Privacy Policy

1. Introduction

Grand Casino Hotel ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our hotel services and website.

Important: Grand Casino Hotel is a luxury hospitality establishment providing accommodation, dining, spa, and entertainment services.

2. Information We Collect

2.1 Information You Provide

• Reservation information (name, contact details, dates, preferences)
• Guest registration details and identification
• Payment information for bookings and services
• Special requests and accessibility needs
• Feedback and survey responses
• Loyalty program information

2.2 Information Automatically Collected

• Device information (device type, operating system, browser type)
• Website usage data (pages visited, time spent, features used)
• Technical data (IP address, cookies, log files)
• Location data (with your consent)
• Analytics data through Microsoft Application Insights
• Google Analytics data (if you consent to analytics cookies)

2.3 Cookies and Tracking Technologies

We use essential cookies for booking functionality and may use analytics and marketing cookies with your consent. See our Cookie Policy for detailed information.

3. How We Use Your Information

We use your information to:

• Process hotel reservations and provide accommodation services
• Manage check-in/check-out processes
• Provide dining, spa, and entertainment services
• Process payments and manage billing
• Communicate about your stay and services
• Improve our hotel services and guest experience
• Send promotional offers and loyalty program benefits
• Ensure security and prevent fraud
• Comply with legal obligations and regulations
• Analyze usage patterns and performance (with consent)

4. Legal Basis for Processing (GDPR)

We process your personal data based on:

• Contract: To fulfill hotel reservations and provide services
• Legitimate Interest: To improve services and ensure security
• Legal Obligation: To comply with hospitality regulations and tax requirements
• Consent: For marketing communications and analytics cookies

5. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

• Service Providers: With trusted third parties who help us operate our hotel (payment processors, booking systems, cleaning services)
• Legal Requirements: When required by law or to protect our rights and guest safety
• Business Partners: With tour operators, travel agencies, and event organizers (with your consent)
• Emergency Services: When necessary for guest safety and security
• Business Transfers: In connection with a merger, sale, or acquisition

6. International Data Transfers

Your information may be transferred to and processed in countries outside the European Economic Area (EEA) and Finland, including:

• United States: Microsoft Azure services, Google Analytics 4, payment processors
• Canada: Microsoft Application Insights
• Ireland: Google Analytics 4 data processing
• Netherlands: Content delivery networks

6.1 GDPR Safeguards for International Transfers

We ensure appropriate safeguards are in place for international data transfers through:

• Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
• Adequacy Decisions: European Commission adequacy decisions where applicable
• Microsoft Azure: EU Data Boundary compliance and SCCs
• Google Analytics 4: EU data processing agreement and SCCs
• Data Processing Addendums (DPAs): With all third-party processors
• Privacy Shield Successor: EU-US Data Privacy Framework (where applicable)

6.2 Finland-Specific Data Processing

As a Finnish company, we comply with:

• Finnish Personal Data Act (Henkilötietolaki 1050/2018)
• Finnish Consumer Protection Act (Kuluttajansuojalaki 38/1978)
• Finnish Electronic Communications Act (Sähköisen viestinnän palvelulaki 917/2014)
• Finnish Hotel and Restaurant Act (Majoitus- ja ravitsemistoimintalaki 308/2006)
• Tietosuojavaltuutettu (Finnish Data Protection Ombudsman) guidelines

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Security measures include:

• SSL/TLS encryption for data transmission
• Secure cloud hosting with Microsoft Azure
• PCI DSS compliance for payment processing
• Regular security assessments and audits
• Access controls and staff training
• Physical security measures at hotel premises

8. Your Rights and Choices (GDPR)

Under GDPR, you have the right to:

• Access: Request information about the personal data we hold about you
• Rectification: Request correction of inaccurate personal data
• Erasure: Request deletion of your personal data ("right to be forgotten")
• Portability: Request a copy of your data in a portable format
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to certain processing of your data
• Withdraw Consent: Withdraw consent where processing is based on consent

To exercise these rights, contact us at: privacy@grandcasinohotel.com

We will respond to your request within 30 days as required by GDPR.

9. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy:

• Guest Records: 7 years (Finnish tax and hospitality regulations)
• Reservation Data: 3 years after stay completion
• Payment Information: As required by PCI DSS and tax law
• Analytics Data: 26 months (Google Analytics standard)
• Marketing Communications: Until you unsubscribe
• CCTV Footage: 30 days (security purposes)

10. Third-Party Services

Our hotel may use third-party services that have their own privacy policies:

• Microsoft Application Insights: Analytics and performance monitoring (Canada/EU)
• Google Analytics 4: Website analytics with EU data processing (Ireland)
• Microsoft Azure: Cloud hosting and data storage (EU regions)
• Payment Processors: Secure payment processing (PCI DSS compliant)
• Booking Systems: Third-party reservation platforms
• Email Services: Marketing and communication platforms

10.1 Data Processing Locations

• Primary hosting: Microsoft Azure EU regions (Ireland, Netherlands)
• Analytics: Google Analytics 4 with EU data processing
• Application monitoring: Microsoft Application Insights (Canada)
• CDN: Content delivery networks in EU/EEA
• Payment processing: EU-based secure payment gateways

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending email notification for significant changes
• Displaying a prominent notice on our website
• Notifying guests during check-in for major changes

12. Contact Information

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

12.1 Data Controller

Grand Casino Hotel Oy (Data Controller)
Business ID: FI-87654321
Address: 123 Luxury Boulevard, Helsinki, Finland
Email: legal@grandcasinohotel.com
Phone: +358 9 1234 5678

12.2 Data Protection Officer (DPO)

Email: dpo@grandcasinohotel.com
Response Time: 72 hours for DPO inquiries
Languages: Finnish, English
GDPR Article 37: DPO appointed for data protection compliance

12.3 Contact Details

• Privacy Email: privacy@grandcasinohotel.com
• General Support: info@grandcasinohotel.com
• Reservations: reservations@grandcasinohotel.com
• Response Time: 48-72 hours for privacy inquiries
• Finnish DPA: Tietosuojavaltuutettu (tietosuoja.fi)
• EU DPA Network: European Data Protection Board