Privacy Policy

thermesingapore.com is operated by Therme Singapore, part of the Therme Group, a 35-year European wellbeing operator. Therme Singapore acts as an organisation for the purposes of the PDPA, and is the data controller for personal data collected through this site.

For questions relating to this privacy policy, contact us at privacy@thermesingapore.com. Pursuant to the PDPA, we have appointed a Data Protection Officer; our DPO can be reached at the same address.

This policy applies to the website only. Other Therme Group sites — including thermegroup.com, thermemanchester.co.uk, and thermecanada.com — operate under their own privacy policies. When the venue opens in 2030, separate venue-specific terms and notices will be published.

Because the site is pre-opening, we collect very little personal data. Specifically:

• Inner Circle sign-ups: your email address and your chosen topic preferences. To evidence your consent we also record the IP address, browser user-agent, the consent wording shown to you, and the timestamp at sign-up, plus the date you confirm. We do not ask for your name.
• Press, careers, and general enquiries: anything you choose to send us — typically your name, email address, message, and any attachments.
• Server logs: your IP address, user agent, referring URL, paths visited, timestamps, and HTTP response codes. These are collected by our hosting provider for stability and abuse detection.
• Analytics: we use Google Analytics 4 with Google Consent Mode v2. Before you make a cookie choice — and if you reject — GA4 runs in a restricted, privacy-preserving mode: it sets no cookies and sends Google only aggregated, cookieless measurement signals (no analytics identifier, and IP addresses are not stored). If you accept analytics cookies, GA4 additionally sets first-party cookies that include a randomly-generated client ID and measures the pages you visit, your approximate region, and your browser and device type. No advertising profile is built and no advertising cookies are ever set. See our Cookie Policy for the cookie inventory.
• Cookie consent record: a first-party cookie storing your cookie choices (which categories you accepted, the policy version you saw, and a random anonymous ID), plus a server-side audit log keeping the same record alongside a peppered, irreversible hash of your IP address. We need this record under GDPR Article 7(1) to prove you gave consent.

We do not collect payment data, health data, government IDs, biometric data, precise location data, or any data from advertising cookies — we run no ads on this site and have no advertising integrations.

We do not knowingly collect personal data from children under 13. If you believe a child below the age of 13 has provided us with personal data, please contact us and we will delete it.

We use your personal data only for the purposes you were notified of when we collected it. The lawful basis varies by purpose:

• Sending Inner Circle updates — based on your consent (PDPA Consent Obligation; GDPR Article 6(1)(a)). You may withdraw consent at any time.
• Replying to enquiries you send us — based on our legitimate interest in responding to people who contact us (GDPR Article 6(1)(f)) and, in Singapore, deemed consent under the PDPA where you've voluntarily provided the data for that purpose.
• Keeping the site running, secure, and abuse-free — based on our legitimate interest in operating a secure service.
• Understanding how the site is used, so we can improve it — for cookie-based analytics, which runs only after you accept, the basis is your consent (PDPA Consent Obligation; GDPR Article 6(1)(a)). For the aggregated, cookieless measurement that runs before any choice, the basis is our legitimate interest in measuring and improving the site in a privacy-preserving way (PDPA legitimate-interests; GDPR Article 6(1)(f)). You can decline the cookie-based layer at any time from the cookie banner.
• Complying with legal obligations — for example, responding to a lawful regulatory request from the PDPC, the ICO, or a court.

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects. We do not sell your personal data, and we do not share it with third parties for their own marketing.

The Inner Circle is our pre-opening update list. Sign-up is double opt-in: you submit your email, we send a confirmation link, and the subscription only activates when you click it. As proof of consent we log the date, time, and IP address when you sign up, and the date you confirm.

We send Inner Circle emails through Brevo, acting as our processor under a written data-processing agreement. Every email contains a one-click unsubscribe link. You can also email privacy@thermesingapore.com to be removed.

Under the Singapore Spam Control Act 2007, our marketing emails carry valid sender identification, an accurate reply-to address, and an unsubscribe facility valid for at least 30 days. We honour unsubscribes within 10 working days.

The Singapore Do Not Call Registry covers phone numbers (voice, SMS, fax) and does not apply to email. We don't currently send marketing SMS or make marketing calls; if that changes, we will check the DNC Registry before contacting Singapore numbers and update this policy.

If you opt out, we keep a minimal suppression record (your email plus the fact you unsubscribed) so we don't accidentally re-add you. We don't use it for any other purpose.

