varhugi

Privacy policy

Last updated: 27 April 2026.

This text is a draft and is pending legal review before launch.

Varhugi respects user privacy. This policy explains what personal data we collect, why, and how you control it. It is based on Icelandic Act No. 90/2018 on the Protection of Privacy and the EU General Data Protection Regulation (GDPR).

Data controller

The data controller is Varhugi (Icelandic company ID pending registration with the company registry). You can reach us at the address shown on the Contact page.

What we collect

We collect only the data needed to provide the service: name, email, training results and issued certificates; the organisation's kennitala when applicable; payment data (handled by our payment provider, not Varhugi); and technical usage data (sign-in timestamps, IP, browser) used for security and operations.

Purpose of processing

Providing the service, issuing and verifying certificates, generating audit reports for your workplace, communicating with users (including sign-in emails and reminders), and keeping the website secure and operational.

Third parties (sub-processors)

We use European sub-processors to deliver the service: Vercel (hosting), Neon (database, Frankfurt), Resend (transactional email), and Stripe (payments, when on a paid plan). Each receives only the data needed for its function. No personal data is transferred outside Europe unless an exception is documented here in advance.

Retention

Training data is kept while the account is active. Certificates are retained indefinitely so anyone can later verify them on the public verification page, this is core to the service. When an account is deleted, personal data is removed within 30 days unless law requires otherwise (accounting records: 7 years).

Your rights

You have the right to access the data we hold on you, to correction, to erasure, to restriction of processing, to data portability, and to object to processing. Send requests to the address on the Contact page. You may also file a complaint with the Icelandic Data Protection Authority (personuvernd.is) if you believe we have not complied with the law.

Cookies

We use only essential cookies to keep you signed in and to remember your language. No marketing or third-party analytics cookies are used on varhugi.is.