Privacy policy

Privacy policy

Privacy notice (CUSTOMERS)

Kalev SPA, OÜ Kalevi Veekeskus (hereinafter ‘we’) highly values the privacy of every customer (hereinafter ‘you’). In this privacy notice, we will explain what kind of data we collect about you, why we do it, what we do with your data and how we treat it.

Who are we?

The processor of personal data is Kalev SPA, OÜ Kalevi Veekeskus, Harjumaa, Tallinn, 18 Aia Street, 10111. Reg. code 11053554

Kalev Spa offers relaxing and active holidays through various well-being services, provided at the heart of Tallinn, in a spacious and modern spa hotel, water park and fitness centre.

We implement the necessary technical, physical and organisational safety measures to protect your personal data against loss, destruction and unauthorised access.

If you have any questions regarding the information provided in this privacy notice or if you wish to amend the data or request that the data no longer be processed, please contact us:

Hotel +3726493300

Water park and fitness centre +3726493370

We will reply to your letters within two working days. 

What data do we collect about you and who provides the data?

We collect the following data about you:

  • personal data: such as given name and surname, date of birth/national identification number, number of the identity document, language of communication
  • contact details: such as home address, phone number, e-mail address
  • bank details: bank, bank account number
  • company’s data: company name, registry code, location, position/occupation
  • transactional data: data relating to customer purchases
  • data relating to personal habits, preferences and contentment: e.g. data relating to how actively services are used as well as used services and customer satisfaction, also complaints data
  • visitor’s card data: data on the users of accommodation services required under the Tourism Act of Estonia, such as citizenship as well as the name, date of birth and citizenship of a spouse or a minor accommodated with the visitor, the period of provision of the accommodation services, car’s plate number etc.
  • credit card data: such as card number, name of the owner, period of validity
  • security camera footage: if you visit our accommodation facilities or other rooms that for security reasons have been equipped with video or other electronic or digital surveillance systems or devices
  • website usage and terminal equipment (computer, mobile, tablet etc.) data.

As a rule, we obtain the data directly from you when you make a booking or enquiry on our website, by phone or via email, or when you buy services on the spot.

Your data will be transmitted to us by our contractual partners/companies, online channels partners.

Your data is also transmitted to us by travel agents, booking agencies and other accommodation agents with whom you have booked your accommodation and/or other services with us. If we have not obtained the data directly from you, we will send you a privacy notice as soon as possible after obtaining the data.

Why do we need your data? What happens when you do not provide the data?

We use your data to provide the services you have requested or purchased, as well as to comply with the obligations imposed on us by the laws governing our activities. We also use it for general business purposes such as:

  • personal data  we need these data to identify you, which is important to ensure that the service is available for and provided to the person who ordered it and to ensure benefits/offers based on membership status. We also need these data to organise and manage the provision of pre-paid and periodic services and to comply with the obligations arising from the cooperation contracts. We use the personal data to protect our infringed or contested rights and to comply with our legal obligations.
  • contact details  we need these data to contact you and for direct marketing purposes (and to send promotional materials). First and foremost, we contact you by phone or e-mail, but in certain cases it may be necessary to use your home address (e.g. in case we cannot reach you by other means).
  • bank details  we need these data to comply with the obligations arising from the contractual relationship between us as well as from settlement obligations.
  • company’s data  we have an obligation to request these data due to the necessity arising from the conclusion of the contract.
  • transactional data  we need these data to better understand customers’ expectations and to offer customer services that are suitable and of high quality
  • visitor’s card data  we have an obligation to request these data pursuant to the Tourism Act. The aim is to avoid any danger stemming from illegal immigration, for example.
  • credit card data  we need these data because providing you with an accommodation service gives us the right to withhold a certain amount of money from your credit card to cover the cost of services or other expenses incurred by you. We also need these data to carry out an electronic payment during a website session (the payment is carried out in a safe environment for payments of the respective bank or service provider)
  • data relating to personal habits, preferences and contentment  if we ask for these data or you choose to disclose such data to us, we use them to provide you with a better service based on your wishes and interests.
  • website usage and terminal equipment data (also IP address)  the data are used to identify actions and habits on the website and to create a user profile based thereon for analytical purposes.

If you do not provide us with your personal data, we cannot provide you with the pre-paid, ordered or periodic services. In that case, we also cannot offer you the benefits based on the membership status.

