Privacy policy

1. General

This policy applies to personal data (“data”) collected on (the “site”, “we,” or “us”) and the General Data Protection Regulation (“GDPR”).

This policy explains which data we collect from you for which purpose. This policy explains your rights and the choices you have about the way your information is collected and used and how you can access, amend or erase your personal data. 

We encourage you to periodically review this Privacy Policy to keep up to date on how we are handling your personal data.


2. Responsibility

The company responsible for data collection, processing and usage of your personal data within the meaning of the GDPR and other data protection regulations is Hrímnir / Trostan ehf, Leirvogstunga 29, 270 Mosfellsbær, Island, Telefon: 00354-861-4000,


3. Collection, processing and utilization of personal data

3.1. Personal data

Personal data is understood to include all details that enable identification of a person. This can be name, address, telephone number, e-mail address, payment information and the IP address that identifies the device used to visit our site.

3.2. Collected personal data

You can access all pages on without having to give any personal details.
Your device automatically sends data to us when you access our site. We need this data to make our online shop available to you. See 3.3.2 below for more information on how we process and use this data. Personal data is only recorded by us if you advise us voluntarily by registering a customer account, submitting an order, signing up for our newsletter or contacting our customer service by email or our contact form.  

3.3. Utilization of personal data
3.3.1. Legal rights for processing personal data

If we get the permission from you to process your personal data, article 6 paragraph 1 lit. a GDPR is the legal basis for processing your personal data.
For processing personal data needed to perform a contract which you are a party to, article 6 paragraph 1 lit. b GDPR is the legal basis. This applies as well to processing transactions needed to perform pre-contractual measures. 
If processing of personal data is necessary to fulfil a legal obligation on our part article 6 paragraph 1 lit. c GDPR is the legal basis. 
If such processing is necessary to protect our rights and legal interests, except where such interest is overridden by your interests or fundamental rights and liberties, which require protection of personal data, then article 6 paragraph 1 lit. f GDPR is the legal basis. 
Which personal data we use for which specific purpose/s is detailed below. 

3.3.2 Website access

Your device sends data when you access our website. This data includes the operating system of your computer or mobile device, the browser type you use to visit our site, the date, time and duration of your visit, the country from which you access our site, the access status and which link, if any you used to access our site. These data sets do not contain any personal data. On access, the IP address is communicated but this does not permit identification of any person as it is not stored together with any other personal data. This data is only available to us in form of statistics, which ensures no individual person can be identified. This data is only saved to make our website available and to improve it. As collection and processing of this data ensures website availability, its processing cannot be denied.

These purposes constitute our interest in data as described in article 6 paragraph 1 lit. f GDPR. 

3.3.3 Customer account registration

We may collect your name, email address, mailing address, post code and telephone number if you create a customer account on our site. This information will be used to help you to keep track of your orders, to save and edit your shopping cart, to facilitate checkout during purchases, to keep you updated about special offers or updates related to the site, to create wish lists and to sign-up for e-mail notifications when sold out products are back in stock. When registering you agree to the usage of your personal data as defined in this privacy policy within the meaning of the GDPR. Entering your personal data for registration is voluntary if you do not intend to make a contract of sale with us. 
The legal basis for this processing of data is article 6 paragraph 1 lit. a GDPR. 

To prevent misuse, kindly keep your access data secret. We do not accept any liability for any unauthorized third party using your customer account. 
The customer account remains in existence for as long as you wish. You can cancel your registration and have your personal data deleted if no longer needed by us to meet legal or contractual obligations, such as contract performance or handling complaints under guarantee and the law does not dictate otherwise. You can demand deletion of your account at any time by e-mail to

3.3.4. Orders on

When placing an order on you enter in a contract of sale with us. We may collect your name, billing address, shipping address, email address, telephone number, credit card number and expiration date when you make a purchase. This information is used to provide the products and services that you have ordered or requested, to process and ship orders, to send order and shipping confirmations (or other transactional information) and/or to provide customer service. We need this information to process your order, notify you about its status and manage possible returns.

Your address data is sent to our parcel service GLS to create the shipment of the order. Further information on our parcel service and shipping and forwarding agent is given under 4.2 below. Your payment information is passed on to our payment service company who then debits your card or bank account. Further information on our payment services company is given in 4.3 below.

