Privacy Policy

This Privacy Policy explains how Zota Group JSC (“Zota Group”, “us”, “we” or “our”) and its affiliates collect, use, disclose, transfer, protect, store, and otherwise process your information when using our Services. Zota Group JSC is committed to the privacy and secure processing of the personal data it maintains for its Customers openly and transparently. It is also committed to the collection and processing of personal data in full compliance with the General Regulation on the Protection of Personal Data of the European Union (Regulation 2016/679) (hereafter referred to as "the Regulation") and the legislation in force in Cyprus that governs the collection and processing of Personal Data of individuals.

This Privacy Policy was updated on 12 May 2023.

Definitions

"Services" means eSpa247 point of sale and inventory management products and services, and any features, technologies, or functionality provided by those products or services, offered by us from time to time, including the eSpa247 POS, eSpa247 Dashboard, eSpa247 Schedule, and eSpa247 Walk-in applications ("Apps") and eSpa247.com ("Website").

"Customer” or “Merchant’’ means the person or entity who registers to use the Service by creating an eSpa247 account. If you are creating an account or using the Services on behalf of a business, you agree that you are accepting these Terms and have the authority to enter into these Terms, on behalf of the business, which will be deemed to be the Customer, and will be bound by these Terms.

"You" means the Customer and (where the context permits) includes any Authorised Users.

Identifying the Data Controller and Data Processor

For the purposes of EU Privacy Law, depending on the category of Personal Data described in this Privacy Policy, we are operating as a Controller or as a Processor.
In general, Zota Group is the Controller for Customer (Merchant) Information and Processor for Consumer and Employee Information where the Controller is the Customer (Merchant).
For questions regarding the processing of personal data and the exercise of your rights under the GDPR, you may contact us via the email address privacy@espa247.com.

Types of Personal Data Collected

We collect and use several types of data for the individuals we cooperate with, including information by which subjects may be identified ("Personal Data" means any Data relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person), such as your first and last name, identity number, e-mail address, address and province and telephone number.

We are committed to protecting the privacy of the individuals on our websites, mobile applications, products, and services. By registering to use our Services you acknowledge the collection, transfer, processing, storage, disclosure, and other uses of your information.

  • Customer information, being personal information relating to our Customers/Merchants (where applicable). We collect this information so that we can provide our Services to those Customers.
  • Consumer information, being personal information relating to consumers with whom our Customers interact (such as consumers of their products or services) including their email address, phone number, or other information.
  • Employee information, being personal information relating to employees of our Customers, including email address, phone number, or other information.
  • Guests, being personal information relating to the visitors of our webpages and participants at eSpa247. Town and/or any other blogs or interactive platforms we have or may launch.

Our customers are solely responsible for establishing policies for and ensuring compliance with all applicable laws and regulations, as well as all privacy policies, agreements, or other obligations, relating to the collection of personal data in connection with the use of our Services by individuals with whom our Customers interact.

We collect information under the direction of our Customers and have no direct relationship with individuals whose personal data we process in connection with the use of our Services. If you are a Customer providing information (including personal data) about someone else, you must have the legal ability to do so and, if necessary, inform them about how their data will be used (as described in this Privacy Policy).

If you are an individual who interacts with a Customer using our Services (for instance, if you’re an employee or consumer of a retail store), that Customer is the controller of your data and you should contact them directly (e.g., the owner or manager of the retail store) for assistance with any requests or questions relating to your data.

Guests are solely responsible for the personal data they provide on the blogs or other interactive media and that we do not collect for providing the blog capability, such as the blog content.

How and what information do we collect

1. We collect information about you when you register for an account, create or modify your profile, set preferences, sign up for or make purchases through the Services (Contact information such as name, email address and country, profile information such as business phone number, and preferences information such as notification and marketing preferences). Such information might be provided to us directly through eSpa in case you have previously consumed eSpa services (https://legal.eSpa.com/uk/privacy).

Operational data. We store the information you upload to or send through our Services (information about products and services the Customer sells, including inventory, pricing, sale, transaction, tax, and other data, and information about the Customer or the Customer’s business, such as employees, consumers, and suppliers).

Information for Support. When you contact our customer support, you may choose to submit information regarding a problem you are experiencing with a Service (contact information, problem summary, any documentation, screenshots, or information that would help resolve the issue).

Payment Information. We collect certain payment and billing information when you subscribe to certain paid Services. You might also provide payment information, such as payment card details, which we collect via secure payment processing services.

Contribution to a discussion. You might contribute to an online discussion at eSpa247. Town or any other interactive media or blog about the Service we are providing to you. The content of the discussion might include personal data you input.

