+354 625 0200

WhatsApp us

Follow us:

Navigation map background
Icebike Adventures Logo

Rent a bike

Navigation map background
Icebike Adventures Logo

Rent a bike

Navigation map background
Icebike Adventures Logo
Hero Icebike Adventures background

Legal

Privacy Policy

Icebike Adventures ehf.

Dælustöðvarvegur 8, 270 Mosfellsbær, Iceland

Kennitala: 670312-1000

Version 2.0

Last updated: April 2026

This Privacy Policy explains how Icebike Adventures ehf. ("Icebike Adventures", "we", "us", "our") collects, uses and protects your personal data when you book a tour, visit our website at icebikeadventures.com, or otherwise communicate with us. We are committed to handling your information lawfully, transparently and responsibly.

1. Who we are

Icebike Adventures ehf. is a licensed tour operator and travel agency registered in Iceland. We act as the data controller for personal data processed in connection with our services.

Iceland applies the EU General Data Protection Regulation (GDPR) through its EEA membership, implemented domestically by Act No. 90/2018 on Data Protection and the Processing of Personal Data. Your rights and our obligations are governed by this Act and the GDPR.

For privacy enquiries, contact: info@icebikeadventures.com

2. What personal data do we collect

We collect only the information needed to provide our services safely and efficiently. Depending on how you interact with us, this may include:

Booking and identity information

  • Full name, email address, phone number and country of residence

  • Date of birth (required for certain tours and guide safety records)

  • Passport or ID details where required by Icelandic law or our insurance providers

Health and fitness information

  • Self-declared fitness level and relevant tour experience

  • Any medical conditions, allergies or accessibility needs you choose to share with us so we can deliver the activity safely

This is treated as special category data under Article 9 GDPR. We process it only with your explicit consent (Article 9(2)(a)) and, where necessary, to protect your vital interests during the tour (Article 9(2)(c)).

Payment information

  • Payment card details, processed directly by Teya. We do not store full card numbers or CVV codes on our systems

  • Billing address and transaction records

Website and communication data

  • IP address, device and browser information collected via cookies (see Section 8)

  • Enquiry, booking and correspondence records

  • Marketing preferences, where you have opted in

Photographs from tours

  • Photographs taken during your tour for delivery to participants. See Section 7 for how these are handled.

Liability waivers

Before joining a tour, you sign an electronic liability waiver via Smartwaiver. The waiver captures:

  • Your full name, date of birth and contact details

  • Emergency contact details

  • Self-declared health, fitness and medical disclosures relevant to safe participation

  • Your electronic signature, the date and time of signing, and the IP address used

Where the waiver includes health or medical disclosures, this is treated as special category data under Article 9 GDPR and processed on the basis of explicit consent (Art. 9(2)(a)) and vital interests (Art. 9(2)(c)).

3. How and why we use your data

We process your personal data only for specific, legitimate purposes:

  • Processing your booking and managing your reservation via Planyo. Legal basis: performance of a contract (Art. 6(1)(b)).

  • Processing payment via Teya. Legal basis: performance of a contract (Art. 6(1)(b)).

  • Sending booking confirmations, pre-trip information and post-trip follow-up. Legal basis: performance of a contract (Art. 6(1)(b)).

  • Processing health and fitness information for safe activity delivery. Legal basis: explicit consent (Art. 9(2)(a)) and vital interests (Art. 9(2)(c)).

  • Maintaining participant safety and incident records. Legal basis: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).

  • Meeting accounting, tax, insurance and other legal obligations. Legal basis: legal obligation (Art. 6(1)(c)).

  • Sending marketing emails and newsletters. Legal basis: consent (Art. 6(1)(a)), withdrawable at any time.

  • Improving our website and services through analytics. Legal basis: consent for non-essential cookies (Art. 6(1)(a)); legitimate interests for aggregate, non-identifying analysis (Art. 6(1)(f)).

  • Collecting and storing signed liability waivers via Smartwaiver, to confirm participation, manage risk and meet our insurance and legal obligations. Legal basis: performance of a contract (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)). Where waivers include health information, also explicit consent under Art. 9(2)(a) and vital interests under Art. 9(2)(c).

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you.

4. Children's data

Some of our tours are suitable for families. Where a participant is under 18, the booking and any health information must be provided by a parent or legal guardian, who is responsible for confirming consent on the child's behalf. We do not knowingly collect personal data directly from children under 13 through our website or marketing channels. If you believe we have collected such data, please contact us and we will delete it.

5. Third-party processors and recipients

We work with a small number of carefully selected providers who process personal data on our behalf under data processing agreements. They are required to handle your data securely and in line with GDPR.

Planyo (booking platform)

Operated by Xtreeme Sagl (Switzerland). Reservations and customer records are stored on AWS servers located in Zurich, Switzerland. Switzerland holds an EU adequacy decision, so transfers do not require additional safeguards. Privacy details: planyo.com/privacy.

Teya (payment processing)

Licensed payment service provider regulated within the EEA. Teya processes card data under its own GDPR-compliant privacy notice. Privacy details: teya.com/legal/privacy-policy.

Smartwaiver (digital waivers)

Operated by Smartwaiver, LLC, based in Bend, Oregon, USA. Smartwaiver collects, processes and stores your signed liability waiver on our behalf. Data is hosted on Smartwaiver's US infrastructure and is therefore transferred outside the EEA. To safeguard this transfer, we have a Data Processing Agreement with Smartwaiver incorporating the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor), supported by appropriate technical and organisational measures including encryption in transit and at rest and strict access controls. Waivers are accessible only to authorised Icebike Adventures staff. More information at smartwaiver.com/legal/privacy-policy.