By placing an order on, you agree to us using your personal data to process the order and to save it to ensure our legal and contractual duties, such as for example handling complaints under guarantee.
Article 6 paragraph 1 lit. b GDPR is the legal basis for us to process your personal data when entering a contract of sale with us. 
This data will be automatically erased after ten years unless legal requirements dictate otherwise. Premature blocking or anonymization of your data is possible if the data is no longer needed to meet contractual or legal duties. To anonymize your personal order data please contact .

3.3.5 Customer service

You can contact our customer service with any queries, requirements or suggestions by e-mail to or the contact form on When you use the contact form on you will have to agree to your personal data being processed.f your request is connected to your customer account, your personal data can be collected and stored to enable our customer service to handle your request properly and verify your identity. If you use any other form of communication with us, the data you provide may be saved. Please note that we may ask for further details if such are needed to handle your request or to verify your identity.

In the case of orders, your personal data may be sent on to our service providers to process your order as described in 4.1 and 4.2 and 4.3.
The legal basis for data processing when you contact is article 6 paragraph 1 lit. a GDPR. If your request is connected to entering a contract of sale with us, the processing of personal data is also in compliance with article 6 paragraph 1 lit. b GDPR.
Personal data collected by our customer service or other information acquired in customer contacts must by law be retained for ten years and then automatically be deleted. All personal data collected by us after you contacted us will be deleted upon your request sent to unless the law dictates otherwise.

3.3.6. Newsletter

You must enter your e-mail address and check the agreement box in the sign-up form for our newsletter on to receive our free newsletter. We need your e-mail address to be able to send the newsletter to you.
The legal basis for us sending you a newsletter and the associated processing of your personal data, is article 6 paragraph 1 lit. f GDPR, given that your interests or fundamental rights and liberties are not overriding, taking into consideration your reasonable expectations based on your relationship with us and overriding legitimate interest per recital 47 GDPR.
We use a double opt-in procedure for confirming your newsletter subscription. You will only receive our newsletter when checking the box during sign-up to agree to us saving and processing your personal data and then confirming your registration by clicking on a confirmation link that we send in an email to the email-address entered by you.

The personal data we collect when you subscribe to our newsletter is saved for the duration of your subscription. Your data won’t be used or processed to send you a newsletter once you cancel your newsletter subscription. We then delete your data from our newsletter protocols, unless the law dictates otherwise.
If you wish to cancel your newsletter subscription you can do at any time by clicking the cancellation link that every newsletter contains or by contacting

3.3.7 Contests or prize draws

When you participate in a contest or prize draw held by us we will request you to provide us with your personal data that is necessary to take part in the contest or prize draw. Depending on the kind of competition or prize draw that data may include your first and last name, e-mail address, post address and/or telephone number. The rules of each relevant competition will be according to the protection of your personal data as described in this privacy policy.

3.3.8 Comments and entries on blog page

Making a comment or entry on our blog page is voluntary and you need to provide us with your name and e-mail address. Using the comment function, you agree to your data being collected and processed and your entry being displayed on our site. The data will only be used for this purpose.
The legal basis for using and processing your personal data related to comments or entries on our site is article 6 paragraph 1 lit. a GDPR. 
You can request the erasure of your comments or entries by sending an email to


4. Personal data and service providers

We do not forward personal data to any unauthorized third parties. To process your order at we must forward your personal data to our contracted service providers such as our warehouse service provider, payment service provider and our parcel service provider. We guarantee that we only forward personal data that is properly and appropriately designated and that our entrusted service providers will only use your personal data to process the specific task related to your order. Personal data is forwarded in the cases listed below. 

