This is the Privacy Policy of Blue Lagoon Skincare ehf., Id. no. 671296-2819, a company registered in Iceland, with its office address at Norðurljósavegur 9, 241 Grindavík, Iceland. Blue Lagoon Skincare ehf. is a subsidiary of Blue Lagoon Ltd., a company also registered in Iceland.

Blue Lagoon Skincare ehf. produces skin care products, spa products as other home products. Blue Lagoon NL B.V. is a subsidiary of Blue Lagoon Skincare ehf. and operates an online shop for such products for European and international market except America (collectively referred to as „we“ in this Privacy Policy).

This Privacy Policy applies to personal information and data which we collect and process regarding customers, potential customers and those who visit our online shop website. The data controller for the purposes of this Privacy Policy is Blue Lagoon Skincare ehf.

Your privacy is of paramount importance to us. We value your trust and we commit to safeguarding any personal information you leave with us. It is important that you read this Privacy Policy carefully as it explains what types of information we collect, what purposes it will be used for, whom it may be shared with and your rights regarding the personal information processed.

By confirming you have read this Privacy Policy, you are confirming that you are aware of the processing of your personal information and how the processing will be conducted.




Our online shop

When you purchase a product from our online shop we first and foremost collect and use the personal information you provide to service and process your purchase order and to improve our services.

Please be aware that if you do not wish to provide us with personal information, e.g. which is necessary for the performance of a contract or which we are legally required to process, we may not be able to provide you with the product requested.

The information we may collect and process include:

  • Identification and contact information, such as name, email address, phone number, shipping and billing address.
  • Payment details, such as credit card number, expiration date, and CVC code.
  • Choice of shipping method.
  • Tracking information.
  • Information on your purchase that you have especially submitted to us, e.g. a gift message.
  • Purchase history.
  • Record of our communication and correspondence with you.
  • Customer feedback and complaints.


Your personal information may be used to:

  • Process your order.
  • Send you status and updates on a product you have purchased.
  • Carry out accounting, billing and other administrative tasks.
  • Provide third party services, e.g. warehouse and courier services.
  • Respond to inquiries, requests and feedback you have submitted, e.g. through our website or by email.
  • Send you tracking information for your purchases.
  • Improve our products and services.
  • To meet legal and regulatory requirements.


The processing of contact information, payment details, choice of shipping method and tracking information is based on contractual requirements.

The processing of communication and correspondence with you, customer feedback and such can be based on contractual requirements, your consent, our legitimate interests of ensuring good services or our legitimate interests of processing requests concerning the rights of individuals. Whenever we process personal information based on your consent, you may withdraw your consent at any time.

The processing of your personal information is in some cases also based on legal requirements, e.g. the applicable Accounting Act.

Please note that we might process information in relation to usage and interaction with our online shop website, e.g. for statistical analysis, to improve the website and tailor the content to your needs. For more information please see our Cookie Policy.


Blue Lagoon Skin Care Club and inquires sent to us

If you become a member of our Blue Lagoon Skin Care Club we process your contact information for the purpose of communicating with you. We may use your personal information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. The personal information is processed based on your consent.

When you send us requests, inquiries, complaints or feedback we process your contact information as well as the information you send us in order for us to respond. Personal information is processed based on your consent or our legitimate interests.

You will not receive any communication from us that is unsolicited or not related to a product that you have purchased or inquired about.

When processing is based on your consent you have the right to withdraw your consent at any time without affecting the lawfulness of the processing based on your consent before its withdrawal. You can write to us at [email protected] with “Privacy“ in the subject line and withdraw your consent. Each marketing communication sent to you via e-mail will also provide you with the option to unsubscribe from receiving any further marketing material from us.


Additional use for analysis and market research

We may use pseudonymized or anonymized information generated from your personal information to carry out analysis and market research so that we can understand how to improve the products and services we offer and make sure that our products meet the needs of our customers. The personal information is processed based on our legitimate interests to improve our products and services.


Our website

Our online shop website uses cookies. The cookies are used to provide you with as relevant information as possible and tailor the content to your needs. Examples of this would be presenting the appropriate currency and preserving users’ selections during any purchase process.

Google Analytics, Google Adwords and other tools are also used on the website. Google Analytics is for example used to collect information on how visitors use our websites, information such as IP address, operating system, browser type, origin of traffic etc. This data is then used to measure performance and implement improvements as needed. Google AdWords is used for remarketing, to advertise products and services on third party websites tailored to specific targeting groups and previous visitors to our website. This could be in the form of an advertisement on the Google search results page or a site in the Google Display Network. Third-party vendors, including Google, use cookies to serve ads based on someone’s past visits. You can set preferences for how Google advertises to you using the Google´s Ads settings page. 

