Privacy Policy for Laugarás Lagoon

Laugarás Lagoon (“we”, “us” or “our”) respects your privacy and is committed to protecting your personal data. This privacy policy has been developed to explain how we collect, use, safeguard and disclose your information. It applies to customers, potential customers, those who visit our websites and others that interacts with us through our website, by phone or email, through our third-party partners (“you” or “your”). Laugarás Lagoon is the data controller when doing so.

We encourage you to read this privacy policy carefully to understand how we handle information

Who We Are

Laugarás Lagoon ehf. Id. No. 531022-0760 is a company registered in Iceland that operates a geothermal spa and restaurant located in Laugarás, Iceland.

Definitions

Data Protection Law(s)**** means at least the following, the EU Data Protection Laws meaning the General Data Protection Regulation 2016/679/EU (“GDPR”) and laws and regulations supplementing the GDPR; and the Icelandic Data Protection Act no. 90/2018.

 

Consent: freely given, specific, informed, and unequivocal expression by a positive action by which the holder agrees to the processing of the latter’s personal data for a specific purpose.

 

Data Controller: natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

 

Personal Data: any information relating to an identified or identifiable natural person.

 

Processing: any operation which is performed on personal data such as collection, recording, organization, structuring, storage, disclosure, adaptation or alteration, retrieval, consultations, use, erasure or destruction.

Types of personal data we collect

The collection and processing of personal data allows us to provide you with our services. The personal data we may collect includes:

Identity and contact information: name, social security number, phone number, email address, country of residence, gender, age.

Booking details: date and time of visit, number of guests, special requests. Occasionally, this may include health-related information, but only if you voluntarily choose to submit such information.

Payment information: payment card number, expiration date and cvc code.

Communication records: emails, messages, customer service inquiries, customer feedback and complaints.

Where do we get the information from

The information is usually gathered directly from you when you interact with us. When you make a booking through our website, by phone, email or our partners. When you submit a request, complaint or interact with us on social media or subscribe to our newsletter. We might also gather data when you visit our facilities.

How we use the information we collect

We process your personal data to be able to provide you with our services. We use your personal data to process your booking and reservations, send you updates on your booking and to carry out accounting and billing. We might also use your data to improve our services, personalize your stay and get your feedback.

The legal basis for processing personal data

We rely on different legal basis to process your personal data. We process your personal data that is necessary to fulfil our contract with you or to fulfill legal requirements, such as the Icelandic Accounting Act. We process your data if you give your consent and under some circumstances, we process your data if it is necessary for our, yours or a third-party legitimate interest unless your interests outweigh our or a third-party interest. This may include processing to provide personalized experience and development and testing of new services. Under special circumstances, if there is a medical emergency, we may process your personal data to protect your vital interests.

Our facilities are equipped with surveillance cameras at key locations to ensure the security of assets and the safety of our guests while they enjoy our services. This monitoring is conducted based on our legitimate interests. Recordings are retained for a maximum of 30 days, unless they relate to potential legal matters, such as incidents.

With whom we share your information

We do not sell your information, we may, however, share your information with:

Service providers: we may share your information with entities that perform certain services on our behalf, such as processing credit card payments, marketing assistance, and supporting website functionality. We will only provide these service providers with information that they need to provide such services, and they are not permitted to share or use your information for other purposes.

Legal obligations: we may disclose your information to third parties to comply with laws applicable to our operations, to respond to requests from government agencies, to establish or exercise our legal rights, to defend against legal claims and to take action to protect our property

Data transfer outside the EEA: we do not share your personal data outside the EEA. We may, under special circumstances, need to transfer personal information outside the EEA if it is necessary based on special circumstances according to Article 49 of the GDPR

Data security

We take appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. This includes secure servers, encrypted payment systems, and access controls.

Your rights

Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal data including information about whether we process your personal data and, if so, access to the data. You can request that your personal data be transferred, corrected or deleted. Where the processing of your personal data is based on our legitimate interests you can at any time object to the processing of personal data and in certain cases request that temporary limitations apply to the processing of your personal data.

You have the right to contact the Data Protection Authority if you are in any way dissatisfied with the processing of your personal data.

You can exercise your rights through any reasonable means, including by sending us a written request at info@laugaraslagoon.is. We will review and process requests as soon as possible.

Withdrawal of consent

If you have given your consent for your personal data to be processed by us, you can withdraw your consent by sending us a written request at info@laugaraslagoon.is. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Third-party booking

Our website or booking system may link to third-party based websites not owned or operated by us. This privacy policy does not govern any third-party websites.

Our website

We process information regarding your interactions with our websites, such as statistical analysis, enhancing user experience, and tailoring content to better suit your needs.

Cookies serve different functions, such as:

Necessary cookies, ensure the website functions properly, support navigation and secure areas.

Analytics cookies, help us understand how visitors interact with the site, allowing us to enhance usability. These remain active unless you opt out.

Marketing cookies, track user activity to deliver targeted advertisements. These remain active unless you opt out.

When visiting our website, we may collect data such as your location, device type, and browsing patterns. This includes tracking how you navigate through the site to identify potential improvements.

Children

We do not intentionally collect personal data from children under the age of 13 without the verifiable consent of the child´s parent or guardian. Should it occur a parent or a guardian should contact us, and we will remove the data immediately.

Changes to this privacy policy..

We may update this privacy policy occasionally. The most current version will always be available on our website.