PRIVACY POLICY

Last updated: 20 March 2026

This privacy policy explains how we collect, use and protect your personal data when you use shop.icelandmusic.is.

WHO WE ARE

Your data is controlled by:

Tónlistarmiðstöð - Iceland Music Austurstræti 5 101 Reykjavík, Iceland Email: shop@icelandmusic.is Phone: +354 588 6620

WHAT DATA WE COLLECT

Account registration

When you create an account, we collect your first name, last name, email address and password. Your password is stored securely using industry-standard hashing (Argon2) and is never stored in plain text. You may also optionally subscribe to our newsletter.

Profile information

You may optionally add your Icelandic ID number (kennitala) to your profile.

Orders and checkout

When you place an order, we collect your billing address (name, company, VAT number, email, phone, street address, city, postal code and country) and, if different, your delivery address. We also store your order details including items purchased, amounts, currency, order status and any comments you provide.

Downloads

We keep a record of digital products you have purchased and downloaded.

Login activity

We record login attempts (including your IP address) to protect your account from unauthorised access. After 3 failed login attempts, your account is temporarily locked for 10 minutes.

HOW WE USE YOUR DATA

We use your personal data to:

  • Process and fulfil your orders
  • Manage your account
  • Send order confirmations and shipping notifications by email
  • Protect our website from fraud and abuse
  • Improve our services

We do not sell your personal data to third parties.

COOKIES

We use the following cookies:

Strictly necessary cookies — these are required for the website to function and cannot be switched off:

  • Session cookie (dual_session) — maintains your browsing session. Expires after 2 hours of inactivity.
  • CSRF cookie (dual_csrf_cookie) — protects forms against cross-site request forgery. Expires after 2 days.
  • Google reCAPTCHA — protects forms from automated spam and abuse.

Functional cookies — these remember your preferences:

  • Language preference (preferred_language) — remembers your chosen language. Expires after 1 year.
  • Remember me (dual_frontend_remember_code) — keeps you logged in between sessions. Expires after approximately 1 day.

Analytics cookies — these help us understand how visitors use our website:

  • Google Analytics (via Google Tag Manager) — collects anonymous usage statistics such as pages visited, time spent on site and referring websites. These cookies (including _ga and _gid) are set by Google. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

THIRD-PARTY SERVICES

We share your data with the following third-party services, solely for the purposes described:

  • QuickPay (payment processing) — processes your card payments securely. We never see or store your credit card details; these are handled entirely by QuickPay.
  • SendGrid (email delivery) — delivers transactional emails such as order confirmations and password reset messages. Receives your name, email address and order details.
  • Google Tag Manager & Google Analytics (analytics) — collects anonymous website usage data.
  • Google reCAPTCHA (spam protection) — receives your IP address and interaction data to verify you are not a bot.
  • Google Fonts (typography) — loads fonts from Google servers, which may receive your IP address.
  • Bugsnag (error monitoring) — receives technical error reports which may include request context. Used solely to identify and fix bugs.
  • Brevo (newsletter) — if you subscribe to our newsletter, your email address and name are shared with Brevo for mailing list management.

PAYMENT SECURITY

All card payments are processed securely through QuickPay. Your credit or debit card details are entered directly on QuickPay's secure payment page and are never transmitted to or stored on our servers.

DATA RETENTION

We retain your account data for as long as your account is active. Order records are kept for accounting and legal purposes. You may request deletion of your account and personal data at any time by contacting us.

YOUR RIGHTS

Under the General Data Protection Regulation (GDPR) and Icelandic data protection law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your personal data
  • Data portability — request your data in a machine-readable format
  • Restriction — ask us to restrict processing of your data
  • Objection — object to processing based on legitimate interests

To exercise any of these rights, please contact us at shop@icleandmusic.is.

You also have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd).

CONTACT

If you have any questions about this privacy policy or how we handle your data, please contact us:

Tónlistarmiðstöð - Iceland Music Austurstræti 5 101 Reykjavík, Iceland Email: shop@icleandmusic.is Phone: +354 588 6620