Solstrand Privacy Policy

Last updated: 12 February 2026

Personal data is information that can be linked to you as an individual. It is important that you know which personal data Solstrand processes about you so that you can exercise your rights under data protection legislation.

This privacy policy explains when and how Solstrand Hotel & Bad AS processes personal data.

Data controller: Solstrand Hotel & Bad AS, org. no. 985 617 635

We process personal data as part of operating the hotel, and we are the data controller for the processing described in this policy. We always process personal data lawfully and responsibly, and only for explicitly stated and legitimate purposes.

We do not disclose personal data to other businesses for their own purposes. However, we may share personal data with our data processors (service providers) when this is necessary to operate the hotel and to provide services to you, as well as when we have a legal obligation to provide information to public authorities.

We store personal data for as long as necessary for the purpose, and for as long as we have a legitimate need and/or a legal basis for doing so.

Contact Solstrand

You may exercise your rights or ask questions about this policy by contacting us:

Email: hotel@solstrand.com
Address: Solstrand Hotel & Bad AS, P.O. Box 54, 5201 Os, Norway

We respond to enquiries without undue delay and no later than within one month.

Complaints: If you believe that our processing of personal data is not in accordance with applicable regulations, you may lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet): www.datatilsynet.no

When does Solstrand collect personal data about you?

We process personal data, among other things, when:

• you send us an enquiry, request, complaint or booking
• you book accommodation
• you book spa treatment
• you apply for a job with us
• you visit our website www.solstrand.com
• you visit us on social media (Facebook, Instagram, LinkedIn etc.)

We may also receive information about you from others when:

• a job applicant lists you as a reference
• you are registered as a participant at an event
• you are listed as a guest in a group staying with us

IT and systems

We use external suppliers for the operation and maintenance of IT services (booking system, accounting system, payment, etc.).

Hotel/reservation system: Solstrand uses Opera Cloud (Oracle) as its hotel, reservation and guest management system.

Much of the infrastructure and data is located within the EU/EEA or in countries approved by the European Commission. If a supplier or sub-processor processes data outside the EU/EEA, we ensure a lawful transfer mechanism in accordance with GDPR Chapter V (for example, the EU Standard Contractual Clauses).

Visits to our website – cookies

We use cookies to ensure functionality and to understand how the website is used. To read more about how and which cookies we collect, you can click the round cookie icon at the bottom left of www.solstrand.com. You can see which services store cookies, and why, under the categories functional, statistical and marketing.

Legal basis:

• Necessary cookies are processed on the basis of legitimate interests (GDPR Article 6(1)(f)).
• Statistical and marketing cookies are used only if you consent (GDPR Article 6(1)(a)).

You can opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout

Social media

Data you post on our social media pages (comments, likes, photos, public messages, etc.) is published by the platform and is not used by us for purposes other than communication and public engagement.

Legal basis: legitimate interests (GDPR Article 6(1)(f)).

We recommend that you do not share sensitive personal data via social media (for example, health data). If you need to share such information, please contact us by email or telephone.

Hotel reservations, stays, spa treatments and events

When you book a hotel room, attend an event or use the spa/other services, we process personal data in order to administer the booking and your stay. The data is also shared with certain system sub-suppliers to enable the full guest journey—for example, booking spa treatments and offering digital check-out.

Legal basis: necessary for the performance of a contract (GDPR Article 6(1)(b)).

Solstrand has many returning guests over long periods in connection with anniversaries, weddings, confirmations, milestone birthdays and other annual traditions. We may therefore have a long-term guest relationship where storing certain information is necessary in order to provide good service over time, take care of guest preferences and ensure predictable customer dialogue for future stays.

Retention period: Solstrand may store guest profiles for an extended period in order to meet guests’ needs during future stays. Guest profiles are automatically deleted 10 years after the last profile activity.

In connection with stays and food service, we may receive information about food allergies, intolerances, health-related needs, or requirements for accessibility/assistance (for example due to disability).

