Privacy policy

1. Who we are

Sóley is operated by Cognia ehf (kennitala 670421-0900), a company registered in Iceland. We are the data controller for personal data processed through the Sóley platform — the website at soley.travel, the Sóley MCP server, and the WhatsApp concierge.

Contact: privacy@soley.travel

2. What data we collect

2.1 MCP server (AI agent access)

When AI agents connect to api.soley.travel/mcp, we collect:

• IP address and request metadata, for rate limiting and abuse prevention
• Tool calls and parameters, for service delivery and debugging
• OAuth2 tokens and client identifiers, for authenticated access

Intelligence tools — weather, road conditions, safety alerts, flights, aurora, earthquakes, bus schedules, fuel prices, air quality, exchange rates, avalanche conditions, news — require no authentication and no personal data.

2.2 Booking and account data

When you book through Sóley, we collect:

• Full name (to identify you to the operator)
• Email address (for confirmation and follow-up)
• Phone number (for WhatsApp and operator contact)
• Booking details: dates, guest count, special requests, operator and service selected

2.3 What we do not collect

• Payment card details — payments go directly through the operator's payment provider (Valitor / Teya). Sóley never sees, transmits, or stores card data.
• Passport or identity-document numbers
• Conversation content from AI agents — we log tool calls, not surrounding chat

3. How we use your data

• Service delivery. Processing bookings, sending confirmations, enabling operator communication.
• Platform operations. Rate limiting, abuse prevention, debugging, performance.
• Legal compliance. Fulfilling obligations under Icelandic and EEA law.

We don't sell personal data. We don't use it for advertising. We don't profile users for marketing purposes.

4. Legal basis (GDPR Article 6)

• Contract performance — Art. 6(1)(b). Processing booking data to fulfil the reservation between you and the operator.
• Legitimate interest — Art. 6(1)(f). Platform security, rate limiting, abuse prevention, service improvement.
• Legal obligation — Art. 6(1)(c). Compliance with Icelandic tax and business record-keeping requirements.

5. Data sharing

We share personal data only with:

• Tourism operators. Your name, contact details, and booking are shared with the operator you book with. The operator is an independent data controller for the data they receive.
• Infrastructure providers. Neon (PostgreSQL, EU region), Upstash (Redis cache, EU region), Railway (application hosting), Vercel (portal hosting), Twilio (WhatsApp), Clerk (authentication).
• AI model providers. Anthropic (Claude API) processes anonymised conversation context for AI responses, under a Data Processing Agreement.

All sub-processors are bound by data processing agreements. We don't transfer data outside the EEA without appropriate safeguards (Standard Contractual Clauses where applicable).

6. Data retention

• MCP tool-call logs. 90 days, then anonymised.
• Booking records. Retained for the period required by Icelandic tax law (7 years for financial records).
• Account data. Retained until you request deletion.
• Redis cache. TTL-based, typically 15 minutes to 24 hours.

7. Your rights

Under the GDPR, as an EEA resident or visitor, you can:

• Access. Request a copy of your personal data.
• Rectify. Correct inaccurate data.
• Erase. Request deletion ("right to be forgotten").
• Port. Receive your data in a machine-readable format.
• Restrict. Limit how we process your data.
• Object. Object to processing based on legitimate interest.

To exercise any of these, email privacy@soley.travel. We respond within 30 days.

8. Cookies

The Sóley portal uses essential cookies only: authentication session (Clerk), locale preference, and CSRF protection. No analytics cookies, no advertising cookies, no third-party tracking.

9. Security

Data is transmitted over TLS. Database connections use TLS encryption. Access to production systems is restricted to authorised personnel. We follow security best practices — rate limiting, input validation, structured logging without PII.

10. Children

Sóley is not directed at children under 16. We don't knowingly collect personal data from children. If you believe we have, contact us immediately.

11. Changes to this policy

We may update this policy. Material changes are communicated via the platform. The "last updated" date at the top reflects the most recent revision.

12. Supervisory authority

If you believe your rights have been violated, you can lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd): personuvernd.is.