Effective Date: March 13, 2026
TORI EHF (“we”, “us”, “our”) respects your privacy and is committed to protecting your personal data in compliance with applicable data protection laws, including Regulation (EU) 2016/679 (the General Data Protection Regulation – “GDPR”) and Icelandic Act No. 90/2018 on Data Protection and the Processing of Personal Data.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you visit our website hugspil.is (the “Website”), interact with our services, contact us, or otherwise provide us with information.
1. Who we are – Data Controller
- Company name: TORI EHF
- Registration number: 620126-2760
- VAT number: 160236
- Registered address: Dunhagi 18, Reykjavík, 107, Iceland
- Email: info@hugspil.is
We act as the data controller for the personal data we process, unless otherwise stated.
2. What personal data we collect
We may collect the following categories of personal data:
- Identity and contact data: name, email address, phone number, postal address (e.g., when you contact us, subscribe to a newsletter, create an account, or place an order).
- Technical and usage data: IP address, browser type and version, device information, operating system, time zone setting, referring/exit pages, clickstream data, pages visited, time and date of visits, and other diagnostic data collected via cookies and similar technologies.
- Account data: username, password (hashed), profile information (if you register on the Website).
- Communication data: messages, emails, or other correspondence you send to us.
- Marketing and preferences data: your preferences in receiving marketing from us and your communication preferences.
- Payment data (if applicable): billing details processed securely via third-party payment providers (we do not store full card details ourselves).
- Other data: any personal data you voluntarily provide (e.g., in forms, reviews, comments, or support requests).
We do not intentionally collect special categories of personal data (sensitive data such as racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.) unless you explicitly provide it and we have a lawful basis.
3. How we collect your personal data
We collect data:
- Directly from you (forms, emails, account registration, purchases, inquiries).
- Automatically through your use of the Website (cookies, server logs, analytics tools).
- From third parties (e.g., analytics providers, advertising partners, social media plugins – where permitted).
4. Purposes and legal basis for processing
We process your personal data for the following purposes and on the following legal bases:
| Purpose | Personal data categories | Legal basis (GDPR Article) |
|---|---|---|
| Provide and maintain the Website | Technical/usage, identity | Legitimate interests (Art. 6(1)(f)) |
| Process orders/payments (if applicable) | Identity, contact, payment | Contract (Art. 6(1)(b)) |
| Manage user accounts/registration | Identity, contact, account | Contract (Art. 6(1)(b)) |
| Respond to inquiries/support | Identity, contact, communication | Legitimate interests / Contract |
| Send newsletters/marketing (direct) | Identity, contact, preferences | Consent (Art. 6(1)(a)) |
| Comply with legal obligations | All relevant categories | Legal obligation (Art. 6(1)(c)) |
| Prevent fraud/security | Technical, usage, identity | Legitimate interests (Art. 6(1)(f)) |
| Improve services/analytics | Technical, usage | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have conducted a balancing test to ensure your rights do not override our interests.
5. Cookies and similar technologies
Our Website uses cookies and similar tracking technologies. You can manage preferences via browser settings.
6. Sharing your personal data
We may share your personal data with:
- Service providers (processors): hosting providers, email services, analytics (e.g., Google Analytics), payment processors, IT support – all under strict data processing agreements.
- Professional advisors (lawyers, accountants, auditors).
- Public authorities when required by law.
- Business transfers (e.g., merger, acquisition).
We do not sell your personal data.
7. International transfers
If we transfer personal data outside the EEA (e.g., to US-based providers), we ensure appropriate safeguards such as:
- Adequacy decision,
- Standard Contractual Clauses (SCCs),
- Binding Corporate Rules, or
- Other approved mechanisms.
8. Data retention
We retain personal data only for as long as necessary for the purposes outlined above or to meet legal obligations. Typical periods:
- Account data: duration of account + reasonable period after closure.
- Marketing data: until consent withdrawn.
- Technical logs: up to 26 months (or as per provider policy).
- Legal claims: up to statutory limitation periods (usually 10 years in Iceland).
9. Your rights under GDPR
You have the following rights (subject to legal limitations):
- Access your data (Art. 15)
- Rectification (Art. 16)
- Erasure (“right to be forgotten”) (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21), including direct marketing
- Withdraw consent at any time (where processing is based on consent)
- Not be subject to automated decision-making (Art. 22, if applicable)
To exercise these rights, contact us at info@hugspil.is. We respond within one month (extendable in complex cases). You may also lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd):
- Website: https://www.personuvernd.is/
- Email: postur@personuvernd.is
10. Data security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, destruction, or damage (e.g., encryption, access controls, regular security assessments).
11. Children’s privacy
Our Website is not intended for children under 16. We do not knowingly collect data from children under 16 without parental consent. If we become aware of such collection, we will delete the data.
12. Changes to this Privacy Policy
We may update this policy from time to time. Changes will be posted here with an updated effective date. Significant changes may be notified via email or prominent notice on the Website.
13. Contact us
For questions about this Privacy Policy or our data practices:
- Email: info@hugspil.is
- Postal: TORI EHF, Dunhagi 18, Reykjavík, 107, Iceland
Thank you for trusting us with your personal data.
