PRIVACY POLICY AND PERSONAL DATA PROTECTION

Last Updated: 2026

1. IDENTIFICATION OF THE DATA CONTROLLER

In accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), users are informed that the party responsible for the processing of their personal data is:

• Name: Massage Alliance

• Registered Office: [Complete legal address, Spain]

• Contact Email (Privacy): [email privacidad]

Massage Alliance acts as the Data Controller regarding personal data collected through its website, as well as the procedures for membership, certification, and the use of the Quality Seal.

2. PURPOSE AND LEGAL BASIS FOR PROCESSING

Personal data will be processed for the following purposes and under the indicated legal bases:

• a) Execution of a contractual or pre-contractual relationship (Art. 6.1.b GDPR): Management of membership applications; verification of professional and educational credentials; issuance, maintenance, monitoring, and, where appropriate, revocation of the Quality Seal; and administrative, accounting, and billing management.

• b) Legitimate interest of the controller (Art. 6.1.f GDPR): Conducting internal quality audits; prevention of fraud, misuse, or forgery of the Seal; and maintaining the integrity, reliability, and credibility of the registry of certified professionals. This processing is based on a balancing test, concluding that the legitimate interest of Massage Alliance does not override the fundamental rights and freedoms of the data subjects.

• c) Compliance with legal obligations (Art. 6.1.c GDPR): Compliance with tax, accounting, and administrative regulations; and responding to requirements from judicial or administrative authorities.

• d) Consent of the data subject (Art. 6.1.a GDPR): Sending informative or commercial communications; and publication of the professional profile in the public directory of certified professionals. Consent may be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3. CATEGORIES OF DATA PROCESSED

Massage Alliance may process the following categories of data:

• Identification data: Name, surname, ID or passport number, professional photograph.

• Contact data: Professional address, email, telephone number.

• Professional data: Degrees, certifications, insurance policies, work experience.

• Location data: Workplace location for display on maps.

• Economic data: Data necessary for billing and payment management. Massage Alliance does not store full bank card details, delegating payment management to external payment gateways certified under the PCI-DSS standard.

4. THIRD-PARTY DATA AND RESPONSIBILITY OF ASSOCIATED ENTITIES

When a Spa, School, or associated entity provides personal data of employees or collaborators (e.g., massage therapists), said entity declares and guarantees that:

• It has previously informed the data subjects about the processing of their data.

• It has a valid legal basis for such communication (consent or contractual obligation).

• The data provided is accurate and up to date. In the event of third-party claims arising from the breach of these obligations by the associated entity, said entity shall assume the corresponding legal responsibility, without prejudice to Massage Alliance’s own responsibilities under the GDPR.

5. INTERNATIONAL DATA TRANSFERS

Given the international nature of the platform, personal data may be processed on servers located outside the European Economic Area (EEA). In such cases, Massage Alliance guarantees that international transfers will be carried out in accordance with the mechanisms provided by European regulations, in particular:

• Adequacy decisions by the European Commission (including the Data Privacy Framework, where applicable), or

• The execution of Standard Contractual Clauses or other legally recognized guarantees, ensuring at all times a level of protection equivalent to that required in the European Union.

6. DATA RETENTION PERIOD

Personal data will be kept as long as the status of Member is maintained and the Quality Seal is valid. Upon termination of the relationship, the data will be blocked and kept exclusively for the periods legally required to address possible legal, contractual, or tax responsibilities. After such periods, the data will be securely deleted.

7. RIGHTS OF DATA SUBJECTS

Data subjects may exercise their rights of Access, Rectification, Erasure (Right to be Forgotten), Objection, Restriction of Processing, and Data Portability by sending a written request to [email privacidad], attaching a copy of a document proving their identity. They also have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if they consider that the processing of their personal data infringes current regulations.

8. SECURITY MEASURES

Massage Alliance applies appropriate technical, organizational, and administrative measures to guarantee the security of personal data, including communication encryption (SSL/TLS), access controls, and monitoring systems. However, the user acknowledges that even with measures proportional to the state of the art, it is not possible to guarantee absolute security against unforeseeable cyber incidents, without prejudice to the legal responsibilities that may apply under Article 82 of the GDPR.

9. COMMUNICATION OF DATA TO THIRD PARTIES

Personal data will not be sold or transferred to third parties, except in the following cases:

• Technological or administrative service providers acting as Data Processors, under contract.

• Public authorities, when there is a legal obligation.

• Publication in the public directory of certified professionals, only with the express consent of the data subject.

10. VERACITY OF INFORMATION AND CONSEQUENCES

The user is solely responsible for the veracity, authenticity, and legality of the data, documents, and degrees provided. The detection of false, manipulated, or fraudulent information may lead to the immediate revocation of the Quality Seal, the loss of Member status, and, where appropriate, the exercise of corresponding legal actions.

11. COOKIES POLICY

This website uses technical cookies necessary for its operation and, with the user’s prior consent, analytical cookies or other non-essential cookies. The user may manage their preferences through the enabled configuration panel. For more information, please refer to the Cookies Policy, available independently.

12. MINORS

The services offered by Massage Alliance are not directed at minors. Personal data from minors is not intentionally collected.

13. AMENDMENTS TO THE PRIVACY POLICY

Massage Alliance reserves the right to modify this Privacy Policy to adapt it to legislative or jurisprudential changes. Amendments will be published on this same page and, when legally required, communicated to the members.