Privacy Policy

Last updated: November 2025

Endurgjald ehf., ID no. 640725-0950, Síðumúli 27, 108 Reykjavík (“Endurgjald”, “we”, “us”, “our”) is committed to protecting your privacy and handling personal data responsibly and lawfully.

This Privacy Policy explains what personal data we collect, how we use it, the legal basis for our processing, how long we retain data, your rights under applicable data protection law (including Act No. 90/2018 on Data Protection and the Processing of Personal Data), and how you may contact us.

We understand that most people do not enjoy reading privacy policies — but protecting your personal data is extremely important to us. We therefore aim to provide clear and accessible information about the data we collect and why.

1. What Constitutes Personal Data and Personal Data Processing?

“Personal data” means any information that can be linked to an identifiable individual, such as name, ID number, address, email, phone number, financial information, IP address, and more.

“Special categories of personal data” are sensitive data receiving special protection in law, such as data concerning race, political opinions, trade-union membership, genetic or health information, or sexual life.

“Processing” means any operation carried out on personal data, including collection, recording, storage, alteration, use, access, or deletion.

2. Purposes for Collecting Personal Data

Endurgjald processes personal data for the following purposes:

• To fulfil contractual obligations, e.g., towards customers and partners

• To provide and operate the Skreppa mileage logbook service

• To enable customers to recover mileage reimbursement

• To automate and improve services

• To ensure fair and efficient reimbursement of mileage

• To develop our products and tailor them to customer needs

• To safeguard our legitimate interests

• To comply with legal obligations

• To establish, exercise, or defend legal claims

We never sell customer data to third parties.
We never use driving data collected through the Skreppa app for assessing fault in accidents or incidents.

3. Legal Bases for Processing

Endurgjald processes personal data on the following legal bases:

• Consent

• Performance of a contract

• Compliance with legal obligations

• Legitimate interests

• Establishment, exercise, or defence of legal claims

4. How Endurgjald Processes Personal Data

We process personal data lawfully, fairly, securely, and only for clear and legitimate purposes. We apply the following core principles:

• Data is collected for specified and lawful purposes

• Only data strictly necessary for each purpose is collected

• Data is kept accurate and up-to-date

• Data is not retained longer than necessary

• Data is secured through appropriate technical and organisational measures

5. Categories of Individuals and Data Collected

5.1 Customers and Prospective Customers

When you use the Skreppa app, we may collect:

• Name, ID number, home address, phone number, email

• Vehicle identification and registration information

• Bank and payment card details

• Information about interest in our services

• Communication records (emails, messages, calls)

• Transaction and account information

• Website usage data

• Technical system logs

5.2 Driving Data Collected by the Skreppa App

The Skreppa mobile application uses sensors available in smartphones to generate mileage logs:

• Accelerometer (detects motion and start of trip)

• Magnetometer (used to evaluate vehicle acceleration)

• GPS data (origin, destination, distance travelled, trip duration)

Driving data is processed by our technical partner DriveQuant (France).
To protect your privacy:

• Endurgjald sends only an anonymised identifier to DriveQuant — never any personal data

• DriveQuant processes trips linked only to this anonymised identifier

• Endurgjald receives processed trip summaries without any link to your identity

• No data on traffic violations is collected or stored

• All driving data is stored in non-identifiable formats in our systems and hosted within the EEA

5.3 Employers Using Skreppa

If an employer has a service agreement with Endurgjald, we may process additional information:

• Approved or rejected trips

• Mileage reimbursement amounts

• Annual reimbursement summaries

5.4 Other Data Subjects

We also process personal data relating to:

• Staff and job applicants

• Contractors and business partners

• Individuals who provide authorisation/representation on behalf of customers

• Visitors captured by CCTV at our premises

6. Data Retention

We retain personal data only as long as necessary or required by law.

Examples:

• Contractual data: retained for the duration of the business relationship, unless statutes of limitation require longer retention

• Mileage reimbursement data: retained for minimum 7 years under the Icelandic Accounting Act No. 145/1994

• Driving data: retained for at least 7 years; stored only in de-identified form

• Marketing data: retained for up to 12 months unless the individual becomes a customer

• CCTV footage: retained according to security regulations and necessity

When data is no longer required, it is deleted or irreversibly anonymised.

7. Automated Decision-Making

Endurgjald may perform automated assessments (e.g., risk evaluation related to payment behaviour) to determine service eligibility and pricing. These assessments rely on objective criteria such as payment history.

No automated decisions are taken without safeguards required by law.

8. Sources of Personal Data

We primarily collect data directly from you.
We also collect data from:

8.1 Registers and Public Authorities

• Registers Iceland (Þjóðskrá) – to verify identity, address, family status

• The Vehicle Registry (Samgöngustofa) – to verify vehicle ownership and inspection status

Endurgjald is legally required to keep a log of certain queries in the Vehicle Registry for at least two years.

8.2 Electronic Identification and Signing

We use Dokobit for electronic authentication and signature services.
Electronic ID functions as official digital identification and is equivalent to presenting ID in person.

9. Confidentiality and Information Security

• All Endurgjald employees sign confidentiality agreements

• Access to personal data is strictly controlled

• Only employees who require access for their job are permitted to view data

• Breaches of confidentiality may lead to termination and legal action

• Our security specialists continuously monitor and protect data systems

10. Sharing Personal Data with Third Parties

We may share personal data with:

• Service providers

• Agents

• Contractors

Such third parties act as data processors and may only process data according to our explicit instructions. All processors must sign a data processing agreement ensuring confidentiality and data security.

We may also share data where required by law.

11. International Data Transfers

Endurgjald does not transfer personal data outside the EEA unless:

• A valid legal basis exists under Act No. 90/2018

• Appropriate safeguards are in place (e.g., Standard Contractual Clauses)

Currently, Endurgjald only shares de-identified driving data with DriveQuant (France, within the EEA).

12. Your Data Protection Rights

You may have the following rights under Act No. 90/2018:

• Right to access your personal data

• Right to rectification

• Right to erasure (“right to be forgotten”)

• Right to restriction of processing

• Right to data portability

• Right to object to processing

• Right to withdraw consent at any time (without affecting prior lawful processing)

These rights may be subject to conditions or legal limitations.

13. Contact Information

Endurgjald MGA ehf.

Síðumúli 27, 108 Reykjavík
Email: skreppa@skreppa.is
Phone: 420 4020

Data Protection Officer (DPO)

Dattaca Labs Iceland ehf.
Kalkofnsvegur 2, 101 Reykjavík
Email: dpo@dattacalabs.com
Phone: 517 3444

14. Complaints to the Supervisory Authority

If you believe that Endurgjald is processing your personal data unlawfully, you have the right to file a complaint with:

Persónuvernd — The Icelandic Data Protection Authority

15. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time in compliance with legislative or operational changes. Updated versions will be published at www.skreppa.is and take effect upon publication.