Privacy Policy

Boreas Center AB
Org. Nr.: 559520-2085
Kardis 217, 98492 Pajala, Sweden
Email: info@boreas.center
Phone: +46 73 231 90 83
Website: https://boreas.center
Hosting provider (processor): All-Inkl.com, Germany

1. Who we are

We are Boreas Center AB, an experience agency in Pajala, Lapland, offering accommodation and outdoor activities. We operate this website and act as the data controller for the processing explained here, unless otherwise stated.

2. What personal data we collect and why (legal bases)

  • Website usage & server logs (Art. 6(1)(f) GDPR – legitimate interests: security & performance). Our host automatically processes IP address, date/time, URL, referrer, user agent and similar technical data to provide the site securely. Logs are typically retained for a short period and then deleted automatically.
  • Enquiries / contact (WPForms) (Art. 6(1)(b) GDPR – steps prior to a contract; or Art. 6(1)(f) – legitimate interest in responding). If you contact us (e.g., via a form or email), we process the data you provide (name, email, message) to handle your request.
  • Bookings via partners (Booking.com, Airbnb, Expedia) (their privacy policies apply; we act on Art. 6(1)(b) GDPR to manage your stay). We receive only the information required to confirm and manage your reservation. These platforms are independent controllers.
  • Activities by partner agencies (independent controllers). When you book activities via our partners or with a voucher code, your data is processed by the respective provider under their own privacy notice.
  • Visitor statistics (WP Statistics) (Art. 6(1)(f) GDPR – legitimate interest in analysing website use). We use the WordPress plugin “WP Statistics” to measure visits. The plugin works without cookies and stores anonymised IP addresses locally on our server. Data is not shared with third parties and is deleted automatically after a limited time.
  • Live chat (3CX Live Chat) (Art. 6(1)(a) GDPR – consent; Art. 6(1)(f) GDPR – legitimate interest in customer support). When you use our chat widget, technical information (IP address, browser, operating system, time of access) and the data you enter (name, email, chat messages) are processed. Chat transcripts may be stored to follow up on your request. If 3CX cloud servers are used, data may be transmitted to 3CX (provider: 3CX Ltd., Cyprus) under a processing agreement.

3. Cookies & embedded services

  • Essential cookies (Art. 6(1)(f) GDPR). We use strictly necessary cookies for basic site functions (e.g., session, preferences). These cannot be switched off in our systems.
  • Cookie banner (Complianz). We use a consent banner to inform you about cookies and, where applicable, obtain consent (Art. 6(1)(c) GDPR compliance; Art. 6(1)(a) consent). Your choices are stored in a consent cookie.
  • Google Fonts – locally hosted. We host required font files locally (via OMGF / theme settings). No connection to Google’s servers is made for fonts.
  • Google Maps (only when displayed). When a map is embedded, Google Ireland/LLC may receive your IP & device data (Art. 6(1)(a) GDPR – consent). See Google’s policy: policies.google.com/privacy.
  • YouTube (only when embedded). Playing a video may transmit data to Google/YouTube (Art. 6(1)(a) GDPR – consent). We recommend “privacy-enhanced mode” where possible.
  • Facebook & WhatsApp buttons/plugins. If share or chat buttons are present, these providers may receive technical data when you interact (Art. 6(1)(a) GDPR – consent). Please see the providers’ privacy notices.

You can manage your choices at any time via the consent banner link in the footer.

4. Payments

We do not process payments on this website. Payments are handled by Booking.com, Airbnb or Expedia under their terms. We do not store or process credit card data on our servers.

5. Recipients & processors

  • Hosting & infrastructure: All-Inkl.com (Germany) processes server logs and hosts our website on our behalf (Art. 28 GDPR data processing agreement).
  • WordPress plugins/services: Elementor (site rendering), WPForms (contact forms), Complianz (consent management), OMGF (local fonts), WP Statistics (local analytics). These operate within our hosting environment; where applicable we have data processing terms in place.
  • Chat service provider: 3CX Ltd. (Cyprus) may process chat data if their cloud infrastructure is used. A data processing agreement is in place. If the chat runs locally on our hosting, data remains on our servers.
  • Independent controllers: Booking.com, Airbnb, Expedia and external activity partners act under their own privacy notices and responsibilities.

6. Data retention

  • Server logs: automatically deleted by the host after a short period (typically 7–14 days), unless needed for incident investigation.
  • Enquiries: kept only as long as necessary to process and document your request; legal retention may apply.
  • Booking-related data: retained as required by Swedish accounting/tax law and then deleted or anonymised.
  • Consent records: stored until you withdraw or the record is no longer required for compliance.
  • Visitor statistics: anonymised and deleted automatically after a defined retention period (usually 6 months).
  • Chat data: stored for as long as necessary to respond to your request and then deleted, usually within 6 months, unless legal retention applies.

7. Your rights under GDPR

You have the right to access, rectify, erase or restrict processing of your personal data, the right to data portability and to object to processing (Art. 15–21 GDPR). Where we rely on consent, you can withdraw it at any time with future effect. To exercise these rights, contact us at info@boreas.center.

8. Supervisory authority

If you believe your rights are infringed, you may lodge a complaint with the Swedish Authority for Privacy Protection (IMY): https://www.imy.se.

9. Security

We implement appropriate technical and organisational measures to protect your data (e.g., TLS encryption, access control, least-privilege administration) and work with reputable hosting providers in the EU.

10. Children

Our website and services are not directed to children. We do not knowingly collect data from children.

11. Updates

We may update this Privacy Policy to reflect changes in our practices or legal requirements. The current version is published on this page. Last updated: September 2025.

Scroll to Top