4.1 Order processing is operated and offered by the software Magento 1 from the company Magento ,54 North Central Avenue Campbell, CA 95008, All orders placed on are processed by our partner Panalpina Welttransport (Deutschland) GmbH, Carl-Zeiss-Str. 5, 64331 Weiterstadt, Germany, For processing your order, we need to share all order and invoice details with Panalpina who uses your data for this purpose only in compliance with articles 32-36 GDPR. 
The legal basis for processing your data to perform a contract of sale is article 6, paragraph 1 lit. b GDPR. In all other cases mentioned above explicit agreement is required and article 6, paragraph 1 lit. a GDPR is the legal basis for doing so.
All other data collected during your visit at without same being expressly entered as described in 3.3.2 will be transmitted anonymized and not saved together with personal data to ensure that no conclusion on any specific natural person can be drawn.
Technical logs containing an IP address are kept for a maximum of six months for evaluation and detection purposes and support of investigative authorities concerning criminal activities. Events of significance to data protection are kept in central data protection log files for a maximum duration of one year. 
All data collected via the online shop are saved as the law requires and then automatically erased. 
You always have the option of having your personal data blocked and anonymized if we no longer require it to meet contractual or legal obligations, such as performance of a contract of sale and the law does not dictate otherwise. Please contact if you want your personal data to be blocked.

4.2. Order shipments

All orders placed on are shipped with General Logistics Systems Germany GmbH & Co. OHG, hereinafter called “GLS”, Straße 1 – 7, 36286 Neuenstein, Germany,

To perform your contract of sale with us we need to share your first and last name, shipping address and telephone number with GLS. GLS needs this personal data to deliver the ordered items and the data transmission to GLS is justified within the meaning of article 6 paragraph 1 lit. b GDPR.
As rendering postal goods and services does not constitute processing orders within the meaning of article 28 GDPR, GLS is considered an independent responsible legal person who needs to process sender and consignee addresses and contract and delivery data to be able to render postal goods and services. GLS is subject to specific obligations where postal confidentiality and particularly data protection law are concerned. The data protection management of GLS complies with the GDPR.
You may directly contact GLS regarding all matters concerning personal data processing by GLS as an independent responsible legal person by email to

4.3. Order payments

Order payments are placed in a save Payment Gateway form from TeleCash GmbH & Co. KG, Marienbader Platz 1, 61348 Bad Homburg, Germany.

TeleCash GmbH & Co. KG, hereinafter called "TeleCash“, is a company that markets software for banks and leading service providers that ensures safe and secure financial transactions. TeleCash is regularly security audited to make sure that your online payments are safe and secure.

All data you enter during payment in the checkout process on is forwarded to TeleCash. To ensure highest security of your payment data we do not save it ourselves but have it saved in encoded form by TeleCash. The credit card payment on meets the Payment Card Industry Data Security Standard (PCI DSS) requirements.

The legal basis for transmitting your data to TeleCash is article 6 paragraph 1 lit. f GDPR.
By paying by credit or debit card you agree to your personal data being sent to TeleCash. The data is automatically deleted from their systems after 24 months.


5. Cookies

Our website uses cookies. A cookie is a small text file up to 4KB created by a website that is stored in the user's computer, either temporarily for that session only, or permanently on the hard disk. Cookies enable the website to recognize you and to track your online behavior. Cookies may be stored every time you access a website online. They contain text files that identify the browser when it is used to access a website again.
There are two different kinds of cookies. Session cookies are only valid for a single session since they get deleted once the browser is closed. Session cookies are used for purely technical reasons to ensure the proper functioning of the site. Permanent cookies, on the other hand, are stored on your hard disc for a longer time to make your use of our site easier. Permanent cookies for example ensure that your browser remembers products you have placed in a shopping basket for days or weeks. Each permanent cookie has an individual expiry date which may be days, weeks or years in the future.

We use cookies to make your use of as easy and convenient as possible. For technical reasons, some functions of our online shop require the browser to be identifiable after a change of page. We also use cookies enabling us to analyze the surfing behavior of visitors, as for example number of page hits or products and categories viewed.

This cookie data collected for analytical purpose is anonymized and no natural person can be identified. This data is never saved together with other personal data. 
If you visit our online shop an information banner opens to tell you that the site uses cookies and your attention is drawn to our data protection declaration.

The legal basis for processing personal data using cookies is article 6 paragraph 1 lit. f GDPR. 

By adjusting the settings in your device you have full control of the use of cookies and can manage them by yourself. In your browser settings you can delete saved cookies at any time. You can also use your browser to control the use of cookies and permit or block them. You can permit only cookies from a specific site to be used or blocked or you can have all cookies automatically deleted after every browser session. More information on cookie management is given in the help file of your browser. Please note that deactivating cookies means that not all functions of can be fully used.


