.io, we collect your name, email address, password (stored in hashed form), and optionally your phone number and date of birth. You may also provide a profile photo and display name.


Booking and Transaction Data. When you book a saunagus session, purchase tickets, or buy punchcards, we collect your billing name, billing address, email address, and information about the sessions you have booked (dates, times, locations, and session types). Payment card details are collected and processed directly by our payment processor, Stripe, and are not stored on our servers.


Health Declaration Data. Before your first session, we require you to complete a health declaration form. This form collects information about medical conditions, medications, and health status that may be relevant to the safe use of our sauna facilities. This constitutes "special category data" under the UK GDPR and "health data" under the SHIELD Act, and we treat it with the highest level of care and security. You have the right to decline to provide this information, but we may be unable to allow you to participate in sessions if we cannot assess your safety.


Communications Data. When you contact us by email, through our website contact form, or via social media, we collect the content of your communications, your contact information, and any attachments you send.


2.2 Information Collected Automatically


Device and Usage Data. When you visit our Site, we automatically collect certain technical information, including your IP address, browser type and version, operating system, device identifiers, referring URLs, pages viewed, time spent on pages, and clickstream data. We use this information to operate, maintain, and improve the Site.


Cookies and Similar Technologies. We use cookies, pixels, and similar tracking technologies to enhance your experience on the Site, remember your preferences, and analyse Site usage. For detailed information about the cookies we use and how to manage your preferences, please refer to our Cookie Policy, available on the Site. You can manage cookie preferences through your browser settings or our cookie consent tool.


Achievement and Activity Data. When you interact with our achievement system, we collect data about your session attendance, milestones reached, badges earned, and other activity within the platform. This data is used to operate the gamification features and personalise your experience.


2.3 Information from Third Parties


Payment Processor (Stripe). Our payment processor, Stripe, Inc., may share limited transaction data with us, including confirmation of payment, transaction identifiers, the last four digits of your payment card, card brand, and billing postal code. Stripe's own collection and use of your data is governed by Stripe's Privacy Policy. We encourage you to review it.


Social Media and Authentication Providers. If you choose to log in to our Site using a third-party authentication provider (such as Google or Apple), we receive basic profile information as permitted by that provider and your privacy settings.




3. How We Use Your Information


We use the information we collect for the following purposes:


3.1 Service Delivery and Contract Performance


  • Processing your bookings, ticket purchases, and punchcard transactions;
  • Managing your account and providing access to the Site's features, including achievements;
  • Sending booking confirmations, reminders, receipts, and other transactional communications;
  • Providing customer support and responding to your enquiries;
  • Administering punchcard balances and tracking session credits.


3.2 Safety and Health


  • Assessing whether it is safe for you to participate in saunagus sessions based on your health declaration;
  • Maintaining records of health declarations for the protection of your vital interests and for the establishment, exercise, or defence of legal claims;
  • Ensuring compliance with health and safety regulations at our facilities.


3.3 Improvement and Analytics


  • Analysing usage patterns to improve the Site, our services, and the overall customer experience;
  • Conducting internal research and analytics on session attendance, popularity, and customer preferences;
  • Testing new features and functionality.


3.4 Marketing and Communications


  • Sending promotional emails about new sessions, locations, events, or offers (only with your consent where required by law, and with a clear opt-out mechanism in every communication);
  • Personalising your experience on the Site based on your preferences and activity.


3.5 Legal and Compliance


  • Complying with applicable laws, regulations, and legal obligations, including tax reporting requirements;
  • Detecting, preventing, and responding to fraud, security incidents, and illegal activity;
  • Enforcing our Terms of Service and protecting our rights, property, and the safety of our users and the public;
  • Responding to lawful requests from governmental authorities.




4. Legal Bases for Processing


For UK users: Under the UK GDPR, we must have a valid legal basis for processing your personal data. The bases we rely on include:


  • Contract performance (Article 6(1)(b)): Processing necessary to perform our contract with you, such as processing bookings, managing your account, and fulfilling ticket and punchcard purchases.
  • Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your rights and freedoms. This includes analytics, fraud prevention, Site improvement, and direct marketing to existing customers (subject to your right to opt out).
  • Legal obligation (Article 6(1)(c)): Processing necessary to comply with a legal obligation, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.
  • Consent (Article 6(1)(a)): Where we rely on your consent (for example, for marketing emails to non-customers or for non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Vital interests (Article 6(1)(d)): In rare cases, processing necessary to protect someone's life, such as sharing health data with emergency services in the event of a medical emergency at our facilities.


