We collect and process the following categories of personal data depending on the services you use, for the purpose of providing you with our services and improving our products and services.

• Identity and contact information such as name, date of birth/national ID number, gender, age, address, country of residence, email address and phone number.

• Information relating to your booking and stay, such as booking dates, service preferences, travel arrangements and booking history.

• Health information or requests for additional assistance, where you have provided such information voluntarily.

• Payments are processed exclusively through a secure payment provider. We receive payment confirmation from the payment provider but do not see or store your card details.

• Technical data such as IP address, browser type, operating system, device identifier, pages visited, duration of visits and how you use our services and website.

• Marketing and communications data if you have requested to receive newsletters, offers or other notifications, as well as our communications with you, enquiries, feedback and complaints.

• Cookies and tracking — data collected in connection with the use and functionality of our website, e.g. for statistical analysis, to improve our website and tailor content to your needs. See our Cookie Policy.

• CCTV cameras are in operation at selected locations for the purpose of ensuring guest safety and protecting property. The monitoring is based on our legitimate interests. Guests are notified by signs in areas where cameras are in use. Footage is retained in accordance with applicable laws and regulations. Recordings are not kept for more than 30 days unless they relate to potential legal matters, such as accidents.

The collection and processing of personal data depends on the services provided and may be used to:

• Process bookings and deliver products and services.

• Handle accounting, invoicing and other operational matters.

• Make your stay personal and enjoyable.

• Communicate with you, provide information about the services you have booked, and gather reviews and feedback to develop and improve our products and services.

• Respond to enquiries, requests and feedback submitted through our website or by email.

• Provide third-party services when you specifically request them.

• For marketing and promotional purposes where you have consented to receive such content.

• Ensure your safety and make contact in emergency situations.

• Fulfil legal obligations, e.g. relating to accounting, tax matters or regulatory compliance.

The processing of contact details, booking information, payment information and similar data is based on contractual necessity. The processing of communications, feedback and similar data may be based on contractual necessity, your consent or our legitimate interests in ensuring good service or handling requests relating to individuals' rights. The processing of health information, marketing and communications data and similar data is based on your explicit consent, which may be withdrawn at any time.

In some cases, the processing of personal data is also based on a legal obligation, such as Icelandic accounting legislation. In exceptional cases it may be necessary to process personal data to protect your vital interests, for example in the event of an emergency.

We do not knowingly collect personal data from children under the age of 13. If such data is received, parents should contact us to have it removed without delay.

We may share personal data with processors in order to provide services, analyse usage and improve them. Processors may handle IT, cloud or payment services, as well as other services connected to our operations.

These parties only have access to your personal data to carry out specific tasks on our behalf and may not use it for any other purpose. They may be located outside Iceland. We will not, however, transfer personal data outside the European Economic Area unless permitted by applicable data protection legislation — for example on the basis of Standard Contractual Clauses, your consent or an adequacy decision by the Icelandic Data Protection Authority recognising countries that provide adequate protection for personal data.

We may share your personal data with third parties on the basis of your consent, for example in connection with the purchase of accommodation, transport, activities or additional services, for the purpose of providing information and services.

We reserve the right to disclose personal data if required by law, court order or public authorities. We also provide our legal advisers with access to information in order to defend our legal rights and those of our staff should such situations arise.

We may also engage processors to assist with analytics on our website and to display relevant marketing content to visitors, on the basis of your consent or our legitimate interests, as applicable. Further information can be found in our Cookie Policy.

Personal data shared with external parties is always treated confidentially.

Third-Party Data Sharing with Us

This Privacy Policy applies when a third party, such as a travel agency or booking service, shares personal data with us on your behalf in connection with a booking or order.

Other service providers who deliver part of your service, stay or trip are independent data controllers under data protection law. You can obtain information about their privacy policies directly from them.

We employ security measures including security standards, regular security testing and updates, secure hosting and backups, as well as access controls and staff training.

Payments are processed through Planet or Teya. Payments are protected and certified under PCI DSS (Payment Card Industry Data Security Standard) to ensure the secure handling of payment card data. Our website is secured with SSL certificates and provides encrypted communications between the website and your browser.

Personal data, with the exception of security camera footage, may be stored with processors who are obligated to comply with applicable data protection laws and regulations and to maintain appropriate security measures to prevent data from being leaked, lost or damaged. Security camera footage and data is stored within the company itself and is access-controlled so that only designated individuals can access it.

In the event of a personal data breach, we will notify the Icelandic Data Protection Authority without undue delay and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you as soon as possible, unless otherwise required by law.

Personal data is retained for as long as necessary in connection with the purpose of the processing, or as required by law. Accounting records are retained for up to 7 years in accordance with Article 20 of Act No. 145/1994 on Accounting. Security camera recordings are not kept for more than 30 days unless they relate to potential legal matters, such as accidents.

Data protection legislation grants you various rights, which you can exercise by sending a request to info@reykjabod.is. We may ask you to provide appropriate proof of identity.

Access, Rectification and Erasure

You have the right to obtain information about your personal data and to have it corrected if inaccurate. Processing may be restricted if you contest the accuracy of the data, if processing is unlawful, or if we no longer need the data but you do not wish it to be erased.

You may request erasure of your personal data if it is no longer necessary, if consent has been withdrawn or if processing was unlawful. An exception applies where the law requires data to be retained, for example under Act No. 145/1994 on Accounting.

Right to Object and Restriction of Processing

You always have the right to object to the processing of your personal data for direct marketing purposes. You may also object to processing, on grounds relating to your particular situation, where processing is based on legitimate interests — unless Reykjaböð has compelling legitimate grounds that override your interests. You have the right to request that processing of your personal data be restricted if you believe the data is inaccurate, if processing is unlawful, or if the data is no longer needed but you require it for the establishment, exercise or defence of legal claims.

Right to Data Portability and Automated Decision-Making

In certain cases where processing is based on a contract or consent, you may have the right to receive a copy of the personal data you have provided in a structured, commonly used and machine-readable format. You may also request that the data be transferred directly to a third party.

Reykjaböð does not use automated decision-making or profiling that produces legal or similarly significant effects for you.

Withdrawal of Consent

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

Complaints to the Data Protection Authority

You have the right to lodge a complaint with the Icelandic Data Protection Authority (www.personuvernd.is) if you believe your data protection rights have been violated.

We use cookies to ensure website functionality, improve the user experience, analyse usage and personalise content. Users can accept or decline non-essential cookies before they are placed.

• Necessary cookies — to ensure website functionality

• Analytics cookies such as Google Analytics — to improve our services

• Marketing cookies such as Meta Pixel — to display personalised content

Further information is available in our Cookie Policy.

We may update this policy to reflect changes in legislation, our operations or services. Changes, additions or deletions take effect immediately upon publication of the updated version and apply to all new bookings, purchases, enquiries and website visits made thereafter. Significant changes will be announced on our website or by email. The date of the most recent revision appears at the bottom of this page.