Privacy Policy
Last updated: 15.07.2026
1. Data Controller
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter, "GDPR") and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, "LOPD-GDD"), the following information about the data controller is provided:
- Controller: Iryna Baieva
- NIF/NIE: Z0055995P
- Address: Calle Castaños 5, 1º izq., oficina 1, 03001 Alicante, Spain
- Email for data protection inquiries: iryna.baieva20@gmail.com
- Trade name: Studio Pure Nails
2. Categories of Data Processed
Depending on how the user interacts with the business, the following categories of personal data may be processed:
2.1. Data provided when booking a service (through the website, WhatsApp, phone, or in person):
- First name and surname
- Contact phone number
- Email address
- Selected service, date and time of visit
2.2. Data obtained during the provision of the service:
- Visit history (dates, services received)
- Notes on client preferences (if applicable)
- Photographs of completed work (hands only, without face or other identifying features), taken with the client's explicit consent for subsequent publication in the portfolio and on social media
2.3. Health-related data
The Controller does not systematically collect or store data on clients' health. During the preliminary consultation, the client may voluntarily provide verbal information about possible contraindications (allergies to components of the materials used, condition of nails and skin) necessary for the selection of an appropriate procedure and materials. This information is used solely during the provision of the service and is not stored in electronic or paper form.
2.4. Data collected automatically when visiting the Website:
- IP address
- Browser type and operating system
- Date and time of visit
- Pages viewed
- Source of referral to the Website
This data is processed through cookies and analytical tools (see the Cookie Policy).
2.5. Data provided through the contact form (if applicable):
- Name
- Email address
- Message content
3. Purposes and Legal Bases of Processing
- Organising and providing the booked service — performance of a contract (Art. 6.1.b GDPR)
- Maintaining client history for repeat visits — legitimate interest of the Controller (Art. 6.1.f GDPR)
- Sending booking confirmations and reminders — performance of a contract (Art. 6.1.b GDPR)
- Fulfilment of tax and accounting obligations — legal obligation (Art. 6.1.c GDPR)
- Responding to inquiries through the contact form — user consent (Art. 6.1.a GDPR)
- Publication of photographs of completed work on social media and the Website — explicit client consent (Art. 6.1.a GDPR)
- Web analytics and improvement of the Website — user consent obtained through the cookie banner (Art. 6.1.a GDPR)
The Controller does not currently send any advertising or marketing communications (promotions, discounts, newsletters). Should such communication channels be launched, subscription will be based exclusively on the explicit consent of the user, with the possibility of withdrawal at any time.
4. Data Retention Period
Personal data is retained for the time necessary to fulfil the purposes for which it was collected:
- Client data and service history: throughout the client relationship and for up to 5 years after the last visit — for the purpose of potential resumption of the relationship and protection of the parties' legal interests.
- Data for tax accounting: for the periods established by Spanish tax law (generally 6 years).
- Data received through the contact form: until the inquiry is resolved and up to 1 year thereafter.
- Photographs published with client consent: until the client withdraws consent or the Controller decides to remove the relevant materials from the portfolio.
- Web analytics data: for the periods established by the corresponding cookies (see the Cookie Policy).
Upon expiration of these periods, the data is deleted or anonymised.
5. Data Recipients
Personal data is not transferred to third parties, except in cases provided for by law and to the following data processors acting on behalf of the Controller:
- Wix.com Ltd. — provider of the Website platform and the Wix Bookings online booking system. Data may be stored on servers within the EU and in other countries with which the EU has an adequate protection agreement. Wix Privacy Policy: https://www.wix.com/about/privacy
- Google LLC — provider of mapping data (Google Maps) when using the corresponding functions of the Website. Policy: https://policies.google.com/privacy
- Meta Platforms Ireland Limited (Facebook Pixel) — used for web analytics and remarketing on Meta services (Facebook, Instagram). Policy: https://www.facebook.com/privacy/policy
- External accounting service (gestoría / asesoría contable) — receives the data necessary to issue invoices and fulfil the Controller's tax obligations (name, NIF where applicable, amount and description of the service). Processing is regulated by a corresponding data processing agreement pursuant to Art. 28 GDPR.
Transfers of data outside the European Economic Area are carried out exclusively using appropriate legal safeguards provided for by the GDPR (standard contractual clauses, adequacy decisions).
6. User Rights
Under the GDPR, users have the following rights:
- Right of access — to obtain information on whether and how their data is being processed.
- Right to rectification — to request the correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — to request the deletion of data when there is no longer a legal basis for its processing.
- Right to restriction of processing — to request a temporary suspension of data processing.
- Right to data portability — to receive one's data in a structured, machine-readable format.
- Right to object to processing based on legitimate interest.
- Right to withdraw consent at any time, where processing is based on consent (withdrawal does not affect the lawfulness of processing carried out prior to withdrawal).
- Right to lodge a complaint with the supervisory authority — Agencia Española de Protección de Datos (AEPD), website: https://www.aepd.es
To exercise any of these rights, the user may send a request to: iryna.baieva20@gmail.com, attaching a copy of an identification document. A response will be provided within a maximum of one month from the receipt of the request.
7. Security Measures
The Controller applies technical and organisational measures aimed at protecting personal data from unauthorised access, alteration, loss, or disclosure. In particular:
- Restriction of access to the client database (only persons necessary for the provision of the service)
- Use of secure connections (HTTPS) on the Website
- Regular updating of passwords and security systems
- Storage of data on secure platforms that comply with GDPR requirements
Notwithstanding the measures taken, the Controller cannot guarantee absolute security of data transmission over the Internet.
8. Minors
The services offered through the Website are intended for persons over 18 years of age. Processing of minors' data is carried out only with the consent of their legal representatives.
9. Changes to the Policy
The Controller reserves the right to make changes to this Privacy Policy in order to adapt to changes in legislation or in data processing practices. The current version is always available on the Website. Users will be notified of significant changes through a visible message on the Website or by email.
10. Contact
For any questions related to the processing of personal data, you may contact:
- Email: iryna.baieva20@gmail.com
- Postal address: Calle Castaños 5, 1º izq., oficina 1, 03001 Alicante, Spain