For health declaration data (special category data), we rely on your explicit consent (Article 9(2)(a)) to process this information, which you provide when completing the health declaration form. You may withdraw this consent at any time by contacting us, though this may prevent you from attending future sessions. In emergency situations, we may also process health data to protect your vital interests (Article 9(2)(c)).


For US users: US law does not generally require a specific legal basis for processing personal data in the manner that the UK GDPR does. However, we process your data in accordance with this Privacy Policy and applicable US laws, including the New York SHIELD Act. Where required by state law, we obtain your consent before collecting or sharing sensitive personal information.




5. How We Share Your Information


We do not sell your personal data to third parties. We share your information only in the following circumstances:


Payment Processor. We share transaction and billing data with Stripe, Inc. to process your payments. Stripe acts as an independent data controller for certain data it collects during the payment process (such as fraud detection data) and as our data processor for other data. Stripe's processing is governed by the Stripe Privacy Policy and our Data Processing Agreement with Stripe.


Hosting and Infrastructure Providers. We use third-party cloud hosting and infrastructure providers to operate the Site and store data. These providers process data on our behalf and are contractually bound to protect your data and process it only as we instruct.


Analytics Providers. We use analytics services to understand how the Site is used. These providers may receive anonymised or pseudonymised data. Where analytics providers process personal data, they do so under data processing agreements with us.


Email and Communication Providers. We use third-party email service providers to send transactional and marketing communications. These providers process your email address and communication content on our behalf under data processing agreements.


Professional Advisors. We may share information with our lawyers, accountants, auditors, and insurers where necessary for them to provide their services to us.


Legal and Regulatory Compliance. We may disclose information where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, the safety of others, or to detect, prevent, or address fraud, security issues, or technical problems.


Business Transfers. In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your data.


Emergency Services. In the event of a medical emergency at our facilities, we may share your health declaration data with emergency medical personnel to protect your vital interests.




6. International Data Transfers


Because we operate in both the United States and the United Kingdom, your personal data may be transferred between these jurisdictions.


UK to US Transfers. Where we transfer personal data of UK users to the United States, we rely on appropriate safeguards as required by UK data protection law. These may include the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework), Standard Contractual Clauses (UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses), or other approved transfer mechanisms. Our payment processor Stripe relies on the Data Privacy Framework and Standard Contractual Clauses for its international data transfers.


US to UK Transfers. Where personal data of US users is processed in the United Kingdom, such transfers do not require additional safeguards under US law. The UK is generally considered to maintain robust data protection standards.


You may request a copy of the safeguards we have put in place for international transfers by contacting us at privacy@saunaguus.io.




7. Data Retention


We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by law. Our general retention periods are:


  • Account Data: Retained for as long as your account is active, plus 12 months after account closure (to allow for reactivation and to address any outstanding issues).
  • Booking and Transaction Data: Retained for 7 years from the date of the transaction to comply with tax, accounting, and financial reporting obligations in both jurisdictions.
  • Health Declaration Data: Retained for the duration of your active membership or customer relationship, plus 6 years after your last session (consistent with limitation periods for personal injury claims in both the US and UK).
  • Marketing Consent Records: Retained for the duration of the consent plus 3 years after withdrawal, to demonstrate that consent was properly obtained.
  • Achievement Data: Retained for as long as your account is active. Achievement data is deleted upon account closure.
  • Cookies and Analytics Data: Retained in accordance with our Cookie Policy, typically for no longer than 24 months.
  • Communication Records: Retained for 3 years from the date of the last communication, unless a longer retention period is required for legal or compliance purposes.


When the retention period expires, we securely delete or anonymise the data so that it can no longer be associated with you. Anonymised data may be retained indefinitely for statistical and analytical purposes.




