Privacy notice

PRIVACY NOTICE

The protection of your privacy is important to us, and Flamingospa Oy is committed to protecting it to the best of our ability and to process your personal data transparently following applicable data protection legislation and good data protection practices. Personal data will be processed in accordance with the EU General Data Protection Regulation (2016/679, GDPR) and the Finnish Data Protection Act (1050/2018) within the limits and in the situations permitted by them.

This privacy notice applies to the processing of personal data carried out by Flamingospa Oy to provide its services and market them to its customers. This privacy notice covers personal data concerning Flamingospa Oy’s spa-, restaurant-, sports- and indoor playground customers; the customers using our treatment services in the Adult spa area and MySense; business customers; newsletter subscribers, and website users. For the purposes of this notice, the term “person” refers to all such natural persons.

In this privacy notice, we explain in more detail how Flamingospa Oy is committed to collecting, processing, and protecting your personal data. It is of paramount importance to us that you can be confident that your data is handled securely. We encourage you to read this privacy notice and contact us if you have any questions.

1. The Controller and contact information

Flamingospa Oy
Bsuiness ID: 2029086-9
Address: Tasetie 8, 01510 Vantaa
tietosuoja@flamingospa.fi

For all matters and questions concerning data protection and the processing of personal data, please send an email to the above address.

Fair data processing assessment

Fair processing practices ensure that our approach to the processing of personal data and the measures we have to take to protect personal data are appropriate. We have implemented fair processing in the following ways:

There is a specific purpose and a legitimate basis for the processing. The processing is transparent to the data subject.
Only necessary personal data of data subjects is processed and used solely for the purpose it was originally collected.
The personal data may only be processed within the organization by those persons who need it for their work. Data will only be appropriately disclosed to third parties.
Personal data will be stored with due regard to security and for only as long as necessary.
The data is accurate and up to date.

3. The personal data processed

We process the following personal data that are strictly necessary:

Basic personal data, such as

Name
Email address
Telephone number
Address, postal code and city
Date of birth
Personal identification number
Contact details of the minor’s guardian

Data based on the customer’s purchase transactions, such as

Purchase transactions and details of orders processed
Time of use of services
The person’s interests in our services
Payment method
Billing information

Data related to the use of the website, such as

IP-address and cookie information
Technical information, such as the type of the device and information about how you accessed our website
Website activity, e.g. forms submitted; time spent on the site; use of the site

Other information, such as

The person’s direct marketing permissions and prohibitions
Information about contacts with our customer service
Information on special dietary requirements collected for camp- and group registrations

Sensitive data when providing treatment services

In order to provide you with a safe treatment, we need information about your health, such as information about allergies, medical conditions or other health information that may affect the delivery of the service. Your privacy is very important to us, and we will only use such information to determine whether a particular treatment is appropriate and therefore safe for you. Health data is collected from you at the time of the delivery of the service in the format of a preliminary information form. You will also be able to provide information about your health when you book an appointment for a treatment.
For certain treatments, we are also required by law to collect your social security number to be able to identify you. The purpose of collecting your social security number is to safeguard your treatment.

Flamingospa Oy does not collect all of the above personal data from all data subjects.

4. Regular data sources

As a general rule, personal data is collected directly from you or from a company with which we have concluded a customer contract with. Personal data is collected in the course of digital transactions, during the delivery of a treatment, during your visit to the website or other interactions with you, such as at marketing events, for example at trade fairs.

5. The legal bases and purposes for processing

We will always process your personal data based on a legal ground provided in the GDPR. The processing of personal data is based on one or more of the following legal grounds:

A contract concluded between us
Obligatory legislation binding us
Conset given by the data subject
Examples of personal data processed on the basis of consent include in particular the following:
(i) Cookies
(ii) Newsletters and marketing
(iii) Health data
Legitimate interest of the controller
Legitimate interest means processing that is substantially related to the controller’s activities and which the customer can reasonably expect to be part of the controller’s activities. In situations where the processing is based on a legitimate interest, we have performed a balance test and assessed that the interests or fundamental rights and freedoms of a person requiring the protection of personal data do not override the legitimate interests of our organization.

Personal data is processed for the following purposes: processing, delivering and archiving orders made online; processing appointments; producing, developing and providing operational services; managing and maintaining customer relationships; gaining customers; improving the customer experience; providing better customer service; informing customers; ensuring safety; providing more personalized targeted content and marketing; delivering a newsletter; administering campaigns and competitions; providing recreational activities; enforcing marketing prohibitions under the law; preventing abuse; developing third party services; analytics and statistical purposes; billing; complying with legal obligations; profiling and automated decision making (we collect information about your interests and, based on the information provided, we may suggest other services you may be interested in).

6. Retention period of personal data

We will retain personal data in accordance with applicable law only for as long as retention is necessary for the purposes for which the personal data are processed. Personal data will be deleted when its retention is no longer necessary by legislation or to fulfill the rights or obligations of either party.

You can unsubscribe from our email marketing list yourself via the unsubscribe link in each marketing email we send.