6. Google Analytics

We use Google Analytics on to constantly improve the site and your shopping experience. This analytic service is provided by Google LLC, herein after called “Google”, Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.

Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (

The legal basis for using Google Analytics is article 6 paragraph 1 lit. GDPR.

With help of cookies, Google generates information about your usage of that gets transmitted to a Google server in the USA and is stored there. Google processes the gained information on our behalf to evaluate the use of by users, to make reports on the activities within the site and to provide us with further services related to the optimization of the site.

We further reserve the right to use Google Analytics for displaying advertisements within Google and its affiliate advertising services to users who have shown an interest in our online offer or users with certain characteristics, such as specific topics or product views.

We only use Google Analytics with activated IP anonymization where the IP address of the users gets shortened by Google within EU-member states or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases the full IP address is sent to a Google server in the US and gets shortened there.

Your IP address is not merged with other data provided by Google.

You can prevent the storage of cookies by adjusting your browser settings. You can also prevent the collection and processing of your personal data by Google by installing the browser plug-in that is available here:

For more information about Google's data usage, hiring and opt-out options, you can visit the following Google websites:


7. Google Adwords

We reserve the right to use Google Adwords retargeting technology to send visitors of who are already interested in our products personalized advertising. Ads are displayed based on a cookie-based analysis of your previous behavior, whereby no personal data is stored. In the case of retargeting, a cookie is stored on your device that ensures ads being displayed that most probably correspond to your interests.

You can prevent the use of cookies for advertising permanently by downloading and installing the browser plug-in available for this purpose: .

We reserve the right of operating advertisements via Google Adwords and of using conversion tracking as a part of Google Adwords. The cookie for conversion tracking is set when you click on an ad delivered by Google. Should you visit certain pages of the website before the cookie expires then both Google and us can tell that you reached our site by clicking on the ad. This information is used to draft conversion statistics for AdWords customers who have opted into conversion tracking. We are told the total number of users who clicked on the ad but do not receive any information that can be used to personally identify you. If you do not want to participate in tracking, you can change your browser settings and disable the Google Conversion Tracking cookie. Further information on Google data protection rules can be found on


8. Social plugins 

8.1. Facebook

We use social plugins of the social network, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland, herein after called “Facebook”. These plugins are interaction elements and can be recognized by one of the Facebook logos, such as a white "f" or a white thumb on a blue tile or the term "like”. You can see the list and appearance of Facebook Social Plugins here:

Facebook is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (

The legal basis for using the Facebook plug-in is article 6 paragraph 1 lit. f. GDPR.

When you click on a Facebook plugin button on or use a feature that includes a Facebook plugin, your device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted by Facebook directly to your device and your user profile can be created from the processed data. We have no influence on the amount of data that Facebook collects with the help of the plugin and inform you according to our current knowledge.

If you are logged in to your Facebook account, Facebook can assign your visit. When you interact with the plugin as for example press the Like button or leave a comment, the information is transmitted from your device directly to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook finds out and saves their IP address.

The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the related rights and setting options for protecting your personal data can be found in Facebook's privacy policy:

If you are a Facebook member but do not want Facebook to collect data about you on and link it to your member data stored on Facebook, you must log out of Facebook and delete its cookies before visiting our site. Other settings and inconsistencies regarding the use of data for advertising purposes are possible within the Facebook profile settings:  or via the US-American site or the EU page  

8.2 Twitter

We use a social plugin of the service Twitter on that is provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

The legal basis for using the Twitter plug-in is article 6 paragraph 1 lit. f. GDPR.

By using the plugin, the page you are visiting on is linked to your Twitter account and posted to other users. By doing so, data will be transmitted to Twitter. We do not have any information about the contents of transmitted data or the further use of such information by Twitter. For more detailed information, please check the Privacy Policy of Twitter The privacy settings of your Twitter account can be adjusted under

8.3. Google+

We use a social plugin for Google+ on that is provided by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA.

The legal basis for using the Google+ plug-in is article 6 paragraph 1 lit. f. GDPR.

