Privacy Policy

Last updated: 8 June 2026

Breidd ehf, operating under the brand Car Rental Selfoss ("we", "us", "our"), respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have under the EEA General Data Protection Regulation (GDPR) and the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018.

This policy applies to our website, our online booking and rental system, and any rental of a vehicle from us.

1. Data controller and contact details

The data controller responsible for your personal data is:

Breidd ehf (brand: Car Rental Selfoss)
Hrísmýri 3, 800 Selfoss, Iceland
Phone: (+354) 482-4040
Email: info@carrentalselfoss.is

If you have any questions about this policy or wish to exercise your rights, please contact us using the details above.

2. What personal data we collect

Depending on how you interact with us, we may collect the following categories of personal data:

  • Identification data — your full name, date of birth, and national identity number (kennitala) where required for the rental agreement or for legal reasons.
  • Driving licence and identity documents — your driving licence number and a copy or scan of your driving licence, and where necessary a copy of your passport or other identity document. We are required to verify your driving licence before a vehicle is handed over.
  • Contact details — your postal address, email address, and telephone number.
  • Payment and card data — your payment card details are collected and processed directly by our payment processor (Rapyd) in a secure environment. We do not store your full card number on our own systems. With your separate authorisation, a card may be securely stored ("card on file") by our payment processor so that we can charge it for damage, fuel, fines, or other amounts due under the rental agreement, in accordance with our terms and applicable card-scheme rules.
  • Booking and rental data — details of your reservation and rental, including pick-up and return dates, times and locations, the vehicle assigned and its registration number, additional drivers, selected extras and insurance options, the rental agreement itself, mileage, and any records of damage, fuel level, fines, or incidents.
  • Vehicle location data — where a vehicle is fitted with a tracking or telematics device, we may process the vehicle's location data. We use this only where necessary, for example to recover a vehicle, to investigate accidents, theft, or misuse, or where required by law or insurance.
  • Website and cookie data — technical data such as your IP address, browser type, device information, and information collected through cookies and similar technologies (see Section 9).
  • Correspondence and marketing data — the content of messages you send us and, where you have given consent, your marketing preferences.

3. Purposes of processing

  • To take and manage your reservation and to prepare, conclude, and perform the vehicle rental agreement.
  • To verify your identity and the validity of your driving licence before handing over a vehicle.
  • To process payments, deposits, and any post-rental charges (for example damage, fuel, fines, or cleaning) and to manage refunds.
  • To provide customer service and respond to your enquiries.
  • To operate, maintain, secure, and improve our website and booking system.
  • To comply with our legal and accounting obligations.
  • To establish, exercise, or defend legal claims, to investigate damage, accidents, theft, or fraud, and to protect our property.
  • To send you marketing communications where you have consented.

4. Legal bases for processing

We rely on the following legal bases under the GDPR and Act No. 90/2018:

  • Performance of a contract (Art. 6(1)(b)) — processing necessary to enter into and perform your rental agreement, including taking your booking, identifying you, providing the vehicle, and handling payment and returns.
  • Compliance with a legal obligation (Art. 6(1)(c)) — for example retaining accounting and transaction records under the Icelandic Act on Bookkeeping (Bókhaldslög) No. 145/1994, and verifying a renter's driving licence in line with Icelandic rules on the rental of motor vehicles (including Regulation No. 840/2015).
  • Legitimate interests (Art. 6(1)(f)) — where necessary for our legitimate interests, provided these are not overridden by your rights: investigating and recovering damage to vehicles, recovering unpaid amounts, preventing and detecting fraud and misuse, securing our website and systems, and establishing or defending legal claims. Where we rely on legitimate interests, you have the right to object (see Section 8).
  • Consent (Art. 6(1)(a)) — for marketing communications and for any non-essential cookies. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

5. Recipients and processors

We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary:

  • Rapyd — our payment service provider, for processing payments, deposits, refunds, and securely storing card data on file where authorised.
  • Hosting provider — the provider that hosts our website and booking system infrastructure.
  • Brevo — our email service provider, for transactional emails (such as booking confirmations) and, where applicable, marketing emails.
  • Booking system operator — the provider that develops and operates our online reservation and rental management system on our behalf.
  • Google Maps — for displaying maps and location information on our website; your interaction with embedded maps may involve a transfer of data to Google.
  • Authorities, insurers, and advisers — public authorities (for example tax authorities, the police, or Samgöngustofa), our insurers, debt-collection agencies, and legal advisers, where necessary to comply with the law, enforce our terms, or establish or defend legal claims.

