Privacy Policy | Blue Lagoon Iceland

Thank you for visiting our website. Your privacy is very important to us. This policy explains what information we collect, why we collect it, and how we use it. We value your trust and are committed to safeguarding your details.

This is the Privacy Policy of Blue Lagoon Ltd., Id. no. 490792-2369, a company registered in Iceland with its office address at Norðurljósavegur 9, 240 Grindavík, Iceland (also referred to as „we“ in this Privacy Policy). Blue Lagoon Ltd. operates geothermal spas, hotels, restaurants and shops for skincare products, spa products as well as other home products.

This Privacy Policy applies to personal information and data which we collect and process regarding guests, customers, potential customers and those who visit our website. When doing so, Blue Lagoon Ltd. is acting as a data controller.
Your privacy is of paramount importance to us. We value your trust and we commit to safeguarding any personal information you leave with us. It is important that you read this Privacy Policy carefully as it explains what types of information we collect, what purposes it will be used for and who it may be shared with. By accepting this Privacy Policy, you are confirming that you are aware of the processing of your personal information and how the processing will be conducted.

WHAT PERSONAL INFORMATION WE MAY COLLECT AND FOR WHAT PURPOSES

The kinds of personal information we may collect from you depend on the services we provide you with. We first and foremost use your personal information for providing and improving our services and products.

Please be aware that if you do not wish to provide us with personal information, e.g. which is necessary for the performance of a contract or which we are legally required to process, we may not be able to provide you with part or all of the services requested, and your experience may be affected.

Our geothermal spas, hotels, restaurants and related services
When you book our spas, hotels, restaurants or related services we collect necessary information in order for us to provide you with our services.

The information we may collect and process includes:

  • Identification and contact information, such as name, date of birth, ID number, email address, phone number and postal address.
  • Information related to your booking and stay.
  • Payment details, such as credit card number, expiration date, and CVC code.
  • Accommodation preferences, meal preferences and travel arrangements.
  • Photos of you in the lagoon if you so request.
  • Health requirements or required additional assistance, but only if you have submitted such information to us on your own initiative.
  • Booking history.
  • Record of our communication and correspondence with you.
  • Customer feedback or complaints.

Your personal information may for example be used to:

  • Process bookings and reservations.
  • Send you status and updates on a service you have booked and get your feedback.
  • Carry out accounting, billing and other administrative tasks.
  • Personalise and enhance your stay.
  • Improve our services.
  • Provide third party services when specifically requested by you.
  • Respond to inquiries, requests and feedback you have submitted, e.g. through our website or by email.
  • Ensure your safety and contact you in emergency situations.
  • To meet legal and regulatory requirements.

The processing of contact information, booking information, payment details and such is based on contractual requirements. The processing of communication and correspondence with you, customer feedback and such can be based on contractual requirements, our legitimate interests of ensuring good services and processing requests concerning the rights of individuals, and/or your consent. The processing of health requirements, photos of you in the lagoon and such is based on your consent.

Whenever we process personal information based on your consent, you may withdraw your consent at any time. The processing of your personal information is in some cases also based on legal requirements, e.g. the Icelandic Accounting Act. In rare cases, there may be an urgent need that we process your personal information to protect your vital interests, e.g. if there is a medical emergency.

At our facilities there are surveillance cameras located at crucial places to ensure the safety of assets and our guests while enjoying our services. The surveillance is based on our legitimate interests. Recordings are kept for no longer than 3 months unless related to possible legal issues, such as incidents.

Please note that we might process personal information in relation to usage and interaction with our website and subdomains, e.g. for statistical analysis, to improve our website and tailor the content to your needs. For more information please see our Cookie Policy.

Our shops

When you purchase our products we collect necessary information in order for us to be able to service and process your purchase order.
The information we may collect and process includes:

  • Identification and contact information, such as name, date of birth, email address, phone number, shipping and billing address.
  • Payment details, such as credit card number, expiration date, and CVC code.
  • Choice of shipping method.
  • Tracking information.
  • Information on your purchase that you have especially submitted to us, e.g. a gift message.
  • Purchase history.
  • Record of our communication and correspondence with you.
  • Customer feedback or complaints.

Your personal information may for example be used to:

  • Process your order.
  • Send you status and updates on a product you have purchased.
  • Carry out accounting, billing and other administrative tasks.
  • Provide third party services, e.g. warehouse and courier services.
  • Respond to inquiries, requests and feedback you have submitted, e.g. through our website or by email.
  • Send you tracking information for your purchases.
  • Improve our products and services.
  • To meet legal and regulatory requirements.

