How we look after your personal data

At The Lodge, we take the privacy of our guests, employees and partners seriously. This policy explains what personal data we collect, how we use it, how we protect it, what rights you have, and how to get in touch with us on data protection matters.

This policy was last updated on 17 April 2026.

1. Data controller

The controller of your personal data is:

Väderkullen The Lodge AB
Swedish company registration number: 559244-4888
Södra Ugglarp 621
247 98 Genarp, Sweden
Phone: +46 46 24 89 05
Email: info@thelodge.se

2. Our Data Protection Officer

If you have any questions about how we process your personal data, or wish to exercise any of your rights under GDPR, please contact our Data Protection Officer, Mikael Goldner:

Email: dpo@thelodge.se

We will respond as soon as possible, and within one month at the latest.

3. What personal data we collect

The data we collect depends on your relationship with us.

Guests and bookers

Name, address, phone number, email address
Booking history, dates of stay, room type, preferences
Payment information (handled by our payment partner)
Any requests or notes you choose to share with us in free-text fields

Spa guests

The same basic information as for hotel bookings
Health information you choose to share ahead of a treatment, such as allergies, pregnancy or medical conditions that are relevant for us to deliver the treatment safely

Conference and corporate guests

Contact details of the person making the booking
Company name and invoicing details
Participant lists you share with us

Newsletter subscribers

Name and email address
Information about when you subscribed and how you have engaged with our newsletters

Job applicants

CV, cover letter and contact details
Any other information you choose to share through Teamtailor

Employees

Contact details, personal identity number, bank details, emergency contact
Information related to your employment (contract, salary, schedule, absence)

Suppliers and partners

Contact details of the people we work with at supplier companies
Invoicing information

Visitors to our website and social media

Information collected through cookies and similar technologies, including IP address and device information
Messages you send us via Facebook, Instagram or LinkedIn
Reviews you publish on Tripadvisor or Google where you identify yourself by name

4. Why we process your data and our legal basis

Under GDPR, every processing of personal data must have a lawful basis. These are the main ones we rely on:

Contract

When you book a room, spa, restaurant visit or conference, we need your data to fulfil the booking. The same applies to agreements with suppliers and employees.

Legal obligation

The Swedish Accounting Act requires us to keep records of invoices and payroll for seven years. Tax and labour law place similar requirements on how we handle employee data.

Consent

We rely on your consent when we send you newsletters, when we process health information you share ahead of a spa treatment, and for certain cookies on our website. You can withdraw your consent at any time.

Legitimate interest

We have a legitimate interest in following up on enquiries from potential guests, improving our service through guest surveys via Loopon, communicating with you when you write to us by email or on social media, and responding to reviews. In each case we have carefully balanced our interest against your privacy.

5. How long we keep your data

We only keep your data for as long as we need it for the purpose we collected it for.

Booking records and invoices: seven years, as required by the Swedish Accounting Act.
Guest profiles not tied to invoicing: up to two years after your most recent stay, after which the data is deleted or anonymised.
Newsletter subscriptions: until you unsubscribe.
Guest surveys via Loopon: 24 months.
Recruitment data: 24 months in Teamtailor, after which the data is deleted if you are not employed.
Employee records: during employment and for as long as required by law afterwards (typically up to ten years for certain documents).
Health information ahead of a spa treatment: deleted after the treatment has been carried out.
Cookies and web analytics: varies, see the cookie tool on the website.

6. Who we share your data with

We only share your data for the purposes it was collected for. The parties that receive data on our behalf are our data processors, and they may only process the data according to our instructions and under a valid data processing agreement.

Our main data processors are:

Spectra Systems AB – booking system for hotel, spa, restaurant, conference and gift cards
Anpassen Nordic AB (Apsis) – newsletter service
Loopon AB – guest surveys
Nets Denmark A/S – payment terminals
Microsoft Ireland Operations Ltd – email and file sharing
Google Ireland Ltd – web analytics, advertising and email for conference bookings
Meta Platforms Ireland Ltd – messages through Facebook and Instagram, and advertising
LinkedIn Ireland Unlimited Company – messages and engagement on LinkedIn
Tripadvisor LLC – review platform

In addition, we work with a small number of other suppliers who process a limited amount of personal data on our behalf, such as point-of-sale systems in the restaurant, recruitment software, external accounting and payroll services, laundry and cleaning. All of them are covered by data processing agreements.

We may also need to share data with authorities when we are required to do so by law.

7. Transfers outside the EU and EEA

Some of our processors, in particular Google, Meta, Microsoft and LinkedIn, are groups with operations outside the EU and EEA. This means your data may in some cases be processed in what is called a third country, most often the United States.

When that happens, we make sure the transfer is covered by the European Commission’s Standard Contractual Clauses (SCC) or another valid transfer mechanism under Chapter V of GDPR, so that your privacy is protected at a level equivalent to EU standards.

8. Cookies and web analytics

Our website uses cookies to improve your experience, to measure visitor statistics and to show you relevant ads. We use Cookiebot to manage your consent.

The first time you visit thelodge.se, you choose which categories of cookies you want to allow. You can change your choice at any time through the link in the footer of the website.

Necessary cookies that are required for the site to function do not need your consent. Other cookies, such as analytics and marketing cookies, are only used with your consent.

9. Your rights

GDPR gives you a number of rights when we process your personal data. You have the right to:

Be informed about what data we process about you and how.
Access a copy of the data we hold about you.
Rectification of incorrect data.
Erasure of your data where we are not required by law to keep it.
Restrict processing while we look into an objection or request for rectification.
Data portability, where the processing is based on consent or contract.
Object to processing based on legitimate interest, including direct marketing.
Withdraw your consent where processing is based on consent.

To exercise any of these rights, send an email to dpo@thelodge.se. We may ask you to verify your identity so that we do not release data to the wrong person.

10. If a personal data breach occurs

If something happens to your data, such as unauthorised access or accidental loss, we will document the incident and notify the Swedish Authority for Privacy Protection (IMY) within 72 hours if the breach poses a risk to you. Where the risk is high, we will also inform you directly.

11. Complaints to the supervisory authority

If you believe we are processing your personal data in breach of applicable data protection law, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection:

Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm, Sweden
Email: imy@imy.se
Website: www.imy.se

We would appreciate the chance to answer your questions first, before you contact IMY, so that we can clear up any misunderstandings directly.

12. Changes to this policy

We update this policy when we change how we process personal data or when the law changes. The latest version is always available on this page, with the date of the most recent update at the top.