Lagaviti ehf., ID No. 650624-2620, Nýlendugata 14, 101 Reykjavík (also referred to as the “Company” or “we”), is committed to ensuring the reliability, confidentiality, and security of personal data processed within the Company.

​

This Privacy Policy applies to personal data relating to individuals who use the Company’s website (www.lagaviti.is), individuals who are customers of the Company, individuals who contact the Company, contact persons acting on behalf of legal entities in business relations with the Company, as well as other contacts (hereinafter collectively referred to as the “Customer” or “you”).

​

The purpose of this Privacy Policy is to inform you about what personal data the Company collects, how such personal data is used, and who may have access to it.

​

If you are uncertain as to how this policy applies to you, please contact the Data Protection Officer for further information. Contact details are provided at the end of this policy.

​

1. Purpose and legal basis

​

Lagaviti seeks at all times to comply with applicable data protection legislation. This policy is based on Act No. 90/2018 on Data Protection and the Processing of Personal Data (the “Data Protection Act”).

​

2. What are personal data?

​

For the purposes of this policy, personal data refers to any information relating to an identified or identifiable natural person, i.e. information that can be directly or indirectly linked to a specific individual. Data that cannot be linked to an individual is not considered personal data.

​

3. Personal data processed by Lagaviti

​

We collect and retain various types of personal data about our customers. The type of personal data collected may vary depending on whether you are an individual customer or act on behalf of a legal entity in business relations with the Company.

​

Where Lagaviti provides services to individuals, the Company may collect the following information:

​

• contact details, such as name, address or place of residence, telephone number, and email address;

• national identification number;

• creditworthiness information;

• information arising from communications; and

• billing information, including VAT number and specific invoicing preferences.

 

Where the customer is a legal entity, Lagaviti collects certain information about its representatives, primarily:

​

• contact details, such as name, telephone number, and email address; and

• communication history.

 

The Company may also collect information relating to political exposure of individuals who fall within a risk category under legislation on anti-money laundering and counter-terrorist financing (the “AML Act”). This category includes individuals who are or have been entrusted with prominent public functions, their immediate family members, and known close associates.

​

In addition to the above, Lagaviti may process other information voluntarily provided by customers or their representatives, as well as information necessary for the Company’s operations, including its core activities of software development and professional advisory services. Personal data is processed primarily in order to enter into and perform formal and informal user, project, and service agreements with customers, as well as to fulfill other obligations arising from customer services. Processing may also be based on the Company’s legitimate interests in ensuring high-quality customer service. Certain processing may furthermore be based on legal obligations, independent of the services provided, such as obligations under AML legislation or accounting laws.

​

As a general rule, Lagaviti collects personal data directly from customers or their contacts. Personal data may also be obtained from third parties, such as Creditinfo, public authorities, courts, customer service providers, counterparties, or others. Personal data may also be collected from publicly available sources on the internet, including websites, social media, and databases. Where personal data is obtained from third parties in other cases, the Company will seek to inform customers accordingly.

​

Personal data relating to customers and their representatives collected in connection with the establishment of a business relationship is retained for four (4) years following the end of the relationship. Data subject to accounting legislation is retained for seven (7) years following the end of the relevant financial year. Personal data related to the Company’s core software development or services may generally be retained for a longer period where necessary for the establishment, exercise, or defense of legal claims, in accordance with applicable limitation periods, which may extend up to fourteen (14) years. Data may, however, be deleted earlier for operational reasons.

​

4. Processing relating to other contacts and website visitors

​

When individuals contact the Company, Lagaviti generally processes their contact details and communication history.

​

Processing of personal data relating to job applicants is governed by a separate privacy policy, which applicants receive during the recruitment process.

​

When individuals visit the Company’s website, certain data may be processed through the use of cookies. Such processing is governed by Lagaviti’s Cookie Policy, available on the Company’s website. Lagaviti uses only strictly necessary cookies, based on the Company’s legitimate interests, and collects non-identifiable statistical information regarding website usage.

