Privacy Policy



This privacy policy tells you about the information we collect from you when you use our website. In collecting this information, we are acting as a data controller and, by law, we are required to provide you with information about us, about why and how we use your data, and about the rights you have over your data.

1. Who are we?

We are Ferðaþjónusta bænda hf. You might know us by our brands Hey Iceland or Bændaferðir. We are a travel agency that offers both inbound and outbound tours and our office is located in Reykjavík, Iceland. You can read more about us here.

If you have any questions or comments, or if you have a concern about the way in which we have handled any privacy matter, please use our contact form to send us a message [linkur]. You may also contact us by postal mail or email at:

Ferðaþjónusta bænda hf.
Attn. Privacy Officer
privacy@heyiceland.is
Sidumuli 2
108 Reykjavik
Iceland


2. When you use our website

When you use our website to browse our products and services and view the information we make available, a number of cookies are used by us and by third parties to allow the website to function, to collect useful information about visitors and to help to make your user experience better.

For more information about our use of cookies, please see our cookie policy.

3. When you submit a general enquiry via our website

When you submit a general enquiry via our website, we ask you for your name and email address.

We use this information to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale.

Your enquiry is stored and processed in our email inboxes in the cloud. Your information might be shared with our suppliers if the enquiry is regarding their service. If the enquiry turns into a purchase, please see our purchase clause of the policy (see clause 4).

We do not use the information you provide to make any automated decisions that might affect you.

We keep enquiry emails for two years, after which they are deleted. When we delete them CRM records are kept for three years after the last contact with you.

4. When you purchase a product from our website

When you purchase products from us online, we ask you for your name, contact telephone number, email address, nationality, flight details, special requests and credit card information.

We will use your information to verify your credit card details for your purchase, process your order and to send your booking details. We will also send you a receipt via email and we may use your telephone number to contact you regarding your purchase or for safety while travelling.

We require this information in order to process your payment, deliver your products or services and fulfil our contract with you.

Your information is stored in our website management system, on our local server and on our cloud server, all of which are based within the European Union. Your credit card details are passed to a third-party payment processor which is based in Iceland and is certified with PCI DSS (Payment Card Industry Data Security Standard) which requires effective safeguards for your information. We do not retain your credit card information.

We share your information with the relevant suppliers that fulfil the service or product that is purchased.

We do not use the information you provide to make any automated decisions that might affect you.

We keep your order information for 7 years after the date of your last purchase. After that, we delete personal information linked to the purchase but keep unidentified sales data for sales history purposes. We are required to keep sales records for 7 years according to Icelandic bookkeeping laws no. 145 / 1994.

5. When you send us a request regarding accommodation, guided tours or activity

When you send us a request for accommodation, guided tours or activities we ask you to provide us with information so we can process the request. We ask you for your name, contact phone number, email address, country of residence, counts of travellers in age groups and product preferences.

We require this information to carry out the request and find you the suitable product and service.

Your request is stored and processed in our email inboxes in the cloud and in our website management system, both of which are based within the European Union. Your information might be shared with our suppliers if the request is regarding their service. If the request turns into a purchase, please see our purchase clause of the policy (see clause 4).

We do not use the information you provide to make any automated decisions that might affect you.

We keep request emails for two years, after which they are deleted. When we delete them CRM records are kept for three years after the last contact with you.

6. When you send us a request regarding a customised tour

When you send us a request for a customised tour we ask you to provide us with information so we can process the request. We ask you for your name, contact phone number, email address, country of residence, counts of travellers in age groups, flight detail, product preferences and any information you want to disclose about the travellers or the tour that will help us tailor make your tour.

We require this information to carry out the request and find you the suitable product and service.

Your request is stored and processed in our email inboxes in the cloud and in our website management system, both of which are based within the European Union. Your information might be shared with our suppliers if the request is regarding their service. If the request turns into a purchase, please see our purchase clause of the policy (see clause 4).

We do not use the information you provide to make any automated decisions that might affect you.

We keep request emails for two years, after which they are deleted. When we delete them CRM records are kept for three years after the last contact with you.

7. Your rights as a data subject

By law, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate. If we have asked for your consent to process your personal data, you may withdraw that consent at any time.

If we are processing your personal data for reasons of consent or to fulfil a contract, you can ask us to give you a copy of the information.

If we are processing your personal data for reasons of consent or legitimate interest, you can request that your data be erased.

You have the right to ask us to stop using your information for a period of time if you believe we are not doing so lawfully.

Finally, in some circumstances, you can ask us not to reach decisions affecting you using automated processing or profiling.

To submit a request regarding your personal data by email, post or telephone, please use the contact information provided above in the Who Are We section of this policy.

8. Your right to complain

If you have a complaint about our use of your information, we would prefer you to contact us directly in the first instance so that we can address your complaint. However, you can also contact the Icelandic Data Protection Authority via their website at https://www.personuvernd.is/information-in-english/ .

9. Updates to this privacy policy

We regularly review and, if appropriate, update this privacy policy from time to time, and as our services and use of personal data evolves. If we want to make use of your personal data in a way that we haven’t previously identified, we will contact you to provide information about this and, if necessary, to ask for your consent.

We will update the date of this document each time it is changed.

Published May 14, 2018