Privacy statement


This privacy policy describes how the Blue Lagoon group (Blue Lagoon Beauty Oy, business ID: 2657576-9; Blue Lagoon Yrjönkatu Oy, business ID: 2902896-3; Blue Lagoon Kamppi Oy, business ID: 3154061-6; Chakra Voyage Oy, business ID: 2989708-5; and Blue Lagoon Omppu Oy, business ID: 2895633-8) processes personal data: what personal data the company collects, for what purposes the data is used, to which parties the data can be disclosed, and how the data subject can influence the processing.

The company protects the privacy of data subjects and complies with the EU’s General Data Protection Regulation (2016/679) (“data protection regulation”) and other applicable data protection legislation and good data processing practices in all processing of personal data.

“Personal data” means all information about a natural person (“data subject”) from which she / he can be directly or indirectly identified, as defined in the data protection regulation.

Data controller and data protection officer


Blue Lagoon Beauty Oy, 2657576-9

Blue Lagoon Kamppi Oy, 3154061-6

Blue Lagoon Yrjönkatu Oy, 2902896-3

Blue Lagoon Omppu Oy, 2895633-8

Contact person of the data controller: Sini Virtanen +358 10 5826 270.

The company group’s data protection officer: Sini Virtanen

Contact information: +358 10 5826 270,

Data protection officers of the offices:

Kamppi, Kolmikulma, Punavuori & Turku – Milla Malkki

Iso Omena – Heidi Taipalus

Töölö & Tampere – Amira Mäkinen

Lippulaiva – Vilma Strandman

Kallio – Vilma Torkko

Purposes of personal data processing and legal basis for processing

Personal data is processed e.g. for the following purposes:

  • For ordering / reserving the company’s products and services
  • For service production, maintenance, development and quality assurance
  • To ensure the security of the services and to prevent and investigate abuses
  • To fulfill statutory obligations
  • For business planning and product development
  • For personalized customer service and targeted customer communication and monitoring the use of services
  • For marketing and targeting marketing to customers and potential customers
  • For risk management and prevention of abuses

Legal basis for processing personal data:

The legal basis for the processing of data subjects’ personal data is primarily the contractual relationship between the Company and the data subject. The processing of personal data is also based on statutory obligations, such as accounting obligations, know-your-customer obligations and statutory reporting obligations. Processing for customer relationship management and direct marketing is based on the Company’s legitimate interest.

In addition, digital direct marketing and subscribing to the Company’s newsletter and saving personal data collected through the Company’s website for direct marketing are based on consent.

Processed personal data groups, data content and data sources

The company only collects such personal data from registered users that is essential and necessary for the purposes described in this privacy statement.

The following information is processed about data subjects:

| Personal data group | Examples of information content |
| --- | --- |
| Contact information | The registrant’s name, address (if necessary), telephone number and email address. |
| Information related to the customer relationship | Billing and payment information (if necessary) and other information that identifies the customer relationship. |
| Customer transaction information as well as contract and product information | Information about the contract between the Company and the data subject, product and order information and customer feedback, as well as contacts and complaints between the data subject and the Company. |
| Consents and prohibitions given by the registrant | Information regarding the consent given by the registrant to digital direct marketing and the consent given to the processing of personal data, as well as information regarding the withdrawal of the above-mentioned consents and prohibitions given by the registrant. Consent given by the registrant about images used for marketing. |
| Behavioral data and technical identification data | Monitoring of the data subject’s online behavior and use of the Company’s services by means of, for example, cookies or similar technical identifiers. Collected information may include, for example, the user’s IP address, pages used, browser type, web address, time and duration of the session. |

You can find more information about the use of cookies and other technical tracking methods in the Company’s cookie policy.

Personal data, the provision of which is necessary to fulfill the obligations based on the contract and/or legislation between the Company and the data subject and to provide the Company’s services, is reported to the data subject in each connection.

Personal data is mainly collected from the registrants themselves or from the company represented by the registrant, e.g. in connection with making an offer, concluding a customer contract or during the customer relationship, in connection with marketing or via website forms. The registered person may also have provided information to the Company, for example, in connection with a competition or raffle, in connection with the use of websites or by subscribing to a digital newsletter.

In marketing, the company uses external service providers who process the contact information of registered users for marketing purposes. This information is not permanently stored in the Company’s registers.

Personal data can also be collected from the entity on whose behalf the data subject acts. In addition, data can also be collected and updated in situations permitted by legislation from registers maintained by third parties, such as the Population Register Center, trade register and credit information registers of credit information companies.

Retention of personal data

The company keeps personal data for as long as is necessary to fulfill the purposes defined in the privacy statement, unless the legislation obliges to keep personal data longer (for example, responsibilities and obligations related to special legislation, accounting obligations or reporting obligations), or unless the company needs the information to prepare, present or defend against a legal claim or to resolve a similar disagreement situation.

The data retention period and retention criteria vary by personal data group, depending on the purpose of use of a particular personal data group.

Personal data is processed for the duration of the customer and contractual relationship and the necessary time after the end of the customer and contractual relationship.

Information about potential customers is mainly kept for 24 months.

In the case of entities, the retention of the registered person’s personal data is linked to how long the data subject acts as the entity’s representative towards the Company. Personal data will be deleted within a reasonable time after the respective role ends.

When the personal data is no longer needed as defined above, the data will be deleted within a reasonable time, unless legislation obliges the Company to keep the data for a longer period of time.

Recipients of personal data

In accordance with this privacy policy, the company may outsource the processing of personal data to service providers or subcontractors. The company ensures with sufficient contractual obligations that personal data is processed appropriately and in accordance with the law.

