Privacy Policy

Last updated: [insert date on publication]

This Privacy Policy explains which personal data we process when you visit and use getmoza.com, for what purposes, and what rights you have.

1. Controller

The controller for the data processing on this website is:

Artiq ehf.
Efstaland 5
270 Mosfellsbær
Iceland
Managing Director: Daniel Hakon Fridgeirsson
Email: artiq@artiq.is
Phone: +354 692 9448

No data protection officer is appointed, as none is required. As Artiq ehf. is established in the European Economic Area, namely in Iceland, no EU representative under Art. 27 GDPR is required.

2. General

We process personal data exclusively in accordance with the General Data Protection Regulation, Regulation (EU) 2016/679, and applicable data protection laws.

Personal data is any information relating to an identified or identifiable natural person. This includes, for example, name, email address, shipping address, IP address, order data and photos you upload.

3. What data we process

When you visit and use getmoza.com, the following data in particular may be processed:

3.1 Order data

When you place an order, we process the data required to handle your order. This includes in particular: name; email address; phone number, if provided; shipping address; billing and order data; order contents; payment and order references.

3.2 Uploaded photos and generated files

To create your mosaic we process the photos you upload to getmoza.com, as well as the preview, production and print files generated from them. This data is used to create your mosaic, provide you with a preview, process your order and, where applicable, carry out printing and shipping.

3.3 Payment data

The entry and processing of your payment data takes place directly via the respective payment provider. We ourselves do not store full card or payment data. We receive only information about whether a payment was successful, along with payment references that we need to match to your order.

3.4 Automatically collected technical data

When you visit our website, technical data is processed automatically. This includes in particular: IP address; date and time of access; pages accessed; browser type and version; operating system; device data; referrer URL; server logs. This data is technically necessary to provide the website, ensure its security and analyse errors.

3.5 Usage, analytics and marketing data

We process analytics and marketing data only if you have consented via our cookie banner. This may include in particular: page views; clicks; session duration; technical device information; approximate location based on the IP address; conversion events, for example completed orders; cookie and tracking IDs.

4. Purposes of processing and legal bases

4.1 Performance of a contract

We process your data to handle your order, create your mosaic, provide you with previews or download links, produce and ship physical products, and communicate with you about your order. Legal basis: Art. 6(1)(b) GDPR.

4.2 Compliance with legal obligations

We must retain certain data, in particular invoice, payment and order data, on the basis of tax and commercial law. Legal basis: Art. 6(1)(c) GDPR.

4.3 Consent

We use analytics and marketing tools that are not technically necessary only with your consent. Legal basis: Art. 6(1)(a) GDPR. You can withdraw or change your consent at any time with effect for the future.

4.4 Legitimate interests

We process certain technical data to operate our website securely, stably and reliably, prevent abuse and fraud, analyse errors and protect our systems. Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and reliable operation of our website and services.

5. Recipients and processors

To provide our website and process orders, we work with external service providers. They process personal data only to the extent necessary for the respective service.

Cloudflare — We use Cloudflare for content delivery, security functions, proxy services, and database and object storage functions such as R2 and D1. Technical access data, server requests, and stored upload and production files may be processed. Where configurable, data is stored in the EU, in particular in Frankfurt. Cloudflare Inc. is a US company; a transfer to the USA cannot be entirely excluded.

Render — We use Render for hosting our application. Technical data, server logs, application data and order data may be processed. The application is hosted in the Frankfurt/EU region. Render is a US company; a transfer to the USA cannot be entirely excluded.

MailerSend / MailerLite — We use MailerSend / MailerLite to send order, service and transactional emails. In particular your email address, name, order data and the contents of the respective email are processed. MailerLite is a provider based in Lithuania. Depending on the technical processing, sub-processors in third countries may be used.

Straumur — We use Straumur to process card payments. Straumur processes payment information, payment references and the data required to process the payment. We ourselves do not store full card data. Straumur is based in Iceland / the European Economic Area.

WhiteWall / Avenso GmbH — If you order a physical print product, we use WhiteWall, operated by Avenso GmbH, for production and shipping. In particular your name, shipping address, order data and the print file required for printing are transmitted. WhiteWall / Avenso GmbH is based in Germany.

