Privacy Policy of chorusspa.com
1. WHO IS THE DATA CONTROLLER?
ChorusWellness S.r.l., with registered office in Via Andrea Moretti, 34, 24124 – Bergamo, Companies Register – Tax Code – VAT No. 04855570166, REA of Bergamo No. 494321 is the data controller (“ChorusWellness” or “Data Controller”) of the personal data of users (“Users”) who access the website chorusspa.com (“Website”) to consult and/or purchase access passes to the ChorusWellness Immersive SPA and other services available from time to time (“Services”) or to Gift the Services to a third party (“Voucher”).
In accordance with Regulation (EU) 2016/679 (“Regulation”), ChorusWellness provides Users with the following information.
2. FOR WHAT PURPOSES ARE THE DATA PROCESSED?
The personal data collected through the Website and/or otherwise provided by the User are processed for the following purposes:
A. to enable ChorusWellness to comply with its legal obligations;
B. to allow the User to purchase the Services and/or gift them via Voucher (this may also include User registration);
C. to allow ChorusWellness, upon the User’s request, through a specific contact form, to contact the User in order to respond to their requests;
D. to allow ChorusWellness to contact the User for ChorusWellness’ and third parties’ commercial purposes, as well as for market research and surveys via email and other communication tools (e.g. SMS, direct messaging, telephone, etc.);
E. to allow ChorusWellness to assess the User’s tastes, preferences, interests and habits in order to personalize the commercial communications referred to in the previous point;
F. to allow ChorusWellness to share certain personal data of the User with third parties for commercial purposes.
Furthermore, in the event of corporate transactions (transfer of the company or business units), due diligence activities, or in the event of the defense of a right in court and related preparatory activities, ChorusWellness may carry out further processing related to corporate or legal matters.
3. WHAT DATA ARE PROCESSED?
When the User browses the Website, usage data are collected (including, among others, IP address, user ID, browsing data such as pages visited and time spent on them, session duration) and, if the User completes the contact form available on the Website, their name, surname, email address and any personal data freely entered by the User will also be processed.
To book the Services, the following User data will be collected: name, surname, gender, ZIP/postal code, country, phone number and email address. Failure to provide such data makes it impossible to complete the purchase.
To gift a Voucher, the User may choose to send it via email to the recipient, providing the recipient’s name, surname and email address.
To complete the purchase, the User’s billing and payment data will be processed.
For commercial purposes, where the User has given consent, the User’s contact details will also be processed for the sending of commercial communications. If the User decides to respond to the surveys referred to in letter D of paragraph 2 above, ChorusWellness will also process the information included in the relevant responses.
Furthermore, subject to the User’s consent, the Data Controller may share the User’s contact details and certain information relating to the purchased Service with third parties for commercial purposes.
4. ON WHAT LEGAL BASIS ARE THE DATA PROCESSED?
The processing of personal data for the purpose referred to in letter A of paragraph 2 is based on legal obligations to which ChorusWellness is subject.
The processing of personal data for the purposes referred to in letters B and C of paragraph 2 is carried out on the basis of a contract with the User and/or the performance of pre-contractual measures.
The provision of personal data by the User for the purposes referred to in paragraph 2, letters D, E and F (sending commercial communications, their personalization and communication of the User’s personal data to third parties for commercial purposes) is optional and ChorusWellness may process personal data for such purposes only with the User’s prior consent. If the User does not intend to consent to the processing of their personal data for such purposes, the Data Controller will not be able to send commercial communications, personalize them or disclose personal data to third parties for commercial purposes. Any consent given by the User for one or more of the purposes referred to in the aforementioned paragraph may be withdrawn at any time. Failure to provide such consent will have no consequences on the provision of the Data Controller’s services within the scope of the purpose referred to in paragraph 2, letter B.
The User’s personal data may also be processed on the basis of ChorusWellness’ legitimate interest in carrying out corporate transactions or managing/exercising its rights, for example in the context of corporate transactions (transfer of the company or business units), due diligence activities, or in the event of the defense of a right in court and related preparatory activities.
5. HOW ARE THE DATA PROCESSED?
In relation to the above purposes, data processing will mainly be carried out through electronic tools and, to a residual extent, in paper form, but in any case using tools suitable to ensure security and confidentiality.
6. TO WHOM ARE THE DATA DISCLOSED?
The personal data collected through the Website and/or otherwise provided by the User will be processed by persons authorized to process data within ChorusWellness and may be disclosed solely and exclusively for the purposes indicated and, where necessary, to the following categories of subjects: IT service providers (such as providers of restaurant table booking services); ChorusWellness developers and consultants, for example in the IT, legal, fiscal and tax fields; group companies such as, by way of example and not limited to, ChorusLife S.p.A.
Where required by law, data may also be disclosed to the competent Judicial Authorities, public administrations and supervisory and control authorities.
The User’s personal data will not be disseminated.
