Privacy policy

Privacy Policy

Lavish ehf.

Last updated: June 16, 2026

 

1. Introduction

Lavish ehf., reg. no. 430226-1180, VAT no. 160518, located at Fjöruklöpp 4, 250 Suðurnesjabær, Iceland (hereinafter "Lavish", "we", or "us"), operates the online store lavish.is and is the data controller for personal data collected through it.

This privacy policy describes how we collect, use, store, and share your personal data when you visit our online store, shop there, or communicate with us. The policy is established in accordance with Act No. 90/2018 on Data Protection and the Processing of Personal Data and Regulation (EU) 2016/679 (GDPR).

By using our service, you accept the processing of personal data described in this policy.

2. What personal data do we collect?

We collect the following personal data depending on how you use our service:

2.1 Information you provide to us

•        Name, address, phone number, and email (e.g. when placing an order or registering).

•        Payment information you enter through the Teya payment gateway (we do not store card numbers).

•        Delivery information, including the delivery location you select with Dropp.

•        Communications with us, e.g. enquiries by email or through contact forms.

2.2 Information collected automatically

•        Device information such as browser type, operating system, and IP address.

•        Use of the website, including which pages you visit, how you navigate the site, and how long you stay.

•        Cookies and similar technology (see section 7).

3. Purpose of processing and legal basis

We process your personal data on the following grounds:

Performance of a contract (GDPR 6(1)(b)): To process and deliver your orders, handle payments through Teya, arrange shipping with Dropp, and provide customer service.

Legal obligation (GDPR 6(1)(c)): To meet bookkeeping and tax obligations under Icelandic law, including issuing invoices through the Payday accounting system and retaining data for seven years.

Legitimate interests (GDPR 6(1)(f)): To improve our service, analyse use of the website, prevent fraud, and protect security.

Consent (GDPR 6(1)(a)): To send marketing material by email or set non-essential cookies, only if you have given consent. You can withdraw your consent at any time.

4. Sharing of personal data

We share your personal data with third parties only when necessary to provide you with our service:

•        Shopify: Hosting the online store and processing order information. Shopify may transfer data to countries outside the EEA.

•        Teya: Payment processing and handling of card payments.

•        Dropp: Delivery and distribution of goods.

•        Payday: Accounting system and issuing of invoices.

All of these service providers are processors within the meaning of the GDPR and process personal data only on our instructions and on the basis of data processing agreements.

We never sell your personal data to third parties.

5. Transfer of data to countries outside the EEA

Shopify operates servers that may be located outside the European Economic Area (EEA). When data is transferred outside the EEA, Shopify ensures appropriate safeguards, such as the European Commission's Standard Contractual Clauses. Further information can be found in Shopify's privacy policy at privacy.shopify.com.

6. Retention period

We retain your personal data in accordance with the following:

•        Order and invoice information: For seven years from the transaction, in accordance with the Icelandic Act on Bookkeeping (No. 145/1994).

•        Customer communications: For as long as necessary to resolve enquiries, but never longer than two years after the last contact.

•        Marketing communications: Until you unsubscribe from the mailing list.

•        Cookie data: See section 7.

When the retention period expires, we delete the information or make it anonymous.

7. Cookies

The online store uses cookies and similar technology. Cookies are small text files stored on your device.

Essential cookies: These are necessary for the online store to function correctly, e.g. to keep track of your cart and login. These cookies do not require consent.

Analytics cookies: These help us understand how the website is used, e.g. Google Analytics. These are only activated with your consent.

Marketing cookies: These are used to display relevant advertisements. These are only activated with your consent.

You can change your cookie settings at any time through the cookie banner on the website.

8. Your rights

Under the GDPR and Icelandic data protection law, you have the following rights:

•        Right of access: You have the right to obtain confirmation of whether we process personal data about you and to access it.

•        Right to rectification: You have the right to have incorrect or incomplete personal data corrected.

•        Right to erasure: You have the right to have your personal data deleted, unless a legal obligation prevents it (e.g. the seven-year retention requirement for bookkeeping data).

•        Right to restriction: You have the right to request restriction of processing in certain cases.

•        Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

•        Right to object: You have the right to object to processing based on legitimate interests.

•        Right to withdraw consent: If processing is based on your consent, you can withdraw it at any time.

To exercise your rights, you can contact us (see section 11). We respond to requests within 30 days.

9. Children

Our service is not intended for children under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete the information.

10. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Payments are handled by Teya through a secure and encrypted payment gateway, and we never store card numbers.

No security measure is, however, perfect, and we cannot guarantee absolute security. We encourage you to use strong passwords and to exercise caution when sharing sensitive information.

11. Contact Us

If you have questions about this privacy policy or wish to exercise your rights, you can contact us:

Lavish ehf.
Fjöruklöpp 4, 250 Suðurnesjabær, Iceland
Email: info@lavish.is
Phone: +354 422 7474

12. Complaints to the Data Protection Authority

If you are dissatisfied with the processing of your personal data, you have the right to file a complaint with the Icelandic Data Protection Authority (Persónuvernd, personuvernd.is).

13. Changes to the Privacy Policy

We reserve the right to update this privacy policy at any time. If significant changes are made, we will notify you in an appropriate manner, e.g. on our website or by email. The latest version always applies, and the date of the last update is stated at the top of the document.

This privacy policy was last updated on June 16, 2026.

© 2026 Lavish ehf. All rights reserved.