Google — We use Google Analytics 4 and Google Tag Manager only with your consent. Usage data, technical device information, IP address, cookie IDs, page views and conversion data may be processed. The provider is Google Ireland Limited. A transfer to Google LLC in the USA cannot be excluded.

Microsoft Clarity — We use Microsoft Clarity only with your consent. Microsoft Clarity helps us understand how visitors use our website. Usage data, clicks, scroll behaviour, technical device information and session data may be processed. The provider is Microsoft Ireland Operations Limited. A transfer to Microsoft Corporation in the USA cannot be excluded.

Meta Pixel — We use Meta Pixel only with your consent. Meta Pixel serves to measure advertising campaigns and conversions. Usage data, technical device information, cookie IDs, page views and conversion events may be processed. The provider is Meta Platforms Ireland Limited. A transfer to Meta Platforms Inc. in the USA cannot be excluded.

6. Transfers to third countries

Some of the service providers we use are based outside the European Economic Area, or belong to corporate groups based outside the European Economic Area, in particular in the USA.

Where personal data is transferred to a third country, this is done only where the requirements of Art. 44 et seq. GDPR are met. This may be based in particular on an adequacy decision, a certification under the EU-US Data Privacy Framework, the European Commission's Standard Contractual Clauses, or other appropriate safeguards.

7. Cookies, tracking and consent

Our website uses cookies and similar technologies.

We use strictly necessary cookies and comparable technologies to provide the website, enable orders, ensure security and store your cookie settings. These cookies are required to operate the website and are set without consent.

We use analytics and marketing tools only if you have consented via our cookie banner. These include in particular: Google Analytics 4; Google Tag Manager; Microsoft Clarity; Meta Pixel.

On your first visit to our website you can decide whether to accept or reject analytics and marketing tools. The default setting for non-essential services is "rejected". You can change or withdraw your consent at any time via "Cookie settings" in the footer of our website.

8. Retention

We store personal data only as long as necessary for the respective purposes or as long as statutory retention obligations exist.

Order and invoice data. We retain order, invoice and payment-reference data for the duration of the statutory tax and commercial retention periods.

Uploaded photos and generated files. We store photos you upload, and the preview, production and print files generated from them, to process your order. After the order is completed we keep these files for up to a further 30 days, so that we can handle queries, complaints, technical problems or reprints. They are then deleted, unless a legal obligation or a legitimate reason for longer storage exists. Uploads that are not linked to a completed order are deleted regularly. Download links expire after 7 days.

Server logs. We store technical server logs only as long as necessary for the security, error analysis and stability of the website. They are then deleted or anonymised, unless longer storage is required to investigate abuse, fraud or security incidents.

Analytics and marketing data. Analytics and marketing data is stored according to the settings of the respective providers and your consent. You can withdraw your consent at any time.

9. Security

We take technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration or destruction. Our website is served over an encrypted connection, SSL/TLS. Access to personal data is limited to persons and service providers who need this data to perform their tasks.

10. Your rights

Under the GDPR you have the following rights: right of access (Art. 15); right to rectification (Art. 16); right to erasure (Art. 17); right to restriction of processing (Art. 18); right to data portability (Art. 20); right to object (Art. 21); right to withdraw a consent given (Art. 7(3)).

To exercise any of these rights, you can contact us at any time: artiq@artiq.is.

If you believe that the processing of your personal data violates data protection law, you also have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

Persónuvernd (Icelandic Data Protection Authority), personuvernd.is

You may also contact the data protection supervisory authority of your place of residence.

11. Withdrawal of consent

Where we process personal data on the basis of your consent, you can withdraw that consent at any time with effect for the future. The withdrawal does not affect the lawfulness of the processing carried out before the withdrawal. You can change or withdraw your cookie consent at any time via "Cookie settings" in the footer of our website.

12. Objection to processing based on legitimate interests

Where we process personal data on the basis of Art. 6(1)(f) GDPR, you can object to the processing at any time on grounds relating to your particular situation. We will then no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

13. Changes to this Privacy Policy

We may amend this Privacy Policy if our data processing, our website, our service providers or the legal situation change. The current version is always available at getmoza.com.