This Privacy Policy (“Policy”) applies to the processing of personally identifiable data by Spesía eignastýring hf., ID No. 430924-0440, Grandagarður 16, 101 Reykjavík (hereinafter referred to as “Spesía”).

Spesía is legally required to protect the personally-idendifiable data of its users and takes this responsibility seriously. Trust is a key element in all of Spesía’s operations, and therefore the Company places great emphasis on ensuring this Policy is followed in compliance with applicable legal requirements. In fact, Spesía goes beyond the legal requirements to ensure that personally-identifiable data are handled safely, ethically, and responsibly.

This Policy explains how Spesía collects, uses, shares, and protects its users’ personally-identifiable and financial information. Its purpose is to inform users about the security and processing of personally identifiable data within Spesía, the purpose and legal basis for such processing, and to ensure transparency in accordance with applicable data protection legislation.

Scope and Processing of personally identifiable data

Spesía undertakes to process personally identifiable data only in the manner described in this Policy and in accordance with Act No. 90/2018 on Data Protection and the Processing of personally identifiable data and Regulation (EU) 2016/679 (GDPR).

More specifically, this Policy applies to all of Spesía’s activities relating to services where personally identifiable data are processed, to all personally identifiable data you provide to Spesía, and/or that Spesía collects about you via the website, mobile app, and other communication channels such as email and other applications (“Service”). This Policy applies only to individuals and not to legal entities. It does not cover third-party online services for which a third party is responsible, even if the service links to them.

Please read this Privacy Policy carefully. If you do not agree with its contents, you may stop using the services at any time.

Controller and Processor

Spesía is the controller of personally identifiable data processing and is responsible for ensuring that processing complies with data protection law at all times and for being able to demonstrate such compliance. The controller determines the purposes of processing and the means used.

A processor is a party that processes personally identifiable data on behalf of the controller under a data processing agreement. Where Spesía engages processors, it enters into data processing agreements with them.

In some cases, there may be more than one controller, in which event processing is carried out by two or more parties. In those cases, each party is responsible for defined aspects of the processing, and they are considered joint controllers. If Spesía undertakes such processing together with another party, a joint controller arrangement will be in place.

What Information Do We Collect?

To provide efficient and personalised services, Spesía collects various types of information about you, both the information you provide directly and information obtained from other sources in connection with the services. This includes, in particular:

• Contact details provided when you register with Spesía, such as name, address, email, phone number, or identifying details such as a national ID number (í. kennitala), or electronic identification.
• Personal information you provide to Spesía in connection with its services, including your investment goals and purposes, as well as information on your investment knowledge and experience and your attitude towards risk.
• Technical information about how you use the services, such as the browser, device, or app you use to access the service, the origin of your visit, and which features you use most, collected to improve the services and products. This helps us identify what works best and how to improve accessibility and functionality for the benefit of all users.

The above is not an exhaustive list of personally identifiable data collected. Spesía may collect other information about you when necessary, depending on the nature of the business relationship or communications at any given time. If accurate information is not provided, this may affect Spesía’s ability to provide you with appropriate services.

Why Do We Collect This Information?

Spesía collects, stores, and analyses data for the following purposes:

1. To provide personalised services

To deliver appropriate services, Spesía requests certain information from you. Such data are processed based on your consent and is used to adhere to the contract about the services with you. In some cases, processing is required to fulfil legal obligations that Spesía is bound by.

2. To develop and maintain the product

Spesía analyses your use of its mobile apps, website or online services to improve and further develop them. This analysis includes monitoring how often you log in, which features you use, and which devices or systems you use to access the service. Feedback received via email, social media, or user testing may also be used. Such processing is based on your consent, contractual necessity, and Spesía’s legitimate interests.

3. To provide you with comparisons

Spesía may use your information to create anonymised, statistical, or demographic summaries showing, for instance, how your behaviour or circumstances compare with aggregated averages of other users. Such processing is based on your consent and the performance of our service agreement with you.

