Privacy Policy

1. Introduction

Guide Connect ("we", "our", or "us") is a professional, commission-free platform connecting qualified tour guides in Iceland with travel companies (Agencies) for staffing and tour management.

We are committed to protecting your privacy and personal data. This Policy outlines how we collect, use, and safeguard your data in compliance with the General Data Protection Regulation (GDPR) and relevant Icelandic data protection laws, as Iceland has incorporated GDPR into its national law.

2. Information We Collect

We collect information necessary to provide, maintain, and improve the Guide Connect platform.

2.1 Information You Provide

• Pre-Registration/Early Access Data: Name, Email Address, Role (Guide/Agency/Other), Company Name (for agencies), and Primary Region (for guides). This data is collected to provide updates about the platform's launch and will be used to automatically create your Guide or Agency account upon public launch for user conversion.
• Newsletter Subscription: When you subscribe to our newsletter through the website footer, we record your email address, the date and time of your consent, the IP address from which the request originated (including any proxy chain forwarded via X-Forwarded-For), and your browser's user-agent string. This information is retained as proof of consent under GDPR Article 7 and is accessed only by authorised staff for compliance purposes. You can withdraw consent at any time via the unsubscribe link in every newsletter or through the preference center at /email-preferences.
• Account and Profile Data (Guides): Name, Email, Password (hashed), Phone Number (optional), Primary Area/Region (e.g., South Iceland, West Fjords), Profile Picture (optional), Languages spoken, Certifications, Professional Licences (e.g., glacier guiding, specific tour types), Bio and Years of Experience (optional).
• Account and Profile Data (Agencies): Company Name, Operating License Number, Contact Person Name, Contact Person Email and Phone Number, Business Address, Billing Information processed through our payment partner Straumur for subscription management (see our Sub-Processors page for details).
• Communication Data: Records of messages exchanged between Guides and Agencies via the platform's messaging features, and communications with our support team.
• Availability Data: Real-time and future availability information provided by Guides via the calendar/availability feature.
• External Booking Data: When you submit a booking request through a guide's booking page, we collect your name, email address, phone number, company name, and booking details (dates, group size, location) to process your request.
• Support Requests: When you contact support, we collect your description, contact information, and any attachments you provide to resolve your issue.
• Employment & Education: Guides may optionally provide employment status and education history for professional profile completion.
• Account Registration Consent Records: When you create an account, we record the IP address from which the registration was submitted (including any proxy chain forwarded via X-Forwarded-For) and your browser's user-agent string against each consent you give at signup (Terms of Service, Privacy Policy, and, where applicable, Marketing communications). This audit trail is required by GDPR Article 7(1), which obliges us as controller to demonstrate that consent was given. These records are stored alongside a timestamp for each individual consent, are accessed only by authorised staff for compliance purposes, and are included in your data export on request (see Section 7).
• Login History: Every successful login to your account is recorded with the IP address (including any proxy chain forwarded via X-Forwarded-For) and your browser's user-agent string. We rely on this under GDPR Article 6(1)(f) (legitimate interest) for account-security purposes: detecting unfamiliar or anomalous logins, supporting fraud prevention, and powering the recent-logins view available inside your account. Retention of this log follows the 90-day period described in Section 6. You may access this information at any time via your account or through the data export described in Section 7.
• Password Reset Requests: When you request a password reset, the IP address that initiated the request is included in the security-notification email we send to your account address so that you can verify the request was legitimate. This IP is used only in that single email and is not retained in a separate database record beyond the email itself.

