Privacy Policy
Last updated 24 June 2026.
Smidigt ehf. ("Smiðja", "we", "us") operates smidja.gift, where you can buy, gift, and redeem gift certificates for Icelandic artisan studios. This policy explains what personal data we collect, why, who we share it with, and the rights you have.
We process personal data in accordance with the Icelandic Data Protection Act no. 90/2018 and the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
1. Who we are
The data controller is:
- Smidigt ehf. (brand: Smiðja)
- Company ID (kennitala): 550526-0420
- Email: smidja@smidja.gift
If you have any questions about privacy or want to exercise your rights, contact us at the email above.
2. What we collect
We collect only what we need to run the service.
When you buy a gift certificate
- About you (the buyer): name and email address.
- About the recipient (optional): name, email address, your personal message, and a delivery time if you schedule it. You decide whether to give us recipient details; if you do, you are responsible for being allowed to share them with us.
- Shipping details (only for a printed card): name, street address, postal code, and town.
- Order details: amount, number of certificates, delivery method, and which version of our terms you accepted at checkout.
Payment
Card payments are handled by a licensed payment provider. We never store your card number or security code. We only receive confirmation of payment and a transaction reference. If you pay by bank transfer, we receive the information contained in the bank transaction.
If you have an account (studios and administrators)
- Email, name, and a hashed password.
- Two-factor authentication data.
- Technical sign-in information, including IP address and browser/device details, used to protect the account.
Collected automatically
- Usage analytics: we use cookieless web analytics (Umami) that collect anonymous, aggregate statistics such as visit counts and which pages are viewed. This data is not linked to you as an individual.
- Apple Wallet (optional): if you add a certificate to Apple Wallet, we store a device identifier so we can push balance updates.
We do not intentionally collect sensitive personal data, and we ask that you not enter such data into free-text fields (e.g. the personal message).
3. Why we use it, and our legal basis
We use your data for the following purposes, each with its legal basis under the GDPR:
- Process purchases, create and deliver certificates, and redeem them — performance of a contract (Art. 6(1)(b)).
- Send confirmations, receipts, and service notifications — performance of a contract (Art. 6(1)(b)).
- Ship printed cards via a delivery service — performance of a contract (Art. 6(1)(b)).
- Manage and protect accounts (e.g. two-factor authentication, sign-in security) — legitimate interests (Art. 6(1)(f)).
- Send marketing emails (news and offers) — only if you opt in — consent (Art. 6(1)(a)).
- Meet accounting and legal obligations — legal obligation (Art. 6(1)(c)).
- Improve the service using anonymous statistics — legitimate interests (Art. 6(1)(f)).
- Prevent fraud and abuse — legitimate interests (Art. 6(1)(f)).
4. Who we share it with
We never sell your personal data. We share it only with the following parties, and only to the extent necessary:
- Studios (our partners): when a certificate is redeemed at a studio, the studio receives the information needed to verify and complete the redemption. The studio is responsible for the goods or experience it provides in exchange for the certificate.
- Payment provider: to process card payments.
- Delivery service (Dropp): name and address when a printed card is shipped.
- Email service (Resend): to send certificates, receipts, and service emails.
- Hosting and database providers (Vercel, Neon): they run the website and database on our behalf as processors.
- Apple: if you use Apple Wallet, to push balance updates to your device.
All processors act only on our instructions and are bound by contracts requiring confidentiality and data security.
We may also disclose information to public authorities where we are legally required to do so, or to protect our rights.
5. Transfers outside the EEA
Some of our processors (e.g. hosting and email) operate servers in the United States. Where data is transferred outside the European Economic Area, we ensure appropriate safeguards, such as the Standard Contractual Clauses approved by the European Commission.
6. Marketing emails
We send marketing emails (such as news and offers) only to people who have explicitly opted in — for example, by ticking the marketing box at checkout. This box is never pre-ticked. You can withdraw your consent at any time by using the unsubscribe link in any marketing email or by contacting us at smidja@smidja.gift. Withdrawing consent does not affect service emails we need to send you, such as order confirmations and receipts.
7. Cookies and analytics
We use cookieless web analytics that do not collect personally identifiable information for marketing purposes. We use essential browser storage (e.g. to keep you signed in and remember your preferences) that is necessary for the site to function.
8. How long we keep it
We keep personal data only as long as necessary for the purpose:
- Purchase and certificate data is kept for the validity period of the certificate and afterwards for as long as accounting and tax law require (generally seven years).
- Account data is kept while the account is active.
- Anonymous statistics are kept indefinitely, as they are not linked to individuals.
After that, data is deleted or anonymised.
9. Security
We use appropriate technical and organisational measures to protect your data against loss, misuse, and unauthorised access, including encryption of data in transit, hashed password storage, and two-factor authentication for administrators. No transmission over the internet is completely secure, however, and we cannot guarantee absolute security.
You play an important role too: never share your password, and tell us immediately if you suspect unauthorised access.
10. Your rights
Under data protection law you have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your data, subject to legal retention obligations.
- Restriction and objection: ask us to restrict processing, or object to processing based on legitimate interests.
- Portability: receive your data in a machine-readable format.
To exercise your rights, contact smidja@smidja.gift. We will respond as soon as possible and within one month at the latest.
If you believe our processing breaches the law, you may lodge a complaint with the Icelandic Data Protection Authority, Persónuvernd (personuvernd.is).
11. Children
The service is intended for individuals aged 18 and over. We do not knowingly collect personal data about children. If you believe a child has provided us with data, contact us and we will remove it.
12. Changes to this policy
We may update this policy to reflect changes to our service or legal requirements. The latest version is always published on this page with the date of the last update. We will notify you of material changes by appropriate means.
13. Contact
Questions about this policy or your personal data can be sent to smidja@smidja.gift.