If you do not provide your visitor’s card data, we cannot provide you the accommodation service.

What is the legal basis for the processing of your data?

We process your data on the basis of various legal grounds:

  • the need to enter into a contractual relationship with you or to conclude a contract with you
  • your consent − if the processing of your data is based on your consent, be aware that you have the right to withdraw your consent at any time
  • the need to comply with our legal obligations (e.g. filling in and maintaining a visitor’s card for two years pursuant to the Tourism Act)
  • the need to exercise our legitimate interests, including corporate governance and the implementation of general business activities; detection of law abuses and frauds.
  • the need to protect your or anyone else’s vital interests (e.g. by disclosing information about you to emergency services in the case of an accident)
  • in other situations provided for in the law.

Whom do we share your data with?

We do not share the data you entrust to us, except in the limited cases described below and if it is necessary for the purposes described in this privacy notice:

  • Service providers: like many other companies, we may order data processing services from trusted third-party service providers such as IT;
  • Public authorities and government bodies: we may share our data with such authorities when we are obliged to do so by law or when it is necessary to protect our rights;
  • Professional counsellors and other advisers: we may share your information with professional advisers such as auditors, lawyers and other professionals providing counselling services;
  • Third parties in connection with corporate deals; A company with whom we have concluded a cooperation contract for offering benefits to the company’s employees/members. Occasionally, we may share your data with third parties when closing corporate deals, e.g. when selling the company or a part thereof to another company. Similarly, in the framework of the restructuring of the company, the creation of a joint venture or a merger, as well as the transfer of the company’s assets or shares.

If we share your data with the above mentioned parties, we guarantee the protection of your data in the data-processing contract concluded between us and the other party.

We will not transfer your data to a foreign country. Your personal data will also not be stored in or transferred to outside the European Economic Area or to countries about which the data protection adequacy decision pursuant to Article 25 (6) of Directive 95/46/EC or pursuant to its successor document Article 45 (1) of Regulation (EU) 2016/679 has not been made.

For how long shall we store your data?

We store your data for as long as it is needed to achieve various data-processing objectives.

The company is guided by the following criteria when storing personal data:

  • we will store the data for as long as it is needed to provide our services
  • if a person has a user account or a membership card tied to the company, we will store their data for as long as the account/card is valid or for as long as such data is needed to provide services to them
  • if the company has a statutory, contractual or other similar obligation to store personal data, we will store the data for as long as it is necessary to perform such an obligation
  • after the termination of a contractual relationship, we will store certain data for as long as the person (data subject) or the company itself has the right to file claims against the other party on the basis of the contract

For example, pursuant to the requirements of the Tourism Act, we store the visitor’s card data for two years as of the date the card was completed. Credit card data is stored only until the accommodation contract between us has been properly completed, then they are archived.

If you have given us consent to send you direct marketing materials, we will store your contact data until you withdraw your consent. 

What are your rights in relation to your data?

As a data subject, you have the following rights:

  1. Right of access  you have the right to know what data are stored about you and how they are processed.
  2. Right to rectification  you have the right to request the rectification of your personal data if they are inaccurate.
  3. Right to erasure (‘right to be forgotten’)  in certain cases you have the right to request that we erase your personal data (for example, if we no longer need them, you withdraw your consent for processing the data, etc.).
  4. Right to restriction of processing  in certain cases you have the right to prohibit or restrict the processing of your personal data for a specific period (for example, when you have objected to the processing of data).
  5. Right to object  on grounds relating to your particular situation, you have the right to object to the processing of your personal data when processing is based on our legitimate interest or in the public interest. You can object to the data processing done for direct marketing purposes at any time.
  6. Right to data portability  you have the right to receive the personal data you have provided to a us in a machine-readable format. You also have the right to have the personal data transmitted directly to another data controller, but only if it is technically feasible. The right to portability applies only to the data that we process on the basis of your consent or to perform the contract concluded with you.
  7. Automated decision making (including profile analysis) − if we have informed you that we are making decisions based on automated processing (including profile analysis) that produces legal effects concerning you or similarly significantly affects you, then you can request not to be subject to a decision based solely on automated processing.


We shall do our best to address your requests and wishes in a timely manner and free of charge, except in cases where this would result in a disproportionate cost. If you are not satisfied with the answer provided by us, you can file a complaint with the Data Protection Inspectorate.