Book direct · Hosts keep 100% · No fees
Icelandic Summerhouses

Privacy Policy

How we handle your personal data

Last updated: May 2026

Version 0.1 · May 2026

This Privacy Policy explains how LeaseMate ehf., a company registered in Iceland (kt. [• registration number], registered office at [• address]), trading as Iceland Summerhouses ("LeaseMate", "we", "us", "our"), collects and uses personal data when you visit icelandicsummerhouse.com (the "Site") or contact a host through it.

We are the controllerof the personal data described below for the purposes of Regulation (EU) 2016/679 ("GDPR") and the Icelandic Act No. 90/2018 on Data Protection and the Processing of Personal Data. We can be contacted at hello@icelandicsummerhouse.com for any privacy question, including to exercise the rights set out in section 9.

What we are and what we are not. Iceland Summerhouses is a directory. We list independent Icelandic summerhouses and forward enquiries to the host who owns each property. We do not take bookings, take payment from guests, hold funds, run a chat or messaging system, or operate reviews. Once your enquiry reaches the host, your conversation continues directly with the host, off our platform.

1. Quick summary

  • The only personal data you actively provide to us is what you enter into the "Contact host" enquiry form (your name, email, an optional phone number, dates, party size, and your message).
  • We use that information to forward your enquiry to the host by email (and, where the host has opted in, a brief SMS notification). The host then replies to you directly.
  • We use a small number of cookies and a single browser-storage entry to keep the site working and to credit influencers who refer you. These do not contain your name, email or address.
  • We use Vercel Analytics, which collects aggregate, anonymised traffic information.
  • We do not know whether you booked a stay, when, or for how much. We deliberately avoid collecting that information.
  • We do not sell your personal data and do not use it for advertising.

2. The personal data we collect

2.1 Information you give us

Host enquiries.When you submit the "Contact host" form on a listing page or the trip-planner contact page, we collect:

  • your name;
  • your email address;
  • a phone number, if you choose to provide one;
  • the dates or rough timing of your visit (free text), the size of your party, and (optionally) the number of nights;
  • your free-text message to the host;
  • an optional link to your Airbnb, Booking.com or VRBO profile, if you choose to share one as a trust signal for the host.

We also receive, alongside your enquiry, the host's contact details and the listing you enquired about — these are operational fields, not information about you.

General contact. If you email us at hello@icelandicsummerhouse.com — for example via the contact page or a footer link — we receive your email address and the contents of your message.

Hosts and prospective hosts.If you contact us to list a property (including via the "List your house" page when live), we collect the information you provide — typically your name, email, phone number, the property name and region, an optional website, and your message. Where you go on to become a listed host, we process your data under a separate Terms for Hosts agreement.

2.2 Information collected automatically

When you visit the Site, our hosting and infrastructure providers receive standard request information, including:

  • your IP address;
  • your browser type, language, operating system and device;
  • the page you requested and the page you came from (referrer);
  • the date and time of the request.

These are written to platform logs by our hosting provider (Vercel) for the operation, security and debugging of the Site. We do not store this in our own database, and we do not link it to your name or email.

When you submit an enquiry, our enquiry endpoint additionally records a short application log entry containing the listing identifier, the email address you submitted, and a one-way SHA-256 hash of your IP address (the raw IP itself is not stored). This is used to investigate delivery failures and abuse. It is retained for the period set out in section 8.

2.3 Cookies and local storage

We use a small set of first-party cookies and one browser-storage entry. We do not use third-party advertising or cross-site tracking cookies.

  • lm_session_id — a randomly generated identifier (UUID) set when you arrive on the Site. It lets us count distinct visitors and credit referrals. It does not contain your name, email or IP and is not shared with third parties. HTTP-only, SameSite=Lax, expires after 30 days.
  • lm_ref and lm_ref_ts — set if you arrive at the Site via a tracked link from one of our influencer or content partners (a URL with a ?ref= parameter). They store the partner's short identifier and a timestamp so that, if you later submit an enquiry, we can credit the partner who referred you. HTTP-only, SameSite=Lax, expire after 30 days.
  • lm_cookie_consent — a value stored in your browser's localStoragewhen you click "Accept all" or "Essential only" on the cookie banner, so we don't show the banner again. It is not sent to any server.

See our Cookie Policy for more detail and for instructions on managing or deleting cookies in your browser.

2.4 Influencer / referral attribution events

When you arrive via a tracked partner link, view a listing's map, click an external partner card (for example a tour or car-hire link), or submit an enquiry, we record an event in our database containing:

  • the partner's identifier (the short slug from the URL);
  • your lm_session_id;
  • the listing or content the event relates to;
  • a timestamp.

