This is the Privacy Policy of Blue Lagoon Ltd., Id. no. 490792-2369, a company registered in Iceland with its office address at Norðurljósavegur 9, 240 Grindavík, Iceland (also referred to as „we“ in this Privacy Policy). Blue Lagoon Ltd. operates geothermal spas, hotels, restaurants and shops in Iceland, including an icelandic online shop, for skincare products, spa products as other home products.

This Privacy Policy applies to personal information and data which we collect and process regarding guests, customers, potential customers and those who visit our websites. When doing so, Blue Lagoon Ltd. is acting as a data controller.

Your privacy is of paramount importance to us. We value your trust and we commit to safeguarding any personal information you leave with us. It is important that you read this Privacy Policy carefully as it explains what types of information we collect, what purposes it will be used for, whom it may be shared with and your rights regarding the personal information processed.

By confirming you have read this Privacy Policy, you are confirming that you are aware of the processing of your personal information and how the processing will be conducted

WHAT PERSONAL INFORMATION WE MAY COLLECT AND FOR WHAT PURPOSES

The kinds of personal information we may collect from you depend on the services we provide you with. We first and foremost use your personal information for providing and improving our services and products.

Please be aware that if you do not wish to provide us with personal information, e.g. which is necessary for the performance of a contract or which we are legally required to process, we may not be able to provide you with a part or all of the services requested, and your experience may be affected.

Our geothermal spas, hotels, restaurants and related services
When you book our spas, hotels, restaurants or related services we collect necessary information in order for us to provide you with our services.

The information we may collect and process include:

• Identification and contact information, such as name, date of birth, ID number, email address,
• Information related to your booking and stay.
• Payment details, such as credit card number, expiration date, and CVC code.
• Accommodation preferences, meal preferences and travel arrangements.
• Photos of you in the lagoon if you so request.
• Health requirements or required additional assistance, but only if you have submitted such information to us on your own initiative.
• Booking history.
• Communication and correspondence with you.
• Customer feedback or complaints.

Your personal information may for example be used to:

• Process bookings and reservations.
• Send you status and updates on a service you have booked and get your feedback.
• Carry out accounting, billing and other administrative tasks.
• Personalise and enhance your stay.
• Improve our services.
• Provide third party services when specifically requested by you.
• Respond to inquiries, requests and feedback you have submitted, e.g. through our website or by email.
• Ensure your safety and contact you in emergency situations.
• To meet legal and regulatory requirements.

The processing of contact information, booking information, payment details and such is based on contractual requirements. The processing of communication and correspondence with you, customer feedback and such can be based on contractual requirements, your consent, our legitimate interests of ensuring good services or our legitimate interests of processing requests concerning the rights of individuals. The processing of health requirements, photos of you in the lagoon and such is based on your consent. Whenever we process personal information based on your consent, you may withdraw your consent at any time.

The processing of your personal information is in some cases also based on legal requirements, e.g. the Icelandic Accounting Act. In rare cases, there may be an urgent need that we process your personal information to protect your vital interests, e.g. if there is a medical emergency.

At our facilities there are surveillance cameras located at crucial places to ensure the safety of assets and our guests while enjoying our services. The surveillance is based on our legitimate interests. Recordings are kept for no longer than 30 days unless related to possible legal issues, such as incidents.

Please note that we might process information in relation to usage and interaction with our websites, e.g. for statistical analysis, to improve our websites and tailor the content to your needs. For more information please see our Cookie Policy.

Our Icelandic online shop

When products are purchased from our Icelandic online shop (for people residing in Iceland) we collect necessary information in order for us to be able to service and process the purchase order. Blue Lagoon Ltd. and its subsidiary Bláa Lónið Heilsuvörur ehf. act as joint data controllers with respect to the processing of personal information collected from the Icelandic online shop.

The information we may collect and process include:

• Identification and contact information, such as name, email address, phone number, shipping and billing address.
• Payment details, such as credit card number, expiration date, and CVC code.
• Choice of shipping method.
• Tracking information.
• Information on the purchase which has been especially submitted to us, e.g. a gift message.
• Purchase history.
• Record of communication and correspondence.
• Customer feedback or complaints.

The personal information may for example be used to:

• Process the order.
• Send status and updates on a product which has been purchased.
• Carry out accounting, billing and other administrative tasks.
• Tracking information.
• Provide third party services, e.g. courier services.
• Respond to inquiries, requests and feedback submitted, e.g. through our website or by email.
• Send tracking information for the purchase.
• Improve our products and services.
• To meet legal and regulatory requirements.

