Thank you for visiting our website. Your privacy is very important to us. This policy explains what information we collect, why we collect it, and how we use it. We value your trust and are committed to safeguarding your details.
What personal information we may collect and for what purposes
The kinds of personal information we may collect from you depend on the services we provide you with. We first and foremost use your personal information for providing and improving our services and products.
Please be aware that if you do not wish to provide us with personal information, e.g. which is necessary for the performance of a contract or which we are legally required to process, we may not be able to provide you with a part or all of the services requested, and your experience may be affected.
When you book our hotels, restaurants or related services we collect necessary information in order for us to provide you with our services.
The information we may collect and process includes:
Identification and contact information, such as name, date of birth, ID number, email address,
Information related to your booking and stay.
Payment details, such as credit card number, expiration date, and CVC code.
Accommodation preferences, meal preferences and travel arrangements.
Photos of you in the Highland Base Baths if you so request.
Health requirements or required additional assistance, but only if you have submitted such information to us on your own initiative.
Communication and correspondence with you.
Customer feedback or complaints.
Your personal information may for example be used to:
Process bookings and reservations.
Send you status and updates on a service you have booked and get your feedback.
Carry out accounting, billing and other administrative tasks.
Personalize and enhance your stay.
Improve our services.
Provide third party services when specifically requested by you.
Respond to inquiries, requests and feedback you have submitted, e.g. through our website or by email.
Ensure your safety and contact you in emergency situations.To meet legal and regulatory requirements.
The processing of contact information, booking information, payment details and such is based on contractual requirements. The processing of communication and correspondence with you, customer feedback and such can be based on contractual requirements, your consent, our legitimate interests of ensuring good services or our legitimate interests of processing requests concerning the rights of individuals. The processing of health requirements, photos of you in the lagoon and such is based on your consent. Whenever we process personal information based on your consent, you may withdraw your consent at any time.
The processing of your personal information is in some cases also based on legal requirements, e.g. the Icelandic Accounting Act. In rare cases, there may be an urgent need that we process your personal information to protect your vital interests, e.g. if there is a medical emergency.
At our facilities there are surveillance cameras located at crucial places to ensure the safety of assets and our guests while enjoying our services. The surveillance is based on our legitimate interests. Recordings are kept for no longer than 30 days unless related to possible legal issues, such as incidents.
Highland Base newsletter and inquiries sent to you
If you sign up for our newsletter we process your contact information for the purpose of communicating with you. We may use your personal information to contact you with newsletters, marketing or promotional material and other information that may be of interest to you. The data is processed based on your consent.
When you send us requests, inquiries, complaints or feedback we process your contact information as well as the information you send us in order for us to respond. Personal information is processed based on your consent or our legitimate interests.
You will not receive any communication from us that is unsolicited or not related to a product or a service that you have purchased, booked or inquired about.
When processing is based on your consent you have the right to withdraw your consent at any time without affecting the lawfulness of the processing based on your consent before its withdrawal. You can write to us at firstname.lastname@example.org with “Privacy“ in the subject line and withdraw your consent. Each marketing communication sent to you via e-mail will also provide you with the option to unsubscribe from receiving any further marketing material from us.
Additional use for analysis and market research
We may use pseudonymized or anonymized information generated from your personal information to carry out analysis and market research. For example we might analyse the way our products and services are being used by customers so that we can understand how to improve the services and products we offer. The data is processed based on our legitimate interests to improve our services and products.
You can find more information about cookies at: http://www.allaboutcookies.org
Preservation of your personal information
Your personal information will be kept for the duration needed to be used in conformity with the original purpose of its collection unless otherwise necessary to comply with legal requirements. In some cases for example your personal information may be stored for seven years from the closure of the accounting year in question in accordance with Article 20 of the Icelandic Accounting Act No. 145/1994.
