← Back to Home

Privacy Policy

Protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and Spanish Organic Law 3/2018 (LOPDGDD), as services are delivered in Spain by a French-registered auto-entrepreneur.

1. Data Controller

The entity responsible for processing your personal data is:

• Legal name: Vanessa Carvalho
• Trading as: Magical Touch by Vanessa
• Legal status: Auto-entrepreneur (Profession Libérale Non Réglementée), registered in France
• SIRET: 90344459400027
• Registered address: 1600 RTE DE NAY, 64290 BOSDARROS, France
• Place of service delivery: Marbella, Costa del Sol, Spain
• Email: info@magicaltouchbyvanessa.com
• Phone / WhatsApp: +33 6 66 64 29 13

2. Data Protection Officer (DPO)

As a sole-proprietor auto-entrepreneur processing only a limited volume of personal data for booking and communication purposes, the appointment of a Data Protection Officer is not required under Article 37 GDPR. For any data protection inquiries, please contact the data controller using the details listed above.

3. What Personal Data We Collect

We collect and process the following personal data:

• Name — To identify you and personalise your booking
• Email address — Collected through our booking tool (Cal.com) to send booking confirmations and reminders
• WhatsApp phone number — To communicate about bookings and send confirmations
• Booking details — Treatment type, selected date and time, location for home service, any notes you provide during booking
• Technical data during booking — IP address, browser user-agent, and timezone, processed by Cal.com while you interact with the booking widget
• Payment information — Transaction data processed through PayPal (we do not store your PayPal credentials or payment card details)
• Communication history — WhatsApp messages exchanged for booking purposes

We do not collect any special categories of personal data (health data, biometric data, etc.) unless specifically required and with your explicit consent.

4. Purpose and Legal Basis for Processing

4.1 Booking Management

Purpose: To confirm, manage, and fulfil your treatment bookings. Bookings are handled through Cal.com, which acts as a data processor on our behalf to provide the scheduling widget, confirmation emails, and calendar synchronisation.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) — processing is necessary to provide the service you have requested. The transfer of your booking data to Cal.com is covered by a Data Processing Addendum (DPA) under Art. 28 GDPR and, where applicable, EU Standard Contractual Clauses.

4.2 WhatsApp Communication

Purpose: To communicate with you regarding bookings, scheduling, and service-related queries via WhatsApp.

Legal basis: Consent (Art. 6(1)(a) GDPR) — by initiating contact via WhatsApp, you consent to communication through this channel. Legitimate interest (Art. 6(1)(f) GDPR) — to respond to your inquiries and provide customer service.

4.3 Payment Processing

Purpose: To process payments for services rendered.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

4.4 Analytics & Marketing (Coming Soon)

Purpose: To analyse website usage and measure the effectiveness of marketing campaigns.

Legal basis: Consent (Art. 6(1)(a) GDPR) — we will request your consent before activating Google Analytics or Meta Pixel tracking. See our Cookie Policy for details.

5. Data Recipients & Third Parties

Your personal data may be shared with the following third parties, all of whom act as data processors under a written Data Processing Agreement with the data controller (Art. 28 GDPR):

• Cal.com, Inc. — Online scheduling platform used to display real-time availability, collect booking requests (name, email, date, time, notes), send automated confirmation and reminder emails, and synchronise appointments with the data controller’s calendar. Cal.com is headquartered in the United States. Transfers outside the EEA are safeguarded by Cal.com’s Data Processing Addendum and EU Standard Contractual Clauses. Cal.com Privacy Policy · Cal.com DPA
• Google LLC (Google Workspace) — Hosts the email inbox and calendar used by the data controller to communicate with clients and store booking confirmations. Data may be transferred to the US under the EU-US Data Privacy Framework. Google Privacy Policy
• WhatsApp / Meta Platforms, Inc. — Communication platform for bookings. Data may be transferred to the US under Meta’s data processing terms and Standard Contractual Clauses. WhatsApp Privacy Policy
• Google LLC (Google Analytics) — Website analytics (coming soon). Data may be transferred to the US. Google Privacy Policy
• Meta Platforms, Inc. (Meta Pixel) — Advertising analytics (coming soon). Meta Privacy Policy
• PayPal (Europe) S.à r.l. et Cie, S.C.A. — Payment processing. PayPal Privacy Policy
• GoDaddy.com, LLC — Website hosting provider. Data transferred to the US under Standard Contractual Clauses. GoDaddy Privacy Policy

We do not sell your personal data to any third party.

6. International Data Transfers

Some of our third-party service providers (Cal.com, Google Workspace, WhatsApp, Google Analytics, Meta, PayPal, GoDaddy) may transfer your data outside the European Economic Area (EEA), primarily to the United States. Where this occurs, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs)
• EU-US Data Privacy Framework adequacy decisions, where applicable
• Data Processing Addenda signed with each processor under Art. 28 GDPR

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined above:

• Booking data & communications: 3 years after the last service provided
• Invoicing & accounting records: 10 years, as required by French tax law (Code de commerce, Art. L123-22)
• Marketing consent data: Retained until consent is withdrawn
• Cookie consent records: 6 months
• Analytics data (when activated): Up to 14 months (Google Analytics default)

After the retention period, your data will be securely deleted or anonymised.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR) — Request a copy of the personal data we hold about you
• Right to rectification (Art. 16 GDPR) — Request correction of inaccurate or incomplete data
• Right to erasure (Art. 17 GDPR) — Request deletion of your personal data ("right to be forgotten")
• Right to restrict processing (Art. 18 GDPR) — Request limitation of how we process your data
• Right to data portability (Art. 20 GDPR) — Receive your data in a structured, commonly used format
• Right to object (Art. 21 GDPR) — Object to processing based on legitimate interest
• Right to withdraw consent (Art. 7(3) GDPR) — Withdraw consent at any time without affecting prior processing

To exercise any of these rights, please contact us at: info@magicaltouchbyvanessa.com

As the data controller is established in France and services are provided in Spain, you have the right to lodge a complaint with either supervisory authority:

• France — CNIL (Commission Nationale de l'Informatique et des Libertés): www.cnil.fr
• Spain — AEPD (Agencia Española de Protección de Datos): www.aepd.es

9. Data Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. This includes:

• End-to-end encrypted communications via WhatsApp
• Secure payment processing via PayPal
• SSL/TLS encryption on our website

10. Cookies

Our website uses cookies. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "last modified" date. We encourage you to review this page periodically.

Last updated: 1 April 2026