BOOK NOW

Privacy Policy

This Privacy Policy last updated – July 15, 2025.

This Privacy Policy explains how LAPPI CABINS OY (“we” or the “Controller”) processes your personal data, the purposes of that processing, the recipients of the data, your rights, and other relevant conditions. 

LAPPI CABINS OY (legal entity code 3449368-3, Korpijoentie 575, 99870 Aska, Finland; tel. +370 620 34520, e-mail info@lunvio.com) is the data controller – the entity that determines the purposes and means of processing your personal data. 

All provisions of this Privacy Policy are derived from and based on the EU General Data Protection Regulation (GDPR) and other applicable legislation. 

Please take the time to read this Privacy Policy carefully, as its terms apply to all natural persons who visit our website, order our services, communicate with us, or otherwise provide personal data to us. The Policy may change in the future to reflect legal or operational developments, so we encourage you to review the current version regularly. 

Should you have any questions, requests or concerns, you can at any time contact us at info@lunvio.com or written mail to the address above, marked “Privacy”. 

 

What data we collect – why we need it – where it comes from – how long we keep it

 We hope to ensure that personal data we process is accurate at all times and therefore we encourage you to update your information as necessary when any changes occur. 

Guest & booking management 

We may obtain your personal data when you complete inquiry or reservation forms on our website; place an order for our services or otherwise contact us; fill in a registration card and provide data upon arrival at the hotel; or communicate with us by telephone, through social networks, or via other electronic channels or platforms. We may also receive your personal data indirectly through the online booking channel you use to reserve our hotel. 

This personal data includes your full name, ID, contact details (email address, phone number, address), personal identification number / date of birth, nationality, country from which you have traveled to Finland, passport/travel document number, arrival and departure date, reason for stay (leisure, work, meeting, other purpose), signature, other reservation related information (such as hotel room preferences), possible health related information (if you have provided information e.g., on allergies), any consents (e.g., marketing consent). 

The purpose of processing your data is to deliver our services, i.e. to manage and confirm your booking, to send you necessary communication related to your booking (such as booking confirmation), etc. 

The legal basis of processing your data is the performance of a contract with you (Article 6 (1)(b) GDPR), also complying with statutory obligations (GDPR Art. 6 (1)(c)). 

Providing this data is necessary; without it, we would be unable to provide the services. 

We keep your personal data for one year. 

We may transfer your data to law-enforcement or other public authorities where such disclosure is required by applicable law, also third-party service providers who are listed below. Our chosen processors may process your personal data solely on our instructions and may not use it for any other purpose. They are additionally required to safeguard your data in accordance with applicable laws and the data-processing agreements we have concluded with them. 

Recruitment 

We may obtain your personal data when you submit a CV, cover letter or other application documents via our website, by e-mail, through online job platforms or recruitment agencies; participate in interviews, skills tests or other assessment activities; provide references or additional information at our request; or communicate with us by telephone, e-mail, messaging tools or similar electronic channels. We may also receive your personal data indirectly from recruitment agencies, online job boards, or referees you have authorised us to contact. 

The personal data processed for recruitment may include your full name; contact details (e-mail address, phone number, postal address); date of birth; education, qualifications and work history; language and technical skills; salary expectations; results of interviews or assessments; reference information; and any other details you choose to provide. Where applicable, we may also process limited special-category data – such as information about health conditions that require workplace accommodation – only with your explicit consent and in accordance with GDPR Art. 9 (2)(b). 

The purpose of processing your data is to evaluate your suitability and, if applicable, take steps at your request prior to entering into an employment contract. 

The legal basis of processing your data is your consent to participate in the recruitment (GDPR Art. 6 (1)(a)); performance of pre-contractual measures at your request (Art. 6 (1)(b)); and our legitimate interest in recruiting qualified staff (Art. 6 (1)(f)). 

Providing this data is necessary; without it, we could not assess your application. 

We keep your personal data no longer than six months from receipt, unless you become our employee (in which case the data forms part of your personnel file and is retained under the employee-data schedule), or a longer period is required to establish, exercise or defend legal claims. 

We may transfer your data to law-enforcement or other public authorities where such disclosure is required by applicable law, also third-party service providers who are listed below. Our chosen processors may process your personal data solely on our instructions and may not use it for any other purpose. They are additionally required to safeguard your data in accordance with applicable laws and the data-processing agreements we have concluded with them. 

Employment Relationship 

We may obtain your personal data when you sign an employment contract or complete onboarding and HR forms; enter company premises with access cards, or use our IT systems (e-mail, laptops, internal apps); submit medical certificates, accident reports or other documents required by labour law; or communicate with us by telephone, e-mail, messaging tools or similar electronic channels. We may also receive your personal data indirectly from public authorities (e.g., tax or social-insurance offices) and internal systems that generate access or payroll records. 

