Privacy Policy
Last updated: May 2026
Kodiak Travel ehf. ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and Icelandic data protection law.
1. Who We Are
Kodiak Travel ehf.
Langalína 2, 210 Garðabær, Iceland
Email: [email protected]
We are the data controller for the personal data you provide through this website.
2. What Data We Collect
We collect the following personal data when you submit a booking request or contact form:
- Identity data: Full name
- Contact data: Email address, phone number
- Address data: Street address, city, postal code, country
- Travel data: Pickup date, return date, flight number (optional)
- Transaction data: Booking details, selected extras, insurance choice, pricing
- Communications: Messages sent via our contact form
- Technical log data: IP address, browser type (user agent), pages visited, and timestamps — collected automatically by our server for security purposes
We do not collect payment card details directly — payments are processed via PayPal's secure platform.
3. How We Use Your Data
We use your personal data for the following purposes:
- Contract performance: To process your booking request, confirm availability, send payment links, and provide the rental service.
- Communications: To respond to your enquiries and send booking-related emails (confirmation, payment link, pickup details).
- Legal obligations: To comply with applicable laws, tax requirements, and vehicle rental regulations in Iceland.
- Legitimate interests: To maintain records of rentals for safety, insurance claims, and dispute resolution purposes.
We do not use your data for marketing purposes without your explicit consent. We do not sell your data to third parties.
4. Legal Basis for Processing
- Contract: Processing is necessary to perform the rental contract (Article 6(1)(b) GDPR).
- Legitimate interests: Maintaining business records and responding to enquiries (Article 6(1)(f) GDPR).
- Legal obligation: Compliance with Icelandic law (Article 6(1)(c) GDPR).
5. Data Retention
We retain booking records for 7 years following the rental in accordance with Icelandic accounting and tax law. Contact enquiries are retained for 2 years unless a longer retention period is required. After these periods, data is securely deleted.
6. Data Sharing
We share your data only as necessary:
- PayPal: Your booking details are shared with PayPal to process payment. PayPal acts as a separate data controller. See PayPal's privacy policy for details.
- Microsoft (email): We use Microsoft 365 to send and receive emails. Microsoft processes email data as a data processor under appropriate safeguards.
- Legal authorities: Where required by Icelandic law or a court order.
7. International Transfers
Your data may be processed in the European Economic Area (EEA) by our technology providers. Any transfers outside the EEA are protected by appropriate safeguards (Standard Contractual Clauses or adequacy decisions).
8. Your Rights
Under GDPR you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Request deletion of your data where there is no legal reason to retain it.
- Restriction: Ask us to restrict processing of your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Cookies and Local Storage
Our website uses only essential functional storage (browser localStorage) to remember your booking progress and language preference. We do not use tracking cookies, advertising cookies, or third-party analytics of any kind.
All fonts and assets are self-hosted on our server. No data is sent to Google or any other third party as a result of loading this website.
During the payment process, PayPal may set cookies on your device. These are strictly necessary to complete the transaction and are governed by PayPal's Privacy Policy.
10. Security and Server Logs
We take reasonable technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. All data is transmitted over encrypted HTTPS connections.
For website security, our server automatically logs each request, recording the visitor's IP address, browser type, page accessed, and timestamp. This data is used solely to detect and block malicious activity (such as automated attacks, SQL injection attempts, and scanning bots). IP addresses are personal data under GDPR; we process them on the basis of our legitimate interests in protecting the security and integrity of this website (Article 6(1)(f) GDPR).
Security logs are retained for a maximum of 90 days, after which they are automatically and permanently deleted. They are not shared with third parties and are not used for any purpose other than security.
11. Complaints
If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd): www.personuvernd.is
12. Changes to This Policy
We may update this Privacy Policy from time to time. The current version is always available on this page with the date of the last update.
13. Contact
For any privacy-related questions:
Kodiak Travel ehf.
Langalína 2, 210 Garðabær, Iceland
Email: [email protected]