Consent to cookies is automatically retained in the browser for 12 months, at which time the website visitor will be asked again, unless the website visitor clears or deletes cookies from their browser, or we change our cookie policy. In these cases, we require the website visitor to update their consent status to reflect our current cookie policy. In this case, the website visitor’s consent status will only be restored for necessary cookies before they have accepted/rejected cookies.

7. Disclosures and transfers of personal data

We may disclose some necessary information to third parties that we use as service providers or subcontractors. We use trusted contractors with whom our contracts take into account the requirements of the GDPR and other legislation. We also use customer data with third parties for analytics and personalization purposes.

We may disclose your data to public authorities where we are required by law to do so, for example, to prevent or investigate fraud or other illegal activity. We may also disclose your personal data to other parties on the order of a competent court. In addition, we may disclose your data in connection with a potential sale of a business or other business reorganization to a purchaser of a business or other relevant party in connection with the reorganization.

We will transfer data to the following third parties:

analytical and statistical partners;
email marketing partners, where the customer has opted-in to receive a newsletter;
other relevant service providers or subcontractors.

Flamingospa Oy ensures a high level of data security and data protection when transferring and processing data in accordance with the GDPR. Third parties and their subcontractors may also transfer personal data outside the EU or the European Economic Area. In these situations, applicable legislation and its requirements, such as standard contractual clauses (SCCs) adopted by the European Commission, will be respected. Flamingospa Oy itself does not process personal data processed in accordance with this notice outside the EU or the European Economic Area.

8. Principles of protection of personal data

The confidentiality of personal data is important to us. We have implemented appropriate technical and organizational measures to protect personal data against accidental or unlawful loss, disclosure, misuse, alteration, destruction or unauthorized access. We use the following safeguards to ensure the security of personal data:

Access to personal data is restricted with access rights only to those predefined persons who need the data for the performance of their duties. Sensitive data is protected more securely than other personal data from unauthorized disclosure, modification or use.
The information systems and devices used for processing personal data are adequately protected technically, including access control with personal user IDs and passwords, firewalls, and other technical methods.
We only process personal data of persons under the age of 13 with the consent of their guardian. If we are unable to obtain appropriate parental or guardian consent, we will immediately delete such information. When processing personal data of children, we are particularly careful about who has access to the personal data. We will delete children’s personal data from our systems immediately when there is no longer a reason to process it.
The personnel have received comprehensive training and instructions related to the appropriate processing of personal data. Everyone who processes personal data has a duty of confidentiality regarding all personal data.
Electronic files are regularly backed up.
Any physical or paper material is stored in locked premises.
Material containing personal data is deleted in a secure way.
If, despite all the security measures, a personal data breach including negative effects on the data subjects’ privacy takes place, we will notify the authorities as well as the data subjects concerned in accordance with the applicable legislation.

9. The rights of data subjects

Where the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. For example, you can withdraw your consent to electronic marketing at any time. You may also object to direct marketing (including profiling for direct marketing purposes) at any time.

You also have the right to check what information we have collected of you or to request confirmation that we do not hold any personal data about you on our records. If you find any errors, inaccuracies, or omissions in the information, you can request that it be corrected or completed.

You also have the right to object to or request that we restrict the processing of your personal data in certain cases provided by law. If the controller has a legitimate interest in processing your personal data, you can object to the processing of your data. In this case, we may not continue to process your personal data unless we have a valid ground that overrides your rights.

In certain circumstances, you have the right to be forgotten in which case we will delete all the data we have collected about you unless the data needs to be retained for the purposes for which it was collected. Please note, however, that we may have legal obligations to retain your personal data that require us to retain your data for a certain period of time.

You may request a transfer of your personal data, in which case we will provide you with your personal data in a machine-readable format so that you can store it yourself or transfer it to another controller. Where technically feasible, we can transfer your data directly to another controller at your request.

You also have the right to lodge a complaint about the processing of your personal data with the competent supervisory authority, the Finnish Data Protection Ombudsman, whose contact details can be found at tietosuoja.fi/en.

10. Cookies

Our website uses cookies and tags to ensure that it functions optimally. A cookie is a text file that is sent from Flamingospa Oy’s web server and stored on your web server. We also use cookies to collect comprehensive analytical information about your use of our services to store functionality and to direct relevant news and offers to you.

You have the option to change your web browser settings regarding the use and coverage of cookies. An example of this type of change is to block all cookies or delete cookies when you close your browser. Do remember, however, that if cookies are not accepted, some of the functions of the website may be impaired and some of the content of the website may not be properly displayed.

11. Updates to this privacy notice

We are constantly following the updates on data protection legislation and aspire to continuously develop our business. Thus, we reserve the right to modify or update this privacy notice whenever necessary.

This privacy notice has been drafted 22 April 2024.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-9514049-2	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
TADCID	10 years	The domain of this cookie is owned by Tripadvisor. The cookie stores Unique ID for the tripadvisor user. The cookie helps in viewing embedded content from Tripadvisor.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie		The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
uid	2 months	This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__vt	1 hour	No description
C	1 month	No description

Waterpark

Funpark

Adult spa

MySense

Waffles & Wine

Location

Reporting channel

Customer service

Groups and companies

Search