LifePass Privacy Policy

This Privacy Policy explains how LifePass ("LifePass", "we", "us", "our") collects, uses, shares, and protects personal data when you use our website and mobile application. We are committed to protecting your privacy and processing your data in compliance with the EU/EEA General Data Protection Regulation (GDPR) and Icelandic data protection laws.

By using LifePass, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use our services.

• Company: Sporta ehf.
• Registration number: 4909251470
• Address: Hverfisgata 88, 101 Reykjavík, Iceland
• Email: support@lifepass.is

Sporta ehf. is the data controller responsible for your personal data. We determine the purposes and means of processing your personal information.

We collect the following categories of personal data.

A. Information you provide

• Account information: full name, email address, optional phone number, and encrypted password.
• Identification number (kennitala):your Icelandic kennitala, which we collect and verify through our identity-verification partner Kenni (auðkenni) when you start a subscription or activate an employer-paid benefit. We use it to confirm your identity, prevent fraud and duplicate or shared memberships, and (for company plans) match you to your employer's authorised-employee list. See Section 4.F for how the verification works and Section 3 of our Terms for why it is required. We rely on Article 12 of the Icelandic Data Protection Act No. 90/2018, which permits use of a kennitala where there is an objective reason to identify a person reliably.
• Profile data: language preference, nationality (optional; required before booking at certain third-party reservation venues — see Section 4.B), and account settings.
• Communications: messages you send to us, support requests, feedback, and reviews.

B. Payment information

• Transaction history, purchase amounts, and subscription details.
• Payment tokens from Kling. We do not store full card numbers, CVV, or complete card details.
• Billing address where required.

C. Usage data

• Subscription information: plan type, credit balance, subscription status, and commitment period dates.
• Booking data: activities booked, booking times, cancellations, headcount, and (for third-party reservation venues) a booking reference issued by the reservation platform.
• Check-in records: venue visits, check-in timestamps, and location of check-in.
• Favourites: venues and activities you save.

D. Technical data

• IP address, browser type and version, and operating system.
• Device identifiers and type.
• Pages visited, time spent, referring URLs, error logs, and performance data.

E. Cookie data

• Session identifiers and authentication tokens.
• Preferences and settings.
• Analytics data, with your consent.

F. Location and device permissions

• Precise location (GPS):if you use the "find venues near me" feature on the map, your browser or device asks your permission to share your precise location. We use it only, in the moment, to centre the map and sort venues by distance — we do not store your GPS coordinates or track your location in the background. You can decline, or revoke the permission later in your browser or device settings; the map still works without it.
• Camera: checking in at a Venue uses your device camera to scan a QR code. We process the scan to validate your booking; we do not record, store, or transmit camera images. You can decline camera access and ask Venue staff to check you in manually.
• Map tiles: map features load tiles and styles from Mapbox (see Section 4.D), which receives the technical request data necessary to serve the map.

We do not intentionally collect special category data such as health data or biometric data. Please do not submit sensitive personal information in free-text fields such as reviews or support messages.

We process personal data for the following purposes.

3.1 Marketing communications

We send marketing emails (newsletters, offers) only if you have actively opted in — the opt-in is unticked by default and you choose to enable it. We record when you gave or declined consent and which version of this notice applied at the time. You can withdraw your consent and stop marketing emails at any time, either by clicking the unsubscribe link in any marketing email or by changing the setting in your profile; this does not affect marketing we sent before you withdrew.

Transactional messages that are part of the service — booking confirmations, receipts, cancellation and renewal notices, password resets, and similar — are not marketing and are sent on the basis of our contract with you regardless of your marketing preference.

3.2 No solely-automated decisions

We do not make decisions that produce legal effects for you, or similarly significantly affect you, based solely on automated processing. Matching your verified kennitala to an employer's authorised-employee list, and granting or expiring credits, are rule-based steps carried out to perform our contract with you; they do not involve profiling that significantly affects you, and our team can review any outcome on request (see Section 8).

We share your personal data with the following categories of recipients.

A. Partner venues

When you check in at a venue, we share:

• your name, for identification;
• membership status and validity;
• booking details for the specific activity.

Venues use this information solely to validate your access and provide services.

B. Third-party reservation platforms (Bokun)

Certain partner venues — currently including Forest Lagoon and Vök Baths, with others potentially added over time — manage their live booking inventory through Bokun, an online reservation platform operated by Tripadvisor LLC (400 1st Avenue, Needham, MA 02494, USA), with an EU representative at Tripadvisor Ireland Limited, Dublin.

When you complete a booking at a Bokun-integrated venue through LifePass, we transmit the following personal data to Bokun so that Bokun can create the reservation on the venue's behalf and issue the entrance ticket:

• first name;
• last name;
• email address;
• nationality (defaulted to Iceland if not otherwise provided);
• venue, date, time, and headcount of the booking;
• a LifePass booking reference.

We do not share your kennitala, password, payment details, LifePass subscription state, credit balance, check-in history at other venues, or any other information beyond what is strictly necessary to confirm the reservation.

Bokun's role.Bokun (Tripadvisor LLC) acts as an independent data controller for the booking data it receives — it determines its own purposes and means of processing under its own privacy policy, which includes further sharing with the Tripadvisor group of companies, Bokun's own service providers, and direct marketing subject to your rights to object. Your GDPR rights (access, rectification, erasure, restriction, objection, portability) therefore apply against Bokun directly for the data Bokun holds, and can be exercised at info@bokun.is. Please refer to Bokun's Privacy Policy for full details of how they process your data.

Legal basis.We rely on Article 6(1)(b) GDPR (performance of a contract) to share this data with Bokun: completing a reservation at a Bokun-integrated venue cannot be performed without transmitting these identifying details to the venue's reservation platform.

