Current International Covid-19 Travel Requirements Here

Privacy Policy

Privacy Policy

This Privacy Policy describes how XpresSpa Group, Inc. (collectively with its subsidiaries, “XpresSpa Group,” “we,” “us,” or “our”) collects, uses, shares, and safeguards personal information.  This Privacy Policy also tells you about your rights and choices with respect to your personal information, and how you can reach us to get answers to your questions.  You can jump to particular topics by going to the headings below:

 

XpresSpa Group is committed to protecting all information we collect, use, and share. XpresSpa Group will deploy reasonable safeguards aligned with industry standards in order to maintain the security and privacy of information processed by XpresSpa Group. XpresSpa Group will continue to practice privacy by design to ensure only the necessary Information is being collected and/or transmitted.

 

Types Of Information We Collect.

The following provides examples of the type of information that we collect from you and how we use that information. 

Context

Types of Data

Primary Purpose for Collection
and Use of Data

Account Registration

We collect your name and contact information when you create an account.  We also collect information relating to the actions that you perform while logged into your account.

We have a legitimate interest in providing account related functionalities to our users. Accounts can be used for easy checkout and to save your preferences and transaction history. 

Client Information

We collect the name, and contact information, of our clients and their employees with whom we may interact. 

We have a legitimate interest in contacting our clients and communicating with them concerning normal business administration such as projects, services, and billing.

Cookies and first party tracking

We use cookies and clear GIFs. “Cookies” are small pieces of information that a website sends to a computer’s hard drive while a web site is viewed.

We have a legitimate interest in making our website operate efficiently.

Cookies and Third Party Tracking

We participate in behavior-based advertising, this means that a third party uses technology (e.g., a cookie) to collect information about your use of our website so that they can provide advertising about products and services tailored to your interests on our website, or on other websites. 

Where required by law, we base the use of third party cookies upon consent. 

Demographic Information

We collect personal information, such as your age or location. 

We have a legitimate interest in understanding our users and providing tailored services.

Distance Information

When you use one of our Apps we collect your location from the GPS, Wi-Fi, and/or cellular technology in your device to determine your location and your distance from a store that sells our products. 

We have a legitimate interest in understanding our users and providing tailored services.  In some contexts our use is also based upon your consent to provide us with geo location information.

Email Interconnectivity

If you receive email from us, we use certain tools to capture data related to when you open our message, click on any links or banners it contains and make purchases.

We have a legitimate interest in understanding how you interact with our communications to you.

Employment

If you apply for a job posting, or become an employee, we collect information necessary to process your application or to retain you as an employee.  This may include, among other things, your Social Security Number.  Providing this information is required for employment.

We use information about current employees to perform our contract of employment, or the anticipation of a contract of employment with you.  In some contexts, we are also required by law to collect information about our employees.  We also have a legitimate interest in using your information to have efficient staffing and work force operations.

Feedback/Support

If you provide us feedback or contact us for support we will collect your name and e-mail address, as well as any other content that you send to us, in order to reply.

We have a legitimate interest in receiving, and acting upon, your feedback or issues.

Mailing List

When you sign up for one of our mailing lists we collect your email address or postal address.   

We share information about our products and services with individuals that consent to receive such information.  We also have a legitimate interest in sharing information about our products or services.

Mobile Devices

We collect information from your mobile device such as unique identifying information broadcast from your device when visiting our website or when visiting one of our stores.

We have a legitimate interest in identifying unique visitors, and in understanding how users interact with us on their mobile devices.

Order Placement

We collect your name, billing address, shipping address, e-mail address, phone number, and credit card number when you place an order.

We use your information to perform our contract to provide you with products or services.

Partner Promotion

We collect information that you provide as part of a co-branded promotion with another company.

We have a legitimate interest in fulfilling our promotions.

Surveys

When you participate in a survey we collect information that you provide through the survey.  If the survey is provided by a third party service provider, the third party’s privacy policy applies to the collection, use, and disclosure of your information.

We have a legitimate interest in understanding your opinions, and collecting information relevant to our organization.

Sweepstakes or contests

When you participate in a sweepstakes or contest we collect information about you which includes contact information to notify you if you are selected.

We have a legitimate interest in operating the sweepstakes.  In some contexts we are also required by law to collect information about those that enter into our sweepstakes, and we have a legitimate interest in complying with those laws.

Website interactions

We use technology to monitor how you interact with our website. This may include which links you click on, or information that you type into our online forms.  This may also include information about your device or browser.