4. To maintain good communication

Spesía values open communication with users, to inform you about updates, new features, or important changes, and to make it easy for you to provide feedback or suggestions. Such data are processed based on your consent, our contract with you, and Spesía’s legitimate interests.

How Do We Store Personally Identifiable Data?

The security of your personally identifiable data is a key element of Spesía’s operations. Spesía implements various security measures to protect your information and to meet its legal obligations regarding data security. These measures are intended to prevent unauthorised use, duplication, access, or disclosure to third parties, and to avoid loss, inaccuracy, or misuse of data. Examples of such measures include data encryption, the use of pseudonyms, and extensive security testing. 

Spesía retains personally identifiable data only for as long as necessary to provide the services available at any given time and/or in accordance with the company’s legal obligations. In some cases, data are anonymised so that they are no longer identifiable as personal information.

How Do We Share Personally Identifiable Data?

Personally identifiable data may be shared with third parties to the extent necessary to provide services to users. Spesía ensures that such service providers offer adequate protection of personally identifiable data in accordance with this Policy.

What Rights Do You Have?

In accordance with data protection law, you have certain rights intended to safeguard your interests in relation to the processing of personally identifiable data. These rights include: 

• Right to information: to receive information about the data being processed about you so that you can exercise your other rights under data protection law.
• Right of access: to know whether your personally identifiable data are being processed and, if so, to receive confirmation, a copy of the data being processed, and other information about the processing, such as its purpose and the consequences for you.
• Right to object: to object to the use of your personally identifiable data for specific purposes, such as for marketing.
• Right to data portability: to obtain the personally identifiable data you have provided to the controller in a usable format, e.g., if you wish to reuse them with another service or controller.
• Right to rectification and erasure: to have inaccurate or incorrect personally identifiable data about you rectified or deleted.
• Right to be forgotten: in certain cases, to have all personally identifiable data about you erased where they are no longer necessary in light of the original purpose of the processing. 
• Right to information: You have the right to be informed about what data are being processed about you so that you can exercise your rights.

In some situations, exceptions to your rights may apply, for example, where other legal provisions require otherwise or where the rights of others take precedence. The general rule, however, is that your rights apply.

You may withdraw your consent to the processing of personally identifiable data at any time without affecting the lawfulness of processing based on consent before its withdrawal, for example, by deleting your Spesía account or by contacting Spesía to have your account closed. If you withdraw your consent, it may mean that you can no longer use the services in whole or in part, or that certain features will not function as intended.

Processing of Children’s Data

Spesía may process children’s personally identifiable data when necessary to provide requested services. If a child under the age of 13 uses the services or products, Spesía will always obtain the consent of a parent or guardian in accordance with data protection laws.

Changes to the Privacy Policy

Spesía reserves the right to update this Policy to reflect changes in business practices or legal requirements. Any updates will be published on Spesía’s website and will be considered accepted through continued use of the services. If significant changes are made, you will be notified before they take effect.

Contact and Remedies

If you have questions about this Policy or the processing of your personally identifiable data, you may contact Spesía’s Data Protection Officer (DPO). The DPO acts as the point of contact for data subjects, provides advice regarding their rights, and is responsible for monitoring Spesía’s compliance with data protection law.

If you believe your rights have been infringed, please contact us. All inquiries, comments, or suggestions regarding privacy matters may be sent to privacy@spesia.is 

​​If a dispute arises concerning the processing of personally identifiable data, you may lodge a complaint via email with the Icelandic Data Protection Authority (Persónuvernd) at postur@personuvernd.is or by regular post to: Persónuvernd, Rauðarárstígur 10, 105 Reykjavík. See further information at www.personuvernd.is 

Version and Responsibility

The CEO of Spesía is responsible for this Policy, which shall be reviewed annually or more frequently if necessary.

This Privacy Policy was last reviewed in October 2025.