The processing of contact information, payment details, tracking information and such is based on contractual requirements. The processing of communication and correspondence, customer feedback and such can be based on contractual requirements, consent, our legitimate interests of ensuring good services or our legitimate interests of processing requests concerning the rights of individuals. Whenever we process personal information based on consent, the consent can be withdrawn at any time. The processing of personal information is in some cases also based on legal requirements, e.g. the Icelandic Accounting Act.

Please note that we might process information in relation to usage and interaction with our website, e.g. for statistical analysis, to improve our website and tailor the content to cutomer‘s needs. For more information please see our Cookie Policy.

Blue Lagoon Club and inquires sent to you

If you become a member of our Blue Lagoon Club we process your contact information for the purpose of communicating with you. We may use your personal information to contact you with newsletters, marketing or promotional material and other information that may be of interest to you. The data is processed based on your consent.

When you send us requests, inquiries, complaints or feedback we process your contact information as well as the information you send us in order for us to respond. Personal information is processed based on your consent or our legitimate interests.

You will not receive any communication from us that is unsolicited or not related to a product or a service that you have purchased, booked or inquired about.

When processing is based on your consent you have the right to withdraw your consent at any time without affecting the lawfulness of the processing based on your consent before its withdrawal. You can write to us at contact@bluelagoon.com with “Privacy“ in the subject line and withdraw your consent. Each marketing communication sent to you via e-mail will also provide you with the option to unsubscribe from receiving any further marketing material from us.

Additional use for analysis and market research
We may use pseudonymized or anonymized information generated from your personal information to carry out analysis and market research. For example we might analyse the way our products and services are being used by customers so that we can understand how to improve the services and products we offer. The data is processed based on our legitimate interests to improve our services and products.

Our website
Our websites and subdomains (our „website“) use cookies, for example to provide you with as relevant information as possible and tailor the content to your needs. Examples of this would be presenting the appropriate currency and preserving user‘s selection during any booking process.

We also use Google Analytics, Google Adwords and other tools. We use e.g. Google Analytics to collect information on how visitors use our website, information such as IP address, operating system, browser type, origin of traffic etc. This data is then used to measure performance and implement improvements as needed. We use e.g. Google AdWords for remarketing, to advertise our products and services on third party websites tailored to specific targeting groups and previous visitors to our website. This could be in the form of an advertisement on the Google search results page, or a site in the Google Display Network. Third-party vendors, including Google, use cookies to serve ads based on someone’s past visits. You can set preferences for how Google advertises to you using the Google´s Ads settings page.

You can choose not to accept certain cookies when you visit our website. You can also choose not to accept cookies by disabling them in the settings of your web browser. See further our Cookie Policy for information about the use of cookies and other tracking technologies.

You can find more information about cookies at: http://www.allaboutcookies.org

You have the right to object at any time to the processing of your information to the extent that it is related to direct marketing purposes. If you object to remarketing based on your information you can for example opt out of a third-party vendor's use of cookies by visiting the Network Advertising Initiative opt-out page.

PRESERVATION OF YOUR PERSONAL INFORMATION

Your personal information will be kept for the duration needed to be used in conformity with the original purpose of its collection unless otherwise necessary to comply with legal requirements. In some cases for example your personal information may be stored for seven years from the closure of the accounting year in question in accordance with Article 20 of the Icelandic Accounting Act No. 145/1994.

SHARING OF PERSONAL INFORMATION WITH DATA PROCESSORS, THIRD PARTIES AND WITHIN THE BLUE LAGOON GROUP

We may share personal information with data processors to facilitate our services, to provide requested services on our behalf and/or to assist us in analyzing how our services and products are used. For example, our courier service in Iceland has selected access to personal information for delivery purposes only when products are purchased from our Icelandic online shop. Personal

information might also be shared with data processors who supply us with information technology services, cloud services and payment services.

These parties have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purposes. These parties may be located outside of Iceland. However, we will not transfer personal data outside of the European Economic Area unless permitted by applicable privacy legislation, such as based on standardized contractual terms, your consent or a notice issued by the Data Protection Authority listing states granting personal data adequate protection.

Your personal information may be shared within the Blue Lagoon group, with Bláa Lónið Heilsuvörur ehf., as our subsidiary might provide us with certain support, such as marketing support with respect to our Icelandic online shop.