We share data only with service providers (processors) who help us run the site. Each is bound by a written agreement requiring them to protect your data and only use it on our instructions. Our current processors are:

• Vercel Inc. (United States) — website hosting, build pipeline, and CDN.
• Neon (via Vercel Postgres) (Neon Inc., United States) — Postgres database hosting for the CMS, the Inner Circle list, the consent audit log, and the press-access log.
• Cloudflare R2 (Cloudflare, Inc., United States) — image, video, and document storage. R2 stores objects in Cloudflare's global network with automatic replication; data may be served from any Cloudflare edge location worldwide and a single canonical jurisdiction is not guaranteed.
• Brevo (Sendinblue SAS, France) — Inner Circle email delivery and double opt-in confirmation. Subscriber data is stored on Brevo infrastructure inside the European Economic Area.
• Vimeo, LLC (United States) — hosts and streams the videos embedded on the homepage and the press room. When you watch one of these videos, your browser connects to Vimeo and Vimeo can set its own cookies (subject to your cookie choices here). We do not pass any account data to Vimeo — only your IP address and the video request are visible to them, the same as any video embed.
• Google LLC (United States) — Google Analytics 4, acting as our processor. We use Consent Mode v2: before you consent, Google receives only aggregated, cookieless measurement signals with consent flagged as denied (no cookies are set and no analytics identifier is stored); if you accept analytics cookies, Google additionally receives cookie-based analytics. GA4 does not store full IP addresses. We never share data with Google for advertising and set no Google advertising cookies.

We may also disclose personal data:

• to professional advisers (lawyers, auditors) under a duty of confidentiality;
• to a buyer or successor in the event of a corporate restructuring or sale of all or part of our business;
• where required by law, court order, or a lawful regulatory request — for example from the Personal Data Protection Commission (PDPC) of Singapore, the UK Information Commissioner’s Office (ICO), or a Singapore court.

We do not share your data with advertisers, data brokers, or any third party for their own marketing.

Because our processors are based in the United States, the European Economic Area, and elsewhere, your personal data is transferred outside Singapore. We protect those transfers as follows.

Under the Singapore PDPA Transfer Limitation Obligation (section 26), we ensure recipients provide a standard of protection comparable to the PDPA. We do this through contractual obligations in our service agreements, including the ASEAN Model Contractual Clauses where appropriate.

For transfers from the EEA or the UK to non-adequacy countries, we rely on the EU Standard Contractual Clauses and, for UK-origin data, the UK International Data Transfer Addendum. We carry out transfer impact assessments where required by GDPR Articles 44–49.

You can ask us for a copy of the safeguards we have in place — see "Your rights" below.

Under the PDPA Retention Limitation Obligation (section 25) we cease retention once the data is no longer necessary for the purpose for which it was collected, unless retention is required by law. Our indicative retention periods are:

• Inner Circle subscribers: kept while your subscription is active. A minimal suppression record (email + unsubscribe flag) is kept only for as long as reasonably necessary to ensure we do not re-add you to the Inner Circle.
• Enquiry emails: typically kept for 24 months after the matter is resolved.
• Server logs: typically kept for 30 to 90 days for security and abuse-detection.
• Backups: rolled and overwritten on a 30-day cycle.

After these periods, data is deleted or irreversibly anonymised.

You have the following rights over the personal data we hold about you. Some apply to all visitors; others depend on the law that protects you.

Under the Singapore PDPA, you have the right to:

• access your personal data and a record of how it has been used or disclosed in the past year;
• request correction of any data that is inaccurate or incomplete;
• withdraw your consent on reasonable notice.

Under the GDPR and UK GDPR, you additionally have the right to:

• erasure ("right to be forgotten") in defined circumstances;
• restriction of processing;
• object to processing, including any direct marketing;
• not be subject to solely automated decision-making with legal or similarly significant effects.

To exercise any of these rights, email privacy@thermesingapore.com with enough information for us to verify your identity. We respond within 30 days under the PDPA, or one month under the GDPR — extendable in complex cases with notice to you. We may charge a reasonable fee for processing an access request under the PDPA.

We use industry-standard security measures: encryption in transit (HTTPS/TLS), role-based access controls on the CMS, multi-factor authentication for administrators, least-privilege database access, and security headers (CSP, HSTS, X-Frame-Options) on the public site. We choose processors with recognised security postures.

Under the PDPA Protection Obligation (section 24) and the Mandatory Data Breach Notification regime in force since 1 February 2021, if we suffer a data breach that is likely to result in significant harm to any individual or that affects 500 or more individuals, we will notify the PDPC within 3 calendar days of assessing that the breach has that effect, and notify affected individuals who are likely to suffer significant harm as soon as practicable. We will make equivalent notifications to the ICO and other relevant supervisory authorities under the GDPR and UK GDPR.

No system is 100% secure. We will tell you if a notifiable breach affects your personal data.

If you have a concern about how we handle your personal data, please email privacy@thermesingapore.com first. We will investigate and respond within 30 days.

If you are not satisfied, you can lodge a complaint with the regulator that protects you:

• Singapore: the Personal Data Protection Commission (PDPC).
• United Kingdom: the Information Commissioner's Office (ICO).
• European Economic Area: your local data protection authority.

Complaining to a regulator does not affect your right to pursue civil remedies.

We may update this policy from time to time. The "last updated" date at the top of the page reflects the most recent change.

For material changes, we will post a prominent notice on the site. Where the change affects how we use data you have already given us, we will email Inner Circle subscribers before it takes effect. Your continued use of the site after the effective date means you accept the updated policy. We will not rely on continued use for changes that require fresh consent under the PDPA or GDPR — for those we will ask you again.