Welcome to USH Spa Center ("we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our mobile application, website, and related services (collectively, the "Services"). By using our Services, you agree to the practices described in this Privacy Policy.
📋 1. Information We Collect
1.1 Personal Information You Provide
When you register, book a service, or interact with our app, we may collect:
- Account Information: Full name, email address, phone number, date of birth, and password.
- Profile Information: Gender preferences for services, profile photo, and communication preferences.
- Booking Information: Appointment dates, selected services, therapist preferences, and spa center location.
- Payment Information: Payment method details processed securely through our payment provider (Stripe). We do not store your full credit card number on our servers.
- Gift Card Information: Sender and recipient details, personal messages, and redemption history.
- Communications: Messages, reviews, ratings, and feedback you submit through the app.
1.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Device Information: Device type, operating system, unique device identifiers, and app version.
- Usage Data: Pages visited, features used, interaction patterns, and time spent on the app.
- Log Data: IP address, browser type, access times, and referring URLs.
- Location Data: Approximate location based on IP address to show nearby spa centers (precise location is only collected with your explicit consent).
⚙️ 2. How We Use Your Information
We use the information we collect to:
- Provide Services: Create and manage your account, process bookings and appointments, and facilitate payments.
- Personalize Experience: Recommend services based on your preferences, display relevant spa centers in your region, and tailor content to your language preference (English/Arabic).
- Communication: Send booking confirmations, reminders, and status updates via SMS and email. Send verification codes for account security. Notify you about promotions, gift cards, and loyalty rewards (with your consent).
- Improve Services: Analyze usage patterns to enhance app features, monitor and fix technical issues, and conduct internal research and analytics.
- Safety & Security: Detect and prevent fraud, abuse, and unauthorized access. Enforce our terms of service and comply with legal obligations.
🤝 3. Information Sharing & Disclosure
We do not sell your personal information. We may share your data with:
- Spa Center Partners: Your booking details (name, contact, selected services) are shared with the specific spa center where you've made an appointment, solely to fulfill your booking.
- Payment Processors: Payment data is securely transmitted to MyFatoorah for transaction processing. MyFatoorah's privacy policy governs its handling of your payment information.
- SMS Providers: Your phone number is shared with our SMS service provider to deliver verification codes, booking confirmations, and appointment reminders.
- Cloud Infrastructure: Your data is stored on Amazon Web Services (AWS) infrastructure, subject to AWS's security standards and compliance certifications.
- Legal Requirements: We may disclose your information if required by law, court order, or governmental regulation, or to protect the rights, property, or safety of USH Spa, our users, or the public.
🔒 4. Data Storage & Security
We implement industry-standard security measures to protect your personal information:
- Encryption: All data transmitted between your device and our servers is encrypted using TLS/SSL (HTTPS).
- Password Security: Passwords are hashed using strong one-way algorithms and are never stored in plain text.
- Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis with role-based permissions.
- Token-Based Authentication: We use JWT (JSON Web Tokens) with automatic expiration and rotation for secure API access.
- Regular Audits: We maintain audit logs of administrative actions and conduct regular security reviews.
While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly notifying affected users in the event of a data breach.
🍪 5. Cookies & Tracking Technologies
Our web-based services (gift card pages, admin panel) may use:
- Session Cookies: Essential cookies required for authentication and security (CSRF protection).
- Language Preference: A cookie to remember your selected language (English or Arabic).
Our mobile application does not use browser cookies. Authentication is handled via secure JWT tokens stored locally on your device.
🔗 6. Third-Party Services
Our Services integrate with the following third-party providers, each governed by its own privacy policy:
- MyFatoorah: For payment processing — https://www.myfatoorah.com/سياسة-الخصوصية/
- Amazon Web Services: For cloud hosting and storage — AWS Privacy Policy
✅ 7. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Update or correct inaccurate personal information through your profile settings or by contacting us.
- Deletion: Request deletion of your account and associated personal data. Note that some data may be retained for legal or legitimate business purposes.
- Data Portability: Request your data in a structured, commonly used, machine-readable format.
- Withdraw Consent: Opt out of promotional communications at any time by updating your notification preferences or contacting us.
- Restrict Processing: Request that we limit how we use your data in certain circumstances.
To exercise any of these rights, please contact us using the details provided in Section 12 below.
🗄️ 8. Data Retention
We retain your personal information for as long as necessary to:
- Provide our Services and maintain your account.
- Comply with legal obligations (e.g., tax and financial reporting requirements).
- Resolve disputes and enforce our agreements.
- Maintain business records as required by applicable law.
When your data is no longer needed, we will securely delete or anonymize it. Booking history and transaction records may be retained in anonymized form for analytics and reporting purposes.
🌍 9. International Data Transfers
USH Spa Center operates primarily in the Middle East region (Qatar, Kuwait, and the United Arab Emirates). Your data may be processed and stored on servers located in the AWS Middle East region or other AWS regions as necessary for service reliability.
If your data is transferred to a jurisdiction with different data protection laws, we ensure appropriate safeguards are in place to protect your information in compliance with applicable regulations.
📝 10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Effective Date" at the top of this page.
- We will notify you via in-app notification or email for significant changes.
- Your continued use of the Services after changes constitutes acceptance of the updated policy.
📧 11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
This privacy policy was last updated on May 5, 2026.