WHAT PERSONAL DATA WE MAY COLLECT AND FOR WHAT PURPOSES
We do not collect personal data without your knowledge or consent. We collect personal data that you submit to us when you purchase a product from the online shop and otherwise use our services, including, but not limited to, creating an account and/or Loyalty Program member profile, or when you leave your comments or reviews on a product page. In principle, we do not receive your personal data from third parties. When we receive your personal data from a third party, we will discuss with that third party who is responsible for informing you about that data transfer.
Our online shop
When you purchase a product from our online shop we first and foremost collect and use the personal data you provide us to service and process your purchase order and to improve our services and products.
The information we may collect and process includes:
- Identification and contact information, such as name, email address, phone number, shipping and billing address in connection with your purchase(s) of any products from our online shop.
- Payment details, such as credit card number, expiration date, and CVC code.
- Choice of shipping method.
- Tracking information.
- Information on your purchase that you have especially submitted to us, e.g. a gift message.
- Purchase history.
- Our communication and correspondence with you.
- Customer feedback, reviews, requests, inquiries, and complaints provided by you, and the associated contact details (e.g. email address) contained therein.
Your personal data may be used to:
- Process your order.
- Send you status and updates on a product you have purchased.
- Carry out accounting, billing and other administrative tasks.
- Provide third party services, e.g. warehouse and courier services.
- Respond to inquiries, requests and feedback you have submitted, e.g. through our Website or by email.
- Send you tracking information for your purchases.
- Improve our products and services, develop, test, and improve new services.
- Meet legal and regulatory requirements.
- Diagnose, troubleshoot, and fix technical problems or issues.
- Maintain registered user accounts.
Please also note that we may use your shipping address to automatically calculate and buy carbon credits to provide carbon neutral shipping. The processing of contact information, payment details, choice of shipping method and tracking information is based on contractual requirements.
The processing of communication and correspondence with you for your purchase is based on the performance of our purchase agreement with you. The processing of customer feedback and similar input can be based on our legitimate interests of ensuring good services or our legitimate interests of processing requests concerning the rights of individuals. Whenever we process personal data based on your consent (e.g., information you send us in a gift message), you may withdraw your consent at any time.
The processing of your personal data is in some cases also based on legal requirements, e.g. the applicable financial legislation.
Our Loyalty Program
If you create an account and become a member of our Loyalty Program, we will collect your full name and email address. You also have the opportunity to provide us with your mailing address, mobile phone number and birth date. The information will be used to operate and facilitate your account and participation in our Loyalty Program. We may also use your phone number, email address, or address in order to send marketing information, special product information, special offers, and other similar communications. You may opt out of receiving such communications by following the instructions in the specific communication (e.g., clicking the unsubscribe button at the bottom of an email), or by managing your account settings.
If you would like to manage, change, limit, or delete your personal data, you can do so via your account settings, or by emailing us at [email protected].
Limiting use of, or deleting, your personal data may impact features and uses that rely on that information. However, we will not discriminate against you for exercising any of your rights, including otherwise denying you goods or services, providing you with a different level or quality of products or services, or charging you different prices or rates for services.
We process the personal data you provide us in the context of our Loyalty Program based on your consent.
Use of product reviews in the online shop
When you leave a product review on the online shop, we may collect the personal data given in the review, e.g., name, e-mail address, stars given, the title and the content of the review. Please be aware that when you submit your review it is visible to the public. By posting your review to the online shop, you grant us a worldwide, royalty-free, non-exclusive, transferable right to use your review for online and offline commercial purposes in any and all media, including, but not limited to, our social media platforms and marketing and/or advertising purposes. We therefore process this personal data based on your consent.
Blue Lagoon Skin Care newsletter and inquiries sent to us
If you subscribe to our Blue Lagoon Skin Care newsletter we process your contact information for the purpose of communicating with you. We may use your personal data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. The personal data is processed based on your consent.
When you send us requests, inquiries, complaints or feedback we process your contact information as well as the information you send us in order for us to respond. Personal data is processed based on your consent or our legitimate interests.
You will not receive any communication from us that is unsolicited or not related to a product that you have purchased or inquired about.
Processing your personal data is based on your consent. You have the right to withdraw your consent at any time without affecting the lawfulness of the processing based on your consent before its withdrawal. You can write to us at [email protected] with “Privacy” in the subject line and withdraw your consent. Each marketing communication sent to you via e-mail will also provide you with the option to unsubscribe from receiving any further marketing material from us.
Additional use for analysis and market research
We may use pseudonymized or anonymized information generated from your personal data to carry out analysis and market research so that we can understand how to improve the products and services we offer and make sure that our products meet the needs of our customers. The personal data is processed based on our legitimate interests to improve our products and services. Such pseudonymized or anonymized information may be analyzed by a third party company solely in connection with the uses set forth in this paragraph. You have the right to object at any time to the processing of your personal data to the extent that it is related to direct marketing purposes by sending an email to [email protected] with “Privacy” in the subject line.
Automated decision making
In principle, we do not use your personal data in the context of any automated decision making, such as profiling. If we do use your personal data in the context of automated decision making, we will make sure to inform you thereabout.
