Effective Date: April 1st 2026
Owner: CTO
Approved By: Executive Management
Applies To: All employees, contractors, and third parties processing personal data for or on behalf of Advise ehf.
Purpose
This policy sets out how Advise ehf. ("Advise", "we", "our", "us") protects personal data in compliance with the General Data Protection Regulation (GDPR 2016/679) and the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018. Depending on the context of the processing, Advise may act as a Data Processor or as a Data Controller.
Advise is committed to processing personal data lawfully, fairly, and transparently while respecting the rights and freedoms of all data subjects.
Scope
When we act as a Data Processor
When providing the Advise Platform, we typically act as a Data Processor, processing personal data solely on behalf of our customers ("Controllers") and in accordance with their documented instructions. In this capacity, we do not determine the purposes and the means of the processing. Our responsibilities and obligations as a Processor are defined by our agreement with each customer and by applicable data protection laws.
When we act as a Data Controller
In certain situations, we act as a Data Controller. This occurs when we determine the purposes and the means of processing personal data ourselves, for example when handling payment information, managing billing and account administration, ensuring platform security, or using cookies and similar technologies for analytics, service improvement, or marketing (where legally permitted).
When acting as a Controller, we are responsible for ensuring that the processing complies with GDPR and other applicable privacy laws, including providing transparency, identifying an appropriate legal basis, and upholding data subject rights.
This Privacy Policy applies to Advise in its capacity as a Data Controller.
Categories of Data Subjects
When acting as a Controller, we process personal data relating to the following categories of data subjects:
- Customer Representatives — Individuals who act on behalf of Customers and engage with us for contract management, billing, support, or communications.
- Platform Users (Controller Capacity Only) — Individuals who access or use the platform where we process certain data for our own purposes, for example, authentication logs, security monitoring, usage analytics, or service improvement data.
- Billing and Payments — Individuals whose personal data is processed to manage payments, invoicing, subscriptions and financial administration.
- Website Visitors — Individuals who visit our website or interact with our online services, including those whose data is collected through cookies, analytics or consent-based marketing technologies.
- Prospective Customers/Leads — Individuals who express interest in our services, such as by requesting a demo or signing up for newsletters.
- Support Requesters — Individuals who contact us for assistance, technical support, or general inquiries.
Categories of Personal Data
When acting as a Data Controller, we may collect and process the following categories of personal data, depending on how individuals interact with our website, platform and services.
- Customer Representatives
  - Name
  - Job title and role
  - Business email address
  - Business phone number
  - Account preferences and settings
  - Communications with us
- Platform Users (Controller Capacity Only)
  - Login timestamps and activity logs
  - IP address and device information
  - Browser type and operating system
  - Usage metrics and interaction logs
  - Error logs
  - Security events
- Billing and Payments
  - Billing contact information
- Website Visitors
  - IP address and device/browser information
  - Browser settings and language preferences
  - Cookie identifiers and tracking technologies
  - Analytics data
  - Marketing attribution data (where legally permitted)
  - Log data generated automatically by the server
- Prospective Customers/Leads
  - Name and contact details
  - Marketing preferences and consent records
  - Interaction history
- Support Requesters
  - Name and contact details
  - Content of support tickets, emails or chat messages
  - Technical information necessary to resolve issues
  - Any additional information voluntarily provided by the requester
Lawful Bases for Processing
When acting as a Data Controller, we process personal data under one or more lawful bases defined in Article 6 of the GDPR, including:
- Performance of a contract
  - Creating and managing customer accounts
  - Providing and administering access to the Advise Platform
  - Communicating about service usage, updates and maintenance
  - Delivering customer support related to account or platform functionality
  - Managing billing, invoicing and subscription renewals
- Compliance with legal obligations
  - Financial recordkeeping, tax and accounting obligations
  - Responding to lawful requests from regulators or authorities
- Legitimate interests pursued by Advise or a third party, provided these do not override individual rights
  - Ensuring the security, integrity and availability of the Advise Platform
  - Detecting and preventing fraud or misuse
  - Improving service performance, reliability and user experience
  - Communicating with existing customers about relevant service updates
- Consent, where explicitly obtained (e.g., marketing communications)
  - The use of non-essential cookies such as analytics and marketing cookies
  - Marketing communications (when required by law)
For personal data that customers submit to the Advise Platform or otherwise instruct us to process, Advise acts solely as a Data Processor. In this role:
- Advise processes personal data only on the documented instructions of the customer (the Data Controller)
- Advise does not determine the purposes or lawful basis of the processing
- The customer is responsible for ensuring a valid lawful basis
Data Subject Rights
You have certain rights over your personal data, with some exceptions. In its role as Data Controller, Advise supports the following rights under Articles 12–23 GDPR:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
  - When we rely on legitimate interests to process your personal data, you have the right to object to such processing. You may also object at any time to the use of your data for marketing communications or targeted advertising, for example by using the "unsubscribe" option in our emails.
- Rights relating to automated decision-making
- Withdraw Consent
  - If we rely on your consent to process your personal data, you may withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing carried out before your withdrawal.
Requests are managed through a documented internal procedure and are normally responded to within 30 days.
Data Retention and Disposal
We retain personal data only for as long as necessary to provide our services, comply with legal obligations or resolve disputes. Once personal data is no longer needed, we will securely delete or anonymize it.
Security of Processing
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR. These measures include, but are not limited to:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and multi-factor authentication
- Audit logging and continuous monitoring of security-relevant events
- Regular vulnerability scanning and incident response processes
- Daily backups and tested disaster-recovery procedures
International Data Transfers
We protect your personal data in accordance with this Privacy Policy, regardless of where it is processed. We do not transfer personal data outside the European Economic Area unless such transfers comply with applicable data protection laws.
Where we or any of our sub-processors process or otherwise transfer personal data to a country that does not benefit from an adequacy decision issued by the European Commission, we ensure that such transfer is subject to appropriate safeguards in accordance with Article 46 of GDPR. These safeguards may include:
- the SCCs adopted or approved by the European Commission; or
- any other lawful transfer mechanism recognised under the Data Protection Legislation.
Cookies and Tracking Technologies
At Advise.is, we use cookies to analyse and improve the experience of visitors on our website. Cookies are small text files stored on your device that help us provide and improve our services.
Strictly Necessary Cookies (Exempt from Consent)
Cookies classified as "Strictly Necessary" are essential for the website to function properly. These cookies enable core functionality such as page loading, navigation, session management and security features.
Analytics Cookies
Analytics cookies are used to gather information about the use of the website to improve the user experience.
Marketing Cookies
Marketing cookies are used to customize marketing content for website visitors and display it on social media and search engines. These cookies may track visitors across websites to deliver tailored advertisements and may involve third parties such as Google and Meta/Facebook.
Managing Your Cookie Preferences
You have the right to accept or reject cookies. When you visit our website for the first time, you are presented with a cookie consent banner allowing you to accept or reject non-essential cookies. Most web browsers also allow users to manage cookies directly.
Please note that if you choose to decline cookies, some features of our website may not function properly.
Changes to this Data Protection Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically to stay informed about how we are protecting your information.
Contact and Complaints
Data-protection inquiries may be sent to:
Email: privacy@advise.is
Complaints may also be lodged with the Icelandic Data Protection Authority (Persónuvernd) or the supervisory authority in the data subject's EU member state.