Privacy Policy

Lakita AB — the legal entity operating Lakita Lodge — is the data controller responsible for your personal data under the General Data Protection Regulation (GDPR) and applicable Swedish data protection law.

Lakita AB
Registration No. 559455-6283
Bäcklunda 110, 923 99 Storuman, Sweden
contact@lakitalodge.com
+46 70 294 27 08

For any question relating to this policy or to your personal data, please contact us directly. We will acknowledge your request within 72 hours and respond in full within one calendar month.

We collect personal data only when it is necessary for a specific, lawful purpose. Depending on your interaction with us, this may include:

• Booking and guest data — full name, email address, telephone number, travel dates, guest composition (including ages and the number of children), dietary requirements and food allergies, and flight details for airport transfers.
• Health and safety data — medical conditions, physical limitations, or allergy information that you disclose to enable safe participation in our activities. This is special category data under GDPR Art. 9 and is processed only with your explicit consent.
• Financial records — payment confirmations and invoice details, required for accounting and legal compliance. Card data is handled exclusively by our payment processor; we do not store card numbers at any stage.
• Communications — correspondence you send us by email, contact form, or other means, and any preferences or requests expressed therein.
• Website analytics — anonymised, aggregated data on how visitors use our site (pages visited, session duration, device type), collected through our own system. We do not use third-party analytics platforms that track individuals across the web.

We process your personal data only where a clear lawful basis exists under GDPR. Each purpose is mapped below.

• Contract performance — Art. 6(1)(b): All processing necessary to manage your booking and deliver your stay — guest communications, activity coordination, dietary arrangements, transfers, and invoicing. Without this data, we cannot fulfil the services you have engaged us to provide.
• Legal obligation — Art. 6(1)(c): Retention of financial and accounting records as required by Swedish law (Bokföringslagen), and compliance with any other applicable statutory obligation.
• Legitimate interests — Art. 6(1)(f): Anonymised website analytics to improve our services, security logging to protect our systems, and responding to enquiries from prospective guests. In each case we have assessed that our interests do not override your rights and freedoms.
• Consent — Art. 6(1)(a): Any marketing or promotional communications we send you. You will always be asked explicitly before being added to any mailing list. Consent may be withdrawn at any time by contacting us or using the unsubscribe link in any email we send.
• Explicit consent — Art. 9(2)(a): Health information and any other special category data you share with us for the purposes of activity safety. You may withdraw this consent at any time; however, doing so may limit our ability to confirm your safe participation in certain activities.

Information you provide about food allergies, medical conditions, or physical limitations constitutes special category data under GDPR Art. 9, and is handled with the highest level of care.

We process it solely to ensure your safety and the quality of your experience. It is shared only with the team members directly involved in your stay, retained no longer than six months after departure, and never used for commercial purposes. We will always seek your explicit, informed consent before recording this information.

Please note that Lakita Lodge operates in a remote area of Swedish Lapland where emergency services response times may be significantly longer than in urban settings. If you carry an epinephrine auto-injector or similar device, we ask that you inform our team on arrival so its location can be noted — a precaution we take seriously.

We retain each category of personal data only for as long as its purpose requires. The periods below apply across our operations.

• Booking records and financial data — 7 years from the close of the calendar year in which the booking was made, in accordance with Swedish accounting law (Bokföringslagen 2:10).
• Guest profiles and stay details — 3 years from the date of your last stay, to allow continuity of service and resolution of any disputes that may arise.
• Health and special category data — deleted within 6 months of your departure, unless you request earlier erasure.
• Marketing consent and communication records — until you withdraw consent, then deleted within 30 days. Consent records (date, channel, and scope) are retained for 3 additional years for accountability purposes.
• Enquiry data (no booking confirmed) — 12 months from your last contact with us.
• Website analytics (anonymised) — 13 months on a rolling basis.
• Security and server logs — 90 days.

At the end of each retention period, data is securely deleted or irreversibly anonymised. We do not retain personal data beyond what each purpose requires.

