Privacy Policy
Last updated: May 29, 2026
1. Introduction
Welcome to NordicPath ("we," "our," or "us"), operated at plan.iceland-trip.com. We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our AI-powered travel itinerary service.
2. Data Controller
NordicPath is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us at privacy@iceland-trip.com. For security-related reports, contact security@iceland-trip.com.
3. Personal Data We Collect
We collect and process the following categories of personal data:
- Account Information: Email address, optional phone number, full name, and profile picture (if you upload one or sign in with a provider that supplies one).
- Trip Preferences: Travel dates, flight arrival and departure times, party composition (including the number and ages of any children in your party, as supplied by the adult account holder), transport choice, accommodation preferences, activity preferences, pre-booked items, and any free-text notes or links you choose to attach to your trip.
- Generated Content: The AI-generated itinerary (destinations, schedule, recommendations) we create for you.
- Collaboration Data: Email addresses of collaborators you invite to a trip, and your status on trips you have been invited to.
- Communication Data: Email delivery and engagement events (sent, delivered, opened, clicked, bounced) for emails we send you, and your unsubscribe state.
- Usage and Technical Data: IP address (used only for rate-limiting and abuse prevention; never stored in raw form alongside trip data), browser and device information, pages visited, hashed IP for trip-view analytics, affiliate-link clicks, PDF downloads, and cookies.
- Authentication Data: One-time passcodes (OTPs) for email verification, retained only for the brief verification window.
- Gmail Inbox Data (optional, opt-in): If you connect Gmail to auto-fill your booking tracker, we request the gmail.readonly scope and read only messages that match booking-confirmation criteria (specific senders or subject keywords) within a window around your trip dates. We extract structured fields (vendor, confirmation number, dates, amount) and store a short snippet for display. We do not store the full email body, and you can revoke access at any time from your Google account permissions.
We do not knowingly collect special-category data (e.g., health, religion, political opinion). Please do not include such data in the free-text fields of your trip preferences.
4. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): Creating and managing your account, generating itineraries, storing your trips, sending transactional emails (OTP, welcome, invitations, booking-related).
- Consent (Art. 6(1)(a)): Non-essential cookies (analytics, marketing), and any marketing communications you opt in to. You can withdraw consent at any time via our cookie banner, the unsubscribe link in every marketing email, or by deleting your account.
- Legitimate Interests (Art. 6(1)(f)): Improving our AI itinerary generation, preventing fraud and abuse, securing the service, low-volume product nurture emails to new users (a 4-email sequence that you can opt out of at any time via the unsubscribe link).
- Legal Obligations (Art. 6(1)(c)): Complying with applicable laws, including responding to lawful requests from public authorities.
5. How We Use Your Data
- Create and manage your account
- Generate personalized AI travel itineraries
- Save, retrieve, refine, share, and export your trip plans
- Send service-related communications (OTP codes, welcome emails, trip-share invitations, booking-related emails)
- Send a short product nurture sequence to new users (you can unsubscribe with one click at any time)
- Improve our service, AI prompts, and user experience
- Detect, prevent, and respond to abuse, fraud, or security incidents
- Comply with our legal obligations
6. Sub-Processors and Third Parties
We rely on the following service providers (sub-processors) to operate the service. Each one is contractually bound by a Data Processing Agreement and processes data only on our instructions.
- Vercel Inc. (United States) — application hosting, edge functions, key-value cache, and performance analytics.
- Supabase Inc. (United States; database region per project configuration) — authentication, primary database, and storage of your account and trip data.
- Google LLC (United States) — (a) Gemini API for AI itinerary generation (your trip preferences are sent as input); (b) Google Maps, Places, and Directions APIs for location data, photos, and route geometry; (c) Google Tag Manager and Google Analytics for usage analytics, loaded only with your cookie consent.
- Resend, Inc. (United States) — transactional and product emails (sent from plan.iceland-trip.com), email delivery events.
- Unsplash, Inc. (United States) — optional location imagery; we send keyword queries, not your personal data.
- OSRM Project (community-operated, hosted in the EU) — public routing service used as a fallback for driving-time estimates; we send coordinate pairs only, never your identity.
- Affiliate partners (Booking.com Affiliate Programme, Viator) — when you click an affiliate booking link, the partner receives standard referral parameters (our affiliate ID, the page you came from). We do not transmit your account email or profile to them.
We do not sell your personal data to anyone.
7. International Data Transfers
Several of our sub-processors are based in the United States. Your data may therefore be transferred to and processed outside the European Economic Area. Where this happens, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards where appropriate (encryption in transit and at rest, access controls, sub-processor audits). We do not transfer data to jurisdictions for which no valid transfer mechanism exists.
8. Data Retention
We retain your personal data only as long as we have a basis to do so:
- Account profile and trips: retained while your account is active. Deleted within 7 days of you triggering account deletion (see Section 9).
- OTP codes: deleted upon successful verification, or expire automatically within minutes.
- Email delivery events: retained up to 90 days for deliverability analysis.
- Affiliate clicks, PDF downloads, trip views: retained up to 24 months for product analytics, then aggregated or deleted.
- Application logs: retained up to 30 days for incident response.
- Backups: rotating backups are retained for up to 30 days; data deleted from production is purged from backups within that window.
Where law requires us to retain data longer (e.g., tax records for affiliate revenue), we keep only the minimum needed, separated from your profile.
9. Your Rights Under GDPR — Self-Service
You have the following rights regarding your personal data, and you can exercise the most important ones directly from your account:
- Right of Access & Data Portability (Art. 15, 20): Download a complete, machine-readable JSON copy of your data at any time from your My Trips page → "Privacy & your data" → "Download my data".
- Right to Erasure (Art. 17): Permanently delete your account and all associated data from the same panel → "Delete my account". The deletion is irreversible and runs immediately.
- Right to Rectification (Art. 16): Edit your profile and trip details from your account, or email us if a correction is not possible in-product.
- Right to Withdraw Consent (Art. 7): Unsubscribe from marketing emails using the one-click link in every email, or revoke cookie consent via the cookie banner.
- Right to Restriction and Objection (Art. 18, 21): Contact us at privacy@iceland-trip.com.
- Right to Lodge a Complaint: You may lodge a complaint with your local supervisory authority. A list of EU authorities is available on the European Data Protection Board website.
For any request that cannot be completed in-product, we respond within 30 days as required by GDPR.
10. Cookies and Consent
We use a small number of essential cookies to keep you signed in and to remember your cookie preferences. Analytics and marketing cookies (Google Tag Manager, Google Analytics) are loaded only after you opt in via our cookie banner. You can change your choices at any time by clearing your cookies and returning to the site, or via your browser settings.
11. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS), encryption at rest (managed by Supabase and Vercel), database row-level security, per-user authentication, rate limiting, input sanitisation, and dependency monitoring. We review our security posture periodically. To report a vulnerability, email security@iceland-trip.com.
12. Children's Privacy
Our service is intended for adults aged 16 or over. We do not knowingly create accounts for children. If your trip includes children traveling with you, you may enter their ages as part of trip preferences; that information is processed solely to tailor the itinerary and is not used for any other purpose. If you believe a child has registered an account, please contact us and we will delete the account promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by email or by a notice in the product before they take effect.
14. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, contact us:
Privacy: privacy@iceland-trip.com
Security reports: security@iceland-trip.com