Persónuvernðarstefna
Privacy Policy
Last Updated: 19.03.2025
FreelancePay (“we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our services. It also describes your rights under the EU General Data Protection Regulation (“GDPR”) and applicable Icelandic laws.
1. Who We Are
• Controller: FreelancePay is the data controller responsible for processing your personal data under this Privacy Policy when providing invoicing, accounting, or related services (“Service”) to entrepreneurs, freelancers, or single-person companies.
• Contact Details: If you have any questions or concerns, please contact us at:
Email: email protected
Address: [Insert Physical Address]
2. Personal Data We Collect
2.1 Data You Provide Directly
• Account Information: When you register an account, we collect your full name, email address, phone number, and address.
• Identification: We collect your personal identification number (Kennitala) for authentication and legal compliance.
• Invoicing & Financial Data: You may also provide information related to invoices, business transactions, or other financial details to use our Service.
2.2 Data Collected Automatically
• Usage Data (Future): We plan to collect and analyze certain data about how you and others use our services, such as IP addresses, device identifiers, browser types, pages visited, and time spent, for usage analytics and service improvement.
2.3 Cookies and Tracking Technologies
• We use cookies or similar technologies to recognize you and/or your device(s) on our website or platform, remember your preferences, and enhance your experience.
• Types of Cookies We Use:
• Essential Cookies: Necessary for the website or platform to function.
• Analytics Cookies: Help us understand how users interact with our website, so we can improve it.
• You can control or disable cookies through your browser settings, but some features of our Service may not function properly if you do so.
3. How We Use Your Data
We process your personal data for the following purposes:
1. Providing the Service: Creating and managing your account, verifying your identity, facilitating invoicing, bookkeeping, and related support.
2. Compliance: Fulfilling legal obligations, such as tax, accounting, or anti-money laundering requirements in Iceland.
3. Analytics & Improvements (Future): Understanding how users interact with our Service, diagnosing technical issues, and improving our offerings.
4. Marketing & Lead Generation: With your personal data (name and contact info), we may send you offers or newsletters relevant to the Service. We may also prepare to share or sell certain data in the future (see Section 5).
5. Security: Ensuring the security of our platform (e.g., fraud prevention, incident detection).
6. Potential Automated Decision-Making (Future): We may implement automated tools in the future to assist with risk assessment, fraud detection, or analytics. We will update you if this substantially affects your rights.
4. Legal Bases for Processing
Under GDPR, we rely on one or more of the following legal bases:
• Performance of a Contract: Processing is necessary for us to provide the Service you signed up for.
• Legitimate Interests: We have a legitimate interest in processing data for business operations, analytics, lead generation, and certain marketing activities, provided these interests are not overridden by your fundamental rights.
• Legal Obligations: We process data where required by Icelandic/EU financial, tax, and other laws.
Your Right to Object: Where we rely on our legitimate interests (e.g., for marketing or data sharing), you have the right to opt out or object at any time. (See Section 9 for details.)
5. Data Sharing and Potential Sale
5.1 Operational Sharing
We may share your data with:
• Affiliated Companies or Subcontractors who assist in providing our Service (e.g., accounting/tax software, authentication providers, data storage services like Supabase).
• Legal or Government Authorities when required to comply with law, regulation, or valid legal requests.
5.2 Selling or Sharing Data with Third Parties
In the future, we may sell or share certain user data (e.g., names, contact details, aggregated usage data) for:
• Lead Generation
• Direct Marketing by Third Parties
• Data Analytics
• Research Purposes
We will ensure any such transfer complies with GDPR, and we will provide you with notice and an opt-out opportunity where required by law. If the data sharing is based on our legitimate interest, you can also exercise your right to object (see Section 9).
6. International Data Transfers
Currently, we do not transfer personal data outside the European Economic Area (“EEA”). If in the future we use a service provider or store data in a country outside the EEA, we will ensure an adequate level of protection by using Standard Contractual Clauses (SCCs) or other safeguards in accordance with GDPR.
7. Data Retention
We retain personal data as long as necessary to fulfill the purposes described in this Policy or to comply with legal, accounting, or tax obligations, including:
• Financial & Accounting Records: Required to be kept for the period mandated by Icelandic laws, which may exceed a user’s desire to erase data.
• User Accounts: We generally retain your account data until you request deletion or discontinue using our Service. However, if legal obligations require us to keep certain information (e.g., financial transaction records), we will retain that data for the legally required period.
8. Data Security
We are committed to safeguarding your personal data. Our primary data storage is provided by Supabase, which implements:
• Encryption at Rest and in Transit: Your data is encrypted while stored and while transferred.
• Access Controls & Row-Level Security Policies (RLS): We limit who can access specific data and logs.
• Audits & Certifications: We plan to conduct regular security audits and aim to achieve and maintain an ISO 27001 certification, with annual external reviews.
Despite our efforts, no system is 100% secure. If we become aware of a data breach that may pose a high risk to your rights, we will notify you and the relevant supervisory authority as required by law.
9. Your GDPR Rights
Under GDPR (and Icelandic data protection laws), you have the right to:
• Access: Request a copy of personal data we hold about you.
• Rectification: Ask us to correct or update inaccurate or incomplete data.
• Erasure (“Right to be Forgotten”): Request deletion of personal data that is no longer necessary or if processing is unlawful.
• Restriction of Processing: Ask us to restrict how we process certain data.
• Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
• Object to Processing: Object to processing based on our legitimate interests, including direct marketing and data selling/sharing activities.
• Withdraw Consent: If you initially gave consent for a specific process, you may withdraw it at any time (note: we generally rely on legitimate interests, but if consent was given, you may revoke it).
How to Exercise Rights: Send us an email at email protected with your request. We may ask for proof of identity to protect your account and personal data.
If you believe we have infringed your rights, you have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) or your local supervisory authority in the EEA.
10. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will provide a prominent notice (e.g., by email or within the Service). The “Last Updated” date at the top indicates when this Policy was last revised.
11. Contact Us
If you have questions about how we use your personal data or wish to exercise any of your rights, please contact us at:
• Email: info@freelancepay.is
We value your privacy and aim to respond to all valid requests within one month. In some cases, we may extend this period by two further months if your request is complex or if we receive a high volume of requests.