Legal basis: GDPR Article 6(1)(b) (contract) and GDPR Article 9(2)(a) (consent), where necessary.

Information included in accounting documentation is stored for 5 years in accordance with the Norwegian Bookkeeping Act.

Payment and payment information

When you pay for a stay or services, payment information is processed to complete the transaction.

We only process what is necessary for payment and invoicing. Solstrand normally does not store complete card details itself. Card information is primarily processed by our payment service providers, which are subject to strict security requirements.

Legal basis: GDPR Article 6(1)(b) (contract) and Article 6(1)(c) (legal obligation for accounting/bookkeeping).

Opera Cloud PMS (Oracle) – GDPR in the hotel/reservation system

Solstrand uses Opera Cloud PMS (Oracle) as its hotel and reservation/guest management system. The system is used to administer bookings, stays, payment, invoicing and customer communication.

Legal basis (GDPR Article 6):

• Article 6(1)(b) – contract (booking/stay)
• Article 6(1)(c) – legal obligations (accounting/bookkeeping and reporting)
• Article 6(1)(a) – consent (marketing/campaigns)
• Article 6(1)(f) – legitimate interests (assessed on a case-by-case basis)

Access control: Access is managed through user accounts and role-based permissions. Only employees with a work-related need have access.

Logging: The system logs, among other things, changes to profiles, as well as viewing/printing of profile information and information about allergies and special needs and requests. Such information is not stored longer than necessary for the purpose, unless the guest asks for the information to be stored.

Deletion and anonymisation: Solstrand has settings in Opera Cloud (“Opera Controls”) that support GDPR compliance, including routines for automatic deletion of profiles after 10 years without activity.

Marketing and consent

Solstrand carries out very limited paid marketing of our services. If you have been a guest with us, we may send you relevant information about our services. You may opt out at any time by contacting hotel@solstrand.com.

Marketing beyond this is based on consent. Consents are documented and retained for as long as necessary to demonstrate that consent has been given or withdrawn.

Mailchimp: Solstrand collects email addresses with consent via Mailchimp. At present, no newsletters are sent, but if this changes, mailings will be carried out in accordance with consent, and you may withdraw your consent at any time via the link in the email or by contacting us.

Sub-processors / data processors

We may share personal data with suppliers that provide services to Solstrand. Examples include the provider of the hotel/reservation system, payment provider, IT operations and marketing platform.

Where required, we enter into data processing agreements and set requirements for information security and access control.

CCTV surveillance (ITV)

The hotel premises are monitored by CCTV in order to prevent and investigate crime. Recordings are stored for 7 days and are then deleted, unless recordings are preserved in connection with an incident/investigation. Recordings may be disclosed to the police in criminal cases.

Legal basis: legitimate interests (GDPR Article 6(1)(f)).

Job applicants

When you apply for a job, we process information to assess the application, conduct interviews and contact references. If you are hired, we retain application information for as long as the employment relationship lasts.

General applications are deleted/destroyed within 180 days. Applications with the status hired or interviewed are deleted/destroyed within 365 days.

Applicants who may be relevant for future positions are stored only with consent, for a maximum of 365 days.

Data retention (overall overview)

Typical retention periods:

• general enquiries: while the matter is ongoing and for a period afterwards, normally up to 12 months after the case has been closed
• reservations/stays: up to 10 years
• accounting documentation: 5 years
• CCTV surveillance: 7 days
• job applications: 180/365 days

Children and young people

Solstrand offers services to families, but we do not direct marketing towards children, and bookings/communication related to stays normally take place via parents/guardians/adults. If we receive personal data about children (for example as accompanying guests), such data is processed only to the extent necessary to administer the stay.

Your rights

You have the right to:

• access your personal data
• rectification
• erasure (in certain cases)
• restriction of processing
• object to processing based on legitimate interests
• data portability (where relevant)

You also have the right to withdraw consent when processing is based on consent. Withdrawal does not affect the lawfulness of processing before the consent was withdrawn.

Automated decision-making and profiling

Solstrand does not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you, pursuant to GDPR Article 22.