We have a legitimate interest in understanding how you interact with our website to better improve it, and to understand your preferences and interests in order to select offerings that you might find most useful.  We also have a legitimate interest in detecting and preventing fraud.

Web logs

We collect information, including your browser type, operating system, Internet Protocol (IP) address (a number that is automatically assigned to a computer when the Internet is used), domain name, click-activity, referring website, and/or a date/time stamp for visitors.

We have a legitimate interest in monitoring our networks and the visitors to our websites.  Among other things, it helps us understand which of our services is the most popular.

Wedding, baby, and/or Gift Registry

We collect your name, contact information, shipping address, and information about an event for which you are registering.

We have a legitimate interest in offering gift registry related services.

Medical Information

We collect information about your medical visit in order to adequately provide services for which you’ve scheduled or engaged digitally.

In order to provide medical care and wellness services to individuals, we collect information about medical history, existing encounter data such as medical conditions in order to properly provide services to individuals

 

In addition to the information that we collect from you directly, we may also receive information about you from other sources, including third parties, business partners, our affiliates, or publicly available sources.  For example, if you submit a job application, or become an employee, we may conduct a background check.

Please note, this Privacy Policy does not address the privacy practices of third-parties, including those incorporated through the services. Please review the privacy policies of any third-parties before you disclose information to them. Through your use of the services, you consent to these practices when directed to the Policy.

 

Use And Processing Of Information.

In addition to the purposes and uses described above, we use information in the following ways:

  • To identify you when you visit our websites or our stores.
  • To provide products and services or to process returns.
  • To improve our services and product offerings.
  • To streamline the checkout process.
  • To conduct analytics.
  • To respond to inquiries related to support, employment opportunities, or other requests.
  • To send marketing and promotional materials including information relating to our products, services, sales, or promotions, or those of our business partners.
  • For internal administrative purposes, as well as to manage our relationships.

Although the sections above describe our primary purpose in collecting your information, in many situations we have more than one purpose.  For example, if you complete an online purchase we may collect your information to perform our contract with you, but we also collect your information as we have a legitimate interest in maintaining your information after your transaction is complete so that we can quickly and easily respond to any questions about your order.  As a result, our collection and processing of your information is based in different contexts upon your consent, our need to perform a contract, our obligations under law, and/or our legitimate interest in conducting our business.

Sharing Of Information.

In addition to the specific situations discussed elsewhere in this policy, we disclose information in the following situations:

  1. Affiliates and Acquisitions. We may share information with our corporate affiliates (g., parent company, sister companies, subsidiaries, joint ventures, or other companies under common control). If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage. 
  2. Other Disclosures with Your Consent. We may ask if you would like us to share your information with other unaffiliated third parties who are not described elsewhere in this policy. As a data controller and data processor, we may also provide your information to third parties that provide us with data processing services. We only make such disclosures to the extent they are necessary and appropriate, in our discretion, to perform certain services on our behalf. These third parties are required to keep the information confidential and are not authorized to process your information for any other purpose other than as instructed by us. They are also required to ensure appropriate safeguards are in place to protect your information. We will not make third-party disclosures of any personal information we process in our role as a data processor for our customers, unless we are instructed or authorized to do so by our customers. We will also update the list of third-party service providers with whom we share your personal information as needed. The following is an inexhaustive list of current third-party vendors that may either directly or indirectly collect information from you in their capacity as a processor:
    • 98 Point 6 SDK Providing on Demand Realtime Virtual Care
    • RxValet for Discount Prescription Services
    • Stripe Payment Processing Services
    • Cloud Based Databases and Software Hosting Services
  3. Other Disclosures without Your Consent. We may disclose information in response to subpoenas, warrants, or court orders, or in connection with any legal process, or to comply with relevant laws. We may also share your information in order to establish or exercise our rights, to defend against a legal claim, to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our policies, or to comply with your request for the shipment of products to or the provision of services by a third-party intermediary.
  4. Public. Some of our websites may provide the opportunity to post comments, or reviews, in a public forum. If you decide to submit information on these pages, that information may be publically available.
  5. Partner Promotion. We may offer contests, sweepstakes, or other promotions with third party partners. If you decide to enter a contest, sweepstakes, or promotion that is sponsored by a third party partner the information that you provide will be shared with us and with them. Their use of your information is not governed by this privacy policy.
  6. Service Providers. We may share your information with service providers. Among other things service providers may help us to administer our website, conduct surveys, provide technical support, process payments, and assist in the fulfillment of orders.

Your Choices.

