I. INTRODUCTION

This Privacy & Cookies Policy describes how F&A Consulting Srl (P.IVA 08705771007),
with registered office at Via delle Terme di Traiano 4A – 00184 Rome, manages the personal data of users accessing both the main website https://www.thesanctuaryecoretreat.com  and the Membership Platform https://membership.thesanctuaryecoretreat.com .
All processing activities are carried out in compliance with Regulation (EU) 2016/679 (“GDPR”), Legislative Decree 196/2003 as amended, and applicable European and Italian data protection laws.

II. DATA CONTROLLER AND DPO

Data Controller: F&A Consulting Srl, Via delle Terme di Traiano 4A – 00184 Rome.
Data Protection Officer (DPO): F&A Consulting Srl, Via delle Terme di Traiano 4A – 00184 Rome. For any inquiries or to exercise your rights under the GDPR, please contact:
privacy@thesanctuaryecoretreat.com  or sanctuaryevoodooromasrl@legalmail.it  or dpo@thesanctuaryecoretreat.com

III. SCOPE OF APPLICATION

This policy applies to all users interacting with The Sanctuary’s digital ecosystem, including:
– visitors and customers of the main website (information, events, restaurants, wellness, and bookings);
– registered members using the Membership Platform for account management, payments (via Stripe), rewards (via iPratico), and newsletter communications (via Mailchimp).

IV. DATA CATEGORIES AND PURPOSES

Personal data processed include identification and contact information (name, surname, email, phone, city, age),  navigation data (IP address, browser, device type), membership and booking data (plan, payments, rewards, preferences),  and voluntarily provided data (contact forms, newsletters, event participation).
Data are processed lawfully, fairly, and transparently for:
1. Managing bookings, reservations, and event participation;
2. Managing membership accounts, renewals, and rewards;
3. Processing payments securely through Stripe;
4. Sending newsletters and marketing communications (via Mailchimp);
5. Ensuring website and platform security, performance, and maintenance;
6. Fulfilling legal and contractual obligations;
7. Preventing fraud or unauthorized access.
Data are never sold or disclosed to unauthorized third parties.

V. RECRUITMENT AND JOB APPLICATIONS (WORK WITH US SECTION)

Through the “Work with Us” section available in the website, candidates can submit their personal information and CVs for evaluation.
The data voluntarily provided (including personal details, education, professional experience, and any additional documents or messages) are processed exclusively for recruitment and selection purposes by F&A Consulting Srl as Data Controller.  The data will be stored securely for up to 36 months and will not be shared with third parties without explicit authorization.  Processing is based on the candidate’s consent under Article 6(1)(a) GDPR and, if special categories of data  (e.g. health or photographs) are included, on Article 9(2)(a) GDPR. Candidates may withdraw consent or request data deletion at any time by contacting:  privacy@thesanctuaryecoretreat.com

VI. LEGAL BASIS

Processing is carried out under the following legal bases (Articles 6–7 GDPR):
– consent for marketing or optional services;
– contractual necessity for membership and booking management;
– legal obligations (invoicing, accounting);
– legitimate interest (security, analytics, optimization).

VII. COOKIES POLICY

Cookies are small text files stored on the user’s device to enhance navigation and functionality.
The Sanctuary’s websites use the following types of cookies:
– Technical cookies: required for access, login, and site functionality;
– Analytical cookies (Google Analytics): aggregated data for performance monitoring. Policy: https://policies.google.com/privacy;
– Profiling cookies (Google Ads, Meta): to provide personalized ads. Info: https://adssettings.google.com;
– Social media cookies (Facebook, Instagram, YouTube, Pinterest): for sharing and interaction.
Users can manage cookies through their browser settings (Chrome, Firefox, Safari, Edge, Opera).

VIII. SECURITY AND HOSTING

Access logs, IPs, and security data are collected to protect the platform from unauthorized access or attacks. All information is encrypted and hosted in secure cloud environments managed by Philmark Group (CriticalCase),  with TLS 1.3 and advanced backup protocols.

IX. DATA RETENTION

Data are stored only for the time necessary for processing:
– Membership and billing data: 10 years;
– Marketing data: until consent withdrawal;
– Logs and cookies: up to 12 months.

X. USER RIGHTS (GDPR 15–22)

Users have the right to access, rectify, erase, restrict, object to processing, or request data portability.  They may also withdraw consent at any time or file a complaint with the Italian Data Protection Authority (www.garanteprivacy.it ). Requests should be sent to: privacy@thesanctuaryecoretreat.com  or sanctuaryevoodooromasrl@legalmail.it .

XI. DATA TRANSFER OUTSIDE THE EU

Data are not transferred outside the EU unless the use of third-party services (e.g., Google, Stripe, Mailchimp)  requires transfer under Standard Contractual Clauses (SCC) ensuring adequate protection.

XII. POLICY UPDATES

The Sanctuary reserves the right to modify this policy for legal or technical reasons.  Updates will be published at https://www.thesanctuaryecoretreat.com/privacy-policy  and https://membership.thesanctuaryecoretreat.com/privacy-policy .
Last update: October 2025.

XIII. CONTACT DETAILS

F&A Consulting Srl – Via delle Terme di Traiano 4A – 00184 Rome
Email: privacy@thesanctuaryecoretreat.com  / dpo@thesanctuaryecoretreat.com