2.2 Information Collected Automatically

• Usage Data: Information about how you use the platform, including pages viewed, features used (e.g., search queries, filter applications), and frequency of access.
• Technical Data: IP address, browser type, operating system, device identifiers, access times, and referring website addresses.
• Cookies and Tracking Technologies: We use cookies to maintain your session, store preferences, and analyze platform usage to improve service.
• Location Data: Approximate location derived from your IP address to show relevant local opportunities. If you use the Guide Connect mobile app, we collect precise GPS location data (latitude, longitude, speed, heading, altitude, and accuracy) from your device during active tour sessions, including in the background while the app is closed or not in use, for guide safety monitoring and tour operations. See Section 2.3 below for full details.
• Error Reports: Error reports including user identifiers for debugging purposes, retained for 90 days. Processed on our self-hosted error tracking system.
• Login History: Login records including IP address, device information, and timestamp for security auditing, retained for 90 days.
• Email Delivery Logs: Email delivery records including recipient, subject, and delivery status for troubleshooting, retained for 1 year. Email body content is not stored in these logs.
• Contact View Records: Records of who viewed your contact information for privacy auditing, retained for 90 days.
• Profile Views: Anonymised profile view counts for analytics purposes, retained for 90 days.
• Product Analytics: Product analytics events (page views, feature usage, session data) processed via PostHog, subject to your analytics consent preference.
• Engagement Metrics: Engagement metrics including last active date, login frequency, and feature usage for product improvement, deleted with your account.
• Onboarding Progress: Onboarding step completion timestamps for product improvement, deleted with your account.

2.3 Mobile App Location Data

The Guide Connect mobile app collects precise location data from tour guides during active tour sessions. This section explains what location data we collect, why, how it is used, and how you can control it.

What Location Data We Collect

• Precise GPS coordinates (latitude and longitude) from your mobile device
• Associated movement data: speed, heading, altitude, and GPS accuracy
• Location data collected in the foreground while you are actively using the app
• Location data collected in the background (when the app is closed or not in use) during active tour sessions
• Arrival coordinates when you reach tour stops (check-in verification)
• Route deviation data (your distance from the planned tour route)

When Location Data Is Collected

• Background location tracking begins only when a tour session transitions to an active status (e.g., when you check in to a tour or start guiding)
• Background location tracking stops automatically when the tour session ends or is completed
• Location is NOT tracked outside of active tour sessions. The app does not collect your location when you are not actively performing a tour.
• Check-in location is recorded when you check in at a tour departure point (if location permissions are enabled)

Why We Collect Location Data

• Guide Safety Monitoring: To monitor guide safety during tours, particularly in remote, rural, or hazardous locations across Iceland. This is the primary purpose of background location tracking.
• Tour Operations: To verify check-in at tour departure points, track tour progress, and provide real-time operational awareness to the employing agency.
• Incident Reporting: To attach location context to incident reports filed during a tour, enabling faster emergency response.
• Route Calculation: To calculate routes between tour stops and provide navigation assistance using third-party mapping services (OpenRouteService, Valhalla).

How Location Data Is Shared

• The employing agency may see your position, speed, heading, and movement status during an active tour in real time via the agency dashboard, for operational and safety purposes
• Location data is processed by our self-hosted route-matching service (Valhalla) to align your GPS track with known roads for accuracy
• Location data is shared with mapping service providers (OpenRouteService, MapTiler) solely for route calculation and map rendering
• Location data is never shared with third parties for advertising, analytics, or marketing purposes
• Location data is never sold to any third party

Your Control Over Location Data

• Before background location tracking begins, the app displays a prominent in-app disclosure explaining what data will be collected, why, and how it will be used
• You must explicitly grant location permission through your device's operating system before any location data is collected
• You can revoke location permission at any time through your device's Settings app
• Revoking location permission does not affect your ability to use other features of the Guide Connect app or web platform
• You may request deletion of your location data at any time by contacting privacy@guideconnect.is

Location Data Retention

• Background tracking data (GPS coordinates, stop visits, route deviations): Retained for 30 days after recording for safety review and operational purposes, then automatically deleted
• Incident report locations: Retained as part of the tour incident record for the lifetime of the associated tour record (indefinitely while your account is active, deleted upon account deletion)
• On-device location queue: Up to 10 location points may be temporarily stored on your device until successfully transmitted to our servers. Cleared on transmission, logout, or tour completion.
• Route and navigation data: Tour stop coordinates and planned routes are stored as part of tour records. Real-time navigation calculations (ETA, distance) are computed on-device and not transmitted.

Legal Basis

• Contract performance (GDPR Article 6(1)(b)): Location tracking is part of the tour execution and safety monitoring service that guides and agencies rely on.
• Legitimate interest (GDPR Article 6(1)(f)): Guide safety in remote and potentially hazardous touring environments across Iceland. We have assessed that this interest does not override guides' rights, given that tracking is limited to active tour sessions and guides are clearly informed before it begins.
• Consent (GDPR Article 6(1)(a)): Guides must grant device-level location permission before any location data is collected. This permission can be withdrawn at any time.

