At Ferðaþjónustan Hoffell ehf., we are committed to protecting your privacy and ensuring that your personal data is processed in a transparent, secure, and lawful manner.
Ferðaþjónustan Hoffell ehf., company registration no. 680703-2560, Hoffell 2, 781 Höfn í Hornafirði, Iceland (“we”, “us”, or “our”), operates Hoffell Guesthouse – Glacier World, including its accommodation facilities and related services.
This Privacy Policy explains how we collect, use, disclose and otherwise process your personal data, the purposes for which your personal data is processed, the legal bases on which we rely, and your rights in relation to the processing of your personal data.
For the purposes of Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”), Ferðaþjónustan Hoffell ehf. is the data controller responsible for the processing of your personal data as described in this Privacy Policy.
We process personal data primarily to provide and improve our services, communicate effectively with our customers, protect the safety and security of our premises, guests, employees, and property, and to market our products and services where permitted by law.
We will only process your personal data where we have a lawful basis for doing so under Article 6 of the GDPR and, in the case of special categories of personal data, where the additional requirements under Article 9 of the GDPR are met.
2.1 Accommodation and Related Services
When you book a room at Hoffell Guesthouse – Glacier World, we collect the personal data necessary to provide the services you have requested.
The personal data we may collect includes:
2.2 Inquiries
When you submit a request, inquiry, complaint or feedback to us, we process your contact details and any other information you provide in order to respond to your inquiry and, where necessary, process and resolve your request.
2.3 Analytics and Market Research
We may use information derived from personal data that has been anonymized for analytics, market research, and statistical purposes to help us improve our products and services.
2.4 Our Website
When you visit our website, we may collect information about the use of the website through cookies and similar technologies. This information is used to provide website functionality, analyze website usage, and, where you have provided your consent, support marketing activities.
Detailed information about the cookies and similar technologies we use, including their purposes, providers, and retention periods, is available in our Cookie Declaration, which can be accessed through our cookie banner.
2.5 CCTV
We use CCTV cameras at our premises for security purposes and to protect the safety of our guests, employees, and property. Access to CCTV recordings and other information collected through CCTV is strictly controlled, and only specifically authorized employees have access to such information.
CCTV recordings are not retained for longer than 30 days unless they are required to be retained in connection with potential legal matters, such as accidents, theft, or other incidents requiring further review.
We process personal data based on one or more lawful bases under the GDPR, depending on the nature of the processing activity.
We process personal data based on the following lawful bases:
We do not sell personal data.
We may share personal data with processors who provide services to us or provide services to our customers on our behalf where this involves processing personal data on our instructions. This may include, for example, providers of IT services, cloud solutions, payment services, and other services necessary to support our operations.
An example of a processor is our parent company, Blue Lagoon Ltd., which provides us with various support services, including IT, human resources, management, and finance services.
Where third parties act as data processors on our behalf, we ensure that appropriate data processing agreements are in place, requiring personal data to be handled securely, confidentially, and only for the purposes we specify. Processors only have access to the personal data necessary to perform their specific tasks and are prohibited from using it for any other purpose.
Some of these third parties may be located outside Iceland. We will not transfer personal data outside the European Economic Area (EEA) unless permitted under applicable data protection laws, for example where the European Commission has adopted an adequacy decision for the destination country or where appropriate safeguards are in place, such as Standard Contractual Clauses.
We may also disclose personal data:
In addition, we may use third-party providers to assist us with website analytics, marketing, and improving our services. Depending on the service provided, these providers may act as our processors or as independent controllers. We only use non-essential cookies and similar technologies where you have provided consent. Further information about the cookies and technologies used on our website, including their purposes and providers, is available in our Cookie Declaration, which can be accessed through our cookie banner.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required to comply with applicable legal obligations.
The length of the time we retain personal data may be determined by legal obligations that apply to us. For example, accounting records may be required to be retained for seven years from the end of the relevant financial year under applicable accounting legislation, and certain information relating to hotel guests may be required to be retained for a period of one year under applicable accommodation legislation.
When the retention period ends, we securely delete personal data or anonymize it so that it can no longer be used to identify you.
Where you have authorized a third party, such as a travel agency or booking service, to share your personal data with us (for example, to make a booking on your behalf), this Privacy Policy applies to our processing of that personal data once we receive it.
Where other service providers provide part of your service, stay, or travel arrangements, those providers are responsible for their own processing of personal data carried out by them. Their privacy policy and information about their processing activities should be available from those providers.
Payments are processed through our payment service provider, Planet. Payment transactions are protected using appropriate security measures and are processed in accordance with the PCI DSS (Payment Card Industry Data Security Standard) to help ensure the secure handling of payment card information.
Our websites are secured using SSL certificates and encryption technologies designed to protect communications between our websites and your browser.
Under the GDPR, you have the following rights in relation to your personal data:
To exercise any of the rights listed above, please contact us at [email protected].
Please note that these rights are not absolute and may be subject to limitations under the GDPR, including where we are required to retain information to comply with legal obligations or where exercising a right would adversely affect the rights and freedoms of others.
We may provide services to families and may process personal data relating to children in connection with bookings or visits to our premises. We do not knowingly collect personal data from children under the age of 13 without appropriate involvement or authorization from a parent or legal guardian.
If a parent or legal guardian becomes aware that personal data has been provided by a child under the age of 13 without appropriate authorization, they should contact us immediately. If we become aware of such collection or use, we will take appropriate steps to address the situation, including deleting such data where required.
If you apply for a position with us, we will process the personal data you provide as part of your application, such as your name, contact details, CV, cover letter, qualifications, interview notes, references, and any other information relevant to the recruitment process.
We process this information for the purpose of managing the recruitment process, assessing your suitability for employment, and taking steps at your request prior to entering into an employment contract.
We retain applicant data only for as long as necessary for the recruitment process and, where you have provided your consent, for a limited period thereafter to consider you for future employment opportunities.
Applicants also receive separate information describing how we process personal data during the recruitment process.
In the event of a personal data breach, we will notify the Icelandic Data Protection Authority (Persónuvernd) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
If the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly without undue delay, unless otherwise required by applicable law.
If you have any questions about this Privacy Policy or how we process your personal data, please contact us at:
Email: [email protected]
Mail: Hoffell 2, 781 Höfn í Hornarfirði, Iceland
If you believe that our processing of your personal data does not comply with applicable data protection laws, you have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd). Further information is available on its website: www.island.is/en/o/the-data-protection-authority
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or our services.
Any changes will become effective when the updated Privacy Policy is published on our website.
Last updated: July 3, 2026