We look after your personal information the same way we look after the sauna, with care, without fuss, and only as much heat as is needed. This policy explains what we collect, why we collect it, who we share it with, and how to ask us about it.
1. Who we are
In this policy, we, us, and Blue Mountains Sauna means Blue Mountains Sauna Pty Ltd (ABN 22 659 365 018), trading from 7 Quinns Avenue, Leura NSW 2780. We're bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. What we collect
The kinds of personal information we collect depend on how you interact with us:
- Contact information: name, email, phone number, postcode, and emergency contact details.
- Booking and account information: session bookings, pass/membership type, attendance history, gift voucher details, and preferences (e.g. session type).
- Payment information: handled by our booking provider (Punchpass) and its payment processor. We don't store full card numbers on our systems; we may see a masked summary (e.g. last four digits, card brand, expiry).
- Health and safety information: see section 5. Limited to what's necessary to keep you safe in heat and cold environments.
- Communications: emails, SMS, social-media DMs, and feedback you send us, plus our replies.
- Imagery: CCTV footage of exterior and common areas (never inside saunas or changerooms, see section 9). Occasionally, marketing photography taken at events with on-site notice and the right to opt out.
- Website usage data: IP address, device/browser, pages viewed, referring URL, and similar log data collected through cookies and analytics tools (see section 8).
3. How we collect it
We collect personal information:
- Directly from you: when you book a session, sign a waiver, sign up to the mailing list, fill out a form on this site, buy a gift voucher, attend an event, or contact us.
- Automatically: through our website (cookies, analytics, hosting logs).
- From third parties: for example, when a friend buys you a gift voucher, when our booking provider passes a booking through to us, or when you tag us on social media.
Where it's reasonable and practicable, we collect personal information directly from you. If we receive personal information about you that we didn't ask for, we'll decide whether we could have lawfully collected it ourselves. If not, we'll destroy or de-identify it.
4. Why we collect it
We collect, hold, use, and disclose personal information for purposes related to running the sauna, including:
- Taking and confirming bookings, processing payments and refunds, and managing passes/memberships.
- Operating the venue safely, including health-screening for sauna and cold-plunge use, attendance records during sessions, and incident reporting.
- Responding to enquiries, feedback, and complaints.
- Sending you transactional communications (booking confirmations, schedule changes, refunds).
- Marketing, only where you've consented, and only with an easy unsubscribe (see section 10).
- Improving the website, the sessions we run, and the way the venue operates.
- Meeting our legal obligations, for example, work health and safety, tax, and responding to lawful requests.
5. Health information & waivers
Sauna and cold-water immersion aren't suitable for everyone. Before your first session, and at our request afterwards, we may ask you to complete a waiver that includes limited health information, for example, whether you're pregnant, have a heart condition, have had recent surgery, or take medication that affects how your body handles heat or cold.
Health information is treated as sensitive information under the Privacy Act. We will:
- Only collect it with your consent, and only what's reasonably necessary to keep you safe at our venue.
- Use it for the primary purpose of safety screening and incident response. We won't use health information for marketing.
- Share it only with staff who need to see it to do their job safely (for example, the duty manager or a first-aid responder), and with emergency services if required to respond to an incident.
- Store it securely (see section 11) and de-identify or destroy it when it's no longer needed.
You can decline to provide health information, but in some cases that may mean we can't safely admit you to a particular session.
6. Who we share it with
We don't sell your personal information. We disclose it only to the extent needed to do the things in section 4, including to the following categories of recipients:
- Service providers we use to run the business, including:
- Punchpass: bookings, passes, gift vouchers, and payment processing.
- Airtable and Notion: internal records, contact lists, and operations.
- Zapier: the webhook plumbing that moves form submissions into our systems.
- Cloudflare: the host/CDN that delivers this website.
- Email and SMS providers: to send booking confirmations and (where consented) marketing.
- Google Analytics and (where enabled) Meta Pixel: see section 8.
- Professional advisors: accountants, lawyers, insurers, and auditors, where reasonably necessary.
- Emergency services: if there's a safety incident at the venue.
- Law enforcement or regulators: where required by law (for example, a subpoena, court order, or lawful request).
- A successor entity: if we restructure, sell, or transfer part of the business, your information may be transferred to the buyer, on terms that continue this policy's protections.
We require our service providers to handle your information in line with this policy and applicable privacy law.
7. Overseas storage and transfers
Some of our service providers store or process data outside Australia, including in the United States (Punchpass, Airtable, Notion, Zapier, Google Analytics, Meta, Cloudflare) and other jurisdictions their infrastructure runs in. We take reasonable steps to ensure those providers handle your personal information in a way consistent with the APPs, including by reviewing their published privacy and security commitments.