We do reserve the right to disclose your personal information when required to do so by law, subpoena or a court order, or by the reasonable requests of law enforcement or a government entity. We also reserve the right to disclose your personal information to our legal representatives to uphold our legal rights as a business or the rights of our employees.

Your personal information may be shared with third party services when requested by you, e.g. when you have authorised a third party such as an agent to manage your personal information on your behalf to make necessary bookings, requests, payments etc.

We may also use data processors to assist us with analytics regarding our website and to display relevant market material to website visitors. For further information, please see our Cookie Policy.

Any disclosure of personal information by us to another party will only be made on a confidential basis.

TRANSFER OF YOUR PERSONAL INFORMATION FROM THIRD PARTIES TO US

When you have authorized a third party, such as a travel agent or a booking service, to manage your personal information on your behalf to make necessary bookings or reservations for our geothermal spas, hotels, restaurants or related services, our Privacy Policy applies when the information has been transferred to us.

Any additional service providers which provide a part of your services, stay or journey will be separate data controllers under European Union/EEA data protection law. Their privacy policies should be accessible from them directly for further information on their processing of personal information

SECURITY

Payment transactions for the geothermal spas, hotels, restaurants, shops and online shop for Iceland are operated through Planet. Payment transactions are safeguarded at all times. They are PCI DSS (Payment Card Industry Data Security Standard) certified to insure safe transactions of payment card information. Our websites are secured with SSL certificates with the highest level of encryption and security. SSL stands for Secure Sockets Layer and provides secure, encrypted communications between a website and an internet browser.

Personal information, except surveillance videos, may be stored and managed by data processors who must comply with privacy laws and regulations and carry out appropriate security safeguards in order to protect leakage, loss and damage of information. Surveillance data is stored inhouse with strict access control.

In case of a personal data breach, we will without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Icelandic Data Protection Authority (Persónuvernd), unless the personal data breach is unlikely to result in a risk to your rights and freedoms. When the personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the personal data breach to you without undue delay unless otherwise stated by law.

YOUR RIGHTS REGARDING OUR PROCESSING – WITHDRAWAL OF CONSENT

You have the right to access your personal information at all times and to have the information corrected if inaccurate or incorrect. You have the right to restrict processing concerning your personal information if you contest the accuracy of the information. The processing may be restricted for a period enabling us to verify the accuracy of the information. You also have the right to restrict the processing of your personal information if the processing is considered unlawful or if we no longer need the information for the purposes of processing but you don‘t want the information erased.

If the processing of your personal informaton is based on our legitimate interests, you also have the right to object to such processing. You have the right to object at any time to the processing of your personal information to the extent that it is related to direct marketing purposes, e.g. when you have signed up for our Blue Lagoon Club.

You have the right to have personal data erased if the information is no longer necessary in relation to the purposes for which it was collected, you have withdrawn your consent on which the processing is based or your information has been unlawfully processed. An exception to this shall be made if data is required to be kept in accordance with law, e.g. the Icelandic Accounting Act No. 145/1994.

You have the right to transfer personal data concerning you, which you have provided to us, to another party when the processing has been based on your consent and the processing is carried out by automated means. This right shall, however, not adversely affect the rights and freedoms of others.

If you wish to have your personal information removed from our database, withdraw your consent for processing or have any other questions regarding this Privacy Policy or our processing and protection of personal information, please contact us by email at contact@bluelagoon.com with “Privacy“ in the subject line.

We may require you to provide an appropriate proof of identity if you make a request in accordance with the aforementioned, e.g. a copy of a government issued ID, such as your passport or driving licence and your signature.

MINORS

We do not intentionally collect personal information from minors (children under 13). If a minor has provided us with information, a parent or guardian of the minor should contact us and we will remove the information from our database immediately.

PRIVACY POLICY AMENDMENTS

We may make changes to this Privacy Policy at any time so that it reflects how we process personal information from time to time. Changes, additions or deletions shall be effective immediately after an updated version has been published and be a part of all new bookings, purchases, inquiries and website visits after publication. The date of the latest revision of this Privacy Policy is set at the bottom of this page.

COMPLAINTS

You have the right to lodge a complaint to the Data Protection Authority (Persónuvernd), Rauðarárstígur 10, 105 Reykjavík, Iceland (www.personuvernd.is) if you disagree with our processing of personal data. You are also entitled to submit a complaint to a data protection authority in the member state of the European Economic Area where your habitual residence is or your place of work.

Updated: 11 February 2022