Privacy Policy

Novamedia ehf. is the data controller for personal data processed in connection with the Cartico platform. For questions or requests relating to your personal data, contact us at cartico@cartico.com.

We collect the following categories of personal data:

We use personal data for the following purposes:

• Providing the Service: Creating and managing your account, processing subscriptions, operating your online store, and enabling features you use.
• Billing and payments: Processing subscription payments, sending invoices, and managing billing records.
• Communication: Sending service-related notifications (e.g. account alerts, subscription renewals, trial expiry reminders), responding to support enquiries, and sending product updates (with your consent where required).
• Security and fraud prevention: Detecting, investigating, and preventing fraudulent activity and security incidents.
• Service improvement: Analysing usage patterns to improve the platform, fix bugs, and develop new features.
• Legal compliance: Complying with applicable laws and regulations, including tax and accounting obligations.

We process personal data under the following legal bases (GDPR Article 6):

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service under our contract with you (e.g. account management, subscription billing, store operations).
• Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service improvement, and direct marketing to existing customers.
• Legal obligation (Art. 6(1)(c)): Compliance with Icelandic and EU laws (e.g. tax and accounting records).
• Consent (Art. 6(1)(a)): Marketing communications to non-customers and optional cookies (see Cookie Policy).

We do not sell your personal data. We share personal data only with trusted third parties in the following circumstances:

• Payment processors: Teya (Borgun/SaltPay) for subscription payments. Card data is transmitted directly to Teya and is not stored on our servers.
• Hosting and infrastructure: We use cloud infrastructure providers to host the Service. Your data is stored on servers within the European Economic Area (EEA).
• Email delivery: A transactional email provider is used to deliver account and notification emails.
• Analytics: Aggregated or pseudonymised usage data may be processed for internal analytics.
• Legal requirements: We may disclose personal data if required by law, court order, or regulatory authority.

All third-party processors are contractually bound to process personal data only as instructed by us and in accordance with GDPR.

We primarily store and process data within the European Economic Area (EEA). Iceland is part of the EEA and subject to GDPR. Where we engage third-party services that process data outside the EEA, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses).

We retain personal data for as long as necessary to provide the Service and fulfil the purposes described in this Policy:

• Active account data: Retained for the duration of your account and subscription.
• Billing records: Retained for 7 years to comply with Icelandic accounting and tax law.
• Deleted account data: After account deletion or termination, personal data is deleted within 30 days, except where longer retention is required by law.
• Log data: Retained for up to 12 months for security purposes.

Under GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction: Request that we restrict processing of your data in certain circumstances.
• Right to data portability: Receive your personal data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at cartico@cartico.com. We will respond within 30 days. You also have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) at personuvernd.is.

Cartico uses cookies and similar technologies. For full details, see our Cookie Policy.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS), encryption at rest for sensitive data, access controls, and regular security reviews.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals as required by GDPR.

Cartico is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the platform. The "Last updated" date at the top of this page reflects the most recent revision.

For privacy-related questions or requests: