PRIVACY POLICY

Expedition Lapland

Last updated: 7 September 2025

1. Purpose of the Privacy Policy and General Provisions

This Privacy Policy defines the rules for collecting, processing, storing and protecting personal data of users of the Expedition Lapland website.

As the data controller, we are committed to ensuring the highest level of privacy protection for users of our services and to complying with applicable data protection laws, in particular:

• Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR),
• The Swedish Data Protection Act – Dataskyddslag (2018:218) and its supplementary regulations.

By using our website, contact forms, making bookings, or contacting us by phone, email or in person, you accept the principles set forth in this Privacy Policy.

2. Data Controller

The controller of your personal data is:
Discover North AB
Org nr 559548-4436
Slaggvägen 16, 98 261 Svappavaara, Sweden

Contact details:
office@expeditionlapland.com
+46 76 006 82 36

3. What data do we collect?

When using our website and to provide our services, we may collect and process the following personal data:

• first and last name
• date of birth,
• email address,
• phone number,
• data necessary to process payments,
• accommodation address during the service,
• clothing and shoe size,
• information about allergies or physical limitations (special category data – processed only with your consent),
• technical data related to website use (e.g., IP address, device information, logs).

Data may be provided via online forms, when placing an order, or during contact via email, phone, or in person.

Providing personal data is voluntary, but necessary to deliver our services, process bookings and communicate with you.

In justified cases, we may request additional data if required for the proper provision of a specific service.

4. Purposes of data processing

We process your personal data for the following purposes:

• first and last name
• Provision of tourist services – organisation, preparation and delivery of booked activities.
• Customer communication – responding to inquiries, sending confirmations, organisational information.
• Marketing of our own services – sending information about new offers and promotions (based on legitimate interest or consent where required).
• Establishing, exercising or defending legal claims.
• Compliance with legal obligations, including accounting and tax regulations.

We do not use automated decision-making or profiling.

5. Legal bases for processing

Processing is carried out on the basis of:

GDPR:

• Article 6(1)(b) – performance of a contract or steps prior to entering into a contract,
• Article 6(1)(f) – legitimate interests of the controller (marketing, communication, defence against claims),
• Article 6(1)(a) – consent,
• Article 6(1)(c) – compliance with a legal obligation,
• Article 9(2)(a) – explicit consent for processing special category data (e.g., allergies).
• Compliance with legal obligations, including accounting and tax regulations.

Applicable Swedish legislation:

• Dataskyddslag (2018:218) – the Swedish Data Protection Act supplementing GDPR,
• Lag (2003:389) om elektronisk kommunikation – applicable to cookies and electronic marketing,
• Konsumentköplagen (2022:260) and Distansavtalslagen (2005:59) – consumer protection and the right of withdrawal for distance contracts.

6. Data recipients

Your data may be shared with:

• IT service providers (hosting, booking systems, payment processors),
• subcontractors assisting in the delivery of tourist activities (e.g., guides, transport providers, partner agencies),
• legal, advisory and accounting service providers,
• public authorities when required by law.

Our website may contain links to third-party websites. Discover North AB is not responsible for the privacy practices of those third parties.

We do not transfer personal data outside the European Economic Area (EEA).

7. Data retention period

Personal data is stored:

• for the time necessary to provide services and manage customer communication,
• as required by Swedish accounting regulations (generally 7 years, per Bokföringslag),
• until consent is withdrawn (where processing is based on consent),
• until the expiry of limitation periods for potential claims.

8. Your rights

Under GDPR and the Swedish Data Protection Act, you have

• access your data,
• rectify your data,
• erase your data (“right to be forgotten”),
• restrict processing,
• object to processing,
• data portability,
• withdraw consent at any time (if processing is based on consent).

You have the right to lodge a complaint with the Swedish supervisory authority: I

Integritetsskyddsmyndigheten (IMY)

www.imy.se

9. Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy.

Any updates will be published on our website.