C. Payment processors

Kling processes all payments. Kling is PCI-DSS compliant and acts as an independent data controller for payment data. See Kling's Privacy Policy.

D. Service providers

• Hosting and database: Supabase for cloud infrastructure and data storage.
• Email services: Resend for transactional and marketing emails.
• Identity verification: Auðkenni ehf. (Kenni) — verifies your kennitala (see Section 4.F).
• Maps: Mapbox — renders the venue map; receives your approximate location and map-tile requests when you use the map.
• Analytics: privacy-focused analytics tools.

All service providers are bound by data processing agreements and must comply with GDPR.

E. Legal and regulatory

We may disclose data when required by law, court order, or to protect our legal rights.

F. Identity verification (Kenni / auðkenni)

When you start a subscription or activate an employer-paid benefit, we verify your identity through Kenni, an electronic-identity verification service operated by Auðkenni ehf. (Iceland). To do this we redirect you to Kenni's secure flow, where you authenticate with your Icelandic electronic ID. Kenni confirms your identity and returns your verified kennitala and name to us.

We rely on Article 6(1)(b) GDPR (performance of a contract) and Article 12 of the Icelandic Data Protection Act No. 90/2018 for this processing: a verified identity is necessary to provide a subscription, to prevent fraudulent or shared memberships, and to match company-plan employees to their employer's authorised list. Auðkenni processes your authentication data under its own privacy policy and as our processor for the verification result we receive. We do not receive or store your electronic-ID credentials or PIN.

G. Employers (company plans)

If you join LifePass through an employer's company plan, there is a two-way exchange of limited personal data between LifePass and your employer:

• From your employer to us: your employer provides us with a list of authorised employees (by kennitala, and sometimes name) so we can grant the agreed credits to the right people. We use this list only to match activations and grant benefits.
• From us to your employer: through a company dashboard, your employer (and its authorised company administrators) can see which of their authorised employees have activated their LifePass benefit, the activation date, and aggregate usage information such as the number of unused credits and the most-booked venues across their workforce. Your employer is shown enough to administer and reconcile the benefit they are paying for. Your individual booking history, check-in records, and the specific venues you personally visit are not exposed to your employer through this dashboard.

For the employee list your employer supplies to us, and for the activation and usage data we make available back to your employer, your employer is an independent data controller and processes that data under its own privacy notice and its employment relationship with you. We rely on Article 6(1)(b) GDPR (performance of a contract) with the employer, and our legitimate interest and your employer's legitimate interest in administering a benefit, as the legal basis for this exchange. If you do not want your employer to know whether you have activated the benefit, you can choose not to activate the company plan and instead use a personally-paid subscription or pay-as-you-go bookings.

H. Public reviews and ratings

If you submit a review or rating of a Venue, the review text, the rating, and your profile name are displayed publicly on the Platform (including on Venue pages and, where applicable, in search-engine results and structured data) and can be seen by anyone. Do not include information in a review that you do not want to be public. You can ask us to remove a review you have posted by contacting support@lifepass.is.

We do not sell your personal data to third parties, and we do not use your personal data for third-party advertising.

Our primary data processing occurs within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place:

• EU Standard Contractual Clauses (SCCs);
• adequacy decisions by the European Commission;
• supplementary technical and organizational measures.

Bokun (Tripadvisor LLC). Where we share booking data with Bokun as described in Section 4.B, that data may be stored or transferred to Tripadvisor LLC in the United States and to other Tripadvisor affiliates outside the EEA. These transfers are covered by the EU Standard Contractual Clauses adopted by the European Commission, together with supplementary measures Bokun describes in its own privacy policy.

We use cookies and similar technologies as follows.

You can manage cookie preferences through our cookie banner or your browser settings.

We retain your data for the following periods.

Note on third-party reservation platforms. Once a booking reference and the associated data have been transmitted to Bokun (Section 4.B), retention of that data at Bokun is governed by Bokun's own privacy policy, not by the periods above. Deleting your LifePass account does not automatically delete data Bokun has already received; to exercise your rights against Bokun, contact them directly at info@bokun.is.

As a data subject, you have the following rights.

• Right of access: request a copy of your personal data.
• Right to rectification: correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): request deletion of your data, subject to legal retention requirements.
• Right to restriction: limit how we process your data.
• Right to data portability: receive your data in a structured, machine-readable format.
• Right to object: object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent: withdraw consent at any time (does not affect prior lawful processing).
• Right not to be subject to automated decisions: request human review of automated decisions that significantly affect you.

How to exercise your rights: email us at support@lifepass.is with your request. We will respond within 30 days. For data held by Bokun as a result of a booking at a Bokun-integrated venue, please also contact Bokun directly at info@bokun.is.

Right to complain: you may lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) at www.personuvernd.is or postur@personuvernd.is.

We implement appropriate technical and organizational measures to protect your data:

• encryption in transit (TLS/HTTPS) and at rest;
• secure password hashing;
• access controls and least-privilege principles;
• regular security assessments;
• incident response procedures;
• employee training on data protection.

No system is perfectly secure. In the event of a data breach, we will notify you and relevant authorities as required by law.

LifePass is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16.

If you believe we have inadvertently collected data from a child under 16, please contact us immediately at support@lifepass.is.

We may update this Privacy Policy from time to time. When we make material changes:

• we will update the "Last updated" date at the top of this policy;
• we will notify you via email or in-app notification;
• continued use of LifePass after changes take effect constitutes acceptance.

For questions, requests, or concerns about this Privacy Policy or your personal data:

Sporta ehf.
Hverfisgata 88, 101 Reykjavík, Iceland
Email: support@lifepass.is
Website: www.lifepass.is