This Privacy Policy explains how Ruka Northern Lights Tours ("we", "us", "our"), a tour operator based in Kuusamo, Finland, collects, uses and protects your personal data. We are committed to handling your information in accordance with the EU General Data Protection Regulation (GDPR) and applicable Finnish data protection law. If you have any questions, please contact us before submitting your data.
Who We Are
The data controller responsible for your personal data is:
- Business name: Ruka Northern Lights Tours
- Address: Ouluntaival, Ruka, 93600 Kuusamo, Finland
- Email: bookings@rukanorthernlightstours.com
- Telephone: +358 465 630 404
- Website: https://rukanorthernlightstours.com
We operate under Finnish law and are subject to the supervision of the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu).
What Data We Collect
Booking Data
When you make a booking or enquiry, we collect:
- Full name
- Email address
- Phone number
- Booking dates, tour preferences and group size
- Any special requirements or accessibility needs you choose to share
- Payment transaction reference (we never store raw card numbers — card data is processed exclusively by Stripe and never touches our servers)
Contact Form Enquiries
If you contact us via our enquiry form or by email, we collect your name, email address and the content of your message.
Analytics Data
We may use Google Analytics 4 (GA4) to understand how visitors interact with our website. If enabled, GA4 may collect:
- Anonymised IP address
- Browser type and device type
- Pages visited, time on site, referral source
- General geographic region (country/city level only)
Analytics cookies are optional. You can decline them at any time — see our Cookie Policy for details.
How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Process and fulfil your booking | Name, email, phone, booking details, payment reference | Performance of a contract (Art. 6(1)(b)) |
| Send booking confirmations, itinerary updates and pre-tour information | Name, email, phone | Performance of a contract (Art. 6(1)(b)) |
| Respond to enquiries and provide customer support | Name, email, message content | Legitimate interest (Art. 6(1)(f)) |
| Maintain financial records as required by Finnish law | Name, booking details, payment reference | Legal obligation (Art. 6(1)(c)) |
| Improve our website and services via analytics | Anonymised usage data (GA4) | Legitimate interest / Consent (Art. 6(1)(a) or (f)) |
| Send you follow-up satisfaction messages or re-booking offers (only if you have booked with us) | Name, email | Legitimate interest (Art. 6(1)(f)) — you may opt out at any time |
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
Legal Basis Under GDPR
We rely on the following legal grounds as permitted by GDPR Article 6:
- Contract (Art. 6(1)(b)): Processing is necessary to fulfil a booking you have made or to take steps at your request before making a booking.
- Legal obligation (Art. 6(1)(c)): We are required to retain certain financial and booking records under Finnish accounting and tax law.
- Legitimate interest (Art. 6(1)(f)): We have a legitimate interest in responding to enquiries, improving our services, and communicating with past guests, provided that interest does not override your fundamental rights.
- Consent (Art. 6(1)(a)): Where we rely on consent — for example for optional analytics cookies — you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
How Long We Keep Your Data
| Data Category | Retention Period | Reason |
|---|---|---|
| Booking records (name, contact, tour details, payment reference) | 3 years from tour date | Finnish accounting law; dispute resolution |
| Email and contact enquiries | 12 months from last contact | Customer support and follow-up |
| Analytics data (GA4) | 30 days (retained in GA4 at aggregated level thereafter) | Service improvement; data minimisation |
| Marketing opt-out records | Indefinitely | To honour your opt-out preference |
When data is no longer needed we securely delete or anonymise it.
Third Parties We Share Data With
We do not sell your personal data. We share data only where necessary with the following trusted processors:
Stripe (Payment Processing)
Stripe, Inc. processes payment card information on our behalf. Your card details are entered directly on Stripe's secure, PCI-DSS-certified platform and never pass through or are stored on our servers. Stripe's privacy policy is available at stripe.com/privacy. Where Stripe operates outside the EEA, it relies on Standard Contractual Clauses approved by the European Commission.
Google Analytics (Website Analytics)
We may use Google Analytics 4. Data is processed by Google Ireland Limited (EEA) and may be transferred to Google LLC (USA) under Standard Contractual Clauses. We have enabled IP anonymisation. Analytics cookies are optional — you can decline them via our cookie banner. Google's privacy policy: policies.google.com/privacy.
Email Service Provider
We use a professional email provider to send booking confirmations. They process your email address and name solely to deliver messages on our behalf and are bound by a data processing agreement.
We do not share your data with any other third parties, advertisers or data brokers. We will disclose data to public authorities only if required by Finnish or EU law.
Your Rights Under GDPR
As a data subject under the GDPR you have the following rights. You can exercise any of them by contacting us at the details below — we will respond within 30 days.
- Request a copy of all personal data we hold about you (Art. 15).
- Ask us to correct inaccurate or incomplete data (Art. 16).
- Request deletion of your data where we have no overriding legal reason to retain it (Art. 17).
- Receive your data in a structured, machine-readable format and transfer it to another controller (Art. 20).
- Object to processing based on legitimate interest, including direct marketing (Art. 21).
- Ask us to restrict processing while a dispute or objection is being resolved (Art. 18).
- Withdraw any consent you have given (e.g. for analytics cookies) at any time without penalty.
- Complain to the Finnish Data Protection Ombudsman (tietosuoja.fi) if you believe we have mishandled your data.
Cookies & Tracking
Our website uses a small number of cookies. Strictly necessary cookies (required for the booking flow and secure session management) are set automatically. Optional analytics cookies are only set with your consent via our cookie banner.
For full details of every cookie we use, how to manage preferences and how to opt out of Google Analytics, please read our Cookie Policy.
Data Requests & Contact
To exercise any of your rights, or if you have any question about this Privacy Policy, please contact our data controller directly:
Ruka Northern Lights Tours — Data Controller
Email: bookings@rukanorthernlightstours.com
Phone: +358 465 630 404
Address: Ouluntaival, Ruka, 93600 Kuusamo, Finland
We will acknowledge your request within 5 working days and respond in full within 30 days as required by GDPR Article 12. If your request is complex we may extend this by a further two months — we will notify you if so.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman:
Website: tietosuoja.fi | Email: tietosuoja@om.fi | Tel: +358 29 566 6700
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The "Last updated" date at the top of this page will always indicate when the most recent revision was made. For significant changes we will notify active customers by email.