By clicking on the Google+ button you may publish information worldwide. Via the Google+ button you and other users receive person-related contents from Google. Google stores the information that you have rated and the information about the website that you visited the moment you clicked the Google+ button. Your Google+ preferences may be published or displayed together with your profile name and your picture at Google services, such as search results, your Google profile or in other places on certain websites. Google records information about your Google+ activities to improve its services. To be able to use the Google +1 button you need a globally visible, public Google profile which must contain at least the user name chosen for this profile. Your personal details provided are treated according to the current Google data protection regulations on


9. Embedded services of third parties

9.1. YouTube

On, we use the service of video streaming provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, hereinafter called “YouTube”.
By visiting a page on that contains a YouTube plugin, your browser will set up a direct connection with the YouTube servers. By linking the plugin, YouTube receives the information that you have visited the corresponding page of our website. If you are logged in to your YouTube account, YouTube can associate your visit to your personal account. You can prevent this by logging out of your YouTube account. Please find more detailed information on YouTube data sharing and data privacy at

9.2 Google Maps

The store locator on uses Google Maps API from Google to show the location of Hrímnir dealers worldwide on an interactive map. When using Google Maps on our site, your information and your IP address will be transferred and stored on Google's servers in the USA. According to its data protection policy, Google does not pass this information on to third parties, but does make exceptions to this rule. This means that data collected in this way may be provided to third parties where such is required under USA legislation or where such data is processed by third parties on Google's behalf. You can read more about Google Inc.'s data protection policy here:

You can also disable Google Maps to stop your personal data from being transmitted to Google at any time. To do so, please disable Java Script in your browser. Please note that doing so means that it will no longer be possible to use our store locator.

 9.3 Google ReCaptcha

For the prevention of spam and abuse, is protected with the reCaptcha feature of Google. This function is primarily used to distinguish whether an input is made by a natural person or abusive by automated processing. The service includes the sending of your IP address and possibly other data required by Google for the reCaptcha service to Google. Additional information about Google reCaptcha and Google's privacy policy can be found at:


10. Personal data protection

We want to protect your personal data as we want you to enjoy visiting our online shop.
State-of-the-art technical and organizational measures are taken to ensure your data is safe. An example of this is the encoded transmission of your data using SSL encoding in our online shop. This ensures that unauthorized persons cannot view or change it.
Our safety and security measures are oriented on article 5 paragraph 1 lit. f GDPR, article 32 paragraph 1 GDPR and all the other data protection requirements in the GDPR. 


11. Your rights

11.1. Right of access

You can request us to confirm whether we process personal data from you and we are obligated to tell you which data is processed, the purpose of the said data processing, who receives your data and why and how long your personal data is saved.

You have the right to demand information on whether your personal data in question will be sent to a third country or an international organization. In this context, you may demand to be informed of suitable guarantees per article 46 GDPR where such transmission is concerned.

11.2. Right of rectification

You have a right of rectification and/or completion with respect to if your personal data processed is incorrect or incomplete. We will carry out any rectifications immediately.

11.3. Right to restriction of any data processing

You have the right for restriction of the processing of data concerning you when you dispute the accuracy of your personal data, the processing is unlawful, we do not need the data any longer for processing but you need it for the assertion, or you exercise legal claims. If you have objected to processing per article 21 paragraph 1 GDPR and it is not yet certain whether our justified reasons outweigh yours.

11.4. Right to deletion

You have the right to request the deletion of your personal data. We are obliged to delete your personal data when it is no longer necessary for the purpose for which it was collected or processed, you revoke your consent to the processing according to article 6 paragraph 1 lit. a GDPR or article 9 paragraph 2 lit. a GDPR and there is no other legal basis for the processing, you object according to article 21 paragraph 1 GDPR to the processing and there are no overriding justified grounds for the processing, or you submit an objection according to article 21 paragraph 2, the data concerning you has been illegally processed.

You have no right to deletion when the processing is necessary to fulfil a legal obligation to which we are subject to or to exercise or defend legal claims.

11.5. Right to objection

You have the right to object at any time to the processing of your personal data that is carried out in accordance with article 6 paragraph 1 lit. e GDPR. We will then stop to process the personal data that concerns you unless we can prove compelling reasons worthy of protection for the processing that outweigh your interests, rights and liberties, or the processing serves to assert, exercise or defend any legal claim. 

11.6. Right of revocation  

You have the right at any time to revoke your data protection declaration of consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its revocation. 


Last updated: Mai 2018