This Privacy Policy explains how Saunatech AS ("Saunatech", "we", "us") collects, uses, shares, and protects your personal information when you use our website and related services (the "Services"). If and when we launch mobile apps later, this Policy will also apply to those apps unless we say otherwise.
Our Services are available worldwide, and this Policy applies globally. We currently provide the Services through our web app. If local law requires specific disclosures, those rights and disclosures are described in Section 8.
1) Who we are
Data controller: Saunatech AS (Norway)
Email: privacy@saunatech.no
Address: Kløverveien 12, 4326 Sandnes, Norway
Complaints: You may lodge a complaint with Datatilsynet or your local data protection authority, as applicable.
If you are in the EU/EEA/UK, Saunatech is the controller of your personal data for the processing described in this Policy.
If we are required to appoint a local representative in a particular jurisdiction, we will publish the representative's contact details here or on our website.
2) What we collect
We collect information in these categories:
A. Information you provide
- Account and profile details: first/last/display name, email, phone number, date of birth (for age verification in certain saunas), locale/language, profile photo/avatar, and verification status.
- Billing address: if you enter it for payments or invoices/receipts.
- Friends and invitations: information used for friend discovery and invitations (subject to your privacy settings), such as whether your profile is searchable, whether your email is discoverable, whether other users can send you friend requests, and whether other users can send you booking invites.
- Support and communications: messages you send to support, support ticket details, and information you include in forms or emails (for example, booking information or account details).
- Content you upload: sauna photos (for owners), shop item images, and administrative CSV imports.
- Payment and settlement details: invoices, receipts, refund receipts, payment or refund references, settlement records, outstanding balances, and related support or correction records where applicable (your billing address is covered above).
- Verification details: phone number, whether phone verification is enabled for your account, and records needed to document your consent to receive SMS verification codes where applicable.
- Third-party sign-in: If you choose to sign in using a third-party provider (such as Google), we may receive information such as your name, email address, and profile image, depending on the provider and your settings. We use this to create and manage your account.
B. Information created through your use of the Services
- Bookings and participation: booking details, attendees/participants (as applicable), booking status, and operational records.
- Payments, refunds, and postpay settlement records: payment status, transaction records, refund history, refund audit/correction records, receipts and refund receipts, settlement review and confirmation records, participant or organizer payment-responsibility records, overdue balances, late-fee records where applicable, and dispute or chargeback records where applicable.
- Optional wellness tracking (opt-in): sauna session history, wellness preferences, achievements, and related wellness insights if you choose to use these features. These features are intended for personal wellness tracking and are not medical or diagnostic services.
- Explicit consent for wellness tracking: Wellness tracking is optional. Where applicable, wellness tracking data may be treated as special category personal data under EU/EEA/UK law or as sensitive personal data under other applicable law. We only collect and use wellness tracking data after you give explicit consent. You can withdraw that consent at any time through available in-product controls or by contacting us at privacy@saunatech.no. Withdrawing consent is as easy as giving consent.
- Effect of withdrawal or deletion request: If you withdraw consent, request deletion of wellness tracking data, or request account deletion, we will stop collecting and using new wellness tracking data for that feature without undue delay. We will delete or irreversibly anonymize existing wellness tracking data without undue delay and, in any event, within 30 days, except that we may retain limited data where required or permitted for legal compliance, security, fraud prevention, dispute resolution, protection of legal rights, or backup/disaster recovery processes.
- No advertising use: We do not use wellness tracking data for advertising.
C. Information collected automatically
- Technical and usage data: IP address, browser/user agent, device and connection information, and logs related to how you use the Services.
- First-party analytics events: product events recorded in line with your analytics-consent choice, which may include the event name, an anonymous session ID, a server-resolved user ID for signed-in sessions, the normalized route (not the raw URL), the surface, a limited set of approved event properties, user agent, IP address, and the analytics-consent decision captured at ingestion time. We use these events to understand product usage, improve reliability, diagnose issues, and improve the Services. We do not intentionally store raw URLs, free-text fields, payment details, or wellness data in analytics events.
- Cookies and similar technologies: used for authentication, session management, security, and preferences like language/locale. See Section 9.
D. Location information (now and planned)
- Today: we do not request precise (GPS) location by default. We may use approximate location inferred from IP for security, fraud prevention, and limited service measurement.