8. Data Security


We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. Our security measures include:


  • Encryption: All data transmitted between your browser and our Site is encrypted using TLS 1.2 or higher. Sensitive data at rest, including health declaration data, is encrypted using industry-standard encryption algorithms.
  • Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis. We use role-based access controls and multi-factor authentication for administrative access.
  • Payment Security: We do not store payment card details on our servers. All payment processing is handled by Stripe, which is certified as a PCI Level 1 Service Provider, the highest level of certification available in the payment card industry.
  • Regular Assessments: We conduct regular risk assessments and vulnerability testing of our systems and infrastructure.
  • Employee Training: All employees with access to personal data receive regular data protection and security training.
  • Incident Response: We maintain a data breach response plan that includes procedures for identifying, containing, and remediating security incidents, as well as notifying affected individuals and relevant authorities where required by law.


In compliance with the New York SHIELD Act, we have designated a security programme coordinator and maintain administrative, technical, and physical safeguards appropriate to the nature and scope of our business activities and the sensitivity of the personal information we process.


While we strive to protect your personal data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard protections.




9. Your Rights


9.1 Rights of UK Users


Under the UK GDPR, you have the following rights in relation to your personal data:


  • Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how we process it.
  • Right to Rectification (Article 16): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (Article 17): You have the right to request that we delete your personal data in certain circumstances, such as when it is no longer necessary for the purpose for which it was collected, or where you withdraw consent.
  • Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller, where technically feasible.
  • Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
  • Right to Withdraw Consent: Where we process your data based on consent (including for health declarations and marketing), you may withdraw consent at any time by contacting us or using the unsubscribe mechanism provided.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.


To exercise any of these rights, please contact us at privacy@saunaguus.io. We will respond to your request within one month. In complex cases, we may extend this by an additional two months, but we will inform you of any extension within the initial one-month period.


9.2 Rights of US Users


While the United States does not have a single comprehensive federal privacy law equivalent to the UK GDPR, we extend the following rights to all our US users:


  • Right of Access: You may request a copy of the personal information we have collected about you.
  • Right to Correction: You may request that we correct inaccurate personal information.
  • Right to Deletion: You may request that we delete your personal information, subject to certain legal exceptions (such as data required for tax compliance or legal defence).
  • Right to Opt Out of Marketing: You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us directly.


Under the New York SHIELD Act, you have the right to be notified within 30 days if a data breach affects your private information. We will comply with all applicable notification requirements under the SHIELD Act and other relevant state laws. To exercise any of your rights, please contact us at privacy@saunaguus.io.




10. Cookies and Tracking Technologies


We use cookies and similar technologies on the Site. Cookies are small text files placed on your device that help us provide and improve our services.


Strictly Necessary Cookies: These cookies are essential for the Site to function properly. They enable core features such as session management, authentication, and security. These cookies cannot be disabled.


Functional Cookies: These cookies allow us to remember your preferences (such as language or location settings) and provide enhanced, personalised features.


Analytics Cookies: These cookies help us understand how visitors interact with the Site by collecting information about pages visited, time spent on the Site, and errors encountered. This data is typically aggregated and anonymous.


Marketing Cookies: These cookies are used to deliver relevant advertisements and to track the effectiveness of our marketing campaigns. We only use marketing cookies with your consent.


For UK users, we comply with the Privacy and Electronic Communications Regulations 2003 (PECR) and obtain your consent before placing non-essential cookies on your device. You can manage your cookie preferences through our cookie consent tool or through your browser settings. For detailed information, please refer to our Cookie Policy available on the Site.




11. Children's Privacy


Our services are strictly limited to individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete that data. If you believe we may have collected data from a person under 18, please contact us at privacy@saunaguus.io.




12. Third-Party Links and Services


Our Site may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our Site.




13. Payment Processing and Stripe


We use Stripe, Inc. as our payment processor. When you make a payment through our Site, Stripe collects and processes your payment information directly. We want you to understand the following:


  • Data Controller Status: Sauna Guus is the merchant of record for all transactions. Stripe acts as a data processor for transaction processing and as an independent data controller for its own fraud prevention and compliance activities.
  • Data Collected by Stripe: Stripe may collect your name, email, billing address, payment card details, IP address, browser information, and device data. Stripe may also collect behavioural data (such as typing patterns on the payment form) for fraud detection purposes.
  • Stripe's Privacy Policy: Stripe's collection and use of your data is subject to its own Privacy Policy, available at stripe.com/privacy. We encourage you to review it.
  • Data We Receive from Stripe: We receive from Stripe only the transaction confirmation, a transaction identifier, the last four digits of your card number, card brand, card expiration date, and billing postal code. We do not receive or store your full card number, CVV, or other sensitive payment credentials.
  • PCI Compliance: Stripe is certified as a PCI DSS Level 1 Service Provider. By using Stripe, we ensure that payment card data is handled in accordance with the highest industry security standards.
  • International Transfers by Stripe: Stripe processes data globally. For UK users, Stripe relies on the EU-US Data Privacy Framework (UK Extension), Standard Contractual Clauses, and other approved mechanisms for international data transfers.




