Privacy policy for Aha.is and the Aha.is app

1. General

The privacy policy of Aha (Netgengid ehf.) informs you about how we store and process your personal information at Aha. The treatment of personal information is in accordance with the provisions of the European Union's Data Protection Regulation (GDPR), which is implemented in Icelandic law by the Act on Personal Protection and Processing of Personal Information. Aha is the responsible party for the data generated during transactions and use of the Aha.is website and Aha app for smartphones.

This policy applies to both the Aha.is app, available on the App Store for iOS and the Google Play Store for Android, and the aha.is website.

This policy is available in both English and Icelandic; in case of any ambiguity, the Icelandic version shall apply.

By registering on the site, you confirm that you are 13 years of age or older.

You can update your information on the "My account" section of Aha.

2. What personal information do we store, for what purpose and on what legal basis do we process it?

Personal information is any information that can be used to identify an individual. Personal information does not include data that cannot be traced back to individuals.

Aha stores the following personal information:

  • Customer information. This refers to information that is created when creating access and ordering, e.g. name, address, telephone number and information about orders, as well as the last 4 digits of the payment card, expiry date, card type and card ID from the card company. Payment card numbers without the last 4 digits are never stored in Aha's databases. We store this information in order to process orders and store order history, i.a. for the convenience and simplicity of customers, due to warranty for purchased items and to protect the company in the event of a dispute. Payment card information is encrypted.

  • Personal information generated during communication. This refers to information that is generated during the customer's communication with Aha, e.g. via e-mail, phone calls (calls may be recorded), use of chat windows and communication via social media. We work with personal data in order to contact customers and provide the best possible service, as well as to defend the company in the event of a dispute on individual issues.

  • Technical information. This refers to technical information about the use of the Aha website, e.g. IP address, browser information, number of visits and duration, which pages are viewed, time settings and other useful information that can be read from the computers of users who visit the Aha website. This data is used to maintain the website, protect against computer attacks and fraud and to ensure security. Technical information that is generated during a visit to the site and may be personally identifiable is stored for a maximum of 6 months.

  • Footage from surveillance cameras. We store footage from surveillance cameras in the reception and in the car park. They are stored for security and asset protection purposes for up to 90 days.

  • Marketing data. This refers to data based on your purchasing behavior. We process this data to give customers the opportunity to take advantage of Aha's offers and participate in marketing events such as games organized by Aha, but also to manage the content and advertisements that appear on the site, in the newsletter and on social media and to measure the effectiveness and understand the impact of advertising. We send regular newsletters if the customer has agreed to be registered on the company's mailing list and has not withdrawn that consent. However, customers can always unsubscribe from the Aha newsletter and opt out of further targeted mail by clicking on the dedicated link at the bottom of all targeted emails from the company. However, unsubscribing from the newsletter does not affect Aha's other communications with customers, e.g. due to orders. Aha does not sell personally identifiable information to third parties.

  • Aha uses customer information, technical information and marketing information to ensure the proper functioning of the Aha website, to control the content of advertisements displayed to our customers (e.g. on Facebook) and to measure and understand the impact of the company's advertisements. This information is stored on the basis of consent as well as legitimate interests, which in our case is to provide the best customer service, develop the services we offer and protect the company against fraud and external attacks. We also use this information to send marketing materials to customers and the processing of that data is based on customer consent or on the basis of legitimate interests.

  • Aha partners and employees (delivery drivers) who are contracted by Aha to deliver orders will have to enable location services, including the access of background location data, when delivering orders. This is to ensure that the Aha management, customer and sellers can track the delivery of their order in real time. This data may be stored and is subject to the terms of the contract between Aha and the individual.

  • Customers using the app or website can choose to enable location services to allow the app to show them the nearest Aha sellers. Real-time location data or tracking location data of users other than delivery drivers is never stored by Aha and is only used to enhance the customer experience and service reliability. Customers can disable this feature at any time in the app settings. Only delivery drivers (not customers) are asked specifically to enable background location services.

Sensitive personal information

Aha does not store any sensitive information about its customers. Sensitive personal data according to the GDPR is data that contains information about gender, race, religion, sexual behavior, political opinions, trade union membership information, health information or genetic and biotechnology information.