These events do not contain your name, email, IP address or any free-text content. They are pseudonymous, and we do not merge them with your enquiry contents. We use them only to pay influencer partners and to understand which content is useful.

We deliberately do not record whether an enquiry led to a booking, when a stay took place, or what was paid. Doing so would compromise both your privacy and our regulatory posture (see section 12).

2.5 Information we do not collect

We do not collect special-category data (health, religion, politics, biometrics, etc.). We do not run reviews, ratings or chat. We do not process payment for any stay and never see card or bank details for bookings. We have no booking calendar that could tell us whether a stay actually occurred.

3. How we use your personal data, and our legal basis

Under GDPR we rely on the following legal bases:

  • To forward your enquiry to the host. Legal basis: steps taken at your request prior to entering into a contract with the host (Art. 6(1)(b) GDPR), and our legitimate interest (Art. 6(1)(f)) in operating a directory that connects guests with hosts.
  • To run, secure and debug the Site (server logs, abuse prevention, and the IP-hash log on the enquiry endpoint). Legal basis: our legitimate interest in keeping the Site available and free of abuse (Art. 6(1)(f)).
  • To set the strictly necessary cookies and the influencer attribution cookies described in section 2.3. Legal basis: our legitimate interest in measuring whether our partner programme works (Art. 6(1)(f)) and, where required by the Icelandic Electronic Communications Act (Act No. 70/2022) for any non-essential cookies, your consent given via the cookie banner (Art. 6(1)(a)).
  • To produce aggregate traffic analytics via Vercel Analytics. Legal basis: our legitimate interest in understanding how the Site is used (Art. 6(1)(f)). Vercel Analytics is designed to be cookieless and to collect only aggregate, anonymised information.
  • To respond to questions you send to hello@icelandicsummerhouse.com. Legal basis: our legitimate interest in responding to people who contact us (Art. 6(1)(f)), or pre-contractual steps where you are a prospective host (Art. 6(1)(b)).
  • To comply with our legal obligations — for example, tax, accounting, or responding to lawful requests from public authorities. Legal basis: Art. 6(1)(c).

We do not use your personal data for automated decision-making with legal or similarly significant effects, and we do not profile you for advertising.

4. Who we share your personal data with

4.1 The host you contact

The contents of your enquiry form (your name, email, optional phone, dates, party size, message and any profile link you provide) are sent to the host of the listing you enquired about, by email — and where that host has opted in to SMS notifications, a short SMS containing your name and the listing title. The host's reply will go to the email address you provided. From that point on, your conversation with the host is between you and them; we are no longer involved.

Hosts are independent of LeaseMate and act as their own data controllers in respect of the enquiries they receive from you. Their own privacy practices are their responsibility.

4.2 Service providers (processors)

We use the following third parties to provide the Site. Each is bound by a written agreement and processes personal data only on our instructions:

  • Vercel Inc. (United States) — hosting, serverless functions, request and application logs, and Vercel Analytics.
  • Supabase Inc. (managed Postgres database and storage; region [• EU/US]) — stores listings, referral events and host records.
  • Resend, Inc. (United States) — transactional email delivery; processes the contents of enquiry emails to hosts.
  • Twilio Inc. (United States), where SMS host notifications are enabled — receives the host phone number and a short notification body containing your first name and the listing title.
  • Cloudflare, Inc. (United States) — when our anti-bot captcha is active, your IP address is sent to Cloudflare Turnstile for verification.
  • Map and routing providers — when a map is shown, your browser requests map tiles from CARTO / OpenStreetMap. Where we show driving directions, our server queries the public OSRM project with coordinates only.
  • Adobe Fonts (optional)— if configured, Neue Haas Grotesk may load from Adobe's font CDN (use.typekit.net). We do not use Google Analytics, Google Ads, or Google Tag Manager.

4.3 Other recipients

  • Professional advisers (lawyers, accountants, auditors) under duties of confidentiality, where strictly necessary.
  • Public authorities where we are legally required to disclose information (for example a valid court order or a request from Skatturinn within the lawful scope of its powers).
  • A buyer or successor of all or part of our business, subject to equivalent confidentiality obligations.

We do not sell or rent your personal data, and we do not share it with advertising networks, data brokers, or social media platforms for advertising or profiling.