With regard to the personal data communicated to them, the subjects belonging to the categories listed above may operate, depending on the case, as data processors (and in such case they will receive appropriate instructions from ChorusWellness) or as independent data controllers. In the latter case, personal data will be communicated only with the express consent of the data subjects, except where disclosure is required by law or necessary, or for the pursuit of purposes for which consent is not required by law.
7. ARE THE DATA TRANSFERRED ABROAD?
ChorusWellness may transfer the User’s personal data to third countries. Transfers of data outside the European Economic Area are subject to a special regime under the Regulation and are carried out only to countries that ensure an adequate level of protection of personal data, on the basis of an adequacy decision of the European Commission or where appropriate safeguards have been adopted (including the standard contractual clauses provided by the European Commission), provided that data subjects have enforceable rights and effective legal remedies.
8. HOW LONG WILL MY PERSONAL DATA BE RETAINED?
The personal data collected will be retained in accordance with applicable legislation for a period not exceeding that necessary to achieve the purposes for which they are processed.
The criteria used to determine the retention period take into account the permitted processing period and the applicable statutes of limitation for rights and legitimate interests where they constitute the legal basis for processing. For example, in the event of account closure, the Data Controller will be entitled to retain information relating to the User in order to comply with legal obligations, where applicable (e.g. tax-related), as well as to protect itself in the event of the exercise of rights by the User until the expiry of the applicable limitation period (ten years).
With reference to commercial purposes, personal data will be processed until any withdrawal of consent, without prejudice to the fact that ChorusWellness will adopt procedures to inform the User of their rights, including the right to manage (and therefore also withdraw) their consent. In any case, in the absence of interaction between the User and the Data Controller for a period of 24 months, the relevant processing will be discontinued. In such circumstances, in the absence of other legal bases (for example User registration management), the data will be deleted or anonymized.
At the end of the retention period, the data will be deleted, anonymized or aggregated so as not to allow the identification of the User.
In relation to the personalization of the ChorusWellness experience, the Data Controller will use the information for a period of 12 months from its collection, without prejudice to the User’s right to withdraw consent at any time. At the end of the retention period, the data will be deleted, anonymized or aggregated so as not to allow the identification of the User.
9. WHAT ARE THE DATA SUBJECT’S RIGHTS?
Users may contact ChorusWellness at any time and free of charge to:
obtain confirmation as to whether or not personal data concerning them are being processed and, if so, obtain access to the information referred to in Article 15 of the Regulation, as well as a copy of the personal data being processed;
obtain the rectification of inaccurate personal data concerning them or, taking into account the purposes of the processing, the completion of incomplete personal data;
obtain the erasure of their personal data in the cases provided for by Article 17 of the Regulation;
obtain the restriction of processing of their personal data where one of the cases referred to in Article 18 of the Regulation applies;
object to the processing of their personal data for reasons related to their particular situation, where applicable, pursuant to Article 21 of the GDPR;
receive the personal data concerning them in a structured, commonly used and machine-readable format and transmit those data to another data controller without hindrance from the Data Controller, where technically feasible, in the cases and within the limits provided for in Article 20 of the Regulation, where applicable.
In addition, Users have the right to withdraw consent to the processing of their personal data (where given) at any time, without affecting the lawfulness of processing based on consent before its withdrawal. In the event of withdrawal of consent, the Data Controller undertakes to comply as soon as possible; however, technically it may take up to 24 hours for the User’s action to be updated in the Data Controller’s systems.
Requests to exercise the above rights must be sent by email to info@chorusspa.com.
Pursuant to the Regulation, ChorusWellness is not authorized to charge costs for complying with one or more of the requests set out in this paragraph, unless they are manifestly unfounded or excessive, in particular due to their repetitive nature. In cases where the User requests more than one copy of their personal data or in cases of excessive or unfounded requests, ChorusWellness may (i) charge a reasonable fee, taking into account the administrative costs incurred in handling the request or (ii) refuse to comply with the request. In such cases, ChorusWellness will inform the User of the costs before processing the request.
ChorusWellness may request additional information before fulfilling the requests, if it needs to verify the identity of the natural person who submitted them.
The exercise of the same rights may in any case be delayed, limited or excluded by reasoned communication provided without delay to the User, unless such communication would compromise the purpose of the limitation, for the time and within the limits in which this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the User, in order to safeguard any interests in conducting defensive investigations or exercising a right in court (and related preparatory activities). In such cases, the rights of the data subject may also be exercised by lodging a complaint with the Supervisory Authority.
Without prejudice to any other administrative or judicial remedy, the User also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) if they believe that the processing concerning them violates the General Data Protection Regulation. Further information is available on the website http://www.garanteprivacy.it.
In any case, ChorusWellness invites the User to contact it directly through the channels indicated above before contacting the Supervisory Authority, in order to resolve any dispute concerning personal data protection amicably and as quickly as possible.
09/01/2026