Skattaskýr

DRAFT for early access — not yet reviewed by an Icelandic lawyer. Last updated 10 June 2026.

Privacy Policy

Applicable law: GDPR as implemented in Iceland by lög nr. 90/2018 um persónuvernd og vinnslu persónuupplýsinga; supervisory authority: Persónuvernd (personuvernd.is).

Controller: the Skattaskýr maintainers [legal entity to be fixed before public launch]. Contact during early access: buzondefede@gmail.com (privacy@skattaskyr.is once the domain is live).

1. Design principle: the calculator needs no identity

Skattaskýr is built data-minimal by architecture, not by policy promise:

  • No accounts, no login, no profiles in the early-access product.
  • Your inputs (salary, municipality, household shape, employer months) are sent to the calculation API, processed in memory, and discarded. They are not written to a database. They are not associated with you.
  • Financial inputs are never stored server-side in the early-access product; salaries and household composition are sensitive in the colloquial sense, and the architecture treats them accordingly even where GDPR would not require it.
  • No advertising, no third-party trackers, no data sale — ever. Analytics, if enabled, is self-hosted and aggregate-only (page counts, no cross-site identifiers, no fingerprinting), or absent.
  • Standard web-server logs (IP, user agent, timestamp) are retained at most 30 days for security/abuse purposes (legitimate interest, art. 6(1)(f)), then deleted.

2. Research case submissions (opt-in only)

During early access we invite — never require — users to share real documents (payslips, álagningarseðlar, framtöl) to validate the engine.

  • Explicit, informed, written opt-in per submission (consent, art. 6(1)(a)); withdrawable at any time, with deletion of the source documents.
  • Source documents are stored outside the code repository, access limited to the maintainers, and never committed to version control.
  • Published validation memos are anonymised before writing: no names, no kennitölur, no employer or pension-fund names, no addresses; document references use neutral case IDs. This protocol is already in force.
  • Retention: source documents deleted at the earlier of (a) consent withdrawal, (b) publication of the derived anonymised memo + anchor tests, (c) 12 months.

3. Your rights

Under GDPR / lög 90/2018 you have the rights of access, rectification, erasure, restriction, portability and objection, and the right to lodge a complaint with Persónuvernd. Note that for the stateless calculator there is typically nothing to access or erase — we hold no record keyed to you.

4. Scaling path (so growth never breaks privacy)

When the platform adds optional accounts/saved scenarios, the following are pre-commitments, recorded now so product decisions don't foreclose them:

  1. Core stays anonymous. Every calculation feature must remain usable without an account; identity is only ever for saving, not computing.
  2. DPIA before accounts ship (art. 35 — systematic processing of financial data makes this prudent even if not strictly mandatory).
  3. EEA data residency for any stored user data; encryption at rest and in transit; per-user export and one-click erasure built in the first iteration, not retrofitted.
  4. Retention schedule and records of processing (art. 30) drafted with the account feature, not after it.
  5. No silent scope creep: any new data category (e.g. fetched RSK data via user authorisation) gets its own consent purpose and its own deletion path.
  6. Lawyer / Persónuvernd-guidance review before public (non-early-access) launch.

5. Changes

Material changes to this policy will be dated, kept in version history, and announced in-app before taking effect.

© 2026 Skattaskýr