1. Introduction
Vestra AI ehf. ("we", "us", or "our") operates fot.is (the "Platform"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Platform.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), Icelandic data protection laws, and other applicable privacy regulations.
Data Controller:
Vestra AI ehf.
Reykjavík, Iceland
Email: vestra@vestra.is
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide when you:
- Create an account: Email address, username, password, display name
- Create listings: Item descriptions, photos, prices, location information
- Update your profile: Bio, avatar, preferences, sizes
- Contact us: Name, email, message content
- Make purchases: Shipping information (when provided to sellers)
2.2 Automatically Collected Information
When you use the Platform, we automatically collect:
- Device information: IP address, browser type, device type, operating system
- Usage data: Pages viewed, search queries, items clicked, time spent on pages
- Location data: Approximate location based on IP address, and precise location if you enable it
- Cookies and tracking: Session cookies, preferences, analytics data
2.3 Information from Third Parties
We use Clerk for authentication, which may provide us with information from your social media accounts if you choose to sign in using those services (e.g., name, email, profile picture).
3. How We Use Your Information
We use your information for the following purposes:
3.1 Providing Services
- Create and manage your account
- Process and display your listings
- Enable communication between buyers and sellers
- Provide customer support
- Send transactional emails (order confirmations, account updates)
3.2 Improving the Platform
- Analyze usage patterns and trends
- Develop new features and functionality
- Conduct research and testing
- Optimize search and recommendation algorithms
3.3 Safety and Security
- Detect and prevent fraud, spam, and abuse
- Enforce our Terms of Service
- Protect against security threats
- Resolve disputes
3.4 Marketing (with consent)
- Send promotional emails about new features
- Provide personalized recommendations
- Show relevant advertisements
3.5 Legal Obligations
- Comply with legal requirements
- Respond to lawful requests from authorities
- Enforce our legal rights
4. Legal Basis for Processing (GDPR)
Under GDPR, we process your personal data based on the following legal grounds:
- Contractual necessity: To provide the Platform services you've requested
- Legitimate interests: To improve our services, prevent fraud, and ensure security
- Consent: For marketing communications and optional data collection
- Legal obligation: To comply with applicable laws and regulations
5. How We Share Your Information
5.1 With Other Users
When you create listings or interact on the Platform, certain information becomes visible to other users:
- Your username and display name
- Your profile information (bio, avatar)
- Your listings and item details
- Your ratings and reviews
- Your approximate location (city level)
Seller Contact Information: To facilitate transactions, sellers can optionally provide contact information that becomes visible to interested buyers.
How Contact Information Sharing Works
- Sellers set their contact information in account settings (email, phone number, social media accounts)
- Sellers control visibility with a toggle to show or hide their contact information
- Buyers view contact information by clicking "Contact Seller" on item listings
- Daily view limits apply: Buyers can view up to 5 different sellers' contact information per day
- All contact views are logged for safety, abuse prevention, and dispute resolution
What Contact Information May Be Shared
Sellers can choose to share any combination of the following:
- Contact email: A business or transaction-specific email address (can be different from account email)
- Phone number: A phone number for calls or text messages
- Social media accounts: Handles for platforms like Instagram, Facebook, Twitter, TikTok, Snapchat, WhatsApp, LinkedIn, or others
Note: You have complete control over what contact information to provide. You can update or remove your contact information at any time in your account settings. If you disable contact information sharing, buyers will not be able to view your details.
Protection and Limitations
- Rate limiting: The 5 views per day limit helps prevent abuse and excessive data collection
- View logging: We track who views whose contact information and when
- Account enforcement: Users who abuse the contact system may have their accounts suspended
- Reporting: You can report misuse of your contact information to us
Safety Recommendations
- Use business or secondary contact information rather than personal details
- Consider creating transaction-specific email addresses or phone numbers
- Review buyer profiles and ratings before responding to inquiries
- Never share passwords, social security numbers, banking credentials, or other sensitive information
- Be cautious of scams and verify buyer legitimacy before shipping items or accepting payment
- Report suspicious users or inappropriate contact attempts to us immediately
Important: Once you provide contact information in your settings and a buyer views it, that information is outside our Platform's direct control. While we implement rate limiting and logging to protect you, we cannot prevent users from using your publicly shared contact information in ways you did not intend. Only share contact information you are comfortable making available to potential buyers.