- Planned "near me" map feature (web and/or mobile): with your permission, we may use your precise location to auto-zoom the map and show distance to nearby saunas. We intend to use this only while you are using the relevant feature (for example, on the map screen), and not for continuous/background tracking. You can deny or revoke location permission in your device/browser settings.
- Map features may load third-party services (see Section 5 and Section 9).
E. Mobile app data (if/when mobile apps are launched)
If and when we launch iOS/Android apps, we may process mobile-specific data needed to operate the apps, such as:
- device and app information (device model, OS version, app version, language),
- device identifiers used for security and session management,
- push notification tokens if you enable notifications (to send service messages like booking updates).
If we introduce additional permissions (camera/photos, contacts, microphone, etc.), we will request permission at the time and update this Policy as needed.
F. Advertising data (future)
If we introduce advertising in the Services, we (and our advertising partners) may collect or receive information such as cookies and similar technologies, device and browser information, IP address, approximate location (for example, city/region), and information about ad impressions and interactions. Advertising may be contextual (based on the content you're viewing) or personalized (based on activity/identifiers, where permitted). Where required by law, we will obtain consent and provide choices before enabling personalized advertising.
3) How we use your information
We use personal information to:
- Provide and operate the Services (accounts, profiles, bookings, invitations/friends features, maps, payment and refund history, and postpay settlement views where available).
- Process payments and manage billing, including invoicing, receipts, refund receipts, refunds, payment-provider refund records, dispute or chargeback handling where applicable, postpay settlements, balance calculations, settlement review or confirmation, participant or organizer payment responsibility, overdue payment handling, late fees where applicable, payment recovery or collections where applicable, account restrictions for non-payment where applicable, and payouts to sauna owners/operators (or other settlement recipients, such as franchisors, where applicable) through connected accounts.
- Handle booking change operations initiated by operators, such as operator-initiated cancellations and reschedules, including sending service notifications and processing full refunds for operator-cancelled bookings where payment was collected.
- Verify identity and protect accounts, including email or phone verification (where enabled), sending one-time SMS verification codes for account security, storing related consent and verification records where applicable, and preventing fraud or abuse.
- Provide support and communications, including responding to requests and sending service messages.
- Maintain, improve, and develop the Services, including debugging, monitoring, analytics, and feature development.
- Security and compliance, including enforcing our terms and meeting legal obligations.
At launch, our analytics are limited to first-party analytics operated by Saunatech. We do not use third-party analytics providers, advertising cookies, ad pixels, or cross-site tracking at launch. We also do not use your personal information for cross-context behavioral advertising, and we do not sell personal information. If we introduce advertising features or third-party analytics in the future, we will update this Policy and, where required, provide choices and obtain consent.
Automated tools and decisions:
We may use automated tools to help detect and prevent fraud, abuse, and security incidents. We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing. If your account is restricted for security or fraud reasons, you can request review by contacting us at privacy@saunatech.no.
4) Legal bases (EU/EEA/UK)
If you are in the EU/EEA/UK, we rely on these legal bases where applicable:
- Contract: We process personal data where necessary to perform our contract with you, including providing the Services, creating and managing accounts, processing bookings and payments, handling refunds, postpay settlement, disputes or chargebacks, and enforcing our terms (including payment recovery or non-payment restrictions where applicable).
- Legitimate interests: to secure, operate, and improve the Services; prevent fraud; and run limited operational measurement where consent is not required.
- Consent: where required or where we choose to rely on consent, including explicit consent for optional wellness tracking, precise location permissions, certain cookies or similar technologies, and marketing where you opt in.
- Legal obligation: for accounting, tax, and regulatory requirements.
5) How we share your information
We share personal information only as needed to run the Services:
A. Service providers (processors)
Depending on your use, we may share data with trusted providers such as:
- Hosting, database, authentication, and file storage: Supabase.
- Payments, refunds, and payouts: Stripe (including Stripe Connect). Payment card details are handled by Stripe's secure payment flow; we do not store your full card number. We receive payment, settlement, refund, and dispute or chargeback details from Stripe to provide the Services, keep records, review balances, and handle billing issues where applicable. Depending on venue setup, payouts may be routed to the relevant operator/owner or to another settlement recipient (such as a franchisor) designated for that venue, who then settles with the sauna owner. If you are a sauna owner/operator, Stripe may collect and process identity verification and payout information (such as legal name, date of birth, address, government ID, bank account details, and tax information) to comply with financial regulations. We receive limited information such as onboarding/verification status and account identifiers needed to route payouts (as applicable) to sauna owners/operators or other settlement recipients (such as franchisors).
