Privacy Policy
**Version 1.0** | **Effective date: [to be completed]**
1. Data Controller
The controller of your personal data is **GastroBridge**, with its registered office at **[ADDRESS, Reykjavík, Iceland]**, kennitala: **[KENNITALA]** ("Controller", "we").
Contact for data protection matters: **info@gastrobridge.com**
2. What data we collect
2.1 User account data
First and last name, email address, phone number (optional), password (stored exclusively as a cryptographic hash in the Firebase Authentication system - the Controller has no access to passwords in plain text).
2.2 Organisation data
Legal company name, kennitala (company identification number), VAT number (VSK), registered address, delivery address, warehouse address, bank account number (IBAN), organisation email address, organisation phone number, invoice email address, payment terms, shipping configuration.
2.3 Operational data
Login history, account configuration, actions performed in the dashboard (e.g. placing orders, managing catalogues), order and enquiry metadata.
2.4 Billing data
Subscription information, payment history for the Service, invoice data relating to subscriptions. Payments are processed by Stripe - the Controller does not store full payment card details.
2.5 Technical data
IP address, browser headers (user agent), cookies, error logs, Google Analytics data (if you give consent - see section 9).
3. Purposes and legal bases of processing
Processing is carried out on the basis of Regulation (EU) 2016/679 (GDPR), applicable in Iceland under the Agreement on the European Economic Area, and Icelandic Act No. 90/2018 on the protection of personal data (lög um persónuvernd og vinnslu persónuupplýsinga).
| Purpose | Legal basis | Description |
|---|---|---|
| Providing the service | Art. 6(1)(b) GDPR | Performance of a contract - account registration, order management, communication with Sellers, catalogue management |
| Accounting and taxes | Art. 6(1)(c) GDPR | Legal obligation - issuing invoices for Service subscriptions, maintaining the Controller's accounting records, fulfilling the Controller's tax obligations |
| Security and fraud prevention | Art. 6(1)(f) GDPR | Legitimate interest - protection against unauthorised access, fraud detection, security logs |
| Analytics and service improvement | Art. 6(1)(a) GDPR | Consent - Google Analytics, performance measurement, usage analysis (only after consent is given via cookie consent) |
| Marketing of own services | Art. 6(1)(a) GDPR | Consent - newsletter, information about new features, offers (only after voluntary consent is given, revocable at any time) |
4. Data recipients
Your data may be shared with the following categories of recipients, only to the extent necessary to fulfil the purposes described in section 3:
| Recipient | Purpose | Headquarters | Data storage region |
|---|---|---|---|
| Google Cloud Platform | Application hosting (Cloud Run) | USA | EU (europe-west1 / europe-north1) |
| Firebase Authentication (Google) | User authentication | USA | EU |
| MongoDB Atlas (MongoDB Inc.) | Application database | USA | EU (europe-west1) |
| SendGrid (Twilio Inc.) | Transactional email delivery | USA | EU |
| Stripe Inc. | Payment and subscription processing | USA | EU |
| Google Analytics (Google LLC) | Usage analytics (with consent) | USA | EU |
All entities process data on the basis of data processing agreements and in accordance with the Controller's instructions.
Additionally, data may be disclosed to public authorities entitled under applicable law (e.g. Skatturinn, Ríkisskattstjóri).
The Controller does not sell personal data and does not share it for third-party advertising purposes.
5. Data transfers outside the EEA
The data processors listed in section 4 are headquartered in the United States. Data is stored on servers in the EU region; however, due to the processors' headquarters, access to data from US territory may occur.
Iceland is a member of the European Economic Area (EEA). Legal basis for data transfers to the USA: the European Commission's adequacy decision under the EU-US Data Privacy Framework (decision of 10 July 2023), also adopted by the EEA Joint Committee. All listed entities are certified under this programme.
Additionally, as a supplementary safeguard, we use EU Standard Contractual Clauses (SCCs) with data processors.
6. Data retention periods
| Data category | Retention period | Basis |
|---|---|---|
| Account data | Duration of the contract + 4 years after termination | General limitation period under Icelandic law (Act No. 150/2007) |
| Invoice and tax data | 7 years from the end of the tax year | Icelandic tax law (Act No. 90/2003, Art. 40) |
| Technical and security logs | Up to 12 months | Legitimate interest |
| Backups | Up to 30 days | Business continuity |
| Marketing data | Until consent is withdrawn | User consent |
| Analytics data (Google Analytics) | Up to 14 months | GA4 configuration, user consent |
After retention periods expire, data is deleted or anonymised.
7. Your rights
Under the GDPR and Icelandic Act No. 90/2018, you have the following rights:
- **Access** - you may request information about processed data (Art. 15)
- **Rectification** - you may correct inaccurate data (Art. 16)
- **Erasure** - you may request deletion of data, subject to legal obligations (Art. 17). GastroBridge provides a self-service account deletion feature in the application settings with email confirmation.
- **Restriction of processing** - you may request restriction in certain situations (Art. 18)
- **Data portability** - you may receive data in a structured format (Art. 20)
- **Objection** - you may object to processing based on legitimate interest (Art. 21)
- **Withdrawal of consent** - you may withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal (Art. 7(3))
You may submit requests regarding your rights to: **info@gastrobridge.com**. We will respond within 30 days.
Complaint to a supervisory authority
You have the right to lodge a complaint with the Icelandic data protection authority:
**Persónuvernd**
Rauðarárstígur 10, 105 Reykjavík, Iceland
www.personuvernd.is
If you are established in another EEA state, you may also lodge a complaint with the supervisory authority in your country.
8. Data security
We apply the following data protection measures:
- Transport encryption (TLS/HTTPS)
- Encryption at rest
- Role-based access control (RBAC)
- Passwords stored exclusively as cryptographic hashes (Firebase Auth)
- Regular backups
- Security monitoring and updates
9. Cookies
9.1 Essential (no consent required)
| Cookie | Purpose | Lifetime |
|---|---|---|
| __session | User session maintenance | Session |
| gb_cookie_consent | Storing cookie preferences | 12 months |
9.2 Analytical (consent required)
| Cookie | Purpose | Lifetime |
|---|---|---|
| _ga | Google Analytics - user identification | 14 months |
| _ga_[ID] | Google Analytics - session state | 14 months |
Analytical cookies are loaded only after consent is given via the cookie consent banner. You may change your preferences at any time by clicking "Cookie settings" in the page footer.
10. Children's data
The GastroBridge service is a B2B platform intended for business entities. It is not directed at persons under 16 years of age and we do not knowingly collect data from such persons.
11. Changes to the Privacy Policy
We reserve the right to amend this Policy. We will inform you of material changes by:
- Notification in the Service
- Email to the address associated with your account
Material changes (e.g. new processing purposes, new data recipients) may require renewed consent. Continued use of the Service after minor editorial changes take effect constitutes acceptance thereof.
The current version of the Policy is always available at: [URL]/privacy
12. Contact
**GastroBridge**
Email: **info@gastrobridge.com**