3. How We Use Your Information

We use your information for the following specific and legitimate purposes:

• Platform Operation (Contract): To provide, operate, and maintain the platform, including creating and managing your Guide or Agency account, and enabling the core functions of search, filtering, and direct contact.
• Guide Matching and Staffing (Contract): To enable Agencies to find, filter, and contact suitable Guides for tours based on their licences, languages, specializations, and availability.
• Communication: To send administrative information (e.g., account updates, security alerts, service changes) and, based on your consent, send promotional or platform updates.
• Billing and Subscriptions (Contract/Legal Obligation): To process subscription payments and comply with tax and accounting regulations.
• Platform Improvement (Legitimate Interest): To monitor and analyze usage trends, troubleshoot issues, and improve the efficiency and features of the platform.
• Security and Fraud Prevention (Legitimate Interest/Legal Obligation): To detect, prevent, and respond to potential fraud, abuse, or illegal activities.
• Location-Based Safety and Tour Operations (Contract/Legitimate Interest): To monitor guide safety during active tours, verify check-in at departure points, enable incident location reporting, and provide route calculations. Background location is collected only during active tour sessions and is never used for advertising or analytics.

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Contract: Processing is necessary for the performance of the contract with you, specifically to provide the Guide Connect service (e.g., account management, profile display, direct communication facilitation).
• Consent: We rely on your explicit consent for certain activities, such as receiving marketing/promotional communications or for the use of specific optional cookies.

  For pre-registration, we rely on your consent to use your Name/Email for updates and automatic account creation upon launch. You have the right to withdraw this consent at any time.

• Legitimate Interest: Processing is necessary for the purposes of our legitimate interests or those of a third party, provided those interests do not override your fundamental rights and freedoms. This includes improving our service, platform security, and internal administrative purposes.
• Legal Obligation: Processing is necessary for compliance with a legal or regulatory obligation (e.g., tax law, data protection law, responding to lawful requests from authorities).

5. Data Sharing and Disclosure

We will only share your data as described in this policy:

• With Other Users: We share Guide profile data (name, professional qualifications, availability, contact details) with registered Agencies, and Agency contact information with engaged Guides, as necessary to facilitate the platform's core function of direct connection and negotiation.
• Service Providers: We use third-party service providers (processors) for hosting, payment processing, analytics, and infrastructure support. These providers are subject to strict data processing agreements and are only authorized to use your data as necessary to provide services to us. View our complete list of sub-processors.
• Legal Requirements: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation or protect the rights, property, or safety of Guide Connect or its users.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred, subject to the new entity respecting this Privacy Policy.
• Data Controller Roles: Guide Connect is the Data Controller for all data processed on the platform. Agencies accessing Guide data act as independent data controllers and are responsible for their own compliance with GDPR and applicable data protection laws when processing any Guide data they receive through the platform. View our Data Processing Agreement.
• Agency Tags on Guides: Agencies may apply internal tags or notes to guide profiles for their operational use (e.g., language preferences, scheduling notes). These tags are included in your data export upon request.
• External Guide Contacts: Agencies may store contact details of external guides who are not registered on the platform for tour staffing purposes. The agency is the data controller for this information and is responsible for informing these individuals about the processing of their data.

We do not sell your personal data to any third parties.

6. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy. Different categories of data have different retention periods based on legal requirements, operational necessity, and your choices. Anonymization means irreversibly removing or replacing all personal identifiers so the data can no longer be linked to an individual.

7. Your Data Protection Rights (GDPR)

Under GDPR, you have the following rights concerning your personal data:

• Right of Access: To request confirmation and a copy of the personal data we hold about you.
• Right to Rectification: To request the correction of inaccurate or incomplete data.
• Right to Erasure ('Right to be Forgotten'): To request the deletion of your data when there is no compelling reason for us to continue processing it.
• Right to Restrict Processing: To limit the way we use your data.
• Right to Data Portability: To receive your data in a structured, commonly used, and machine-readable format and have it transmitted to another controller.
• Right to Object: To object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: To withdraw any consent you have previously given at any time.

