/

Privacy Policy

28 Dec
2018

Privacy Policy

1. Introduction and Data Controller
This privacy policy describes how we collect, use, disclose, and store your personal data. Your privacy is important to us, and we want you to feel confident in how we handle your information.

Data Controller:
Lapland Resorts AB

Organization number:
556787-5611

Address:
Björklidenvägen 70,
981 93 Björkliden, Sweden

Contact person for privacy matters:
Annika Ahlgren

Email:
Marknad@laplandresorts.se

Data Protection Officer (DPO):
Lapland Resorts AB currently does not have a designated Data Protection Officer. If you have any questions regarding our processing of personal data or wish to exercise your rights, please contact us at the email address above.

Personal Data We Process and Purpose
We process your personal data to provide our services (e.g. accommodation, ski passes, activities), fulfill our contractual obligations, and market our business.

Category of Personal Data Purpose of Processing Legal Basis (GDPR Art. 6) Retention Period
Booking and Identification Data (Name, email, address, phone number, nationality, children’s ages, arrival/departure) To manage and complete your booking (including confirmations, check-in, stay, and check-out). Contract  Stored for 12 months after your stay is completed.
Payment Information (Card number, payment history, invoices) To process and follow up on payments, and to fulfill legal accounting obligations. Contract and Legal Obligation (Bookkeeping Act) Stored for 7 years in accordance with accounting regulations.
Guest Preferences (Allergies, disabilities, room type requests) To personalize your stay and provide the best possible service. Consent (for sensitive data such as allergies) and/or Contract  Deleted after your stay or within 30 days after check-out.
Marketing and Communication Data (Email address, purchase history, website browsing behavior) To send newsletters, offers, and promote our services. Consent (for direct marketing) and/or Legitimate Interest (for existing customers) Stored until you withdraw consent or for up to 3 years after your last interaction.
Technical Data / Logs (IP address, cookies, device information) To improve the website, diagnose errors, and ensure technical functionality. Legitimate Interest Stored for 90 days (logs) or up to 13 months (cookies).
CCTV Surveillance (at the premises) To protect guests, staff, and property (crime prevention). Legitimate Interest Stored for 7–30 days unless needed for an ongoing investigation.

Consent:
Consent is given actively, for example by ticking a box on our website or verbally when making a booking. You may withdraw your consent at any time via a link in our communications or by contacting us directly.

3. Sharing of Personal Data (Recipients)
We only share your personal data with trusted third parties who need access to it to perform their services or when required by law. Examples of recipients include:

  • Booking system (PMS): Picasso Digital – for managing your stay.

  • Payment service providers: Nets Easy, Nets – for processing your payment.

  • Marketing tools: Google Ads, Meta Ads, Mailchimp (for newsletters).

  • IT and operational service providers: Companies providing servers, cloud services, and technical support.

Data Processors:
We have signed Data Processing Agreements (DPAs) with all suppliers that process personal data on our behalf, ensuring that they handle data in accordance with the GDPR and our instructions.

Transfers outside the EU/EEA:
If we transfer your personal data to partners outside the EU/EEA (e.g. when using U.S.-based cloud services), we ensure that the transfer is lawful by:

  • Using the EU Commission’s Standard Contractual Clauses (SCCs) together with appropriate supplementary measures.

  • Relying on adequacy decisions where applicable.

4. Your Rights As a data subject, you have several rights regarding your personal data:

  • Right of Access: You have the right to request a copy of the personal data we hold about you.

  • Right to Rectification: You have the right to request correction of inaccurate or incomplete information.

  • Right to Erasure (“Right to be Forgotten”): You may request the deletion of your data under certain circumstances (e.g. if it is no longer needed for the purpose it was collected).

  • Right to Restriction: You have the right to request restriction of how we process your data.

  • Right to Object: You have the right to object to processing based on our legitimate interest, including objection to direct marketing.

  • Right to Data Portability: You have the right to receive the data you have provided to us in a machine-readable format.

  • Right to Withdraw Consent: If our processing is based on your consent, you may withdraw it at any time.

Security Measures:
We take appropriate technical and organizational security measures to protect your personal data from unauthorized access, loss, misuse, or alteration. These measures include access restrictions, encryption, firewalls, and secure backups. To exercise your rights, please contact us via the email address provided in Section 1.

5. Complaints to the Supervisory Authority
If you believe that we process your personal data in violation of the GDPR, you have the right to file a complaint with the Swedish supervisory authority:
Swedish Authority for Privacy Protection (IMY)

6. Technical Data/ Logs
We use cookies and similar technologies on our website to ensure it functions properly, improve user experience, analyze traffic, and, in some cases, provide relevant marketing. Some cookies may involve the processing of personal data (e.g., IP addresses or unique identifiers). For more information about the cookies we use, their purpose, and retention period, please see our Cookie Policy.

7. Changes to This Policy
We reserve the right to update this Privacy Policy as needed. The latest version will always be available on our websites.

This policy was last updated on: 2025-10-01

If we make significant changes to the policy, we will notify you via email or by posting a notice on our website.