PRESERVATION OF YOUR PERSONAL DATA
Your personal data will be kept for the duration needed to be used in conformity with the original purpose of its collection unless otherwise necessary to comply with legal requirements. In some cases, for example, your personal data may be stored for seven years from the closure of the accounting year in question in accordance with Article 20 of the Icelandic Accounting Act No. 145/1994.
SHARING OF PERSONAL DATA WITH THIRD PARTIES AND WITHIN THE BLUE LAGOON GROUP
We may share personal data with third parties (e.g. data processors) to facilitate our services, provide requested services on our behalf and/or to assist us in analyzing our services and products. For example, we share personal data with our partner who provides us with marketing and customer care support. Our warehouse partner and its courier services also have selected access to your personal data for delivery purposes only. Personal data might also be shared with third parties who supply us with information technology services, cloud services and payment services.
These third parties have access to your personal data only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purposes. These third parties may be located outside of Iceland. We endeavor to ensure that this international data transfer does not adversely affect the level of protection of personal data. However, we will not transfer personal data outside the European Economic Area unless permitted by applicable privacy legislation, such as based on standardized contractual terms with relevant assessment and taking additional appropriate contractual, technical and organizational measures if necessary. In other cases, we will inform you of a possibly lower level of protection of your data. If necessary, we will ask for your specific consent before transferring the data. You can withdraw your consent at any time. Your preferences will then be adjusted immediately. This has no consequences for the processing that has already taken place. However, foreign authorities may require access to your data or you may not be able to turn to a judge easily. The transfer may also be based on a notice issued by the Data Protection Authority listing states granting personal data adequate protection. Your personal data may be shared within the Blue Lagoon group, with Blue Lagoon Ltd., as Blue Lagoon Ltd. might provide us with certain services, such as IT support, accounting services, sales and marketing support. Internally, we only grant our employees access to your personal data insofar as needed for the purpose your personal data is processed for.
We do reserve the right to disclose your personal data when required to do so by law, subpoena or a court order, or by the reasonable requests of law enforcement or a government entity, to investigate possible threats or illegal activity, or to protect the rights, safety and property of us and our employees. We also reserve the right to disclose your personal data to our legal representatives who are bound by confidentiality obligations to uphold our legal rights as a business or the rights of our employees.
Any disclosure of personal data by us to a third party will only be made on a confidential basis, except that any comments or reviews you post on the online shop will be accessible to anyone accessing the website.
Payment transactions are operated through our partner Adyen. Payment transactions are safeguarded at all times. They are PCI DSS (Payment Card Industry Data Security Standard) certified to ensure safe transactions of payment card information. Our websites are secured with SSL certificates with the highest level of encryption and security. SSL stands for Secure Sockets Layer and provides secure, encrypted communications between a website and an internet browser.
We maintain reasonable and appropriate administrative and technical safeguards designed to protect the personal data you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. In connection with our security practices, personal data might be stored by third parties who must comply with applicable privacy laws and regulations and carry out appropriate security safeguards in order to protect against leakage, loss and unauthorized use of information.
In case of a personal data breach, we will without undue delay and not later than 72 hours after becoming aware of it, notify the personal data breach to the Icelandic Data Protection Authority, unless the personal data breach is unlikely to result in a risk to your rights and freedoms. When the personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the personal data breach to you without undue delay unless otherwise stated by law.
For your reference, we will never contact you via phone call or email requesting your username or password (for the shop, its platforms or any other website, app, or account), bank account information, credit card information or social security number.
YOUR RIGHTS REGARDING PROCESSING OF YOUR PERSONAL DATA – WITHDRAWAL OF CONSENT
You have the right to access your personal data at all times and to have the information corrected if inaccurate or incorrect. You have the right to restrict processing concerning your personal data if you contest the accuracy of the information. The processing may be restricted for a period enabling us to verify the accuracy of the information. You also have the right to restrict the processing of your personal data if the processing is considered unlawful or if we no longer need the information for the purposes of processing but you don’t want the information erased.
If the processing of your personal data is based on our legitimate interests, you also have the right to object to such processing. You have the right to object at any time to the processing of your personal data to the extent that it is related to direct marketing purposes.
You have the right to have personal data erased if the information is no longer necessary in relation to the purposes for which it was collected, you have withdrawn your consent on which the processing is based or your information has been unlawfully processed. An exception to this shall be made if personal data is required to be kept in accordance with law, e.g. the applicable financial legislation.
You have the right to transfer personal data concerning you, which you have provided to us, to another party when the processing has been based on your consent and the processing is carried out by automated means. This right shall however not adversely affect the rights and freedoms of others.
We may require you to provide an appropriate proof of identity if you make a request in accordance with the aforementioned, e.g. via a verification e-mail or a copy of a government issued ID, such as your passport or driving license and your signature.
We do not intentionally collect personal data from minors (children under the age of 16). If a minor has provided us with information, a parent or guardian of the minor should contact us and we will remove the information from our database immediately.
We require all account owners to be at least eighteen (18) years of age.
If you have any complaints about the way we process your personal data, please contact us via [email protected]. You also have the right to lodge a complaint to the Icelandic Data Protection Authority (Persónuvernd), Rauðarárstígur 10, 105 Reykjavík, Iceland (www.personuvernd.is) if you disagree with our processing of personal data. You are also entitled to submit a complaint to a data protection authority in the member state of the European Economic Area where your habitual residence is or your place of work.