Privacy Policy

1. Who We Are

Soley is operated by Cognia ehf (kennitala: 670421-0900), a company registered in Iceland. We are the data controller for the personal data processed through the Soley platform, including the website at soley.travel, the Soley MCP server, and the WhatsApp concierge service.

Contact: privacy@soley.travel

2. What Data We Collect

2.1 MCP Server (AI Agent Access)

When AI agents connect to the Soley MCP server at api.soley.travel/mcp, we collect:

• IP address and request metadata (for rate limiting and abuse prevention)
• Tool calls and parameters (for service delivery and debugging)
• OAuth2 tokens and client identifiers (for authenticated access)

Intelligence tools (weather, road conditions, safety alerts, flights, aurora forecast, earthquakes, bus schedules, fuel prices, air quality, exchange rates, avalanche conditions, news) require no authentication and no personal data.

2.2 Booking and Account Data

When you create a booking through Soley, we collect:

• Full name (to identify the guest to the operator)
• Email address (for booking confirmation and communication)
• Phone number (for WhatsApp communication and operator contact)
• Booking details: dates, guest count, special requests, operator and service selected

2.3 What We Do NOT Collect

• Payment card details — payments are processed directly by the operator's payment provider (Valitor/Teya). Soley never sees, transmits, or stores payment credentials.
• Passport or identity document numbers
• Conversation content from AI agents (we log tool calls, not the surrounding conversation)

3. How We Use Your Data

• Service delivery: Processing bookings, sending confirmations, enabling operator communication
• Platform operations: Rate limiting, abuse prevention, debugging, performance monitoring
• Legal compliance: Fulfilling obligations under Icelandic and EEA law

We do not sell personal data. We do not use personal data for advertising. We do not profile users for marketing purposes.

4. Legal Basis (GDPR Article 6)

• Contract performance (Art. 6(1)(b)): Processing booking data to fulfil the reservation between you and the tourism operator
• Legitimate interest (Art. 6(1)(f)): Platform security, rate limiting, abuse prevention, service improvement
• Legal obligation (Art. 6(1)(c)): Compliance with Icelandic tax and business record-keeping requirements

5. Data Sharing

We share personal data only with:

• Tourism operators: Your name, contact details, and booking information are shared with the operator you book with. The operator is an independent data controller for the data they receive.
• Infrastructure providers: Neon (PostgreSQL database, EU region), Upstash (Redis cache, EU region), Railway (application hosting), Vercel (portal hosting), Twilio (WhatsApp messaging), Clerk (authentication)
• AI model providers: Anthropic (Claude API) processes anonymised conversation context for AI responses. A Data Processing Agreement is in place.

All sub-processors are bound by data processing agreements. We do not transfer data outside the EEA without appropriate safeguards (Standard Contractual Clauses where applicable).

6. Data Retention

• MCP tool call logs: Retained for 90 days for debugging, then anonymised
• Booking records: Retained for the duration required by Icelandic tax law (7 years for financial records)
• Account data: Retained until you request deletion
• Redis cache: Automatically expires (TTL-based, typically 15 minutes to 24 hours)

7. Your Rights

Under the GDPR, as an EEA resident or visitor, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interest

To exercise any of these rights, email privacy@soley.travel. We will respond within 30 days.

8. Cookies

The Soley portal uses essential cookies only: authentication session (Clerk), locale preference, and CSRF protection. We do not use analytics cookies, advertising cookies, or third-party tracking.

9. Security

All data is transmitted over TLS (HTTPS). Database connections use TLS encryption. Access to production systems is restricted to authorised personnel. We follow security best practices including rate limiting, input validation, and structured logging without PII.

10. Children

Soley is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the platform. The "last updated" date at the top reflects the most recent revision.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd): personuvernd.is