You can make the following choices regarding your personal information:

  1. Access To Your Personal Information. You may request access to your personal information by contacting us at the address described below. If required by law, upon request, we will grant you reasonable access to the personal information that we have about you. Note that California residents may be entitled to ask us for a notice describing what categories of personal information (if any) we share with third parties or affiliates for direct marketing. 
  2. Changes To Your Personal Information. We rely on you to update and correct your personal information. Most of our websites allow you to modify or delete your account profile.  If our website does not permit you to update or correct certain information, you contact us at the address described below in order to request that your information by modified. Note that we may keep historical information in our backup files as permitted by law. 
  3. Deletion Of Your Personal Information. Typically we retain your personal information for the period necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law.  You may, however, request information about how long we keep a specific type of information, or request that we delete your personal information by contacting us at the address described below.  If required by law we will grant a request to delete information, but you should note that in many situations we must keep your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, or for another one of our business purposes. 
  4. Objection to Certain Processing. You may object to our use or disclosure of your personal information by contacting us at the address described below. 
  5. Online Tracking. We do not currently recognize automated browser signals regarding tracking mechanisms, which may include "Do Not Track" instructions.
  6. Promotional Emails. You may choose to provide us with your email address for the purpose of allowing us to send free newsletters, surveys, offers, and other promotional materials to you, as well as targeted offers from third parties. You can stop receiving promotional emails by following the unsubscribe instructions in e-mails that you receive.  If you decide not to receive promotional emails, we may still send you service related communications.
  7. Promotional Text Messages. If you receive a text message from us that contains promotional information you can opt-out of receiving future text messages by replying “STOP.”
  8. Revocation Of Consent. If you revoke your consent for the processing of personal information then we may no longer be able to provide you services. In some cases, we may limit or deny your request to revoke consent if the law permits or requires us to do so, or if we are unable to adequately verify your identity. You may revoke consent to processing (where such processing is based upon consent) by contacting us at the address described below.

Please address written requests and questions about your rights to privacyoffice@xspresspa.com or call us at [877-SPA-3434].

Note that, as required by law, we will require you to prove your identity.  We may verify your identity by phone call or email. Depending on your request, we will ask for information such as your name, the last item you purchased from us, or the date of your last purchase from us. We may also ask you to provide a signed declaration confirming your identity. Following a request, we will use reasonable efforts to supply, correct or delete personal information about you in our files.

In some circumstances, you may designate an authorized agent to submit requests to exercise certain privacy rights on your behalf.  We will require verification that you provided the authorized agent permission to make a request on your behalf.  You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us.  If you are an authorized agent submitting a request on behalf of an individual you must attach a copy of the following information to the request:

  1. A completed Authorized Agent Designation Form indicating that you have authorization to act on the consumer’s behalf.
  2. If you are a business, proof that you are registered with the Secretary of State to conduct business in California.

If we do not receive both pieces of information, the request will be denied.

 

How We Protect Personal Information

No method of transmission over the Internet, or method of electronic storage, is fully secure. While we use reasonable efforts to protect your personal information from unauthorized access, use, or disclosure, we cannot guarantee the security of your personal information. In the event that we are required by law to inform you of a breach to your personal information we may notify you electronically, in writing, or by telephone, if permitted to do so by law.

Some of our websites permit you to create an account.  When you do you will be prompted to create a password.  You are responsible for maintaining the confidentiality of your password, and you are responsible for any access to or use of your account by someone else that has obtained your password, whether or not such access or use has been authorized by you.  You should notify us of any unauthorized use of your password or account.

Other Important Information

The following additional information relates to our privacy practices:

