The protection of your privacy is important to us, and Flamingospa Oy is committed to protecting it to the best of our ability and to processing your personal data transparently, following applicable data protection legislation and good data protection practices. Personal data will be processed in accordance with the EU General Data Protection Regulation (2016/679, GDPR) and the Finnish Data Protection Act (1050/2018) within the limits and in the situations permitted by them.

This privacy notice applies to the processing of personal data carried out by Flamingospa Oy to provide its services and market them to its customers. This privacy notice covers personal data concerning Flamingospa Oy’s spa, restaurant, sports and indoor playground customers; the customers using our treatment services in the Adult spa area and MySense; business customers; newsletter subscribers; and website users. For the purposes of this notice, the term “person” refers to all such natural persons.

In this privacy notice, we explain in more detail how Flamingospa Oy is committed to collecting, processing, and protecting your personal data. It is of paramount importance to us that you can be confident that your data is handled securely. We encourage you to read this privacy notice and contact us if you have any questions.

1. The Controller and contact information

For all matters and questions concerning data protection and the processing of personal data, please send an email to the above address.

2. Fair data processing assessment

Fair processing practices ensure that our approach to the processing of personal data and the measures we have to take to protect personal data are appropriate. We have implemented fair processing in the following ways:

  • There is a specific purpose and a legitimate basis for the processing. The processing is transparent to the data subject.
  • Only necessary personal data of data subjects is processed and used solely for the purpose it was originally collected.
  • The personal data may only be processed within the organization by those persons who need it for their work. Data will only be appropriately disclosed to third parties.
  • Personal data will be stored with due regard to security and for only as long as necessary.
  • The data is accurate and up to date.

3. The personal data processed

We process the following personal data that are strictly necessary:

Basic personal data, such as

  • Name
  • Email address
  • Telephone number
  • Address, postal code and city
  • Date of birth
  • Personal identification number
  • Contact details of the minor’s guardian

Data based on the customer’s purchase transactions, such as

  • Purchase transactions and details of orders processed
  • Time of use of services
  • The person’s interests in our services
  • Payment method
  • Billing information

Data related to the use of the website, such as

  • IP-address and cookie information
  • Technical information, such as the type of the device and information about how you accessed our website
  • Website activity, e.g. forms submitted; time spent on the site; use of the site

Other information, such as

  • The person’s direct marketing permissions and prohibitions
  • Information about contacts with our customer service
  • Information on special dietary requirements collected for camp and group registrations

Sensitive data when providing treatment services

  • In order to provide you with a safe treatment, we need information about your health, such as information about allergies, medical conditions or other health information that may affect the delivery of the service. Your privacy is very important to us, and we will only use such information to determine whether a particular treatment is appropriate and therefore safe for you. Health data is collected from you at the time of the delivery of the service in the format of a preliminary information form. You will also be able to provide information about your health when you book an appointment for a treatment.
  • For certain treatments, we are also required by law to collect your social security number to be able to identify you. The purpose of collecting your social security number is to safeguard your treatment.

Flamingospa Oy does not collect all of the above personal data from all data subjects.

4. Regular data sources

As a general rule, personal data is collected directly from you or from a company with which we have concluded a customer contract. Personal data is collected in the course of digital transactions, during the delivery of a treatment, during your visit to the website or other interactions with you, such as at marketing events, for example at trade fairs.

5. The legal bases and purposes for processing

We will always process your personal data based on a legal ground provided in the GDPR. The processing of personal data is based on one or more of the following legal grounds:

  • A contract concluded between us
  • Obligatory legislation binding us
  • Consent given by the data subject
    Examples of personal data processed on the basis of consent include in particular the following:
    (i) Cookies
    (ii) Newsletters and marketing
    (iii) Health data
  • Legitimate interest of the controller
    Legitimate interest means processing that is substantially related to the controller’s activities and which the customer can reasonably expect to be part of the controller’s activities. In situations where the processing is based on a legitimate interest, we have performed a balance test and assessed that the interests or fundamental rights and freedoms of a person requiring the protection of personal data do not override the legitimate interests of our organization.

Personal data is processed for the following purposes: processing, delivering and archiving orders made online; processing appointments; producing, developing and providing operational services; managing and maintaining customer relationships; gaining customers; improving the customer experience; providing better customer service; informing customers; ensuring safety; providing more personalized targeted content and marketing; delivering a newsletter; administering campaigns and competitions; providing recreational activities; enforcing marketing prohibitions under the law; preventing abuse; developing third party services; analytics and statistical purposes; billing; complying with legal obligations; profiling and automated decision making (we collect information about your interests and, based on the information provided, we may suggest other services you may be interested in).

6. Retention period of personal data

We will retain personal data in accordance with applicable law only for as long as retention is necessary for the purposes for which the personal data are processed. Personal data will be deleted when its retention is no longer necessary by legislation or to fulfill the rights or obligations of either party.