The personal data processed for employment may include your full name; contact details (e-mail address, phone number, postal address); personal identification number and/or date of birth; nationality; bank-account and tax details; employment history and job title; working-time and salary information; performance reviews; training records; CCTV or access-control logs; and any health data necessary for occupational-health or safety purposes. We process special-category data, such as health information, only with the safeguards set out in GDPR Art. 9 (2)(b) and (h). 

The purpose of processing your data is to administer and perform the employment contract, pay salary and benefits, meet statutory obligations, and maintain workplace security and safety. 

The legal basis of processing your data is performance of the employment contract with you (GDPR Art. 6 (1)(b)); compliance with legal obligations arising from labour, tax, social-security and occupational-health legislation (Art. 6 (1)(c)); and our legitimate interests in safeguarding company assets, maintaining IT and building security, and managing our business efficiently (Art. 6 (1)(f)).

Providing this data is necessary; without it, we could not conclude or perform the employment contract or meet our legal duties. 

We keep your personal data no longer than ten (10) years after the employment relationship ends and all mutual claims are settled, unless a longer period is required by law. 

We may transfer your data to law-enforcement or other public authorities where such disclosure is required by applicable law, also third-party service providers who are listed below. Our chosen processors may process your personal data solely on our instructions and may not use it for any other purpose. They are additionally required to safeguard your data in accordance with applicable laws and the data-processing agreements we have concluded with them. 

Newsletters and Other Direct-Marketing Communications 

We may obtain your personal data when you subscribe to our newsletter; tick a box or otherwise indicate that you wish to receive direct-marketing materials; or interact with our social-media accounts, campaigns or other electronic channels where you voluntarily provide contact details. 

The personal data processed for marketing may include your name, e-mail address, telephone number, preferred language, marketing consents and any interests or preferences you choose to share (e.g., favorite cabin type or stay dates). 

The purpose of processing your data is to send you information about our services, news, promotions, events and other marketing content via the contact details you supplied or through social networks, media channels and similar electronic platforms. 

The legal basis of processing your data is your consent to receive direct marketing (GDPR Art. 6 (1)(a)). 

Providing this data is voluntary; without it, we cannot deliver the requested communications. 

We process your personal data for marketing for up to three (3) years from the date you gave consent or until our relationship with you ends – whichever occurs first. 

Opt-out: every e-mail, message or notice we send contains an easy opt-out link. You may also withdraw your consent at any time by contacting us via the details provided in this Privacy Policy; in that case we will stop sending marketing communications. 

We may transfer your data to law-enforcement or other public authorities where such disclosure is required by applicable law, also third-party service providers who are listed below. Our chosen processors may process your personal data solely on our instructions and may not use it for any other purpose. They are additionally required to safeguard your 

data in accordance with applicable laws and the data-processing agreements we have concluded with them. 

Complaints and Inquiries 

We may obtain your personal data when you submit a complaint, claim or inquiry by e-mail, post, telephone, social media, website form or any other channel; provide supporting documents, photographs or correspondence; or communicate with our staff during the handling of your request. 

The personal data processed may include your name; contact details (e-mail address, phone number, postal address); order or booking reference; the content of your complaint or inquiry; and any evidence you choose to supply (e.g., photographs, receipts). 

The purpose of processing your data is to register, investigate and resolve your complaint, claim or inquiry and, if necessary, to establish or defend legal claims. 

The legal basis of processing your data is your consent, reflected in your decision to submit the complaint or inquiry (GDPR Art. 6 (1)(a)); our legitimate interest in protecting our rights and resolving potential disputes (Art. 6 (1)(f)); and compliance with legal obligations that may require us to retain certain records (Art. 6 (1)(c)). 

If the matter could lead to a dispute, alleged damage or contractual claim, we may keep the data for up to ten (10) years; if no dispute is expected, we delete the data sooner – once it is no longer needed for the stated purpose. 

We may transfer your data to law-enforcement or other public authorities where such disclosure is required by applicable law, also third-party service providers who are listed below. Our chosen processors may process your personal data solely on our instructions and may not use it for any other purpose. They are additionally required to safeguard your data in accordance with applicable laws and the data-processing agreements we have concluded with them. 

Contracts with Natural Persons 

We may obtain your personal data when you negotiate, sign or amend a service or purchase contract with us; complete order or payment forms and provide billing details; or communicate with us by telephone, e-mail, online chat or other electronic channels regarding contractual matters. We may also receive your personal data indirectly from payment processors or public authorities that confirm tax or identity information. 

