Privacy Policy
Last updated: 1 January 2025
1. Introduction
Vetrarakstur ("we", "us", or "our") operates the website at https://www.vetrarakstur.com (the "Site"). We are committed to protecting your personal data and processing it in compliance with the General Data Protection Regulation (GDPR), the Icelandic Act on Data Protection and the Processing of Personal Data (No. 90/2018), and all other applicable data protection legislation.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have in relation to your data.
Data controller: Vetrarakstur, Reykjavík, Iceland. Contact: privacy@vetrarakstur.com.
2. Data we collect
2.1 Data you provide directly
- Contact form submissions: When you submit our contact form, we collect your name, email address, subject, and message content. This data is stored in our database and used to respond to your enquiry.
- Newsletter sign-up: If you subscribe to our newsletter, we collect your email address. We use this solely to send you our newsletter. You can unsubscribe at any time via the link in any newsletter email.
2.2 Data collected automatically
- Log data: Our hosting provider automatically collects standard server log data, including your IP address, browser type, referring pages, and pages visited. This data is retained for up to 30 days and is used for security and performance monitoring.
- Analytics: We use Google Analytics 4 (GA4) to understand how visitors use our Site. GA4 collects anonymised usage data including pages viewed, session duration, device type, and approximate geographic location. IP addresses are anonymised before storage. For details, see Google's Privacy Policy at policies.google.com/privacy.
- Advertising: We display Google AdSense advertisements. Google uses cookies to serve ads based on prior visits to our Site or other websites. You can opt out of personalised advertising at adssettings.google.com. For more information, see our Cookie Policy.
- Cookies: We use cookies as described in our Cookie Policy.
3. Legal basis for processing
We process your personal data only where we have a lawful basis under GDPR:
- Consent (Article 6(1)(a)): For newsletter subscriptions and non-essential cookies (analytics, advertising). You may withdraw consent at any time.
- Legitimate interests (Article 6(1)(f)): For server log data collected for security monitoring, and for analytics to improve our Site, where our interests do not override your rights and freedoms.
- Performance of a contract / pre-contractual steps (Article 6(1)(b)): When you contact us via the contact form, we process your data to respond to your enquiry.
4. How we use your data
We use the data we collect to:
- Respond to contact form enquiries
- Send newsletters to subscribers (where you have subscribed)
- Analyse Site performance and improve our content
- Serve relevant advertising
- Detect and prevent fraudulent or abusive activity
- Comply with legal obligations
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
5. Data sharing and third parties
We share data with the following categories of third party:
- Hosting provider: Our website is hosted on infrastructure that processes server logs. Data is stored in the EEA (European Economic Area) or with providers offering equivalent safeguards.
- Google Analytics: Usage data is shared with Google Ireland Limited for analytics purposes under appropriate data processing agreements.
- Google AdSense: Advertising data is processed by Google Ireland Limited and, in some cases, Google LLC (US). Standard Contractual Clauses apply for any transfers outside the EEA.
- Email service provider: If we send you a newsletter or transactional email, your email address is processed by our email delivery provider under a data processing agreement.
We do not transfer your personal data to countries outside the EEA unless appropriate safeguards are in place (such as Standard Contractual Clauses approved by the European Commission).
6. Data retention
- Contact form data: Retained for up to 2 years from the date of submission, or until you request deletion.
- Newsletter subscriptions: Retained until you unsubscribe.
- Server logs: Retained for up to 30 days.
- Analytics data: Retained in Google Analytics per Google's default retention settings (up to 14 months for user and event data).
7. Your rights under GDPR
As a data subject, you have the following rights, subject to applicable exemptions:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You have the right to request correction of inaccurate or incomplete data.
- Right to erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances.
- Right to restriction (Article 18): You have the right to request that we restrict processing of your data in certain circumstances.
- Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your data in a structured, machine-readable format.
- Right to object (Article 21): You have the right to object to processing based on our legitimate interests.
- Rights related to automated decision-making (Article 22): We do not use fully automated decision-making or profiling with significant legal effects.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at privacy@vetrarakstur.com. We will respond within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) at personuvernd.is, or with the supervisory authority in your country of residence.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include HTTPS encryption, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure.
9. Children's privacy
Our Site is not directed at children under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised "Last updated" date. We encourage you to review this policy periodically.
11. Contact
For any questions about this Privacy Policy or to exercise your data rights, contact us at:
Vetrarakstur
Reykjavík, Iceland
Email: privacy@vetrarakstur.com