Google (Analytics, Tag Manager, Ads) and Meta (Pixel)

With your consent, we use Google Analytics, Google Tag Manager, Google Ads and the Meta Pixel to measure website performance and marketing effectiveness. These services may transfer data to the United States. We rely on Standard Contractual Clauses and the EU-US Data Privacy Framework (where the recipient is certified) as the safeguard for these transfers. You can withdraw consent at any time via our cookie banner. Google Analytics opt-out: tools.google.com/dlpage/gaoptout.

Other recipients

  • Local guides and partners, limited to the information needed to deliver your tour safely (name, contact, experience level, relevant health info)

  • Public authorities, where we are legally required to disclose information

We do not sell, rent or trade your personal data to any third party for marketing purposes.

6. How long do we keep your data

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law:

  • Booking and tour records: 7 years (Icelandic accounting and tax law).

  • Payment records: 7 years (financial record-keeping obligations).

  • Safety and incident records: 10 years (insurance and liability requirements).

  • Signed liability waivers: 10 years (insurance and liability requirements, aligned with safety and incident records).

  • Marketing data: until you withdraw consent or unsubscribe, with a maximum dormancy of 24 months from your last engagement.

  • Website enquiries and correspondence: 3 years from last contact.

  • Tour photographs: 12 months in our private gallery, then deleted unless retained with consent for marketing.

7. Photographs from tours

Our guides may take photographs during tours and share them with participants through a private gallery link (hosted on Picflow). Galleries are accessible only to people who were on that specific tour and expire after a defined period.

We do not publish identifiable photographs of participants on our website, social media or other marketing channels without your separate, explicit consent. You can ask us at any time to remove photographs of you by emailing info@icebikeadventures.com.

8. Cookies and tracking technologies

What are cookies?

Cookies are small text files sent by a website and saved on the end device (computer, tablet, smartphone) that you use while browsing pages. They allow the site to recognise your browser and remember certain information between visits.

Consent management via the cookie banner

During your first visit to our website, a banner informing you about cookies is displayed. You have the option to voluntarily consent to all cookies, reject them (except for essential ones), or adjust your preferences. You can change these settings at any time from our website. Withdrawing consent does not affect the lawfulness of any processing carried out before you withdrew it.

List of technologies and cookies used on the website:

  • Essential cookies: Necessary for the proper functioning of the website and the booking flow, and for remembering your cookie banner preferences. These cannot be disabled.

  • Planyo (booking platform): Session and security cookies needed to load and operate the online tour booking system.

  • Google Analytics 4 / Google Tag Manager / Google Search Console: Used for traffic tracking, aggregate statistics and monitoring website performance in search results.

  • Google Ads / Meta Pixel: Used to promote Icebike Adventures, tailor advertisements on Google, Facebook and Instagram, and measure their effectiveness.

  • Framer Analytics: Analytical tooling built into the platform that hosts our website, used to measure site performance.

  • Smartwaiver: Session cookies needed to load and operate the digital waiver during your booking.

International transfers

Some of the providers above (Google, Meta, Smartwaiver) transfer data to the United States. Where the recipient is certified under the EU-US Data Privacy Framework (Google, Meta), we rely on the Framework. For other providers (Smartwaiver), we rely on Standard Contractual Clauses supported by appropriate technical and organisational measures. See Section 5 for processor-by-processor detail.

How to disable cookies in your browser

Regardless of the banner on our website, you can manage cookies directly in your browser settings. Instructions for the most popular browsers:

For Google Analytics specifically, you can install the Google Analytics opt-out add-on.

You can also find general information about cookies online, for example at allaboutcookies.org.

Blocking essential cookies will break parts of the site, including the booking flow.

9. Data security

We use appropriate technical and organisational measures to protect your information against unauthorised access, loss or misuse. These include:

  • TLS/SSL encryption for data in transit

  • Encrypted storage and restricted access controls for booking and customer data

  • Regular backups and security reviews

  • Payment data handled exclusively by Teya using industry-standard encryption and tokenisation

  • Booking data stored on Planyo's secure, GDPR-compliant servers in Switzerland

In the event of a personal data breach likely to affect your rights and freedoms, we will notify Persónuvernd within 72 hours and inform affected individuals by email without undue delay.

10. Your rights

Under the GDPR and Icelandic Act No. 90/2018, you have the right to:

  • Access the personal data we hold about you

  • Rectification of inaccurate or incomplete data

  • Erasure of your data where we have no legitimate reason to continue holding it

  • Restriction of processing in certain circumstances

  • Data portability in a structured, machine-readable format

  • Object to processing based on our legitimate interests, or to direct marketing at any time

  • Withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at info@icebikeadventures.com. We will respond within 30 days. We may need to verify your identity before acting on your request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Icelandic Data Protection Authority:

  • Persónuvernd

  • Rauðarárstígur 10, 105 Reykjavík, Iceland

  • Web: personuvernd.is

  • Phone: +354 510 9600

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The current version will always be available on our website. Where changes are material, we will notify existing customers by email.

A summary of changes will be maintained at the foot of this page.

12. Contact us

For any questions about this Privacy Policy or how we handle your personal data:

Icebike Adventures ehf.

Dælustöðvarvegur 8, 270 Mosfellsbær, Iceland

Email: info@icebikeadventures.com

Web: icebikeadventures.com