The personal data processed for contractual purposes may include your full name; contact details (e-mail address, phone number, postal address); personal identification number 

and/or date of birth; identity-document data; bank-account or payment-card details; the subject-matter of the contract (e.g., ordered services, pricing, delivery address); correspondence about performance; and any other information you choose to provide in connection with the agreement. 

The purpose of processing your data is to conclude, administer and perform the contract, handle payments, provide customer support and meet related legal obligations (e.g., invoicing, tax reporting). 

The legal basis of processing your data is performance of a contract to which you are a party or steps taken at your request prior to its conclusion (GDPR Art. 6 (1)(b)); compliance with legal obligations, such as accounting and tax laws (Art. 6 (1)(c)); and your consent, where we request it for specific ancillary actions (Art. 6 (1)(a)). 

Providing this data is necessary; without it we cannot conclude or perform the contract. 

We retain your personal data for ten (10) years after the contractual relationship ends, unless a longer period is required to establish, exercise or defend legal claims or to comply with statutory record-keeping duties. 

We may transfer your data to law-enforcement or other public authorities where such disclosure is required by applicable law, also third-party service providers who are listed below. Our chosen processors may process your personal data solely on our instructions and may not use it for any other purpose. They are additionally required to safeguard your data in accordance with applicable laws and the data-processing agreements we have concluded with them. 

Contracts with Legal Entities

We may obtain your personal data when you – as an employee or authorised representative of a company that contracts with us – negotiate, sign or amend an agreement on behalf of that company; exchange purchase orders, invoices or other business-related documents; or communicate with us by telephone, e-mail, online chat or similar electronic channels regarding the contract. We may also receive your personal data indirectly from public registers (e.g., company databases) or your employer as part of the contracting process. 

The personal data processed for this purpose may include your full name; job title or position; professional contact details (work e-mail address, telephone number, business address); signature; power-of-attorney or proof of authorisation; and any correspondence or notes relating to contract performance. 

The purpose of processing your data is to conclude, administer and perform the contract with the legal entity you represent, handle payments, coordinate deliveries or services, and address any contract-related questions or disputes. 

The legal basis of processing your data is our legitimate interest in concluding and performing agreements with corporate counterparts and ensuring effective business communications (GDPR Art. 6 (1)(f)). 

Providing this data is necessary; without it we could not properly administer the contract with your organization. 

We retain the personal data of company representatives for ten (10) years after the contractual relationship ends, unless a longer period is required to establish, exercise or defend legal claims or to comply with statutory record-keeping duties. 

We may transfer your data to law-enforcement or other public authorities where such disclosure is required by applicable law, also third-party service providers who are listed below. Our chosen processors may process your personal data solely on our instructions and may not use it for any other purpose. They are additionally required to safeguard your data in accordance with applicable laws and the data-processing agreements we have concluded with them. 

Communication by E-mail or Other Electronic Channels 

When you communicate with us by e-mail or other electronic means, the processing of the personal data you voluntarily provide is based on your consent – i.e., your decision to engage in such communication. If you correspond as an employee of a legal entity with which we have (or may have) contractual relations, the legal basis may instead be our legitimate interest (GDPR Art. 6 (1)(f)). 

Beyond contractual purposes, your data is also processed for internal administration. 

We process your e-mail address, message content and related data in line with the principle of proportionality. They are normally visible only to the direct recipient, but may be accessed or otherwise processed by other staff members in situations such as internal-policy enforcement, potential legal- or regulatory-breach investigations, employee substitution, or similar circumstances. 

We may transfer your data to law-enforcement or other public authorities where such disclosure is required by applicable law, also third-party service providers who are listed below. Our chosen processors may process your personal data solely on our instructions and may not use it for any other purpose. They are additionally required to safeguard your 

data in accordance with applicable laws and the data-processing agreements we have concluded with them. 

Use of Social Networks 

We may obtain your personal data when you interact with our social-media accounts – for example, by sending a direct message, writing a comment, or clicking “Like” or “Follow.” Please note that all content you post on a social-media platform is ultimately controlled by the platform provider. We encourage you to review the privacy notices of any third-party platforms and to contact those providers directly if you have questions about how they process your personal data. 

The purpose of processing your data is to respond to your inquiries, engage with our community, and promote our services. 

The legal basis of processing your data is your consent when you initiate the interaction, and our legitimate interest in marketing and customer engagement (GDPR Art. 6 (1)(f)). 

We do not copy or store social-media content in our internal systems. 