You can unsubscribe from our email marketing list yourself via the unsubscribe link in each marketing email we send.

Consent to cookies is automatically retained in the browser for 12 months, at which time the website visitor will be asked again, unless the website visitor clears or deletes cookies from their browser, or we change our cookie policy. In these cases, we require the website visitor to update their consent status to reflect our current cookie policy. In this case, the website visitor’s consent status will only be restored for necessary cookies before they have accepted/rejected cookies.

7. Disclosures and transfers of personal data 

We may disclose some necessary information to third parties that we use as service providers or subcontractors. We use trusted contractors with whom our contracts take into account the requirements of the GDPR and other legislation. We also use customer data with third parties for analytics and personalization purposes.

We may disclose your data to public authorities where we are required by law to do so, for example, to prevent or investigate fraud or other illegal activity. We may also disclose your personal data to other parties on the order of a competent court. In addition, we may disclose your data in connection with a potential sale of a business or other business reorganization to a purchaser of a business or other relevant party in connection with the reorganization.

We will transfer data to the following third parties:

  • analytical and statistical partners;
  • email marketing partners, where the customer has opted-in to receive a newsletter;
  • other relevant service providers or subcontractors.

Flamingospa Oy ensures a high level of data security and data protection when transferring and processing data in accordance with the GDPR. Third parties and their subcontractors may also transfer personal data outside the EU or the European Economic Area. In these situations, applicable legislation and its requirements, such as standard contractual clauses (SCCs) adopted by the European Commission, will be respected. Flamingospa Oy itself does not process personal data processed in accordance with this notice outside the EU or the European Economic Area.

8. Principles of protection of personal data

The confidentiality of personal data is important to us. We have implemented appropriate technical and organizational measures to protect personal data against accidental or unlawful loss, disclosure, misuse, alteration, destruction or unauthorized access. We use the following safeguards to ensure the security of personal data:

  • Access to personal data is restricted with access rights only to those predefined persons who need the data for the performance of their duties. Sensitive data is protected more securely than other personal data from unauthorized disclosure, modification or use.
  • The information systems and devices used for processing personal data are adequately protected technically, including access control with personal user IDs and passwords, firewalls, and other technical methods.
  • We only process personal data of persons under the age of 13 with the consent of their guardian. If we are unable to obtain appropriate parental or guardian consent, we will immediately delete such information. When processing personal data of children, we are particularly careful about who has access to the personal data. We will delete children’s personal data from our systems immediately when there is no longer a reason to process it.
  • The personnel have received comprehensive training and instructions related to the appropriate processing of personal data. Everyone who processes personal data has a duty of confidentiality regarding all personal data.
  • Electronic files are regularly backed up.
  • Any physical or paper material is stored in locked premises.
  • Material containing personal data is deleted in a secure way.
  • If, despite all the security measures, a personal data breach including negative effects on the data subjects’ privacy takes place, we will notify the authorities as well as the data subjects concerned in accordance with the applicable legislation.

9. The rights of data subjects 

Where the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. For example, you can withdraw your consent to electronic marketing at any time. You may also object to direct marketing (including profiling for direct marketing purposes) at any time.

You also have the right to check what information we have collected about you or to request confirmation that we do not hold any personal data about you on our records. If you find any errors, inaccuracies, or omissions in the information, you can request that it be corrected or completed.

You also have the right to object to or request that we restrict the processing of your personal data in certain cases provided by law. If the controller has a legitimate interest in processing your personal data, you can object to the processing of your data. In this case, we may not continue to process your personal data unless we have a valid ground that overrides your rights.

In certain circumstances, you have the right to be forgotten in which case we will delete all the data we have collected about you unless the data needs to be retained for the purposes for which it was collected. Please note, however, that we may have legal obligations to retain your personal data that require us to retain your data for a certain period of time.

You may request a transfer of your personal data, in which case we will provide you with your personal data in a machine-readable format so that you can store it yourself or transfer it to another controller. Where technically feasible, we can transfer your data directly to another controller at your request.

You also have the right to lodge a complaint about the processing of your personal data with the competent supervisory authority, the Finnish Data Protection Ombudsman, whose contact details can be found at

10. Cookies

Our website uses cookies and tags to ensure that it functions optimally. A cookie is a text file that is sent from Flamingospa Oy’s web server and stored on your web server. We also use cookies to collect comprehensive analytical information about your use of our services to store functionality and to direct relevant news and offers to you.

You have the option to change your web browser settings regarding the use and coverage of cookies. An example of this type of change is to block all cookies or delete cookies when you close your browser. Do remember, however, that if cookies are not accepted, some of the functions of the website may be impaired and some of the content of the website may not be properly displayed.

11. Updates to this privacy notice  

We are constantly following the updates on data protection legislation and aspire to continuously develop our business. Thus, we reserve the right to modify or update this privacy notice whenever necessary.

This privacy notice was drafted on 22 April 2024.