To exercise these rights, please contact us at legal@guideconnect.is.

You also have the right to lodge a complaint with your supervisory authority, which in Iceland is Persónuvernd (The Icelandic Data Protection Authority).

8. Data Security and International Transfers

Security

We implement appropriate technical and organizational measures (e.g., encryption, secure servers, access controls) to protect your personal data from unauthorized access, disclosure, alteration, or destruction.

Audit & Change Records

• We maintain administrative action logs for security auditing purposes, retained for 365 days. These logs record system changes and may include IP addresses and user agent information.
• We maintain change history records for account and professional data for audit purposes, retained for 1 year (7 years for financial records). This helps ensure data integrity and supports your right to know what changes were made.

International Transfers

All personal data is stored securely in EU-based servers (Frankfurt, Germany). In the event your data is transferred to a country outside the EEA (e.g., to a third-party service provider's administrative access), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), to guarantee a comparable level of data protection.

9. Cookies

We use necessary, analytical, and marketing cookies. You can manage your cookie preferences through the settings in your browser or through our platform's cookie consent manager.

10. Professional Documents & Sensitive Personal Data

Guide Connect allows Guides to upload professional documentation for verification and staffing purposes. These documents are treated with the highest level of data protection.

Types of Documents

• Professional certificates and training records
• Driver's licenses and similar identification documents
• Curriculum Vitae (CV) and cover letters

Purpose of Processing

• Verification: Platform administrators review documents to verify professional qualifications and certifications.
• Staffing: Documents may be shared with Agencies solely at the Guide's explicit request, to support evaluation for specific tour opportunities.

Access and Visibility

• Documents are private by default — only accessible to the Guide and platform administrators
• Agencies may only receive documents if the Guide explicitly chooses to share them
• Documents are never publicly visible or automatically shared

Guide Control

Guides have full control over their documents:

• Upload or delete documents at any time
• Choose whether to share specific documents with specific Agencies
• Remove shared access at any time

Legal Basis

• Explicit consent (GDPR Article 6(1)(a)): For sharing documents with Agencies — only at the Guide's request.
• Performance of contract (GDPR Article 6(1)(b)): For administrative verification of professional qualifications.

Restrictions on Agencies

Agencies who receive shared documents agree that they:

• May only use documents for evaluating Guides for specific tour opportunities
• May NOT download, store, copy, share, or reuse documents outside the platform without separate explicit consent from the Guide
• May NOT use document data for marketing, profiling, or any unrelated purpose

Document Security

• Encrypted storage with private, time-limited access URLs
• Access control requiring authentication
• Audit logging of document access activity

Document Retention

• Documents are stored only while the Guide's account is active
• Guides may delete individual documents at any time
• All documents are permanently deleted upon account deletion

Special Category Data (GDPR Article 9)

Certain optional profile fields constitute special category data under GDPR Article 9, which requires your explicit consent before processing. We collect this data only when you voluntarily provide it, and you maintain full control over its visibility.

• Gender Identity: Gender identity is special category data under GDPR Article 9 (data concerning sex life or sexual orientation). We collect it only with your explicit consent via the special category consent mechanism. You control visibility through your profile settings (default: not visible to agencies). Withdrawing consent immediately clears this field from your profile.
• Trade Union Membership: Trade union membership is explicitly listed as special category data under GDPR Article 9(1). The same explicit consent, visibility controls, and withdrawal mechanism apply. Whether you are a union member and your union name are never shared without your active choice to make them visible.
• Pronouns: Pronouns may reveal gender identity and are therefore treated as special category data. They are included in the same consent mechanism. Default visibility is not visible to agencies, consistent with all other sensitive fields.

For all special category fields: (a) explicit consent is required and recorded, (b) visibility defaults to off -- you must actively enable sharing, (c) withdrawing consent immediately and permanently clears the data, (d) your choice is respected regardless of any agency request.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and/or sending you an email notification.

12. Contact Us

For questions about this Privacy Policy or our data practices, please contact our Data Protection Team at:

legal@guideconnect.is

Guide Connect, Borgarnes, Iceland