Legal
Privacy Policy
Plain language. We collect very little, use it only for what you'd expect, and never sell it.
Effective 9 April 2026
1 — Who we are
The data controller for this website is Hyalin ehf. (kt. 541215-0930), a curated gourmet shop based in Reykjavík, Iceland.
Skólavörðustígur 4a, 101 Reykjavík, Iceland
hyalin@hyalin.is
Iceland is a member of the European Economic Area (EEA). This policy is written in accordance with the General Data Protection Regulation (GDPR) as applied in Iceland through the Personal Data Protection Act (lög nr. 90/2018).
2 — What we collect and why
Email address (newsletter)
If you sign up to our newsletter, we collect your email address. We use it to send you news about the store, new arrivals, and occasional promotions.
Lawful basis: Consent — you provide your email voluntarily and can withdraw at any time. Every email we send includes an unsubscribe link.
Processor: Your email address is stored in Shopify (Shopify Ireland UC, Dublin). Shopify acts as a data processor on our behalf and is GDPR-compliant. We do not sell or share your email with any other third party.
Retention: We keep your email address for as long as you remain subscribed. If you unsubscribe or request deletion, we will remove it promptly.
Order data
When you place an order, Shopify processes your name, delivery address, and payment information. Payment card data is handled entirely by Shopify's payment partners and never stored by us.
Lawful basis: Performance of a contract — we need this data to fulfil your order.
Retention: Order records are retained for seven years to comply with Icelandic accounting law.
3 — Cookies
This site uses only two categories of cookies, neither of which requires your consent.
Strictly necessary
Shopify sets cookies to maintain your shopping cart and manage your session. These are essential to operating the store and are exempt from consent requirements under the ePrivacy Directive.
Analytics
We use Vercel Web Analytics to understand how pages are used. It is cookieless — no tracking cookies are set and no personal data is collected. Traffic figures are aggregated and anonymous.
We do not use advertising cookies, tracking pixels, or any third-party profiling tools.
4 — Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased (the "right to be forgotten")
- Restrict how we process your data
- Withdraw consent at any time, without affecting the lawfulness of prior processing
- Lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) at personuvernd.is
To exercise any of these rights, email us at hyalin@hyalin.is. We will respond within 30 days.
5 — Changes to this policy
If we make material changes — for example by adding new data collection — we will update the effective date above and, where appropriate, notify subscribers by email.