Where these recipients act as our data processors, we have in place a written data processing agreement (DPA) as required by Article 28 of the GDPR, obliging them to process your data only on our instructions and to apply appropriate security measures.

6. International transfers

We aim to keep your personal data within the European Economic Area (EEA). Some of our processors may process data outside the EEA. Where this happens, we ensure that appropriate safeguards are in place as required by the GDPR — for example an adequacy decision by the European Commission, or the European Commission's Standard Contractual Clauses together with any necessary additional measures. You may contact us for more information about these safeguards.

7. Data retention

  • Operational and marketing data — booking and customer-service records that are not required for legal or evidential purposes, and marketing data, are kept only as long as needed for the relevant purpose and are then deleted or anonymised. Marketing data is deleted when you withdraw your consent or object.
  • Accounting and transaction documents — records that form part of our bookkeeping (including rental agreements and payment records) are retained for 7 years from the end of the relevant financial year, as required by the Icelandic Act on Bookkeeping No. 145/1994, and longer where a longer statutory period applies.
  • Driving licence scans and identity documents — retained for a defined, limited period that is no longer than necessary for the rental, for legal verification, and for the establishment or defence of legal claims, after which they are securely deleted.
  • Data needed for legal claims — where data is needed to establish, exercise, or defend a legal claim, we may retain it until the relevant limitation periods have expired.

8. Your rights

Under the GDPR and Act No. 90/2018, you have the following rights regarding your personal data:

  • Right of access — to obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification — to have inaccurate or incomplete data corrected.
  • Right to erasure — to have your data deleted in certain circumstances. This right does not apply where processing is necessary for compliance with a legal obligation to which we are subject (Art. 17(3)(b) GDPR) — for example, accounting records we must retain under Act No. 145/1994. In such cases we will explain why we cannot delete the data.
  • Right to restriction of processing — to ask us to limit our processing of your data in certain circumstances.
  • Right to data portability — to receive the data you provided to us, where processing is based on consent or contract and carried out by automated means, in a structured, commonly used, machine-readable format.
  • Right to object — to object, on grounds relating to your particular situation, to processing based on our legitimate interests, and to object at any time to processing for direct marketing.
  • Right to withdraw consent — where processing is based on consent, to withdraw it at any time.

To exercise any of these rights, contact us at info@carrentalselfoss.is. We may need to verify your identity before responding, and we will respond within the time limits set by law.

Providing your data. Some personal data (such as your name, driving licence and payment details) is necessary to enter into and perform the rental agreement and to meet our legal obligations. If you do not provide it, we will not be able to rent a vehicle to you.

Automated decision-making. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing, and we do not carry out profiling of this kind.

9. Cookies

Our website uses cookies and similar technologies. Strictly necessary cookies are required for the website and booking system to function. We use non-essential cookies (for example analytics or maps) only with your consent, which you can give or refuse, and later change, through our cookie banner or your browser settings. Disabling some cookies may affect how the website works.

10. Complaints

If you have concerns about how we handle your personal data, please contact us first so we can try to resolve the matter. You also have the right to lodge a complaint with the Icelandic Data Protection Authority:

Persónuvernd (Data Protection Authority)
Laugavegur 166, 4th floor, 105 Reykjavík, Iceland
Website: personuvernd.is
Email: postur@personuvernd.is

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The current version will always be available on our website, and the date of the most recent update is shown at the top of this policy. We encourage you to review it periodically.