  • Transmission Of Information To Other Countries. As a multi-national company we transmit information between and among our affiliates. As a result your information may be processed in a foreign country where privacy laws may be less stringent than the laws in your country.  Nonetheless, where possible we take steps to treat personal information using the same privacy principles that apply pursuant to the law of the country in which we first received your information.  By submitting your personal information to us you agree to the transfer, storage and processing of your information in a country other than your country of residence including, but not necessarily limited to, the United States.  If you would like more information concerning our attempts to apply the privacy principles applicable in one jurisdiction to data when it goes to another jurisdiction you can contact us using the contact information below.
  • Third Party Applications/Websites. We have no control over the privacy practices of websites or applications that we do not own.
  • Changes To This Privacy Policy. We may change our privacy policy and practices over time. To the extent that our policy changes in a material way, the policy that was in place at the time that you submitted personal information to us will generally govern that information unless we receive your consent to the new privacy policy. We may periodically change our privacy policy without notification to keep pace with new technologies, industry practices, regulatory requirements, and similar reasons. Our privacy policy includes an “effective” and “last updated” date. The effective date refers to the date that the current version took effect. The last updated date refers to the date that the current version was last substantively modified.
  • Accessibility. If you are visually impaired, you may access this notice through your browser’s audio reader.
  • Children. We do not knowingly sell the personal information of minors under 16 years of age.
  • Information for California Residents. California law indicates that organizations should disclose whether certain categories of information are collected, “sold” or transferred for an organization’s “business purpose”(as those terms are defined under California law). You can find a list of the categories of information that we collect and share here. Please note that because this list is comprehensive it may refer to types of information that we share about people other than yourself. If you would like more information concerning the categories of personal information (if any) we share with third parties or affiliates for those parties to use for direct marketing please submit a written request to us using the information in the "Contact Information" section below. We do not discriminate against California residents who exercise any of their rights described in this Privacy Policy.

Contact Information.  If you have any questions, comments, or complaints concerning our privacy practices please contact us at the appropriate address below.  We will attempt to respond to your requests and to provide you with additional privacy-related information.

privacyoffice@xpresspa.com

254 W 31st Street

New York, New York 10001

877-SPA-3434

If you are not satisfied with our response, and are in the European Union, you may have a right to lodge a complaint with your local supervisory authority.

 

Effective Date: August 27, 2021

Last Update: August 27, 2021

 

 

*******Separate page to be linked from the Information for California Residents Section*********

California Information Sharing Disclosure

California Civil Code Sections 1798.115(c), 1798.130(a)(5)(c), 1798.130(c), and 1798.140 indicate that organizations should disclose whether the following categories of personal information are collected, transferred for “valuable consideration,” or transferred for an organization’s “business purpose” (as those terms are defined under California law).  We do not “sell” your personal information. The table below indicates the categories of personal information we collect and transfer in a variety of contexts.  Please note that because this list is comprehensive, it may refer to types of information that we collect and share about people other than yourself.  For example, while we transfer credit card or debit card numbers for our business purpose in order to process payments for orders placed with us, we do not collect or transfer credit card or debit card numbers of individuals that submit questions through our website’s “contact us” page.

 

Categories of Personal Information We Collect

To Whom We Disclose Personal Information for a Business Purpose

Identifiers – this may include real name, alias, postal address, unique personal identifier, online identifier, email address, account name, social security number, driver’s license number, passport number, state identification card number, signature, physical descriptors or other similar identifiers.

  • Service Providers
  • Affiliates or subsidiaries
  • Product and service fulfillment companies
  • Internet service providers
  • Advertising Networks
  • Social Networks
  • Payment Processors and financial institutions
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers

 

Financial Information – this may include credit card or debit card numbers.

  • Service Providers
  •        Payment Processors and financial institutions
  •        Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law

 

Medical / health insurance information – this may include information regarding an individual’s medical history, mental or physical condition or treatment, insurance policy number, etc.

  • Service Providers
  • Product and service fulfillment companies
  • Affiliates or subsidiaries
  • Internet service providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers

 

Characteristics of protected classifications – this may include age, gender, physical or mental disability, etc.

  • Service Providers
  • Product and service fulfillment companies
  • Affiliates or subsidiaries
  • Internet service providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers

 

Commercial information – this may include information about products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

  • Service Providers
  • Product and service fulfillment companies
  • Affiliates or subsidiaries
  • Advertising Networks
  • Social Networks
  • Payment Processors and financial institutions
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers

 

Biometric information – this includes sleep, health, exercise data.

  • Service Providers
  • Product and service fulfillment companies
  • Affiliates or subsidiaries
  • Internet service providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers

 

Internet or other electronic network activity information – this may include browsing history, search history, and information regarding an individual’s interaction with an internet website, application, or advertisement.

  • Service Providers
  • Product and service fulfillment companies
  • Affiliates or subsidiaries
  • Internet service providers
  • Advertising Networks
  • Social Networks
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers

 

Geolocation data

  • Service Providers
  • Affiliates or subsidiaries
  • Internet service providers
  • Advertising Networks
  • Social Networks
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law
  • Data analytics providers

 

Photographs or other video surveillance mechanisms

  • Service Providers
  • Government entities, law enforcement, lawyers, auditors, consultants and other parties as required by law

 

Occupation

  • Service Providers

 

 

 

My Bag

close

SUBTOTAL

Taxes and shipping calculated at checkout

;