The following entities participate in the processing of personal data:

  • Paytrail Oyj
  • Phorest

Personal data is not disclosed for direct marketing purposes or for opinion and market surveys and other similar surveys.

In special cases, personal data can be disclosed to the authorities in situations required and justified by legislation.

In addition, in emergencies or other unexpected situations, the Company may have to hand over personal data of registered users in order to protect people’s lives and health, as well as property. In addition, the Company may have to hand over the personal data of the registrants if the Company is involved in legal proceedings or proceedings in other dispute resolution bodies.

If the Company is involved in a merger, business deal or other business arrangement, it may have to hand over personal data of registered users to third parties. The data protection of the data subject is also protected in the arrangements, and the data subject will be notified of them appropriately if necessary.

The transfer of data to a third party mainly takes place by means of electronic data transfer connections, but data can also be transferred in other ways, such as by phone or letter.

Transfer of personal data outside the EU/EEA

Personal data will not be transferred outside the European Union or the European Economic Area.

Personal data protection principles and processing security

The company processes personal data in a way that aims to ensure the appropriate security of personal data, including protection against unauthorized processing and accidental loss, destruction or damage.

The company uses appropriate technical and organizational safeguards to secure this, including the use of firewalls, encryption technologies, secure equipment rooms, appropriate access control and access management, instructions and contracts for personnel and subcontractors involved in the processing of personal data.

Contracts and other documents that are kept as originals are kept in locked rooms, to which the right of access is limited only to authorized parties.

Based on the Employment Contracts Act and the confidentiality clauses of contracts, all entities that process personal data have a duty of confidentiality regarding matters related to the processing of registered personal data.

Rights of registrants

The right to access data and the right to inspect data

The registered person has the right to receive confirmation as to whether the registered person’s personal data is being processed.

The registered person has the right to check and see the information about him- / herself and, upon request, the right to receive the information in written or digital form.

The right to correct data and delete data

The registered person has the right to demand the correction of incorrect or inaccurate information. In addition, the data subject has the right to request the deletion of her / his data.

The controller also deletes, corrects and completes on its own initiative personal data that is incorrect, unnecessary, incomplete or out of date in terms of the purpose of the processing.

The right to transfer data and to limit processing and to object to processing

The registered person has the right to request the transfer of her / his data to another controller.

In addition, the data subject has the right to request the restriction of the processing of personal data in accordance with the conditions defined by the data protection legislation.

The registered person has the right to object to the use of the data for certain types of processing. The registrant has the right to refuse the disclosure and processing of their data for direct marketing.

The right to withdraw consent

If the processing of personal data is based on the consent given separately by the user, the data subject has the right to withdraw her / his consent to the processing of data about her / him. The cancellation has no effect on the processing carried out before the cancellation.

Implementation of rights

Requests regarding the rights of registered persons are made digitally and addressed to the data protection officer mentioned in this data protection appendix. Identity is checked before providing information. The inspection request will be answered within a reasonable time and, if possible, no later than one month after the request is submitted and the identity is verified.

If the data subject’s request cannot be agreed to, the data subject will be informed of the refusal in writing.

The right to file a complaint with the supervisory authority

The data subject has the right to file a complaint with the data protection authority if the data subject considers that his/her personal data has been processed in violation of current legislation.

Changes to the privacy statement

The company is constantly developing its services and, as a result, may have to change and update this privacy policy as necessary. The changes may also be based on changes in the legislation on data protection. We recommend that you familiarize yourself with the content of the privacy statement regularly. Significant changes will be notified to registered users.

The data protection statement was updated on 10 March 2022.

Cookie policy

General information about cookies

We use cookies on our website to improve the site’s user experience. Cookies are short text files that the web server stores on the user’s terminal device. After saving, the browser sends the data back to the server as part of the request. This way, the service site can identify and track web browsers.

Cookies tell how users use our website. We may use cookies to develop our services and website, to analyze website usage, and to target and optimize marketing. The user of the website can give her / his consent or deny the use of cookies in the settings of her / his web browser.

Types of cookies

There are two main types of cookies: session cookies and persistent cookies:

  • Session cookies disappear from the computer as soon as the browser is closed.
  • Persistent cookies remain stored on the computer until they are separately deleted or their validity expires.

Cookies used

We use cookies on the site for the following purposes:

  • to collect information about the user using Google Analytics tools
  • to enable sharing of content using Facebook
  • for showing recommendations to the user if she / he has visited the site before
  • to identify the user when she / he logs in; anonymous users do not receive this cookie
  • to save the selected language in the cookie
  • We also use the AdWords service to track purchase decisions and retarget ads. These are third-party cookies with a validity period of 90 days to two years.

Third party cookies

Google Analytics

We use the Google Analytics system to analyze the use of the website. Google Analytics generates statistics and other information about the use of the website with the help of cookies stored on users’ computers. The information collected from the website is used to prepare reports on the use of the website. Here are the tasks performed by Google cookies in brief:

  • specifying the domain to monitor
  • separating individual users
  • remembering the number and time of previous visits
  • remembering traffic source data
  • defining the start and end of the session
  • remembering the value of visitor-level custom variables.

Google stores and uses this information from 30 minutes to two years, depending on the type of cookie.

Google’s Privacy Policy is available at

Allowing cookies

Most web browsers allow cookies automatically.

By using the site and accepting this policy, you consent to the use of cookies in accordance with the cookie policy document.

Blocking cookies

Instructions for blocking the use of cookies can be found on the help pages of your browser:

Blocking cookies hinders the usability of some websites.