You can choose not to accept certain cookies when you visit our online shop website. You can also choose not to accept cookies by disabling them in the settings of your web browser. See further our Cookie Policy for information about the use of cookies and other tracking technologies. 

You have the right to object at any time to the processing of your personal information to the extent that it is related to direct marketing purposes. If you object to remarketing based on your information you can for example opt out of a third-party vendor's use of cookies by visiting the Network Advertising Initiative opt-out page. 



Your personal information will be kept for the duration needed to be used in conformity with the original purpose of its collection unless otherwise necessary to comply with legal requirements. In some cases for example your personal information may be stored for seven years from the closure of the accounting year in question in accordance with Article 20 of the Icelandic Accounting Act No. 145/1994.



We may share personal information with third parties (e.g. data processors) to faciliate our services, provide requested services on our behalf and/or to assist us in analyzing our services and products. For example, we share personal information with our partner who provides us with marketing and customer care support. Our warehouse partner and its courier services also have selected access to your personal information for delivery purposes only. Personal information might also be shared with third parties who supply us with information technology services, cloud services and payment services.

These third parties have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purposes. These third parties may be located outside of Iceland. However, we will not transfer personal information outside the European Economic Area unless permitted by applicable privacy legislation, such as based on standardized contractual terms, your consent or a notice issued by the Data Protection Authority listing states granting personal information adequate protection.

Your personal information may be shared within the Blue Lagoon group, with Blue Lagoon Ltd., as Blue Lagoon Ltd. might provide us with certain services, such as IT support, accounting services, sales and marketing support.

We do reserve the right to disclose your personal information when required to do so by law, subpoena or a court order, or by the reasonable requests of law enforcement or a government entity. We also reserve the right to disclose your personal information to our legal representatives to uphold our legal rights as a business or the rights of our employees.

Any disclosure of personal information by us to a third party will only be made on a confidential basis. 



Payment transactions are operated through our partner Adyen. Payment transactions are safeguarded at all times. They are PCI DSS (Payment Card Industry Data Security Standard) certified to insure safe transactions of payment card information. Our websites are secured with SSL certificates with the highest level of encryption and security. SSL stands for Secure Sockets Layer and provides secure, encrypted communications between a website and an internet browser.

Personal information is stored and managed inhouse or by third parties who must comply with privacy laws and regulations and carry out appropriate security safeguards in order to protect leakage, loss and damage of information.

In case of a personal data breach, we will without undue delay and not later than 72 hours after becoming aware of it, notify the personal data breach to the Icelandic Data Protection Authority, unless the personal data breach is unlikely to result in a risk to your rights and freedoms. When the personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the personal data breach to you without undue delay unless otherwise stated by law.



You have the right to access your personal information at all times and to have the information corrected if inaccurate or incorrect. You have the right to restrict processing concerning your personal information if you contest the accuracy of the information. The processing may be restricted for a period enabling us to verify the accuracy of the information. You also have the right to restrict the processing of your personal information if the processing is considered unlawful or if we no longer need the information for the purposes of processing but you don‘t want the information erased. 

If the processing of your personal informaton is based on our legitimate interests, you also have the right to object to such processing. You have the right to object at any time to the processing of your personal information to the extent that it is related to direct marketing purposes.

You have the right to have personal information erased if the information is no longer necessary in relation to the purposes for which it was collected, you have withdrawn your consent on which the processing is based or your information has been unlawfully processed. An exception to this shall be made if personal information is required to be kept in accordance with law, e.g. the applicable Accounting Act.

You have the right to transfer personal information concerning you, which you have provided to us, to another party when the processing has been based on your consent and the processing is carried out by automated means. This right shall however not adversely affect the rights and freedoms of others. 

If you wish to have your personal information removed from our database, withdraw your consent for processing or have any other questions regarding this Privacy Policy or our processing and protection of personal information, please contact us by email at [email protected] with “Privacy“ in the subject line.

We may require you to provide an appropriate proof of identity if you make a request in accordance with the aforementioned, e.g. a copy of a government issued ID, such as your passport or driving licence and your signature.




We do not intentionally collect personal information from minors (children under 13). If a minor has provided us with information, a parent or guardian of the minor should contact us and we will remove the information from our database immediately. 




We may make changes to this Privacy Policy at any time so that it reflects how we process personal information from time to time. Changes, additions or deletions shall be effective immediately after an updated version has been published and be a part of all new purchases, inquiries and website visits after publication. The date of the latest revision of this Privacy Policy is set at the bottom of this page.  




You have the right to lodge a complaint to the Icelandic Data Protection Authority (Persónuvernd), Rauðarárstígur 10, 105 Reykjavík, Iceland ( if you disagree with our processing of personal information. You are also entitled to submit a complaint to a data protection authority in the member state of the European Economic Area where your habitual residence is or your place of work.


15th July 2020