Privacy Policy
MovingToIceland.com
Last updated: 22 Feb 2026
Effective: 22 Feb 2026
At a Glance
We know privacy policies are long. Here's what matters most, in plain language:
Your data, your control. You can export all your data, edit your profile, or delete your account at any time - right from your dashboard.
We don't sell your data. We never sell personal information to third parties. Period.
Partners only get what you send them. When you submit a car or apartment inquiry, the partner dealership or landlord receives only the details from that form. They don't get access to your account or browsing data.
Analytics are consent-gated. Third-party analytics tools (Google Analytics, Microsoft Clarity) are never loaded unless you opt in via our cookie banner.
Your database lives in the EU. Our primary database is hosted in Germany. We use appropriate safeguards for any US-based service providers.
Account deletion is real. When you delete your account, your personal data is permanently removed after a 14-day grace period.
No kids. The platform is for adults (18+). We do not knowingly collect data from minors.
The full details follow below. If you have questions, email us at [email protected].
1. Who We Are
MovingToIceland.com is Iceland's dedicated relocation platform, helping people plan, carry out, and settle into life in Iceland. For the purposes of data protection law, we are the data controller for the personal data described in this policy.
| Field | Details |
|---|---|
| Operator | |
| Contact email | |
| Data Protection Officer | |
| Website | |
2. Personal Data We Collect
We collect personal data only when it is necessary to provide the services you use on our platform. Below is a complete overview of what we collect, why, and the legal basis under GDPR.
2.1 Account Registration
Email address, password (bcrypt-hashed, never stored in plaintext), and display name.
Optional: Google OAuth sign-in, which imports your Google profile name and avatar URL.
Legal basis: Contract - necessary to provide the service.
2.2 User Profile
Display name (editable) and avatar (optional upload).
Your email address is set at registration and cannot be changed through the interface.
Legal basis: Contract.
2.3 Apartment Inquiries
Full name, email, phone number, budget range, preferred locations, bedrooms, furnished preference, pet status, property type, relocation timeline, kennitala status, household size, must-haves, and any additional notes you provide.
Tracking metadata: UTM source/medium/campaign, referrer URL, and IP address (for rate limiting only; not stored long-term).
Legal basis: Consent - you actively submit the inquiry form.
Shared with: Our housing partners (landlords, property managers) receive your name, email, phone, and inquiry details via email. Partners process this data as independent data controllers under their own privacy policies.
2.4 Car Inquiries
Full name, email, phone number, budget range, car type preference, preferred location, purchase timeline, usage types, must-have features, and additional notes.
Tracking metadata: UTM parameters, referrer, IP address (rate limiting only).
Legal basis: Consent.
Shared with: Our dealership partners, who receive your name, email, phone, and inquiry details via email. Partners process this data as independent data controllers.
2.5 Insurance Quotes (Coming Soon)
Age, driving experience, accident history, vehicle details, coverage types, and annual mileage.
Legal basis: Consent.
May be shared with: Insurance partners via email.
2.6 Store Orders (Coming Soon)
Email, customer name, and shipping address (for physical items).
Guest checkout is supported (no account required). Payment processing will be handled by a third-party payment provider.
Legal basis: Contract - necessary for order fulfilment.
2.7 Job Employer Profiles
Company name, email, website, description, location, company size, industry, type, and logo.
Company profiles and job listings are publicly displayed on the jobs board.
Legal basis: Contract.
2.8 Newsletter Subscription
Email address only.
You can unsubscribe at any time via the link in every email.
Legal basis: Consent - explicit opt-in.
2.9 Contact Form
Name, email, subject (optional), and message.
Messages are emailed to our team but not stored in the database.
Legal basis: Legitimate interest - responding to your inquiry.
2.10 Personal Notes
Note title, rich-text content, tags, and optional links to jobs, apartments, cars, or events.
Retained until you delete the note or your account.
Legal basis: Contract.
2.11 Checklist Progress
Checklist item completion status, timestamps, and optional item-level notes.
Legal basis: Contract.
2.12 Event RSVPs
RSVP status (interested or going) and timestamps.
Legal basis: Contract.
2.13 Car Marketplace Listings
Vehicle details (make, model, year, mileage, fuel type, transmission, etc.), price, city, optional contact email and phone, and listing photos.
Listings are publicly displayed on the marketplace.
Legal basis: Contract.
2.14 Apartment Preferences & Applications
Budget, preferred locations, bedrooms, furnished preference, pet status, move-in dates, viewing requests, and application messages.
Legal basis: Contract.
2.15 Reflections & Journal Entries
Prompted reflection responses triggered by relocation journey milestones.
Legal basis: Contract - part of the gamified relocation journey feature.