8. Cookies, analytics & pixels
We keep tracking light and ask before setting anything non-essential. We use:
- Cloudflare Web Analytics: privacy-first, cookieless visitor statistics (page views, referrers, country, device type). It sets no cookies and doesn't track you across sites.
- Google Analytics 4: measures how visitors move through the site so we can improve it. GA4 doesn't store full IP addresses. You can opt out site-wide with Google's opt-out browser add-on, or by blocking cookies in your browser.
- Microsoft Clarity: anonymous heatmaps and session replays (aggregate mouse movement, clicks and scrolling) so we can see which parts of a page help or confuse people. Clarity masks text you type and other sensitive content by default; it isn't used to identify you.
- Essential storage: small preferences saved in your browser (not used for tracking).
- Hosting logs: Cloudflare records standard request metadata (IP, user-agent, timestamp) for security and abuse prevention.
Australian privacy law doesn't require a cookie pop-up, so we don't use one; instead we disclose our use here. You can block or delete cookies in your browser at any time. Some parts of the site may not work as well if you do.
9. CCTV at our premises
We operate CCTV cameras at exterior and common areas of the venue (entrances, reception, corridors, outdoor areas) for the safety of guests and staff and to deter and investigate property damage and theft. We do not have cameras inside sauna rooms, plunge areas, changerooms, or toilets.
CCTV footage is stored securely, accessed only by authorised staff, and retained only as long as needed for its purpose, typically up to 30 days, longer if it relates to a reported incident or a lawful request. CCTV use complies with the Surveillance Devices Act 2007 (NSW).
10. Direct marketing & the mailing list
We send occasional marketing (new sessions, Aufguss line-ups, gift voucher news, the odd story) to people who've opted in via the mailing-list signup or signed up at the front desk. We comply with the Spam Act 2003: every marketing email and SMS includes a clear way to unsubscribe, and we honour unsubscribe requests promptly.
To unsubscribe, use the link in any email we send you, reply STOP to any SMS, or email goodheat@bmsauna.com.au with "unsubscribe" in the subject.
11. How we store and protect it
Personal information is held in our service providers' systems (Punchpass, Airtable, Notion) and on our own devices. We take reasonable steps to protect it from misuse, interference, loss, and unauthorised access, modification, or disclosure, including access controls, password protection, secure transport (HTTPS), and staff training. No system is perfectly secure; we'll let you know if we become aware of a notifiable data breach affecting your information, as required by Part IIIC of the Privacy Act.
12. How long we keep it
We keep personal information only as long as we need it for the purpose it was collected, or as required by law. Typical retention:
- Bookings & transactions: at least 7 years (tax/business records).
- Waiver / health-screening records: for the duration of your relationship with us plus a reasonable period for incident response, then destroyed or de-identified.
- Mailing-list contacts: until you unsubscribe, then removed.
- CCTV: typically up to 30 days unless related to an incident.
- Analytics / log data: per the relevant provider's standard retention.
13. Your rights: access, correction, complaints
Under the Privacy Act, you have the right to:
- Access the personal information we hold about you.
- Ask us to correct information that's inaccurate, out of date, incomplete, irrelevant, or misleading.
- Make a complaint if you think we've mishandled your information.
To make a request, email goodheat@bmsauna.com.au with "Privacy request" in the subject line. We'll respond within a reasonable time, usually within 30 days. We may need to verify your identity first. Access is generally free; if a request is complex or would take significant time, we'll let you know about any reasonable cost before proceeding.
If you're not satisfied with how we've handled your complaint, you can escalate to the Office of the Australian Information Commissioner (OAIC) on 1300 363 992.
14. Children
Some of our sessions are restricted to adults (18+). Where children attend with a parent or guardian, we collect only the minimum information necessary for safety, and only with the parent/guardian's consent. We don't knowingly direct marketing to people under 16. If you believe we hold information about a minor that we shouldn't, please contact us.
15. Changes to this policy
We may update this policy from time to time. The most current version is always at bmsauna.com.au/privacy, with the "last updated" date at the top of this page. Material changes will be notified through the website and, where appropriate, to people on our mailing list.
16. Contact us
For anything to do with this policy, your personal information, or a privacy complaint:
Blue Mountains Sauna Pty Ltd
ABN 22 659 365 018
7 Quinns Avenue, Leura NSW 2780
Email: goodheat@bmsauna.com.au
Phone: +61 438 287 252