At Nurobouncetral, we believe that respect for our guests starts with respect for their personal information. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.
1. Data Controller
The data controller for personal information collected through Nurobouncetral.tattoo and on our premises is:
Nurobouncetral
Aurorakatu 12, 96100 Rovaniemi, Finland
Email: [email protected]
Data Protection Officer (DPO): [email protected]
2. Data We Collect
We collect personal data only when it is necessary to deliver our services, fulfil legal obligations, or improve your experience. Categories of data we may collect include:
- Identity data: first and last name, date of birth, nationality, passport or ID number (where legally required at check-in).
- Contact data: email address, postal address, phone number.
- Reservation data: arrival and departure dates, room type, special requests, accompanying guests.
- Payment data: card type, last four digits, billing address. Full card data is processed by our PCI-DSS-compliant payment provider and is not stored on our servers.
- Preference data: dietary requirements, accessibility needs, marketing preferences, language.
- Technical data: IP address, browser type, device identifiers, pages viewed, referral source.
- CCTV imagery: recorded in public areas of the property for security purposes.
3. Legal Basis for Processing
Under GDPR, we process personal data only when we have a valid legal basis:
- Contract: to fulfil your reservation and provide hospitality services.
- Legal obligation: registration of guests, tax records, anti-money-laundering rules.
- Legitimate interest: security, fraud prevention, internal analytics, service improvement.
- Consent: for marketing communications, optional cookies, and certain non-essential processing.
4. How We Use Your Data
Personal data is used to:
- Confirm, modify, or cancel your reservation;
- Personalise your stay and tailor on-site experiences;
- Process payments and issue invoices;
- Comply with legal and regulatory requirements (e.g. guest registration);
- Communicate with you about your booking, services, and (where you have consented) special offers and events;
- Improve the performance, security, and content of our website;
- Respond to enquiries, complaints, or feedback.
5. Sharing Your Data
We do not sell personal data. We may share data with carefully selected third parties only when necessary, including:
- Booking and channel-management partners;
- Payment service providers (Stripe, Adyen, or similar PCI-DSS-certified processors);
- Email and CRM platforms used for guest communication;
- IT, hosting, and analytics providers operating within the EU/EEA;
- Authorities and law enforcement, where required by Finnish or EU law.
All third-party processors are bound by data-processing agreements that ensure equivalent levels of protection.
6. International Transfers
Your personal data is primarily stored within the European Economic Area (EEA). In the rare event that data needs to be transferred outside the EEA, we ensure adequate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
7. Data Retention
We retain personal data only as long as necessary for the purpose collected:
- Reservation records: up to 6 years after stay (Finnish accounting law);
- Marketing data: until you withdraw consent;
- CCTV footage: maximum 30 days, unless required for an investigation;
- Website analytics: up to 14 months in anonymised form.
8. Your Rights Under GDPR
As a data subject, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten") where applicable;
- Restrict or object to certain processing activities;
- Withdraw consent at any time, where consent is the legal basis;
- Data portability — receive your data in a structured, machine-readable format;
- Lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).
To exercise any of these rights, please contact [email protected]. We will respond within 30 days.
9. Security Measures
We apply industry-standard technical and organisational measures to safeguard personal data, including encryption in transit (TLS), restricted-access servers, role-based authentication, regular security audits, and staff training on data protection.
10. Children's Privacy
Our services are not directed at children under 16. We do not knowingly collect personal data from children without parental consent. Bookings by minors must be made by a parent or legal guardian.
11. Changes to This Policy
We may update this Privacy Policy to reflect operational, legal, or regulatory changes. Significant changes will be communicated via our website or by email when appropriate.
12. Contact
If you have questions about this policy or how we handle your data, please reach out to our Data Protection Officer at [email protected] or write to us at the address above.