Privacy Policy
Last updated: 3 June 2026
1. Data Controller
Drauma Ferðalag Ísland ehf.
Kennitala: 611125-1510
Reykjanesbær, Iceland
Email: erin@dreamtraveliceland.com
2. What Personal Data We Collect
We collect only the data needed to provide and confirm your booking. At checkout we collect your name and email address - used to confirm your booking, send your invoice PDF, and create your consultation appointment. We also store your service selection, along with payment proof in the form of an authorisation code, transaction ID, amount, and booking reference; full card details are never transmitted to or stored by us, as all card processing is handled entirely by Teya.
Messages submitted via the contact form (name, email, subject, and message text) are sent directly to our Gmail inbox. We also store the email address, source, and capture timestamp in our own database (Cloudflare D1) to distinguish contact enquiries from newsletter consented subscribers. If you subscribe to the newsletter, your email address and subscription date are stored in D1 as the authoritative consent record and synced to Brevo for campaign sending. See our Cookie Policy for details on browser storage. We do not collect phone numbers, passport details, date of birth, or any special-category data.
3. Legal Basis for Processing (GDPR Art. 6)
Name and email are processed for the performance of contracted services (Art. 6(1)(b)). They are necessary to deliver the booked service and issue your invoice. Financial records are retained under legal obligation (Art. 6(1)(c)). Icelandic accounting law requires a 7-year retention period (Lög um bókhald, nr. 145/1994 §12). Newsletter subscription and non-essential cookies are processed on the basis of your consent (Art. 6(1)(a)).
4. How We Use Your Data
We use your data to confirm your booking and send your payment receipt via email, to create your Google Meet appointment, to respond to contact form enquiries, and - if you subscribed - to send newsletters. We do not use your data for automated decision-making or profiling.
4a. Anonymous Analytics
We record anonymous interaction data — pages visited, buttons clicked, and booking form steps completed — using a random session identifier stored temporarily in your browser's session storage (see our Cookie Policy). This identifier is a randomly generated number unrelated to your identity. We collect the action name (e.g. "service selected") and the service product name (e.g. "30-minute consultation"), but no personal data whatsoever — no names, email addresses, IP addresses, or device fingerprints. This data cannot be linked to you as an individual and exists solely to help us understand how visitors use the site so we can improve our service. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
5. Data Retention
| Data | Retention | Reason |
|---|---|---|
| Name, email address | Until erasure request | Service delivery |
| Authorisation code, transaction ID, amount, booking ID | 7 years from booking date | Icelandic accounting law (Lög um bókhald, nr. 145/1994); anonymised on request (kept for financial audit) |
| Contact form messages (content) | As long as kept in email inbox | No separate database storage for message body |
| Contact form email capture metadata (email, source, timestamp) | Until erasure request | Operational source tracking and list segmentation |
| Newsletter email | Until you unsubscribe | Consent-based; unsubscribe link in every email. Record of consent kept permanently as audit trail. |
6. Third-Party Data Processors
We share data only with the processors below, all operating under GDPR-compliant terms. We do not sell your personal data to any third party.
Teya (Reykjavík, Iceland) — payment processing. Teya handles all card data under their own PCI-DSS compliance. We receive only an authorisation code and transaction reference. Teya Privacy Policy
Cloudflare, Inc. (USA) — website hosting, content delivery, and the database where booking records are stored. Cloudflare is certified under the EU–US Data Privacy Framework. Cloudflare Privacy Policy
Google LLC (USA) — Gmail for booking confirmation emails and invoice delivery, and Google Calendar for consultation appointments. Google is certified under the EU–US Data Privacy Framework. Google Privacy Policy
Brevo SAS (Paris, France) — newsletter sending platform, if you subscribe. Your email address is synced to Brevo to enable campaign sending. Brevo is an EU-based processor. Brevo Privacy Policy
7. Your Rights (GDPR Art. 15–22 / Lög nr. 90/2018)
You have the right to access a copy of the personal data we hold about you, to have inaccurate data corrected, and to request erasure of your name and email from our records. Note that financial records (amount, booking ID) must be retained for 7 years by law and cannot be deleted on request, though they will be disassociated from your identity. You may also request restriction of processing, receive your data in a machine-readable format, object to processing based on legitimate interest, or withdraw newsletter consent at any time via the unsubscribe link in any email.
To exercise any of these rights, email erin@dreamtraveliceland.com with your name and booking reference (if applicable). We will respond within 30 days.
8. Supervisory Authority
If you believe we have handled your data incorrectly, you have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) at personuvernd.is or postur@personuvernd.is.
9. Cookies
See our Cookie Policy for details on the cookies we use and how to manage your preferences.
10. Changes to This Policy
We may update this policy from time to time. The latest version will always be available on this page with the updated date above.