5.2 With Service Providers
We share information with third-party service providers who help us operate the Platform:
- Clerk: Authentication and user management
- Vercel: Hosting and infrastructure
- Vercel Blob: Image storage
- PostgreSQL providers: Database hosting
- Analytics providers: Usage analytics and performance monitoring
These providers are contractually obligated to protect your information and use it only for the purposes we specify.
5.3 For Legal Reasons
We may disclose your information if required by law or in response to:
- Court orders or legal process
- Law enforcement requests
- Protection of our legal rights
- Prevention of fraud or security threats
- Protection of user safety
5.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy.
5.5 With Your Consent
We may share your information for other purposes with your explicit consent.
6. Data Retention
We retain your personal information for as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy. Specifically:
- Account information: Until you delete your account, plus 90 days for backup purposes
- Listings: Until you delete them, or your account is closed
- Transaction records: 7 years for accounting and legal purposes
- Communications: Until resolved, plus 1 year
- Analytics data: Aggregated data retained indefinitely; individual data for 2 years
We may retain information longer if required by law or to protect our legal rights.
7. Your Rights (GDPR)
Under GDPR and Icelandic law, you have the following rights regarding your personal data:
7.1 Right to Access
You can request a copy of the personal data we hold about you.
7.2 Right to Rectification
You can update or correct your personal information through your account settings or by contacting us.
7.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data, subject to certain exceptions (e.g., legal obligations).
7.4 Right to Restrict Processing
You can request that we limit how we use your personal data in certain circumstances.
7.5 Right to Data Portability
You can request a copy of your data in a structured, machine-readable format.
7.6 Right to Object
You can object to processing of your data based on legitimate interests or for direct marketing purposes.
7.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw your consent at any time.
7.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) at www.personuvernd.is.
To exercise these rights, please contact us at vestra@vestra.is. We will respond within 30 days.
8. Protecting Your Privacy
While we take measures to protect your data on our Platform, you also play an important role in protecting your privacy. Here are some best practices:
8.1 When Sharing Information with Other Users
- Only share contact information when you are ready to complete a transaction
- Verify user profiles and ratings before sharing sensitive information
- Be cautious of requests for unusual payment methods or personal details
- Use secure payment methods and avoid wire transfers to unknown parties
- Keep transaction communications within the Platform when possible
- Report suspicious behavior to us immediately
8.2 Account Security
- Use a strong, unique password for your account
- Enable two-factor authentication if available
- Never share your account credentials with anyone
- Log out from shared or public devices
- Review your account activity regularly
- Contact us immediately if you suspect unauthorized access
8.3 Recognizing Scams
Be aware of common marketplace scams:
- Requests to complete transactions outside the Platform
- Buyers/sellers who pressure you to act quickly
- Requests for payment via gift cards or cryptocurrency
- Offers that seem too good to be true
- Requests for sensitive personal information (e.g., social security numbers)
- Fake payment confirmations or shipping notifications
If something feels wrong, trust your instincts. Contact us at vestra@vestra.is if you encounter suspicious activity.
9. Cookies and Tracking Technologies
9.1 What We Use
We use the following types of cookies and similar tracking technologies:
- Essential cookies: Necessary for the Platform to function (authentication, security)
- Functional cookies: Remember your preferences and settings
- Analytics cookies: Understand how you use the Platform
- Advertising cookies: Deliver relevant advertisements (with consent)
9.2 Your Choices
You can control cookies through your browser settings. Note that disabling certain cookies may affect Platform functionality.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption of data in transit (HTTPS/TLS)
- Encryption of data at rest
- Secure authentication (via Clerk)
- Regular security audits
- Access controls and authentication
- Rate limiting to prevent abuse
- Input validation and sanitization
However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
11. International Data Transfers
We are based in Iceland (part of the European Economic Area). However, some of our service providers may be located in other countries, including the United States.
When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Privacy Shield certification (where applicable)
- Adequacy decisions by the European Commission
12. Children's Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.
If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information. If you believe we have collected information from a child, please contact us immediately.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last Updated" date
- Sending an email notification (for significant changes)
Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Vestra AI ehf.
Reykjavík, Iceland
Email: vestra@vestra.is
For data protection inquiries specifically, you can also contact our Data Protection Officer at the same email address with the subject line "Data Protection Inquiry."
15. Additional Information for EEA/UK Residents
15.1 Data Controller
Vestra AI ehf. is the data controller responsible for your personal data.
15.2 Supervisory Authority
The Icelandic Data Protection Authority (Persónuvernd) is our lead supervisory authority:
Persónuvernd
Reykjavík, Iceland
Website: www.personuvernd.is