Reykjavík Shuttle (“we”, “us”, or “our”) is committed to protecting your privacy and handling your personal data with transparency and care, in full compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Icelandic data protection law.

This Privacy Policy explains what personal data we collect, how we use it, and what rights you have. If you have any questions, please contact us using the details at the bottom of this page.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

Reykjavík Shuttle (operated by HN Transfer)
Iceland
Website: https://reykjavikshuttle.is

2. What Personal Data We Collect

We only collect the personal data that is necessary to provide our transfer services. This may include:

  • Contact information: Name, email address, phone number
  • Booking details: Pickup/drop-off locations, travel dates and times, number of passengers, flight number
  • Payment information: Processed securely via third-party payment processors; we do not store full card details
  • Technical data: IP address, browser type, device information, pages visited, and time spent on the website (collected via cookies — see Section 7)
  • Communications: Messages or enquiries you send us via contact forms or email

3. Legal Basis for Processing

We process your personal data on the following legal grounds under GDPR Article 6:

PurposeLegal Basis
Processing and fulfilling your bookingPerformance of a contract (Art. 6(1)(b))
Sending booking confirmations and service updatesPerformance of a contract (Art. 6(1)(b))
Responding to enquiriesLegitimate interests (Art. 6(1)(f))
Improving our website and servicesLegitimate interests (Art. 6(1)(f))
Sending marketing communications (where opted in)Consent (Art. 6(1)(a))
Analytics and performance cookiesConsent (Art. 6(1)(a))
Complying with legal obligationsLegal obligation (Art. 6(1)(c))

4. How We Use Your Data

We use your personal data to:

  • Confirm, manage, and fulfil your transfer booking
  • Communicate with you before, during, and after your transfer
  • Monitor flights and adjust pickup times accordingly
  • Process payments securely
  • Respond to your questions or complaints
  • Improve our website usability and service quality
  • Comply with legal, regulatory, and tax obligations

We will never sell your personal data to third parties, and we do not use it for automated decision-making or profiling that produces legal effects.

5. Data Sharing & Third Parties

We only share your data with trusted third parties where strictly necessary:

  • Payment processors (e.g., Stripe or similar) to handle transactions securely
  • Booking/scheduling systems used to manage reservations
  • Analytics providers (e.g., Google Analytics) subject to your cookie consent
  • Our drivers, who receive only the information necessary to carry out your transfer (name, pickup details, passenger count)
  • Legal authorities, if required by law or in response to a lawful request

Any third-party processors we work with are bound by data processing agreements in compliance with GDPR Article 28.

6. International Transfers

Some of our third-party service providers (such as analytics tools or payment processors) may be based outside the European Economic Area (EEA). In such cases, we ensure that adequate safeguards are in place — such as the European Commission’s Standard Contractual Clauses (SCCs) — to protect your data to EEA standards.

7. Cookies & Tracking Technologies

Our website uses cookies and similar technologies to enhance your browsing experience, analyse site traffic, and improve our services. Cookies are small text files stored on your device.

Types of cookies we use:

  • Strictly necessary cookies: Essential for the website to function. These cannot be disabled.
  • Analytics cookies: Help us understand how visitors use our site (e.g., Google Analytics). Only set with your consent.
  • Functional cookies: Remember your preferences to provide a better experience. Only set with your consent.
  • Marketing cookies: Used to show relevant advertising. Only set with your consent.

Manage your cookie preferences at any time by clicking the fingerprint button located at the bottom-left corner of the page. You can withdraw or update your consent for non-essential cookies whenever you choose. Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.

8. How Long We Keep Your Data

We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law:

  • Booking records: Retained for up to 7 years for tax and legal compliance
  • Marketing communications: Until you unsubscribe or withdraw consent
  • Cookie/analytics data: As defined by each service provider (typically 13–26 months)
  • General correspondence: Up to 2 years after the last interaction

Once the retention period expires, your data is securely deleted or anonymised.

9. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. You may exercise them free of charge by contacting us (see Section 11):

  • Right of access (Art. 15): Request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data
  • Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”), where applicable
  • Right to restriction of processing (Art. 18): Ask us to limit how we use your data in certain circumstances
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting prior lawful processing

We will respond to all valid requests within 30 days. In complex cases, we may extend this by up to two further months, and we will inform you if this is necessary.

If you believe your data rights have been violated, you also have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd): www.personuvernd.is, or with the supervisory authority in your country of residence within the EU/EEA.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. These include:

  • HTTPS encryption on all website pages
  • Restricted access to personal data on a need-to-know basis
  • Secure payment processing through PCI-DSS compliant providers
  • Regular review of our data security practices

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours in accordance with GDPR Article 33, and inform affected individuals where required under Article 34.

11. Contact Us

For any questions about this Privacy Policy, to exercise your data rights, or to raise a concern, please contact us using our contact form, or to [email protected]

We aim to respond to all data-related enquiries within 30 days.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We encourage you to review this page periodically.