14. Special Provisions for Health Data


We recognise that the health declaration data we collect constitutes special category data under the UK GDPR and sensitive personal information under applicable US laws. We apply enhanced protections to this data:


  • Purpose Limitation: Health declaration data is collected and processed solely for the purpose of assessing your fitness to participate in saunagus sessions safely, and for the establishment, exercise, or defence of legal claims. It is never used for marketing, profiling, analytics, or any other purpose.
  • Explicit Consent: For UK users, we rely on your explicit consent (UK GDPR Article 9(2)(a)) as the condition for processing health data. The health declaration form includes a clear, separate consent statement. You may withdraw consent at any time.
  • Access Restrictions: Access to health declaration data is strictly limited to authorised personnel who require it for safety assessments, specifically our facility managers and gusmasters. Health data is not accessible to general staff.
  • Enhanced Security: Health declaration data is encrypted at rest and in transit, stored separately from other personal data where technically feasible, and subject to additional access logging and monitoring.
  • Retention: Health declaration data is retained for the duration of your active customer relationship plus 6 years following your last session, consistent with limitation periods for personal injury claims. After this period, the data is securely deleted.
  • Data Protection Impact Assessment: We have conducted a Data Protection Impact Assessment (DPIA) in accordance with UK GDPR Article 35 to identify and mitigate risks associated with our processing of health data.




15. Marketing Communications


We may send you marketing communications about our services, new sessions, events, and promotions. Our approach to marketing differs by jurisdiction:


UK Users: We comply with the Privacy and Electronic Communications Regulations 2003 (PECR). We will only send you marketing emails if you have given your prior consent (opt-in), or if you are an existing customer and the marketing relates to similar products or services to those you have previously purchased from us (the "soft opt-in"), provided you were given a clear opportunity to opt out at the time of collection and in every subsequent communication.


US Users: We comply with the CAN-SPAM Act. All marketing emails include a clear identification of the message as an advertisement, our physical address, and a prominent opt-out mechanism. We honour opt-out requests within 10 business days.


You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, adjusting your preferences in your account settings, or contacting us at privacy@saunaguus.io. Opting out of marketing communications will not affect transactional communications (such as booking confirmations, receipts, and important service announcements).




16. Automated Decision-Making


We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. Our achievement system is based on straightforward session attendance tracking and does not involve profiling. If we ever introduce automated decision-making in the future, we will update this Privacy Policy and, where required by law, obtain your consent or provide you with the right to challenge such decisions.




17. Changes to This Privacy Policy


We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:


  • Update the "Last Updated" date at the top of this policy;
  • Post a prominent notice on the Site informing you of the changes;
  • Send you an email notification to the address associated with your account (for material changes affecting your rights).


We encourage you to review this Privacy Policy periodically. Your continued use of our Site or services after any changes constitutes your acceptance of the updated policy. For UK users, where changes affect processing based on consent, we will seek renewed consent where required.




18. Contact Us


If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:


Email: privacy@saunaguus.io


General Enquiries: info@saunaguus.io


Postal Address (US): Sauna Guus LLC, [Address], New York, NY [Zip Code], United States


Postal Address (UK): Sauna Guus Ltd, [Address], London [Postcode], United Kingdom


UK Data Protection Officer: If you are a UK user, you may also contact our Data Protection Officer at dpo@saunaguus.io.


UK Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):


  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom




This Privacy Policy was last reviewed and updated in February 2026.


IMPORTANT DISCLAIMER: This Privacy Policy is provided as a comprehensive template for Sauna Guus. It should be reviewed by qualified legal counsel in both the United States (New York) and the United Kingdom (England and Wales) before deployment to ensure full compliance with all applicable laws and regulations. Sauna Guus should fill in all bracketed placeholder information (addresses, postcodes, etc.) before publishing.