1. Introduction
Carnation Spa LLC ("Carnation Spa," "we," "our," or "us") operates the website at carnationspa.com and the online booking system associated with it. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have regarding your information.
By using our website or booking a service, you agree to the practices described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
- Name — used to identify your appointment.
- Phone number — used to send booking confirmations and appointment reminders via SMS, and to verify your identity during booking.
- Appointment notes — optional details you share (e.g., areas to focus on, allergies), stored only to help us provide you with better service.
- Usage data — standard web server logs including IP address, browser type, and pages visited, retained for up to 30 days for security purposes.
- Cloudflare Turnstile — we use Cloudflare's CAPTCHA-alternative service to prevent automated abuse. Cloudflare may collect technical signals from your browser. See Cloudflare's Privacy Policy for details.
3. How We Use Your Information
- To create and manage your appointment bookings.
- To send you an SMS confirmation immediately after booking.
- To send appointment reminders via SMS (typically 24 hours before your appointment).
- To allow you to view or cancel your appointment via a secure link sent by SMS.
- To prevent fraud and abuse of our booking system.
We do not use your information for marketing, advertising, or any purpose beyond what is listed above.
4. SMS / Text Messages
By providing your phone number during booking, you consent to receive transactional SMS messages from Carnation Spa, including:
- Booking confirmation (sent once at time of booking).
- Appointment reminder (sent approximately 24 hours before your appointment).
- A secure management link to view or cancel your appointment.
Message and data rates may apply depending on your carrier. These are transactional messages — we do not send promotional or marketing texts. To opt out of reminders, reply STOP to any message or contact us directly.
5. Data Retention
Appointment records (including your name, phone number, and service details) are retained for up to 2 years to support business records and compliance. You may request deletion of your data at any time by contacting us (see Section 8).
Server access logs are retained for up to 30 days. Verification codes expire within 10 minutes of issuance.
6. Data Sharing
We do not sell, rent, or share your personal information with third parties for their own marketing purposes. We may share data only in the following limited circumstances:
- SMS delivery provider — your phone number is shared with our SMS gateway to deliver booking confirmations and reminders.
- Legal requirements — if required by applicable law, court order, or governmental authority.
- Business transfers — in connection with a merger, acquisition, or sale of assets, with notice provided to you.
7. Cookies & Tracking
Our website uses a session cookie solely to keep you logged in if you access the staff management area. We do not use advertising cookies, tracking pixels, or analytics cookies. Third-party services (Cloudflare, Google Maps embed) may set their own cookies subject to their own policies.
8. Your Rights
Depending on where you are located, you may have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your personal information.
- Opt out of SMS communications by replying STOP.
To exercise any of these rights, contact us using the information below. We will respond within 30 days.
9. Data Security
We implement reasonable technical and organizational measures to protect your personal information, including encrypted connections (HTTPS), hashed passwords, and access controls limiting who can view booking data. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
10. Children's Privacy
Our services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Continued use of our services after any changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions or requests regarding this Privacy Policy, please contact us:
Burlington, MA 01803
(978) 330-0895