3. Relocation Journey (Gamification)
The platform includes an optional gamification feature called the "Relocation Journey." It tracks engagement across the platform to help you stay organised and motivated during your move.
What is tracked
XP (experience points) earned from activities such as completing checklist items, reading articles, playing language games, RSVPing to events, writing notes, and submitting reflections.
Streaks: consecutive days of activity, with streak freezes available.
Tier progression: Newcomer → Explorer → Planner → Prepared → Settler → Local → Icelander at Heart, based on cumulative XP.
Achievements and badges triggered by specific accomplishments.
Weekly challenges auto-generated by tier.
Daily XP caps to prevent abuse.
Your control
Opt out at any time: You can disable gamification entirely from your dashboard settings. When disabled, XP is not tracked and the journey interface is hidden.
Legal basis: Contract (feature of the service), with opt-out available.
4. Automated Tracking & Analytics
4.1 Server-Side Page View Analytics (First-Party)
We operate our own lightweight, first-party analytics system to understand how people use the site.
Data collected: page path, locale, device type (from user agent), referrer hostname (external only), user agent string.
IP handling: IP addresses are never stored in plaintext. We use a SHA-256 hash with a daily-rotating salt, making cross-day correlation impossible.
Raw page views are purged after 90 days. Only aggregated, non-personal statistics are kept longer.
Legal basis: Legitimate interest.
4.2 Third-Party Analytics (Consent Required)
The following tools are only loaded if you explicitly opt in via our cookie banner:
Google Analytics 4 (GA4): Website usage analytics. Processed by Google LLC (US). Covered by the EU-US Data Privacy Framework.
Microsoft Clarity: Session heatmaps and click analytics. Processed by Microsoft Corporation (US). Covered by the EU-US Data Privacy Framework.
4.3 Article Read Tracking
For logged-in users, we record when you read an article (article identifier, user ID, timestamp) for XP awards and your reading history.
Each article is tracked only once per user.
Legal basis: Contract (part of the gamification system).
4.4 Outbound Link Click Tracking
When you click an external link within an article, we record the article, link URL, link text, domain, IP hash, and user agent for content quality analysis.
Legal basis: Legitimate interest.
4.5 Partner Click Tracking (Marketing Consent Required)
Click events on partner and affiliate links, including partner ID, session ID, link type, page URL, and user agent.
Only active if you have consented to "Marketing" cookies.
Legal basis: Consent.
5. Cookies & Local Storage
5.1 Strictly Necessary (No Consent Required)
Supabase authentication session cookies (JWT-based, refreshed on every request).
CSRF tokens for form security.
Auth redirect cookie (temporary, 600-second TTL) to prevent open redirects during OAuth flows.
5.2 Functional (No Consent Required)
Dashboard layout preferences (stored in browser localStorage).
Weather city selection, theme preference (dark/light mode), and cookie consent choices.
These are never sent to our servers unless you take an explicit action.
5.3 Analytics Cookies (Consent Required)
Google Analytics cookies (_ga, _ga_*) and Microsoft Clarity cookies are set only if you consent to the "Analytics" category in our cookie banner.
5.4 Marketing Cookies (Consent Required)
Partner attribution tracking cookies are set only if you consent to the "Marketing" category.
Cookie consent mechanism
Our cookie banner provides separate toggles for Analytics and Marketing categories. You can change your preferences at any time. Consent choices are logged (action type, category selections, locale, device type, IP hash, page URL, timestamp) for proof-of-consent purposes and retained for 12 months.
6. Third-Party Data Processors
We use the following service providers to operate the platform. Each processes data on our behalf under a data processing agreement.
| Processor | Purpose | Location |
|---|---|---|
| Supabase (Supabase Inc.) | Database, authentication, file storage | EU |
| Resend (Resend Inc.) | Transactional email delivery | US (EU-US DPF) |
| Google LLC (GA4, GTM) | Website analytics (consent-gated) | US (EU-US DPF) |
| Microsoft Corp. (Clarity) | Session analytics (consent-gated) | US (EU-US DPF) |
| Open-Meteo | Weather data (no personal data) | EU |
Independent data controllers
When you submit an inquiry form, the relevant partner receives your inquiry details. These partners process your data under their own privacy policies and are independent data controllers:
Housing partners: Landlords and property managers who receive apartment inquiry data.
Car dealership partners: Dealerships who receive car buying inquiry data.
7. International Data Transfers
Our primary database (Supabase) is hosted in Germany within the European Union. No international transfer clauses are required for core data storage.
Resend (email delivery), Google, and Microsoft are US-based providers. All are covered by the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
We do not transfer personal data to countries without adequate protection unless appropriate safeguards are in place.