The processing of contact information, payment details, tracking information and such is based on contractual requirements. The processing of communication and correspondence with you, customer feedback and such can be based on contractual requirements, our legitimate interests of ensuring good services and processing requests concerning the rights of individuals, and/or your consent. Whenever we process personal information based on your consent, you may withdraw your consent at any time. The processing of your personal information is in some cases also based on legal requirements, e.g. the Icelandic Accounting Act.

Please note that we might process personal information in relation to usage and interaction with our website and subdomains, e.g. for statistical analysis, to improve our website and tailor the content to your needs. For more information please see our Cookie Policy.

Blue Lagoon Club, loyalty members and inquiries sent to us

If you become a member of our Blue Lagoon Club we process your contact information for the purpose of communicating with you. We may use your personal information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. The data is processed based on your consent.

If you reside in America and use the online shop for America you can become a Blue Lagoon loyalty member. If you become a loyalty member we process your contact information for the purpose of communicating with you and giving you points which you can turn into rewards. We may for example use your personal information to contact you with newsletters, offers, marketing or promotional materials and other information that may be of interest to you. The data is processed based on your consent.

When you send us requests, inquiries, complaints or feedback we process your contact details as well as the information you send us in order for us to respond. The data is processed based on your consent and our legitimate interests.
You will not receive any communication from us that is unsolicited or not directly related to a product or a service that you have purchased or enquired about.

When processing is based on your consent you have the right to withdraw your consent at any time without affecting the lawfulness of the processing based on your consent before its withdrawal. You can write to us at contact@bluelagoon.com with “Privacy” in the subject line and withdraw your consent. Each marketing communication sent to you via e-mail will also provide you with the option to unsubscribe from receiving any further marketing material from us.

Additional use for analysis and market research
We may use pseudonymized or anonymized information generated from your personal information to carry out analysis and market research. For example we might analyse the way our products and services are being used by customers so that we can understand how to improve the services and products we offer. The data is processed based on our legitimate interests to improve our services and products.

Our website
Our website (http://www.bluelagoon.com) and subdomains (our „website“) use cookies, for example to provide you with information that is as relevant as possible and to tailor it to your needs. Examples of this would be presenting the appropriate currency and preserving users’ selections during any booking process. You can find more information about cookies at: http://www.allaboutcookies.org.

We also use Google Analytics, Google AdWords and other tools. We use e.g. Google Analytics to collect information on how visitors use our website, information such as IP address, operating system, browser type, origin of traffic etc. This data is then used to measure performance and implement improvements as needed. We use e.g. Google AdWords for remarketing, to advertise our products and services on third party websites tailored to specific targeting groups and previous visitors to our website. This could be in the form of an advertisement on the Google search results page, or a site in the Google Display Network. Third-party vendors, including Google, use cookies to serve ads based on someone’s past visits. You can set preferences for how Google advertises to you using Google’s Ads settings page. You can choose not to accept certain cookies when you visit our website.

You can also choose not to accept cookies by disabling them in the settings of your web browser. See further our Cookie Policy for information about the use of cookies and other tracking technologies.

You have the right to object at any time to the processing of your personal data to the extent that it is related to direct marketing purposes. If you object to remarketing based on your personal data you can for example opt out of a third-party vendor's use of cookies by visiting the Network Advertising Initiative opt-out page.

PRESERVATION OF YOUR PERSONAL INFORMATION

Your personal information will be kept for the duration needed to be used in conformity with the original purpose of its collection unless otherwise necessary to comply with legal requirements. In some cases for example your personal information may be stored for seven years from the closure of the accounting year in question in accordance with Article 20 of the Icelandic Accounting Act No. 145/1994.

SHARING OF PERSONAL INFORMATION WITH THIRD PARTIES – DISCLOSURE

We may share personal information with third parties to facilitate our services, to provide requested services on our behalf and/or to assist us in analyzing how our services are used. For example, our warehouse partners and courier services have selected access to your personal information for delivery purposes only. Also, personal information might be shared with third parties who supply us with information technology services and other services related to processing.
These third parties have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purposes. These third parties may be located outside of Iceland. However, we will not transfer personal data outside of the European Economic Area unless permitted by applicable privacy legislation, such as based on standardized contractual terms, your consent or a notice issued by the Data Protection Authority listing states granting personal data adequate protection.
We use Shopify for our online stores. If you are located in America and purchase products at our online store for that region your necessary personal information will be transferred to our warehouse partner in the USA, which is certified under the US privacy shield certification, in order to send you the purchased product. If you are located within the European Economic Area (except Iceland) or other countries outside of America your necessary personal information will be transferred to our warehouse partner in the United Kingdom in order to send you the purchased product. After our warehouse partner has prepared the inventory for shipment a relevant carrier will be contacted to deliver the package to you for the purpose of finalising your purchase order.
Personal information about you may also be shared with a third party as explained in the chapter „Payments and Security“ in this Privacy Policy. Your personal information may also be transferred within the Blue Lagoon group as our subsidiaries might provide us with certain services, such as sales support.
We do reserve the right to disclose your personal information when required to do so by law, subpoena or a court order, or by the reasonable requests of law enforcement or a government entity. We also reserve the right to disclose your personal information to our legal representatives to uphold our legal rights as a business or the rights of our employees.
Your personal information may be shared with third party services when requested by you, e.g. when you have authorised a third party such as an agent to manage your personal information on your behalf to make necessary bookings, requests, payments etc.
We may also use third parties to assist us with analytics regarding our website and to display relevant market material to website visitors. For further information, please see our Cookie Policy.
Any disclosure of personal information by us to a third party will only be made on a confidential basis.

