Privacy Policy – Layover Ehf.

(In accordance with Icelandic Act No. 90/2018 on Data Protection and the Processing of Personal Data)

This Privacy Policy explains how Layover Ehf. ("Layover," "we," "our," "us") collects, processes, stores, and safeguards personal data. Act No. 90/2018 implements the General Data Protection Regulation (GDPR) in Iceland, and Layover complies fully with all obligations under this law.

By using our website or making a booking, you agree to the processing of personal data as described below.

1. Data Controller

The data controller for all personal data processed by Layover Ehf. is:

Layover Ehf. Álfheimar 62, Reykjavík, Iceland Kennitala: 4703241120 Email: contact@layover.is

We determine the purposes and means of the processing of personal data in accordance with Act No. 90/2018.

2. Personal Data We Collect

We only collect personal data necessary to provide online booking services and customer support. This includes:

  • Basic identification and contact details: name, email address, phone number (optional)
  • Booking information: selected tours, dates, participant details required by the tour operator
  • Login information: a secure one-time login link sent to your email—no passwords are stored
  • Technical data: limited device and usage information required for website functionality and security
  • Payment information: processed through a secure third-party payment gateway; Layover does not store credit card details
  • Review data: if you leave a review, we may display your name and feedback on our website under legitimate interest (Article 6(1)(f)) to help future customers make informed decisions

We minimize data collection and do not process data beyond what is necessary for service delivery or required by law.

3. Purposes of Processing

Layover processes personal data for the following lawful purposes:

  • To complete and manage online bookings
  • To send confirmations, updates, and essential service communications
  • To provide secure login via email link
  • To maintain website functionality and prevent misuse
  • To comply with accounting, reporting, and legal obligations
  • To improve our services in a limited and privacy-respecting manner
  • To display customer reviews and testimonials

We do not use personal data for profiling that produces legal or significant effects, nor do we sell or disclose data for unrelated purposes.

4. Legal Basis for Processing

Under Act No. 90/2018 and GDPR, Layover relies on the following legal bases:

  • Article 6(1)(b): Processing necessary for the performance of a contract (e.g., booking a tour).
  • Article 6(1)(c): Compliance with legal obligations (e.g., accounting documentation).
  • Article 6(1)(f): Legitimate interests, such as ensuring website functionality, preventing fraud, and displaying customer reviews.
  • Article 6(1)(a): Consent, where required (e.g., optional cookies).

5. Sharing of Personal Data

Personal data is shared only when required to fulfil a booking or comply with law:

  • Tour Operators: to deliver the service you purchased
  • Payment providers: to process secure online payments
  • Technical infrastructure partners: hosting, email, and encrypted data storage

All third parties are contractually obligated to comply with Act No. 90/2018 and maintain appropriate security measures.

6. Use of Cookies and Limited Tracking

Our website uses basic cookies necessary for:

  • Core website functionality
  • Security and fraud prevention
  • Smooth booking processes

We may use simple analytics tools to understand general website usage patterns, but we limit tracking to what is strictly necessary and do not process identifiable behavioral data unless explicitly permitted by law.

Users may control or disable cookies through their browser settings.

7. Data Security

Layover implements strict technical and organizational measures to protect personal data, including:

  • Encryption of all stored client data
  • Secure encrypted transmission (HTTPS/TLS)
  • No password storage (email login links only)
  • Restricted internal access based on role and necessity
  • Secure data handling, retention, and deletion procedures

Data breaches, if they occur, will be handled according to Icelandic law and supervisory authority requirements.

8. Data Retention & Deletion

Personal data is retained only as long as necessary for the purpose it was collected or to fulfill statutory requirements, including:

  • Accounting and tax obligations
  • Dispute resolution
  • Operational record-keeping

When data is no longer needed, it is securely deleted, anonymized, or destroyed in accordance with Act No. 90/2018.

9. Your Rights

Under Icelandic privacy law, you have the following rights:

  • Right of access to your personal data
  • Right to rectification of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten"), where legally permissible
  • Right to restriction of processing
  • Right to object to certain processing activities
  • Right to data portability, where applicable
  • Right to withdraw consent for processing based on consent

Requests may be submitted by email. We may require identity verification to ensure data is protected.

10. Transfers of Data Outside Iceland/EEA

If personal data is transferred outside the EEA, such transfers occur only under legally approved safeguards, including:

  • Standard Contractual Clauses
  • Adequacy decisions
  • Equivalent protection mechanisms permitted under Icelandic law

We ensure the same level of protection as required by Act No. 90/2018.

11. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly process children's data.

12. Amendments to This Policy

Layover may update this Privacy Policy to reflect changes in law or how we provide our services. The latest version will always be available on our website. Continued use of our services constitutes acceptance of the updated terms.

13. Contact Information

For questions or to exercise your rights:

Layover Ehf. Álfheimar 62, Reykjavík, Iceland Email: contact@layover.is

Last updated: March 2026