Who we are
Wellness by NOOK (wellnessbyNOOK) is a wellness sub-brand of NOOK Prefab. We build one product: a 10 m² outdoor sauna, built across our production bases in Valencia (Spain), Black Forest (Germany), and Sarasota (Florida). This site is operated as part of the NOOK Prefab business.
For privacy queries: [email protected]. Parent company: NOOK Prefab.
What we collect, and why
Lead-form submissions
When you submit the form at /contact (or any email-based enquiry), we collect your name, email address, the audience-segment radio you selected, and any optional property name, location, or notes you include. We use this only to respond to your enquiry, send the operator dossier when you have requested it, and, for hospitality operators, follow up about the next stage of the sales process.
Site analytics
Cloudflare Web Analytics is planned but is not enabled yet. If we enable it, we intend to use Cloudflare's cookieless analytics product: no analytics cookies, no visitor fingerprinting, and only aggregate traffic metrics (page views, top referrers, country-level geography) for internal reporting. We do not run Google Analytics, Meta Pixel, or any cross-site tracker on this site.
What we do not collect
No biometric data. No health information. No payment information (we do not process payments through this site; transactions occur offline once you have signed the dossier-stage statement of work). No data from children — this site is a general business brochure targeted at adult buyers (hospitality operators, private estate owners, and architecture studios), not children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has sent us personal information, email us and we will delete it.
Who processes your data on our behalf
Klaviyo (planned lead capture + dossier delivery)
Today, the contact form opens your email client and sends your enquiry directly to [email protected]. The planned lead-capture workflow will send form submissions to Klaviyo (Klaviyo Inc., 125 Summer Street, Floor 6, Boston, MA 02110, USA) through a Cloudflare Worker. If you submit the form after that workflow is enabled, Klaviyo will process your contact details and enquiry context for lead capture, dossier delivery, and sales follow-up. Klaviyo's own privacy practices are at klaviyo.com/privacy/policy. Klaviyo states that it participates in the EU–US Data Privacy Framework, the UK Extension, and the Swiss–US Data Privacy Framework, and that it uses standard contractual clauses where needed.
Cloudflare (hosting + planned lead-form Worker)
The site is hosted on Cloudflare Pages (Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA). Cloudflare processes the network-level metadata required to serve the site, such as IP address, request headers, region, and security events. The planned lead-capture workflow will use Cloudflare Workers and Cloudflare Turnstile for bot mitigation, but that workflow is not live yet. Cloudflare's privacy posture is at cloudflare.com/privacypolicy.
Sub-processors
Our current direct infrastructure provider is Cloudflare. Klaviyo is planned for the lead-capture workflow but is not currently receiving form submissions from this site. If we add another direct processor, such as Sentry for Worker error monitoring, we will update this page.
Legal basis for processing (UK GDPR / EU GDPR)
- Email enquiries, dossier delivery, and sales follow-up: performance of pre-contract steps at your request (Article 6(1)(b)).
- Planned internal analytics: legitimate interest in measuring how the site performs commercially (Article 6(1)(f)), balanced against your privacy by using a cookieless, non-fingerprinting tool if Cloudflare Web Analytics is enabled.
- Legal record-keeping: compliance with applicable record-keeping obligations (Article 6(1)(c)) for tax, accounting, and contractual purposes.
How long we keep it
- Email enquiries: for as long as your enquiry is open, plus 24 months after the last meaningful contact, unless you ask us to delete it sooner and we do not need to keep it for legal, tax, accounting, warranty, or dispute reasons.
- Future active lead in Klaviyo: if the planned workflow is enabled, for as long as your enquiry is open, plus 24 months after the last meaningful contact, unless you ask us to delete it sooner and no exception applies.
- Customers post-install: for the warranty period and any legally required record-keeping period, then deleted or archived unless we need the record for a dispute, legal claim, tax, accounting, or service obligation.
- Planned cookieless analytics: if Cloudflare Web Analytics is enabled, Cloudflare retains aggregate analytics according to Cloudflare's own retention policy.
Your rights
Under UK GDPR and EU GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to overriding legal obligations.
- Restrict our processing.
- Port your data to another controller in a structured, machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent at any time where consent was the basis for processing.
- Lodge a complaint with your local supervisory authority (UK: the ICO at ico.org.uk; Spain: the Agencia Española de Protección de Datos at aepd.es; or your country's equivalent).
Under CCPA / CPRA, California residents additionally have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, and the right to opt out of "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising). We honor Global Privacy Control signals as opt-out preference signals for sale or sharing; because we do not sell or share personal information, a GPC signal does not change the site's behavior today. We do not respond to legacy "Do Not Track" headers because there is no common technical standard for them. You may exercise these rights without discriminatory treatment.
To exercise any of these rights, email [email protected] with the subject "Data subject request". We will respond within one month of receipt for EU/UK requests, with any legally permitted extension where a request is complex or numerous, and within 45 days for CCPA requests where the CCPA applies.
California Notice at Collection
We collect the following categories of personal information from site visitors and prospects:
- Identifiers: name, email address, and any property or project name you provide.
- Internet or network activity: technical request metadata processed by Cloudflare to serve and protect the site.
- Commercial information: enquiry context, audience segment, dossier request, project location, anticipated installation timing, and notes you choose to send.
- Geolocation at coarse level: country or region inferred by Cloudflare for routing and security, not precise GPS location.
- Professional or business information: role, company, property, or architecture-studio details if you choose to provide them.
- Sensitive personal information: we do not ask for it and do not use sensitive personal information to infer characteristics.
We collect this information directly from you when you email us or use the contact form, and from your browser or network connection when Cloudflare serves the site. We use it for the business purposes described above: responding to enquiries, pre-contract sales correspondence, site security, hosting, record-keeping, and planned cookieless analytics. We do not sell it, share it for cross-context behavioral advertising, or use it for automated decision-making that produces legal or similarly significant effects.
International transfers
Cloudflare, and planned processor Klaviyo, are US-headquartered. Transfers from the UK/EU/EEA to the US rely on the EU–US Data Privacy Framework (DPF) and the UK Extension to the DPF where the relevant provider is certified and the transfer is covered, plus standard contractual clauses where DPF coverage is not applicable. We have not found evidence that the DPF has been invalidated as of 2026-05-27, but transatlantic transfer law remains litigation-sensitive.
Security
The current contact form opens your mail client; no form payload is posted to our server from the site. The planned Cloudflare Worker will verify a Cloudflare Turnstile token, run a per-IP rate limit, and validate payloads against a strict schema before forwarding to Klaviyo. When implemented, the Klaviyo private API key must be stored as a Cloudflare Worker secret and never sent to the browser. Site traffic uses TLS, and Cloudflare Pages is configured with HSTS via the Strict-Transport-Security response header.
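The strict schema validation and per-IP rate limit described above, as an added example that is not this site's Worker code. The field names, segment values and length limits are assumptions based on the form fields listed in this policy; Turnstile verification needs a network call and is left out.

```javascript
// Added example: field names, segment values and limits are assumptions, not the site's schema.
const SEGMENTS = new Set(["hospitality", "private-estate", "architecture-studio"]);
const FIELDS = {
  name: { required: true, max: 120 },
  email: { required: true, max: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  segment: { required: true, max: 32, oneOf: SEGMENTS },
  property: { max: 160 },
  location: { max: 160 },
  notes: { max: 2000 },
};

// Strict validation: plain object only, no unknown keys, strings only, length caps.
function validateLead(payload) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, errors: ["payload must be a JSON object"] };
  }
  const errors = [];
  const lead = {};
  for (const key of Object.keys(payload)) {
    if (!Object.prototype.hasOwnProperty.call(FIELDS, key)) errors.push(`unknown field: ${key}`);
  }
  for (const [key, rule] of Object.entries(FIELDS)) {
    const value = payload[key];
    if (value !== undefined && typeof value !== "string") { errors.push(`not a string: ${key}`); continue; }
    const text = (value ?? "").trim();
    if (text === "") { if (rule.required) errors.push(`missing field: ${key}`); continue; }
    if (text.length > rule.max) errors.push(`too long: ${key}`);
    else if (rule.pattern && !rule.pattern.test(text)) errors.push(`bad format: ${key}`);
    else if (rule.oneOf && !rule.oneOf.has(text)) errors.push(`bad value: ${key}`);
    else lead[key] = text;
  }
  return errors.length ? { ok: false, errors } : { ok: true, lead };
}

// Fixed-window per-IP limiter; in a Worker the key would be the CF-Connecting-IP header.
// A Map lives in one isolate only, so a deployed limit needs shared state (assumption: demo).
function createRateLimiter(limit, windowMs, now = Date.now) {
  const hits = new Map(); // ip -> { start, count }
  return function allow(ip) {
    const t = now();
    const entry = hits.get(ip);
    if (!entry || t - entry.start >= windowMs) {
      hits.set(ip, { start: t, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= limit;
  };
}
```

Only the cleaned `lead` object, never the raw request body, would be forwarded to the downstream processor.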
Changes to this policy
We will post material changes here and update the "Last updated" date at the top of the page. If we add a new processor or extend retention, we will notify operators we have an active lead relationship with by email.
This policy is published in good faith. It has not yet been reviewed by external counsel; the operator behind wellnessbyNOOK will arrange counsel review before any large-scale outreach launches. If you spot an error, please email [email protected] so we can correct it.