TRANSFER OF YOUR PERSONAL INFORMATION FROM THIRD PARTIES TO US

When you have authorized a third party, such as a travel agent or a booking service, to manage your personal information on your behalf to make necessary bookings or reservations for our geothermal spas, hotels, restaurants or related services, our Privacy Policy applies when the information has been transferred to us.
Any additional service providers which provide a part of your services, stay or journey will be separate data controllers under European Union data protection law. Their privacy policies should be accessible from them directly for further information on their processing of personal information.

PAYMENTS AND SECURITY

Payment transactions are operated through Borgun hf. (http://www.borgun.com) except payment transactions for the America online shop which are operated through Shopify Pay. Payment transactions are safeguarded at all times. They are PCI DSS (Payment Card Industry Data Security Standard) certified to ensure safe transactions of payment card information. Our websites are secured with SSL certificates with the highest level of encryption and security. SSL stands for Secure Sockets Layer and provides secure, encrypted communications between a website and an internet browser.
Personal information, except surveillance videos, may be stored and managed by third parties who must comply with privacy laws and regulations and carry out appropriate security safeguards in order to protect against leakage, loss and damage of information. Surveillance data is stored in-house with strict access control.
In case of a personal data breach, we will without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Icelandic Data Protection Authority (Persónuvernd), unless the personal data breach is unlikely to result in a risk to your rights and freedoms. When the personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the personal data breach to you without undue delay unless otherwise stated by law.

You have the right to access your personal information at all times and to have the information corrected if inaccurate or incorrect. You have the right to restrict processing concerning your personal information if you contest the accuracy of the information. The processing may be restricted for a period enabling us to verify the accuracy of the information. You also have the right to restrict the processing of your personal information if the processing is considered unlawful or if we no longer need the information for the purposes of processing but you don’t want the information erased.
If the processing of your personal information is based on our legitimate interests, you also have the right to object to such processing. You have the right to object at any time to the processing of your personal information to the extent that it is related to direct marketing purposes, e.g. when you have signed up for our Blue Lagoon Club.
You have the right to have personal data erased if the information is no longer necessary in relation to the purposes for which it was collected, you have withdrawn your consent on which the processing is based or your information has been unlawfully processed. An exception to this shall be made if data is required to be kept in accordance with law, e.g. the Icelandic Accounting Act No. 145/1994.
You have the right to transmit personal data concerning you, which you have provided to us, to another party when the processing has been based on your consent and the processing is carried out by automated means. This right shall, however, not adversely affect the rights and freedoms of others.
If you wish to have your personal information removed from our database, withdraw your consent for processing or have any other questions regarding this Privacy Policy or our processing and protection of personal information, please contact us by email at contact@bluelagoon.com with “Privacy” in the subject line.
We may require you to provide an appropriate proof of identity if you make a request in accordance with the aforementioned, e.g. a copy of a government issued ID, such as your passport or driving licence and your signature.

MINORS

We do not intentionally collect personal information from minors (children under 13). If a minor has provided us with information, a parent or guardian of the minor should contact us and we will remove the information from our database immediately.

PRIVACY POLICY AMENDMENTS

We may make changes to this Privacy Policy at any time so that it reflects how we process personal information from time to time. Changes, additions or deletions shall be effective immediately after an updated version has been published and be a part of all new bookings, purchases, inquiries and website visits after publication. The date of the latest revision of this Privacy Policy is set at the bottom of this page.

COMPLAINTS

You have the right to lodge a complaint with the Data Protection Authority (Persónuvernd), Rauðarárstígur 10, 105 Reykjavík, Iceland (www.personuvernd.is) if you disagree with our processing of personal data. You are also entitled to submit a complaint to a data protection authority in the member state of the European Economic Area where your habitual residence is or your place of work.

Updated: November 2019.