← Back

Last updated: May 7, 2026

Privacy Policy

This Privacy Policy explains how Les Bains New Yorkais (“LBNY”, “we”, “us”) collects, uses, and protects personal data when you interact with our website at lesbainsny.com.

1. Data Controller

The data controller responsible for the processing of your personal data is:

[LEGAL_NAME] [STREET_ADDRESS] [POSTAL_CODE] [CITY], [COUNTRY] Email: [PRIVACY_EMAIL]

2. What Data We Collect

When you submit our inquiry form, we collect:

  • Name — to address you personally in our reply
  • Email address — to respond to your inquiry
  • Company — optional context about your background
  • Message — the content of your inquiry
  • Technical data — your IP address (stored as a salted hash, not in raw form) and your browser's User-Agent string, used only for spam protection and rate limiting

We do not use cookies for tracking, do not run analytics tools, and do not embed third-party trackers.

3. Legal Basis for Processing

We process your data on the following legal bases under Article 6 of the GDPR:

  • Your consent (Art. 6(1)(a)) — given when you submit the inquiry form with the consent checkbox ticked
  • Our legitimate interest (Art. 6(1)(f)) — to respond to your inquiry, prevent abuse of our forms, and operate our website securely

4. How Long We Keep Your Data

We retain inquiry submissions for up to 24 months from the date of submission, after which they are deleted. You may request earlier deletion at any time (see Section 7).

5. Who We Share Data With

We share data with the following processors, each acting on our instructions under a Data Processing Agreement:

  • Resend, Inc. (United States) — sends email notifications about inquiries to our admin inbox. Resend processes the name, email, company, and message you submit, plus the inquiry timestamp.
  • [HOSTING_PROVIDER] (e.g., Hetzner, Germany) — hosts our application and database.

Because Resend is based in the United States, your data may be transferred outside the European Economic Area. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission.

We do not sell your data and do not share it with third parties for marketing purposes.

6. How We Protect Your Data

Your data is transmitted to our servers over HTTPS. Your IP address is hashed with a server-side secret before being stored, so the raw IP cannot be recovered from the database. Access to the database is restricted to authorized personnel.

7. Your Rights

Under the GDPR, you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Restriction — request that we limit processing of your data
  • Portability — request your data in a machine-readable format
  • Object — object to processing based on our legitimate interest
  • Withdraw consent — withdraw consent you previously gave, without affecting prior lawful processing

To exercise any of these rights, email [PRIVACY_EMAIL]. We will respond within 30 days.

You also have the right to lodge a complaint with a data protection authority. In Germany, this is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

8. Changes to This Policy

We may update this Privacy Policy occasionally. The “Last updated” date at the top reflects the latest revision. Material changes will be communicated to anyone whose data we currently hold.

9. Contact

Questions about this policy or our data practices? Email [PRIVACY_EMAIL].