Other submissions. We ask your consent to collect personal information from you when you submit web forms on our websites or when you participate in any interactive features of our Services, participate in a survey, promotion, activity, or event, request customer support, communicate with us via third party social media sites, or otherwise communicate with us.

2. Information We Collect Automatically When You Use Our Services:

Access log: We gather certain information and store it in log files when you interact with our websites and Services or eSpa apps. This information includes Internet protocol (IP) addresses as well as browser type, URLs of referring/exit pages, operating system, language and location preferences, time/date stamp, search history, device identification numbers, and system configuration information. Occasionally, we connect personal information to information gathered in our log files as is necessary to improve our Services. If we do this, we will treat the combined information in accordance with this Privacy Policy.

Cookies: Cookies are used by our organization and by our third-party partners (for example, our analytics partners) to collect information. A cookie is a small text file that is stored on your hard drive or in device memory for record-keeping purposes. We use cookies to give you better and more personalized use of the Services, to save you from logging in every time, and to count the number of visits. Please refer to our Cookies Policy for more information.

3. Information We Receive from Other Sources

We collect information from other sources, such as our business partners. We do not control, supervise, or respond to how the third parties providing your information process your data, and any information request regarding the disclosure of your personal information to us should be directed to such third parties.

Legal Basis for processing

We collect and process information about you only where we have legal bases for doing so under applicable EU laws. The legal bases depend on the Services you use and how you use them. This means we collect and use your information only where:

  • It is necessary to provide you the Services, including operating the Services, providing customer support and personalized features, and protecting the safety and security of the Services.
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services, and to protect our legal rights and interests.
  • We need to process your data to comply with a legal obligation; or
  • You give us consent to do so for a specific purpose.

If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.

How we use your personal information

We are continually striving to improve Services. We may use information about you for purposes such as:

  • Enabling you to access and use our Services
  • Enabling you to access and use other eSpa services as per the eSpa Privacy Policy
  • Displaying historical sale information
  • Sending you marketing, advertising, educational content and promotional messages, and other information that may be of interest to you, including information about us, our Services, or general promotions for business partner campaigns and services, and only if you have consented. You can unsubscribe or opt out from receiving these communications at any time
  • Measuring, customizing, and improving the Services and developing new products
  • Sending you service, support, and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you
  • Investigating and preventing fraudulent transactions, unauthorized access to Services, and other illegal activities
  • Providing the capability for online discussion with other customers and/or users.
  • With your consent, we may use information about you for a specific purpose not listed above. For example, we may publish testimonials or featured customer stories to promote the Services, with your permission.

Sharing & disclosure of your information

When you use the Services, we may share your information only as described below:

Service Providers, Business Partners, and Others

We use and work with third-party service providers and our trusted Business Partners to provide application development, hosting, website, infrastructure, maintenance, backup, payment processing, customer relationship management, marketing, accounting, human resources, business intelligence and analytics, data enrichment, customer support and other services for us. These service providers may have access to or process your information to provide those services for us. Some of our pages use white-labeling techniques to serve content from our service providers while providing the look and feel of our site. Please note that you are providing your information to these third parties acting on our behalf. These third parties are located in countries that may be outside of your location.

We also share your contact information with select trusted Business Partners, such as our partners who integrate with Services, to enable them to contact you about their services (as they relate to your Services).

Compliance with Laws and Protection of Rights

In certain situations, we may be required to use and disclose your information (including personal information) to a third party if we believe the disclosure is reasonably necessary:

  • To comply with any applicable law, legal process (for example, subpoenas and warrants), or governmental request
  • To enforce and administer our agreements, policies, and terms of use
  • To protect the property, rights, and safety of our Customers or the public from harm or illegal activities
  • For fraud prevention, risk assessment, investigation, customer support, product development, or debugging purposes
  • To protect our rights, property, or safety, or those of our users or members of the public
  • To establish or exercise our legal rights or defend ourselves against any third-party claims or allegations

Business Transfers

If we undertake or are involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may transfer or share some or all of our assets, including your personal information. In this event, we will notify you if your personal information is transferred and becomes subject to a different privacy policy.

Non-Identifying or Aggregated Data

We may share aggregated or other non-personal information that does not directly identify you with third parties to improve our Services.

Internal eSpa Parties

All eSpa Group companies have a legitimate business interest in accessing the data and may do so for the purposes and in the way described in this Privacy Notice. eSpa Group companies shall be taken to include any entity that directly or indirectly controls, is controlled by, or is under common control with eSpa from time to time, whether located in or outside of the United Kingdom. When we transmit data between our group entities located inside and outside of the EEA, this sharing is governed by our intra-group data sharing and processing agreement which is drafted in compliance with the GDPR and includes the relevant safeguards necessary for transfers outside the EEA.