We work with a small number of carefully selected service providers who act as data processors on our behalf. Each is bound by a data processing agreement and required to meet GDPR-compliant standards. Our current categories of processors are as follows.

• Cloud hosting and content delivery — our website and administrative systems are hosted on infrastructure subject to EU-equivalent data protection guarantees.
• Email delivery infrastructure — a dedicated mail service handles the delivery of booking confirmations, invoices, and administrative correspondence. No marketing profiling is performed by this provider on our behalf.
• Payment processing — payments are handled by a PCI-DSS certified provider. We do not receive or store full card details at any stage of the transaction.
• Booking and guest management — our internal reservation system, accessible exclusively to authorised members of our team.

We do not engage third-party advertising networks, social media data brokers, or cross-site behavioural analytics platforms. We will update this section if our processor arrangements change in a way that is material to your rights.

We aim to process all personal data within the European Economic Area (EEA). Where a service provider operates outside the EEA — such as cloud infrastructure hosted in the United States — we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, supplementary technical and organisational measures.

You may request details of the specific safeguards applicable to any transfer by contacting us at contact@lakitalodge.com.

As a data subject under GDPR, you hold the following rights. We take each of them seriously and will always respond substantively, not procedurally.

• Right of access (Art. 15) — you may request a copy of the personal data we hold about you, together with information on how it is used and the basis on which it is retained.
• Right to rectification (Art. 16) — if any data we hold is inaccurate or incomplete, you may ask us to correct it without undue delay.
• Right to erasure (Art. 17) — also known as the right to be forgotten, you may request deletion of your personal data where there is no longer a lawful basis to retain it.
• Right to restriction of processing (Art. 18) — in certain circumstances, you may ask us to suspend processing while a dispute or objection is resolved, without requiring full deletion.
• Right to data portability (Art. 20) — where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format for transfer to another controller.
• Right to object (Art. 21) — you may object at any time to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling grounds that override your interests, rights, and freedoms.
• Rights in relation to automated decision-making (Art. 22) — we do not make automated decisions about you, nor do we engage in profiling. This right is noted here for completeness.
• Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, please write to us at contact@lakitalodge.com. Include sufficient detail for us to locate your data accurately. We will respond within one calendar month; complex or multiple concurrent requests may require up to three months, in which case we will notify you without delay.

Cookies are small text files placed on your device when you visit a website. Under the EU ePrivacy Directive and GDPR, any cookie that is not strictly necessary for the site to function requires your prior, freely given, and informed consent before being set.

What we currently use: The Lakita Lodge website uses only strictly necessary cookies — those essential for the site to load and operate correctly (for example, maintaining session state). These do not require consent and cannot be declined without disrupting basic site functionality.

What we do not use: We do not currently deploy advertising cookies, social media tracking pixels, or third-party analytics cookies that identify or follow individuals across websites. We do not use Google Analytics or any equivalent cross-site tracking service.

Should this change: If we introduce non-essential cookies in the future — for analytics, personalisation, or any other purpose — we will implement a compliant consent mechanism before setting those cookies, in accordance with EU ePrivacy rules. This policy will be updated accordingly, and your consent will be sought afresh for any new category of cookie. You may also manage or delete cookies at any time through your browser settings; disabling strictly necessary cookies may affect site functionality.

We do not engage in automated decision-making or profiling of any kind. No decision with a legal or similarly significant effect on you is made by automated means alone. Every guest interaction at Lakita Lodge involves a member of our team.

If you believe we have not handled your personal data in accordance with applicable law, we encourage you to contact us first — we would welcome the opportunity to address your concern directly and promptly.

If you remain unsatisfied after contacting us, you have the right to lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
+46 8 657 61 00
www.imy.se

If you are resident in another EU member state, you may alternatively contact the supervisory authority in your country of residence.

We may update this Privacy Policy from time to time — to reflect changes in our operations, legal requirements, or best practice. The date at the top of this page indicates when the policy was last revised.

Where a change materially affects how we process the personal data of a guest with an active or upcoming booking, we will notify that guest directly rather than relying solely on a general update to this page.