8. Data Retention
We keep your data only as long as necessary for the purposes described. Here is a summary:
| Data Category | Retention |
|---|---|
| Account data | Until deletion + 14-day grace period |
| Gamification data | Cascade-deleted with account |
| Personal notes | Until you delete or account deletion |
| Checklist progress | Cascade-deleted with account |
| Store orders | Anonymised on account deletion (user_id set to null) |
| Inquiries (car/apt) | Anonymised on account deletion |
| Insurance quotes | Anonymised on account deletion |
| Raw page view analytics | 90 days, then aggregated |
| Cookie consent logs | 12 months |
| Newsletter subscription | Until you unsubscribe |
| Admin audit logs | Indefinite (security requirement) |
9. Account Deletion
You can request account deletion from your profile settings at any time.
How it works
Submit a deletion request from your profile settings.
Confirm by re-entering your password (email/password users) or typing "DELETE" (OAuth users).
A 14-day grace period begins. During this time, you can cancel by logging back in.
After 14 days, the following happens automatically:
All personal data is permanently deleted (profile, notes, preferences, journey data, checklists, language progress, saved items, event RSVPs, applications).
Store orders, inquiries, and insurance quotes are anonymised (user_id set to null) rather than deleted, for legal, tax, and partner record purposes.
All uploaded files (images, documents) are removed from storage.
Your authentication record is permanently deleted.
A confirmation email is sent to your email address.
You may optionally provide a reason for leaving (max 500 characters), but this is never required.
10. Data Export
You can download a complete export of your data at any time from your profile settings.
Format: ZIP archive containing JSON files.
Rate limit: One export per 24 hours.
Contents include: Profile data, events and RSVPs, car listings and inquiries, apartment data, saved jobs, store orders, language learning progress, checklists, dashboard preferences, insurance quotes, personal notes, full journey data (XP, transactions, achievements, milestones, challenges, articles read, reflections), and export history.
Administrators can also trigger an export of any user's data in response to a formal Subject Access Request. All admin exports are logged.
11. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR) as implemented in Iceland, you have the following rights:
Right of access (Article 15): Request a copy of your personal data. Use the self-service export in your profile settings, or contact us.
Right to rectification (Article 16): Correct inaccurate data. You can edit your profile, notes, and preferences at any time.
Right to erasure (Article 17): Delete your account and personal data. See Section 9 above.
Right to restrict processing (Article 18): Contact our Data Protection Officer at [email protected].
Right to data portability (Article 20): Export your data in a machine-readable JSON format. See Section 10 above.
Right to object (Article 21): Opt out of gamification tracking, withdraw cookie consent at any time, or unsubscribe from newsletters.
Right to withdraw consent (Article 7): Cookie preferences can be changed anytime. Newsletter subscriptions can be cancelled. Account deletion is available at any time.
Right to lodge a complaint: You may file a complaint with Persónuvernd (the Icelandic Data Protection Authority), Rauðarárstígur 10, 105 Reykjavík, Iceland, or with your local supervisory authority.
12. Security Measures
We take the security of your data seriously. The following measures are in place:
All data is transmitted over HTTPS with HSTS (2-year max-age, preloaded).
Passwords require a minimum of 12 characters with complexity requirements (per NIST SP 800-63B) and are bcrypt-hashed by our authentication provider. Passwords are never accessible to the application.
Row-Level Security (RLS) is enabled on all sensitive database tables, ensuring users can only access their own data.
Admin access is protected by CSRF validation, role-based access control, and audit logging of every action.
Rate limiting is applied on all public endpoints to prevent abuse.
Content Security Policy (CSP) headers restrict script sources, frame embedding, and form actions.
IP addresses are never stored in plaintext (SHA-256 hashed with daily-rotating salt).
Security headers include X-Frame-Options DENY, X-Content-Type-Options nosniff, and strict Referrer-Policy.
Camera, microphone, geolocation, and payment APIs are disabled via Permissions-Policy.
File uploads have EXIF metadata stripped, file types validated via magic bytes, and SVG files are blocked.
Suspended or banned users cannot access the platform and may appeal through a formal process.
13. Children
MovingToIceland.com is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
14. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or data practices. When we make material changes, we will notify you by posting a prominent notice on the website and, where practical, by email to registered users.
We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
15. Governing Law & Supervisory Authority
This privacy policy is governed by Icelandic law, including the Icelandic Act on Data Protection (lög um persónuvernd og vinnslu persónuupplýsinga nr. 90/2018), which implements the GDPR in Iceland as a member of the European Economic Area.
Supervisory authority: Persónuvernd (Icelandic Data Protection Authority), Rauðarárstígur 10, 105 Reykjavík, Iceland. Website: www.personuvernd.is
16. Contact Us
If you have questions about this privacy policy, your personal data, or wish to exercise any of your rights, please contact us:
Email: [email protected]
Website: movingtoiceland.com/contact