​

5. Direct marketing

​

Lagaviti regularly sends newsletters and invitations to events and training sessions to its customers, customer contacts, and other individuals who have specifically subscribed to the Company’s mailing list. Processing of email addresses for these purposes is based on the Company’s legitimate interests in marketing and in providing high-quality service.

​

You may unsubscribe from Lagaviti’s mailing list at any time by completing the relevant form available on the Company’s website. The Company also regularly reminds recipients of their right to unsubscribe.

​

6. Disclosure to third parties

​

Lagaviti may disclose your personal data to third parties, for example in connection with contractual relationships, software development, or the provision of services to you or the entity you represent. This may include disclosure to debt collection agencies, external advisors, consultants, or contractors.

​

Personal data may also be disclosed where permitted or required by law or regulation, including to public authorities, courts, counterparties in disputes, witnesses, customer partners, or other stakeholders. Data may also be disclosed in response to lawful requests such as searches, subpoenas, or court orders.

​

Furthermore, personal data may be shared with third parties providing IT services or other operational support services to the Company.

​

Such third parties may be located outside Iceland. Lagaviti will not transfer personal data outside the European Economic Area unless permitted under applicable data protection legislation, such as through standard contractual clauses, your consent, or adequacy decisions issued by the Data Protection Authority.

​

7. Security of personal data

​

Lagaviti implements appropriate technical and organizational measures to protect personal data, taking into account its nature. These measures are designed to prevent accidental loss or alteration of data and to protect against unauthorized access, copying, use, or disclosure. Security measures include, among other things, access controls and activity logging within the Company’s systems.

​

8. Updates and corrections of personal data

​

It is important that the personal data processed by Lagaviti is accurate and up to date. You are therefore requested to notify the Company of any changes to your personal data.

​

You have the right to have inaccurate personal data corrected. Taking into account the purpose of processing, you also have the right to have incomplete personal data completed, including by providing additional information.

​

9. Your rights regarding personal data

​

You have the right to obtain confirmation as to whether personal data relating to you is being processed and, if so, to access such data and information about the processing. You may also, in certain circumstances, request a copy of the data or request that data you have provided be transmitted directly to a third party.

​

In certain cases, you may request the erasure of your personal data without undue delay, for example where the data is no longer necessary for the purposes for which it was collected or where you withdraw your consent and no other legal basis applies. Where processing is based on consent, you may withdraw such consent at any time.

​

If you do not wish for your data to be erased but want to prevent further processing, you may request a restriction of processing.

​

Where processing is based on the Company’s legitimate interests, you also have the right to object to such processing.

​

These rights are not absolute. The Company may be required by law to refuse certain requests or may refuse requests in order to protect its own rights (e.g. intellectual property) or the rights of others (e.g. privacy), where such rights outweigh your interests.

​

If a request cannot be fulfilled, the Company will seek to explain the reasons for refusal, subject to legal limitations.

​

10. Inquiries and complaints

​

If you wish to exercise your rights under Sections 8–9 of this policy, or if you have any questions regarding this Privacy Policy or the processing of your personal data, please contact the Data Protection Officer as referred to in Section 11.

​

If you are dissatisfied with the Company’s processing of your personal data, you may submit a complaint to the Icelandic Data Protection Authority (www.personuvernd.is).

​

11. Contact details

​

The Company has appointed a Data Protection Officer to oversee compliance with this Privacy Policy:

​

Jóhannes Eiríksson
Email: johannes@lagaviti.is
Phone: +354 777 1528

 

Company contact details:

 

Lagaviti ehf.
Nýlendugata 14
101 Reykjavík
Iceland

 

12. Review

​

Lagaviti may amend this Privacy Policy from time to time in response to changes in data protection legislation or changes in how personal data is processed.

​

Any amendments shall take effect upon publication of an updated version on the Company’s website.

​

This Privacy Policy was adopted on 17 June 2024.