We require all third parties to respect the security of your data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and, unless otherwise notified to you, only permit them to process your personal data for specified purposes and in accordance with our instructions.

Your privacy rights

Subject to the provisions of the General Data Protection Regulation, you have the following rights in regard to your Personal Data. (Please note, these rights are not absolute and, in some cases, they are subject to conditions as defined by law.)

  • Right of Access: You have the right to access your own Personal Information through the platform, as well as the right to request a copy of your personal information that is maintained and processed by us.
  • Right to Erasure: You have the right to request the deletion of Personal Data only if one of the following reasons is true:
    • Personal Data are no longer necessary in relation to the purposes for which they were collected or processed.
    • If the processing is based on your consent and you have withdrawn this consent (on which processing is based) in accordance with Articles 6.1.a and 9.2.a of the Regulation and if no other legal basis for processing applies.
    • If you object to processing in accordance with Article 21.1 of the Regulation and there are no compelling and legitimate reasons for processing.
    • If Personal Data has been processed illegally.
    • If Personal Data should be deleted in compliance with a legal obligation under Union law to which our company is subject.
    • If the Personal Data have been collected in relation to the provision referred to in Article 8.1 of the Regulation.
  • Right to Object: Object to the processing of your Personal Data for marketing purposes or on grounds relating to your situation.
  • Right to Restriction of Processing: Request the restriction of the processing of your Personal Data in specific cases.
  • Right to Data Portability: Receive your Personal Data in a machine-readable format and send it to another controller (data portability).
  • Right to Object and Automated Individual Decision-Making (Including Profiling): Request that decisions based on automated processing concerning you or significantly affecting you and based on your Personal Data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.

If you are an individual who interacts with a Customer using our Services - for instance if you’re an employee or consumer – that Customer is the controller of your information. If this is the case, please direct your data privacy request and questions to that controller.

You can request to exercise these rights by emailing privacy@eSpa247.com.

Our global operations (including transfers of data from your home country to another)

To bring you Services, we operate globally. To do so, your personal information may be transferred to, and processed in countries other than the country you live in, outside of your home country, including the United States. These countries may have laws different from what you’re used to. Rest assured, where we disclose personal data to a third party in another country, we put safeguards in place to ensure your data remains protected.

Specifically, Zota Group hosts data with Amazon Web Services in Germany. If you are a non-EU resident, this means that your personal information will be transferred to the EU. The servers on which personal information is stored are kept in a controlled environment.

European Economic Area (EEA) users: This means that your information may be transferred outside of the EEA. Where your personal information is transferred outside the EEA, it will only be transferred to countries that have been deemed to provide adequate protection for EEA information (Adequacy Decision Countries), or to a third party where we have approved transfer mechanisms in place to protect your personal information – i.e., European Commission’s Standard Contractual Clauses.

Americas Economic Area (EUS) users: This means that your information may be transferred outside of the EUS. Where your personal information is transferred outside the EUS, it will only be transferred to countries that have been deemed to provide adequate protection for EEA information (Adequacy Decision Countries), or to a third party where we have approved transfer mechanisms in place to protect your personal information – i.e., Americas Commission’s Standard Contractual Clauses.

How long we retain your information

We generally retain your information only as long as reasonably necessary to provide you the Services or to comply with applicable law.

However, even after you cancel your account, we can retain copies of information about you and any transactions or Services in which you may have participated for a period that is consistent with applicable law, the applicable statute of limitations, or as we believe is reasonably necessary to comply with applicable law, regulation, legal process, or governmental request, to resolve disputes, to address problems with our Services, to assist with investigations, to enforce our Terms of use or other applicable agreements or policies, or to take any other actions consistent with applicable law.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it.

Children’s use of the services

Services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information. If you know that a child has provided us with personal information, please contact us at dpo@espa247.com.

Security

We take appropriate technical and organizational security measures (including physical, electronic, and procedural measures) to safeguard your Personal Information from unauthorized access, unlawful use, intervention, modification, or disclosure, in accordance with the requirements of the Regulation.

Where data is transferred over the Internet as part of the Services, the data is encrypted using industry-standard TLS (HTTPS).

Updates to our privacy policy

We reserve the right to change this Privacy Policy from time to time, and if we do, we will post any changes on this webpage. If you disagree with these changes, you can cancel your account at any time and/or stop your use of our Services. Your continued use of the Services after any changes to the Privacy Policy constitutes your acceptance of such changes.