Ósk Privacy Policy: Our Commitment to Data Stewardship

Last updated: May 2026

1. Our Approach to Data Privacy

At Ósk, we understand that trust is the foundation of every successful event, particularly when managing sensitive contributions and guest logistics. We operate with a transparent and methodical approach to privacy, ensuring that you retain control over your data. Our platform is designed with data privacy standards in line with GDPR requirements (Regulation (EU) 2016/679) and the Icelandic Act on Data Protection (Lög nr. 90/2018 um persónuvernd og vinnslu persónuupplýsinga). We are committed to data minimization — keeping only what is essential for coordinating your Ferming, wedding, or milestone celebration.

Contact for privacy matters: privacy@osklist.is

2. Data We Process

To provide you with our event management and contribution tools, we process specific categories of data:

- Information You Provide: When you create an event, we collect information necessary for event administration — including host details, event goals, guest lists, and RSVP responses. We avoid collecting unnecessary personal information that does not directly serve the utility of your event.
- Automated Data Collection: We collect technical metadata necessary to facilitate contribution processing and site functionality — such as session identifiers and browser/device information for analytics purposes.
- Payment Data: We do not store sensitive payment card information directly on our servers. Card handling is managed by a licensed payment processor using PCI-DSS-aligned processing standards.

3. Lawful Basis for Processing

Processing of your data is conducted under strictly defined lawful bases as outlined in the Icelandic Data Protection Act and GDPR:

- Contract Performance: We process personal data primarily to perform the contract of providing you with an event-funding platform.
- Legal Obligations: Where necessary for compliance with applicable Icelandic and EU legal obligations, including payment service requirements and data protection law.
- Legitimate Interests: For improving platform functionality and preventing fraud, where this does not override your fundamental rights.

We do not engage in data monetization or unsolicited marketing without explicit consent.

4. Security and Protection Standards

Our payment processing is designed to align with PCI-DSS security standards. By using standardized payment processing architecture, we ensure that sensitive financial details are handled with appropriate encryption. This approach minimizes the surface area of vulnerability, keeping your contributions secure from the moment they are initiated until they are allocated to your event goal. Ósk adheres to applicable GDPR data protection standards in its architecture; however, full compliance remains a shared responsibility dependent on user configuration and data management practices.

5. Data Retention and Erasure

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or to comply with applicable Icelandic law. Upon request, or when the purpose for processing is satisfied, we execute data erasure procedures in compliance with the Right to Erasure as defined in GDPR (Article 17) and the Icelandic Data Protection Act. Event data, guest lists, and contribution records are retained for the duration of the event plus a defined reconciliation period, after which they are deleted unless legal retention obligations apply.

6. Your Data Rights

You maintain full authority over your data. Under GDPR and the Icelandic Data Protection Act, you have the right to:

- Access your personal data
- Correct inaccurate data
- Request deletion of your account and data (Right to Erasure)
- Export your data (Data Portability)
- Object to processing for marketing purposes
- Lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd — personuvernd.is)

To exercise any right, contact: privacy@osklist.is

For Ferming events involving minors under 16, account management requires active parental or guardian oversight to ensure compliance with Icelandic data protection and consent regulations.

7. Third-Party Services

Ósk integrates with specialized third-party services to facilitate payment processing infrastructure. We ensure these partners adhere to strict security protocols to maintain the integrity of your event data. Platform payment services are subject to third-party payment provider terms and availability. We do not store full card numbers or sensitive payment credentials. Analytics providers receive only anonymized, aggregated usage data. We do not sell your personal data to any third party.

8. Changes to This Policy

We may update this policy to reflect changes in our practices or applicable law. We will notify you by email or in-app notice for material changes, with a minimum of 14 days' notice before changes take effect. Last updated: May 2026.