- Email delivery: Postmark.
- SMS verification: Twilio is used to send one-time SMS verification codes for account security verification. We do not use SMS for marketing or promotional messages, and at launch we do not use SMS for booking updates or owner/customer communications. SMS verification code delivery is governed by the separate SMS Verification Terms.
- Maps and address autocomplete: Google Maps / Google Places. Where required by law, and where our cookie controls are offered, we load these services only after you consent via those controls.
- At launch, we do not share analytics data with a separate third-party analytics provider because our analytics are first-party analytics operated by Saunatech. If that changes later, we will update this Policy.
- Advertising partners (future): If we introduce advertising, we may use advertising partners such as Google Ads to display ads, measure performance, and prevent fraud. These partners may process information under their own privacy policies and may act as independent controllers depending on the context.
These providers process data on our instructions to provide the Services. Some providers (for example, payment providers) may also process data as independent controllers for their own compliance and security purposes under their own privacy policies. We may add or replace service providers over time; we will update this Policy if our data-sharing practices materially change.
B. Sauna owners/operators and booking participants
- If you book a sauna, the relevant sauna owner/operator may receive the information necessary to fulfill the booking (for example, booking time, number of participants, and contact details where needed for service delivery and support).
- If you participate in group bookings/invitations, other participants may see limited information depending on your settings and the feature (for example, display name, invitation status).
- Depending on your privacy settings, other users may be able to find you by username or email and may see limited profile information such as your display name and avatar.
- Friends and invitation features are subject to your privacy settings. You can separately control whether other users can find your account by email, send you friend requests, or send you booking invites through available account controls. Those settings affect whether other users can discover your account or invite you through those features.
- To protect privacy and prevent abuse, account discovery and invitation requests may receive the same generic response (for example, "accepted" or "unavailable") whether or not a matching account exists or an invitation is actually delivered. This limits what another user can infer about your account from a single request.
Important: Sauna owners/operators may process booking information to provide their services and meet their own legal obligations. Their handling of personal information outside the Services is governed by their own policies and practices, and they may be independent data controllers in those contexts.
For operator-initiated booking cancellations or reschedules, Saunatech processes related booking/refund data to operate the Services, but the decision to cancel or reschedule is made by the relevant operator and remains the operator's responsibility.
C. Legal and safety disclosures
We may disclose information if we reasonably believe it is necessary to:
- comply with law or legal process,
- protect the rights, safety, and security of users, sauna owners/operators, or Saunatech,
- investigate or prevent fraud, security, or technical issues.
D. Business transfers
If we're involved in a merger, acquisition, financing, restructuring, or sale of assets, information may be transferred as part of that transaction, subject to appropriate safeguards.
E. Collections and enforcement (Pay-Later / Postpay)
If you do not pay amounts due, we may share the information necessary to pursue payment, apply late-fee or recovery measures where applicable, and enforce our agreements. We may share this information with service providers involved in payment recovery or collections, with professional advisers (such as legal counsel), and with relevant authorities or courts as required. This may include contact details and booking, settlement, invoice, balance, payment, refund, or correspondence records.
6) International transfers
We operate globally, and our providers may process data outside your country (for example, in the United States or other regions). Where required, we use appropriate safeguards such as Standard Contractual Clauses (and the UK addendum where applicable) or other lawful transfer mechanisms.
7) Data retention
We keep personal information only as long as necessary for the purposes described in this Policy. We retain some information longer when needed to:
- comply with legal obligations (accounting/tax),
- prevent fraud and abuse,
- resolve disputes and enforce agreements,
- maintain business records and security.
Retention periods
- Account profile data (name, email, phone, settings): kept while your account is active. If you request deletion, we delete or anonymize this data within 30 days, unless retention is required or permitted for legal compliance, security, fraud prevention, dispute resolution, or protection of legal rights.
- Bookings and booking history: kept while your account is active; after account deletion we retain booking records for up to 7 years for dispute handling, fraud prevention, and recordkeeping.
- Payments, refunds, payouts, invoices, receipts, refund receipts, settlement records, and transaction records: retained for up to 10 years to meet accounting, tax, audit, and compliance obligations (including handling disputes/chargebacks, corrections, and regulatory requests).
- Support tickets and customer support messages: retained for up to 3 years after ticket closure (longer if needed for ongoing disputes or legal obligations).