5. International transfers

Some of our service providers (notably Vercel, Resend, Twilio and Cloudflare) are based in the United States or operate global infrastructure. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V of the GDPR — typically the European Commission's Standard Contractual Clauses (2021/914), and for transfers to the United States, the EU–US Data Privacy Framework where the recipient is certified.

You can ask us for a copy of the relevant safeguards by emailing hello@icelandicsummerhouse.com.

6. Security

We use technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS), encryption at rest at our managed-database provider, server-side input validation, restricted administrative access protected by secret-based authentication, and the principle that personal data is collected only where it is needed for a specific purpose set out in this policy.

No system can be guaranteed perfectly secure. If we ever discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Icelandic Data Protection Authority (Persónuvernd) within 72 hours and, where required, notify you directly.

7. Children

The Site is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has submitted information to us, please contact hello@icelandicsummerhouse.com and we will delete it.

8. How long we keep your personal data

We keep personal data only for as long as necessary for the purposes set out in this policy. Indicative retention periods:

  • Enquiry contents in our email provider (Resend).The enquiry email is delivered to the host. A copy is retained in our email provider's outbound logs in line with their retention policy (typically up to [• 30 days / provider default]). We do not currently store a copy of the enquiry body in our own database.
  • Application log of an enquiry submission (listing ID, your email, hashed IP, delivery success). Up to [• 90 days], then deleted by our hosting provider in the normal course of log rotation.
  • Hosting platform request logs (IP, User-Agent, requested URL). Retained by Vercel per their standard log retention, typically up to [• 30 days].
  • Cookies (lm_session_id, lm_ref, lm_ref_ts) — 30 days from your most recent visit, or until you clear them in your browser.
  • Referral attribution events in our database — retained for up to [• 24 months] for the purpose of paying partners and reviewing the partner programme, then deleted or aggregated.
  • Host records and host onboarding leads — for the duration of the listing relationship and for [• 7 years] afterwards to meet Icelandic accounting and tax retention obligations, then deleted.
  • Email correspondence with us — for as long as needed to handle the matter and a reasonable period afterwards (typically up to [• 24 months]).

Where retention periods above are shown in brackets, they will be finalised on the advice of our Icelandic adviser before launch.

9. Your rights

Subject to the conditions and exemptions in the GDPR and the Icelandic Data Protection Act, you have the right to:

  • Access the personal data we hold about you and receive a copy of it;
  • Rectify personal data that is inaccurate or incomplete;
  • Eraseyour personal data (the "right to be forgotten") where one of the grounds in Article 17 applies;
  • Restrict processing of your personal data in the circumstances set out in Article 18;
  • Object to processing based on our legitimate interests;
  • Data portability — receive a structured, commonly-used and machine-readable copy of personal data you provided to us, where processing is based on consent or contract and is carried out by automated means;
  • Withdraw consent at any time, where we rely on your consent (this does not affect the lawfulness of processing before withdrawal); and
  • Lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd, Rauðarárstígur 10, 105 Reykjavík, personuvernd.is) if you consider our processing infringes data-protection law.

To exercise any of these rights, email hello@icelandicsummerhouse.com. We may need to ask you to verify your identity before responding. We will respond within one month of receipt; we may extend this by up to two further months for complex or numerous requests, in which case we will tell you within the first month.

10. Cookies and how to manage them

See our Cookie Policy for full detail of each cookie. You can clear or block cookies at any time in your browser settings. Doing so may stop us crediting an influencer who referred you, but will not stop you using the Site or contacting a host.

11. Third-party links

The Site contains links to third-party websites — for example, tour and car-hire partners, host-recommended businesses, or external articles. We are not responsible for the privacy practices of those sites. When you follow such a link you leave the Site and are subject to that site's own privacy policy.

12. A note on bookings

We deliberately do notlearn whether your enquiry led to a booked stay, when you stayed, or what you paid. We have no booking calendar, no payment processor for stays, no booking-confirmation webhook, and no "did this convert?" flag. This is a considered design choice for both your privacy and our compliance with Icelandic Regulation No. 1664/2024 implementing the OECD Model Reporting Rules for Digital Platforms (DAC7). It also means that, if you ask us whether or what you booked, the honest answer is that we don't know — only you and the host do.

13. Changes to this policy

We may update this policy from time to time. The date at the top of this page shows when it was last revised. If we make material changes — for example, adding a new processor or a new purpose for which we process personal data — we will give you a clear notice on the Site and, where appropriate, by email.

14. How to contact us

Privacy questions, requests, and complaints:

If you are not satisfied with our response, you may complain to Persónuvernd at the address in section 9.