1. Who we are
This Privacy Policy describes how megaSun Lounge ("megaSun Lounge", "we", "us") processes personal data collected through this website, our mobile app, and our lounges across Dubai and Abu Dhabi.
Data controller:
megaSun Lounge
Shop 21, Jumeirah Beach Park Plaza, Jumeirah 2, Dubai, UAE
For any privacy question or data subject request, contact: info@megasunlounge.com.
2. Scope and legal basis
This policy is issued under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and its Executive Regulations. We process personal data on the following lawful bases: (a) your explicit consent; (b) performance of a contract you enter into with us; (c) compliance with a legal obligation; and (d) our legitimate interests, balanced against your rights.
3. Personal data we collect
Identity & contact: name, email, mobile, Emirates ID (in-studio only, for age verification under Article 7 below).
Booking & purchase: plan selected, lounge, session history, payment confirmation (we do not store card numbers — see Section 5).
Health & skin data (special category): Fitzpatrick skin type, contraindications you voluntarily disclose, signed consent form. Collected only with separate explicit consent, used only to operate the service safely, never sold or used for marketing.
Technical: IP address, device, browser, pages viewed, referring URL, cookie identifiers.
Marketing: preferences and consent state for newsletters and SMS.
4. Why we use your data
(a) To deliver the service you booked — accounts, sessions, packages, memberships.
(b) To meet our health and safety duty (skin consult, contraindication screening, session spacing).
(c) To process payments and issue VAT-compliant invoices.
(d) To send service messages (booking confirmations, session reminders).
(e) Only with separate consent: marketing emails, SMS, app push.
(f) To secure our systems, prevent fraud, and comply with UAE law.
(g) To improve the website and app using aggregate, non-identifying analytics.
6. International transfers
Some of our processors store data outside the UAE. Where this happens, we ensure an adequate level of protection through contractual safeguards consistent with Article 22 PDPL.
7. How long we keep data
Account and booking records: for the life of your account plus 5 years (UAE commercial-records retention).
Tax invoices: 5 years (UAE VAT Law).
Health/consent forms: for the duration of your client relationship plus 5 years.
Marketing data: until you withdraw consent.
Web analytics: 14 months in aggregated form.
8. Your rights under the PDPL
You have the right to: access the personal data we hold about you; correct inaccurate data; request deletion (subject to our legal retention duties); restrict or object to certain processing; withdraw consent at any time; receive your data in a portable format; and lodge a complaint with the UAE Data Office.
To exercise any of these rights, email info@megasunlounge.com. We respond within 30 days.
9. Security
We use TLS 1.2+ in transit, encryption at rest, role-based access, audit logging, and PCI-DSS-compliant payment partners. No system is perfectly secure; we will notify affected users and the UAE Data Office of any personal-data breach in line with Article 9 PDPL.
11. Children
Our services are restricted to persons aged 18 or older. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact info@megasunlounge.com and we will delete it.
12. Changes to this policy
We may update this policy. The "Effective date" at the top reflects the current version. Material changes are notified by email or banner.