- Verification codes, phone verification attempts, related delivery metadata, and verification logs (including associated phone number, IP, and user agent): retained for up to 30 days for security and abuse prevention.
- Security logs and audit logs (including IP and device/user agent data): retained for up to 2 years, depending on severity and security needs.
- First-party analytics events: retained for up to 2 years, then deleted or de-identified/aggregated where feasible.
- Friends/invitations data and audit logs: retained while the relevant relationship/invite is active; invitation/audit logs retained for up to 2 years for abuse prevention and support.
- Uploaded content (photos, images, CSV imports):
- owner/listing/shop images: retained until removed by the uploader or until the related listing/content is removed;
- admin CSV imports: retained up to 12 months unless required longer for audit or operational reasons.
- Wellness tracking data (opt-in): retained only while needed to provide the wellness tracking feature and while associated with your account. If you withdraw consent, request deletion of wellness tracking data, or request account deletion, we delete or irreversibly anonymize wellness tracking data without undue delay and, in any event, within 30 days, except that we may retain limited data where required or permitted for legal compliance, security, fraud prevention, dispute resolution, protection of legal rights, or backup/disaster recovery processes.
- Consent and deletion request records: we may retain limited records showing when consent was given, withdrawn, or acted on, including SMS verification consent records, and records needed to handle deletion requests, where reasonably necessary for accountability, security, dispute handling, or legal compliance.
- Backups and disaster recovery copies: deleted or updated information may remain in backup or disaster recovery systems for a limited period of time, generally up to 90 days, until those systems are overwritten or rotated. Backup copies are not used for ordinary product operations. If backup data is restored, we take reasonable steps to re-apply applicable deletion or anonymization measures.
For clarity, the 30-day deletion/anonymization timeframe described above applies to production wellness tracking data. Backup or disaster recovery copies may persist temporarily until overwritten or rotated under applicable backup cycles.
Account deletion does not always mean immediate deletion of every record associated with your use of the Services. For example, we may retain certain booking, payment, tax, fraud-prevention, security, dispute, and legal-compliance records for the periods described above.
Deletion and anonymization
When deletion is requested, we delete or anonymize information unless we must retain it for legal compliance, fraud prevention, security, dispute resolution, or protection of legal rights. In some cases, we may retain information for longer where required or permitted by law.
8) Your choices and rights
A. Account settings
You can update certain profile information and privacy settings using available account controls. These settings may include whether your profile appears in search, whether your account can be found by email, whether other users can send you friend requests, and whether other users can send you booking invites. You can request account deletion through available in-product controls (if offered) or by emailing us at privacy@saunatech.no from the email address associated with your account.
B. Wellness tracking (explicit consent)
If you enable wellness tracking, you can withdraw your consent at any time through available in-product controls or by contacting us at privacy@saunatech.no. Withdrawing consent is as easy as giving it. After withdrawal, we stop collecting and using new wellness tracking data for that feature without undue delay.
You can also request deletion of wellness tracking data through available in-product controls or by contacting us at privacy@saunatech.no. If you withdraw consent, request wellness-data deletion, or request account deletion, we delete or irreversibly anonymize existing wellness tracking data without undue delay and, in any event, within the timeframe described in Section 7, subject to the limited exceptions described there.
C. Location permissions
If we request location access for map features, you can deny permission and still use most of the Services. You can revoke permission in your device/browser settings at any time.
D. Notifications (mobile)
If our mobile apps offer push notifications, you can enable/disable them in your device settings.
E. Marketing
If we send marketing messages, you can opt out using the unsubscribe link or your account settings. We may still send transactional or service-related messages (for example, booking confirmations).
F. Advertising choices
If we introduce advertising, you may have choices depending on your location and device:
- Cookie controls/consent: Where required by law, you can accept or reject non-essential cookies used for advertising and measurement.
- Opt-out rights (where applicable): In some jurisdictions (including certain U.S. states), you may have the right to opt out of "sharing" of personal information for cross-context behavioral advertising as defined by law.
- Device settings: On mobile, you can adjust your device privacy settings, and (on iOS) you can control app tracking permissions if requested. Where required, we will provide a "Do Not Sell or Share My Personal Information" option in the Services or on our website.
G. Privacy rights (global)
Depending on where you live, you may have rights to:
- access, correct, or delete your personal information,
- object to or restrict certain processing,
- receive a portable copy of your data,
- withdraw consent where processing is based on consent,
- lodge a complaint with a regulator (EU/EEA: local authority; UK: ICO; other regions: your local authority).