 

Disclosure of personal data to recipients

Your personal data may be disclosed to the following categories of recipients, as necessary to provide our services, comply with legal obligations, protect our rights, and support corporate operations: 

  • Reservation and booking platforms – to process reservations and manage booking channels. 
  • Payment processors and banks – to handle payments, deposits and banking transactions. 
  • IT, server, e-mail, cloud-storage and CRM service providers – to host our systems, store data securely, and send communications. 
  • Housekeeping, laundry, maintenance, catering and concierge partners – to deliver on-site guest services. 
  • Marketing and survey platforms – to distribute newsletters, promotions and collect guest feedback. 
  • Security and access-control contractors – to maintain CCTV monitoring, alarm systems and physical access control. 
  • Accounting, auditing and payroll providers – to prepare financial reports, process salaries and meet tax-reporting obligations. 
  • Legal advisers, notaries, bailiffs, debt-collection agencies and dispute-resolution bodies – to obtain legal advice, enforce contractual rights, audit records and resolve claims.
  • Recruitment-technology and HR-consultancy firms – to host applicant-tracking systems, conduct skills or psychometric testing, perform background/reference checks (with your consent) and provide administrative support for our HR processes. 
  • Analytics and business-intelligence platforms – to analyse operational data and improve our services. 
  • Prospective or actual acquirers of our business (or part thereof) and their authorised advisors – to conduct due diligence and facilitate corporate transactions. 
  • Public authorities, law-enforcement, supervisory bodies and courts – to comply with statutory requirements and respond to lawful information requests.

Each recipient receives only the data strictly necessary for his task, processes it solely on our documented instructions, and is bound by confidentiality and data-protection obligations under applicable law and our data-processing agreements. 

We do not sell, rent, or otherwise monetize your personal data to third parties for any purpose; we only use and share it as described in this policy to provide our services, fulfill legal obligations, and protect our legitimate interests. 

What are your rights and how can you use them 

Please note that upon exercising any of the rights listed below, you may be requested to provide additional information for identification purposes. Such additional information shall not be used for any other purposes. Without confirming that you are indeed the person whose personal data is being processed, we might not be able to fulfill your rights. 

We may also refuse to act on your request to exercise those rights – or charge a reasonable fee – if your request is manifestly unfounded or excessive, or in other cases permitted by applicable law. 

Choose not to provide your data 

If you withhold certain data, some features of our websites and other services may not be fully available to you (e.g., we may not process your bookings without the necessary details). 

Access your data 

You can request access to, or copies of, your personal data, also information on how we process and share it. Email info@lunvio.com. 

Correct, update or delete your data 

You can request to rectify, complete, restrict, or erase your personal data if it is inaccurate, unnecessary, or outdated. Email info@lunvio.com. 

Unsubscribe from marketing 

Every marketing message we send includes an unsubscribe link. You may withdraw your consent to direct marketing at any time. If you do so, we will promptly update our databases, and will not send you further direct marketing, but we may continue to contact you to the extent necessary for the purposes of any products or services you have requested. 

Object to or restrict processing 

Where we process your personal data on the basis of our legitimate interests (GDPR Art. 6 (1)(f)), you have the right to object at any time, on grounds relating to your particular situation, to such processing. If you believe our processing is unlawful or exceeds its stated purpose, you may also request that we restrict further processing. We will review any objection or restriction request promptly and inform you of the outcome. Email info@lunvio.com. 

Withdraw your consent 

You may at any time withdraw your consent to the processing of your personal data. If your consent is withdrawn, it does not prevent us from processing your personal data based on other lawful bases, such as for requirements set forth for us under applicable laws. The withdrawal of consent does not affect the lawfulness of any processing performed prior to the withdrawal. 

Data portability 

You have the right to data portability, which means you have your personal data transferred to another controller in a structured, commonly used and machine-readable format, to the extent applicable. 

Lodge a complaint 

If you believe our processing violates your rights, you may file a complaint with the Office of the Data Protection Ombudsman: https://tietosuoja.fi/en/home. 

How do we protect your personal data?

We have in place appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The safeguards include, for example, firewall protection of our systems and storing physical documents in locked premises. 

 

Automated decision-making

We do not use automated decisions or profiling that produce legal or similarly significant effects, such as automated rejection of job applications or dynamic pricing solely by algorithm. 

 

Do we process the personal data of children?

Our services and website are intended for adults (18+). We do not knowingly collect data from children and will delete such data if discovered. 

 

Do we transfer your data outside the EU/EEA?

We store all personal data on servers located in the EU/EEA and do not transfer it outside that area. If remote technical support from a non-EEA country is ever required, such transfer will take place only under EU Commission Standard Contractual Clauses or another lawful safeguard. 

Need more information? 

Please contact info@lunvio.com or write to Lappi Cabins Oy, Korpijoentie 575, 99550 Aska, Finland. We are happy to clarify any point in this Policy.