Sharing of personal information with data processors, third parties and within Highland Base
We may share personal information with data processors to facilitate our services, to provide requested services on our behalf and/or to assist us in analyzing how our services and products are used. For example, our courier service in Iceland has selected access to personal information for delivery purposes only when products are purchased from our Icelandic online shop.
Personal information might also be shared with data processors who supply us with information technology services, cloud services and payment services.
These parties have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purposes. These parties may be located outside of Iceland. However, we will not transfer personal data outside of the European Economic Area unless permitted by applicable privacy legislation, such as based on standardized contractual terms, your consent or a notice issued by the Data Protection Authority listing states granting personal data adequate protection.
We do reserve the right to disclose your personal information when required to do so by law, subpoena or a court order, or by the reasonable requests of law enforcement or a government entity. We also reserve the right to disclose your personal information to our legal representatives to uphold our legal rights as a business or the rights of our employees.
Your personal information may be shared with third party services when requested by you, e.g. when you have authorized a third party such as an agent to manage your personal information on your behalf to make necessary bookings, requests, payments etc.
Any disclosure of personal information by us to another party will only be made on a confidential basis.
Transfer of your personal information from third parties to us
Any additional service providers which provide a part of your services, stay or journey will be separate data controllers under European Union/EEA data protection law. Their privacy policies should be accessible from them directly for further information on their processing of personal information.
Payment transactions for the geothermal spas, hotels, restaurants, shops and online shop for Iceland are operated through Valitor. Payment transactions are safeguarded at all times. They are PCI DSS (Payment Card Industry Data Security Standard) certified to insure safe transactions of payment card information. Our websites are secured with SSL certificates with the highest level of encryption and security. SSL stands for Secure Sockets Layer and provides secure, encrypted communications between a website and an internet browser.
Personal information, except surveillance videos, may be stored and managed by data processors who must comply with privacy laws and regulations and carry out appropriate security safeguards in order to protect leakage, loss and damage of information. Surveillance data is stored in-house with strict access control.
In case of a personal data breach, we will without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Icelandic Data Protection Authority (Persónuvernd), unless the personal data breach is unlikely to result in a risk to your rights and freedoms. When the personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the personal data breach to you without undue delay unless otherwise stated by law.
Your rights regarding our processing - Withdrawal of consent
You have the right to access your personal information at all times and to have the information corrected if inaccurate or incorrect. You have the right to restrict processing concerning your personal information if you contest the accuracy of the information. The processing may be restricted for a period enabling us to verify the accuracy of the information. You also have the right to restrict the processing of your personal information if the processing is considered unlawful or if we no longer need the information for the purposes of processing but you don‘t want the information erased.
If the processing of your personal information is based on our legitimate interests, you also have the right to object to such processing. You have the right to object at any time to the processing of your personal information to the extent that it is related to direct marketing purposes, e.g. when you have signed up for our Newsletter.
You have the right to have personal data erased if the information is no longer necessary in relation to the purposes for which it was collected, you have withdrawn your consent on which the processing is based or your information has been unlawfully processed. An exception to this shall be made if data is required to be kept in accordance with law, e.g. the Icelandic Accounting Act No. 145/1994.
You have the right to transfer personal data concerning you, which you have provided to us, to another party when the processing has been based on your consent and the processing is carried out by automated means. This right shall, however, not adversely affect the rights and freedoms of others.
We may require you to provide an appropriate proof of identity if you make a request in accordance with the aforementioned, e.g. a copy of a government issued ID, such as your passport or driving license and your signature.
We do not intentionally collect personal information from minors (children under 13). If a minor has provided us with information, a parent or guardian of the minor should contact us and we will remove the information from our database immediately.
You have the right to lodge a complaint to the Data Protection Authority (Persónuvernd), Rauðarárstígur 10, 105 Reykjavík, Iceland (www.personuvernd.is) if you disagree with our processing of personal data. You are also entitled to submit a complaint to a data protection authority in the member state of the European Economic Area where your habitual residence is or your place of work.
Updated: 16 February 2023