Residents of certain U.S. states (including California) may have additional rights such as the right to know/access, delete, correct, and opt out of "sale" or "sharing" as defined by law. We do not sell personal information. Currently, we do not share personal information for cross-context behavioral advertising. If we introduce cross-context behavioral advertising in the future, we will update this Policy and, where required, provide opt-out rights and obtain consent.
How to exercise rights
Email us at privacy@saunatech.no with:
- the email/phone used for your account,
- the request you want to make (access, deletion, correction, etc.),
- and any relevant details.
We will not discriminate against you for exercising your privacy rights. Where required, you may appeal our decision by replying to our response or emailing us at privacy@saunatech.no with "Privacy Appeal" in the subject line. We may need to verify your identity before completing your request. Where required by law, you may designate an authorized agent to make a request on your behalf. We respond within the time limits required by applicable law (typically within one month; this may be extended by up to two further months for complex or multiple requests).
In some cases, confirming, investigating, or fulfilling a request may require additional time, including where deletion must be carried out through scheduled operational processes or backup rotation cycles. Where we apply a specific deletion timeframe in this Policy for a category of data, that category-specific timeframe will govern completion of the deletion or anonymization process.
9) Cookies and similar technologies
We use cookies and similar technologies for:
- Essential functionality: authentication and session management.
- Preferences: language/locale settings.
- Security: detecting suspicious activity.
We also use local storage/session storage for core flows (for example, preserving booking progress or verification state). Local storage is not a cookie, but it is a similar technology that stores data on your device.
Analytics
We currently use first-party analytics (events recorded by our own endpoint) to understand product usage, improve reliability, diagnose issues, and improve the Services. These analytics events may include the event name, normalized route, surface, anonymous session identifier, limited approved event properties, user agent, IP address, and a server-resolved user identifier when you are signed in. We do not intentionally store raw URLs, query strings, free-text fields, payment details, or wellness data in analytics events. At launch, we do not use a separate third-party analytics provider, advertising cookies, ad pixels, or cross-site tracking for analytics. If we introduce third-party analytics or crash reporting later, we will update this Policy and, where required, provide appropriate controls and obtain consent.
Non-essential cookies and consent (EU/EEA/UK and similar laws)
Where required by law (including in the EU/EEA/UK), we provide cookie consent controls (for example, a cookie banner) and ask for your consent before using non-essential cookies or similar technologies. Where required by law, we do not set non-essential cookies (or similar technologies) until you have made a choice. At launch, this includes the dedicated Analytics category for first-party measurement and the Maps category for services such as Google Maps / Google Places. If we later add third-party analytics, other optional measurement tools, advertising tools, or embedded services, we will update this Policy and the related controls.
Cookie controls
You can manage your choices at any time via Cookie Settings (for example, in the cookie banner and/or in your account/settings area). Rejecting non-essential cookies is as easy as accepting them. If you do not consent, we will not enable the optional first-party analytics or Maps categories where consent is required.
Advertising cookies (future)
If we introduce advertising, we may use (or allow partners to use) cookies or similar technologies to show ads, measure ad performance, and prevent fraud. Where required by law, we will obtain your consent before using non-essential cookies for advertising or measurement, and we will provide controls to withdraw or change your choices.
10) Security
We take security seriously and use administrative, technical, and organizational measures designed to protect personal information, such as:
- access controls and least-privilege practices,
- secure authentication and session management,
- encryption in transit (HTTPS) and, where supported, encryption at rest via our infrastructure providers,
- monitoring and logging to detect abuse and protect accounts,
- secure payment processing via Stripe.
No system is 100% secure, but we work to protect your information and continuously improve safeguards as we grow.
11) Children's privacy
Our Services are not intended for children under 13 (or under the minimum age required in your country). We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us at privacy@saunatech.no.
12) Third-party links and services
Our Services may link to third-party websites or services (for example, payment flows or map providers). Their privacy practices are governed by their own policies.
13) Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will take reasonable steps to notify you before or when those changes become effective, such as by posting a notice in the Services, updating the effective date, or sending a message where appropriate. Non-material updates (for example, clarifications, corrections, or administrative changes) may be posted by updating this Policy and its "Last updated" date.
14) Contact us
If you have questions or requests about this Policy, contact:
Email: privacy@saunatech.no
Address: Kløverveien 12, 4326 Sandnes, Norway