Aha uses the information that the company stores exclusively for the purpose for which it is intended, i.e. to deliver products and services, ensure the best possible functioning of the Aha website and to protect the interests of the company as well as marketing where applicable. For more information, please send an email to gdpr@aha.is

3. How does Aha store personal data?

Aha stores personal data that customers provide themselves (e.g. by registering on Aha, filling in forms on the Aha.is website or by sending us an email). Aha also automatically stores data when using Aha through the use of cookies or similar technologies. Here you can find information about the use of cookies.

4. Forwarding of personal information

In certain cases, Aha has to share personal information with third parties.

  • To our sellers so that orders can be processed. Aha sellers are sent information about the name of the person ordering, the content of the order and the address/phone number if needed.

  • To external software companies that provide Aha services, e.g. e-mail address to the newsletter service provider and payment information to the service provider that handles accounting software. If the company is located outside the EEA, information is only forwarded if the company complies with the protection of personal data according to GDPR regulation.

  • Aha reserves the right to transfer information about its customers to another company in the event of a merger or sale of the company.

We require that all parties to whom we forward personal data value and ensure the security of the data in accordance with the Personal Protection Act. These parties are only allowed to process the data for specific purposes and according to our instructions.

5. Data security

Aha follows security procedures that are supposed to ensure that personally identifiable data is not lost, changed or gets into the hands of unauthorized parties. Only those employees and partners who need to have access to the information due to their work have it. The staff members have signed a confidentiality statement regarding the information they are exposed to in their work.

Processes are in place in the company that should ensure the correct handling of a case if there is a suspicion of misuse of personally identifiable information.

6. Storage of data

Information about customers and business history is stored in the Aha systems until the company no longer deems it necessary. Accounting-related data is stored for 7 years in accordance with relevant law.

In certain cases, data is transformed so that it is no longer personally identifiable and it is further processed for research and statistical purposes without the customer being specifically informed of this.

7. Your Rights

According to GDPR, customers have the right to get access to all the personal data that companies store about them, can request a copy of the data and request corrections to it or that it be forwarded or that it be deleted. However, it is not possible to change or delete data that companies are obliged to store according to law.

Personal information provided during registration as well as transaction information can be accessed by logging in to "My Account".

To request the deletion of data or other personal information, you must contact Aha by e-mail at gdpr@aha.is and present personal identification so that the data can be handed over or deleted, or request such deletion through the app. You can also always contact Aha via email to gdpr@aha.is to access more information about the company's privacy policy. Customers are not charged for services for accessing personal information the first time it is requested, but Aha reserves the right to charge a fee for repeated requests. Attempts are made to comply with requests for access to data within four weeks of the request being received.

If a customer is dissatisfied with the handling of personal information by Aha, he has the right to file a complaint with The Data Protection Authority. However, Aha kindly requests that the company be contacted first in an effort to resolve the matter before taking the matter to The Data Protection Authority.

8. Links to third-party websites and the buyer's relationship with the seller.

On the Aha website you can find links to websites of third parties (e.g. to websites of individual sellers). Aha does not manage the websites of these parties and is not responsible for their privacy policies. We encourage our customers to check the privacy policy of the respective company when browsing outside the Aha site.

When buying through Aha, in certain cases, a business relationship with a third party is created, i.e. between the buyer and seller of the relevant product. Aha shares only the minimum information needed to process an order with its vendors. All personal information given by the customer directly to the retailer (through Aha) is governed by the privacy policy of the relevant vendor.

9. Cookies

Cookies are text files stored in the user's computer memory. They are used to analyze site traffic, improve the user experience and ensure security. This data is only stored for a short period of time and the information is non-personally identifiable as far as possible, since most cookies are used for technical purposes in order to be able to use the Aha website. However, Aha reserves the right to use this data to trace cyberattacks and suspected card fraud.

You can set your browser so that it does not support the use of cookies or that it warns you when a website uses cookies. Note, however, that by rejecting cookies, certain parts of the Aha website may become inaccessible or stop working properly. More information about cookies on Aha can be found here.

10. Changes

Changes may be made to the privacy policy, e.g. due to changes in laws, rules or official requirements regarding the handling of personal information. Customers are encouraged to regularly monitor policy updates here on the website.

11. Get in touch

If you have any questions or requests related to the privacy policy or how we handle your information, please contact us via gdpr@aha.is.

Last updated on November 27th, 2023.