Privacy
Short version: we keep almost nothing about you personally. No name, no account, no payment data. We do keep anonymous product analytics so we can tell which features are useful. We don't sell anything because there isn't anything to sell.
1 · Who we are
Icebreaker ehf. is a private limited company registered in Reykjavík, Iceland. We make the Icebreaker app ("Icebreaker", "the app"). You can reach us at hello@thetouristtrapp.com.
2 · What we collect
Your location, if you grant the permission
When you grant the iOS or Android location permission, the app reads your latitude and longitude to show you what's nearby (cafés, bars, events, fuel stations) and to give Vinur context when you chat with him. Your coordinates stay on your device and are sent to our server only as part of a Vinur chat request, never logged.
The text of your Vinur chats
When you talk to Vinur, your messages are sent to our API server, which forwards them to OpenAI to generate a reply. We do not store chat logs. We retain the request only as long as it takes to produce an answer, then drop it.
Your IP address, at the API server
Our API server logs the IP address of every request for
rate-limiting and abuse prevention (so a single visitor can't
loop requests and burn through our OpenAI budget). The IP is
masked before it is written to logs: for IPv4 we drop the last
octet (203.0.113.x), for IPv6 we keep only the
first four hextets. The full address lives in memory long
enough to evaluate the rate-limit window, then is discarded.
Anonymous product analytics — inside the app (PostHog)
We use PostHog inside the app to understand how it is used in aggregate: which features people open, how long the app is in the foreground, which screens get touched, and whether common flows fail. PostHog stores:
- Anonymous events (the screen you opened, the button you tapped, etc.).
- Device-level metadata (OS version, app version, screen size, language, country at IP-level).
- A randomly-generated install ID, a UUID created the first time you open the app. It is not tied to your name, email, phone number or any account, because Icebreaker has no accounts.
We do not enable PostHog session replay, do not capture form input, and do not attach your name, email, or any contact information to events. Icebreaker has none of those to attach. PostHog data is hosted in PostHog Cloud's EU region. You can opt out of analytics from inside the app's settings.
Anonymous web analytics — on icebreakerapp.is (Google Analytics 4)
The website at icebreakerapp.is uses Google Analytics 4 to count pageviews and to attribute visits to the QR codes, print ads, and referrers that brought them in. GA4 stores:
- The page you visited, when, and how long you stayed.
- Device and browser type, screen size, language, country at IP-level (Google truncates the IP before storage).
- UTM tags from the URL — the tracking labels on our own QR codes and campaign links, so we can tell which channel a visit came from.
- A randomly-generated client ID cookie, so a single visit isn't counted as many.
Google Analytics loads with consent set to denied by
default. Nothing is sent until you click "OK, count
me" on the consent banner. Click "No thanks" and the site
works exactly the same — Google just never hears from you.
You can change your mind by clearing cookies for
icebreakerapp.is, or by opening browser dev-tools and
running localStorage.removeItem('icebreaker-consent').
The app itself is unaffected either way: it does not use
Google Analytics.
3 · What we don't collect
- Your identity. No name, email address, phone number, account, sign-in, or social login. Icebreaker has no accounts.
- Your payment details. The app doesn't take payments. Any booking happens on the venue's own site or in person.
- Advertising IDs or cross-app tracking. We do not read your IDFA / GAID. We do not run ads and do not share data with ad networks, data brokers, or marketing pixels (no Meta SDK, no Google Ads). The website uses Google Analytics 4 for anonymous headcount only, and only if you opt in — see §2 above.
- Session recordings, form input, or content of your typing. PostHog session replay is disabled.
- Children's data. Icebreaker is not designed for users under 13. We don't knowingly collect data from anyone we have reason to believe is a child.
4 · Who we share data with
We do not sell your data. We don't share it with advertisers because we don't run ads. The only third parties that ever see any of it:
- OpenAI: when you chat with Vinur, your message text passes through our server to OpenAI's chat completions API. OpenAI's handling is governed by their Privacy Policy.
- Apple and Google: if you install Icebreaker through the App Store or Google Play. Their handling is governed by their respective privacy policies.
- Google (Analytics): when you browse icebreakerapp.is and have opted in via the consent banner, GA4 receives the anonymous pageview + UTM data described in §2. Governed by Google's Privacy Policy. The app never sends anything to Google Analytics.
- Fly.io: hosts our API server in the EU region. Operates as a data processor on our behalf.
- PostHog: receives the anonymous product analytics described in §2 (events, device metadata, install ID). Hosted in PostHog Cloud's EU region. Their handling is governed by their Privacy Policy.
- Weather, road and fuel APIs: when relevant in-app screens load, we fetch data from OpenWeatherMap, Vegagerðin and Gasvaktin. These requests don't include anything that identifies you; weather requests carry only a coarse latitude/longitude.
5 · How long we keep things
- Vinur chat messages: not stored. Held in memory only during the request.
- Rate-limit / abuse counters: in-memory on our server. Rate-limit window resets each hour; abuse cooldown lasts up to 30 minutes. Everything is lost on server restart and is never written to disk.
- Server access logs: include the masked IP, request path, status code and response time. Never message bodies or coordinates. Retained at most 7 days, then deleted.
6 · Where data is processed
Our API server runs in Fly.io's Amsterdam region (EU). PostHog analytics events stay in PostHog Cloud's EU region. Vinur chat messages are forwarded to OpenAI, which processes them according to its own terms; OpenAI's infrastructure spans multiple regions including the US. By using Vinur, you accept this cross-border transfer.
7 · Your rights under GDPR
Because Icebreaker is built by an Icelandic company and EU / EEA visitors use the app, the GDPR applies to us regardless of where you live. Your rights:
- Right of access: ask what we hold about you. (In almost every case the honest answer is "nothing tied to your identity".)
- Right to erasure: ask us to delete whatever we do hold.
- Right to object to processing.
- Right to data portability, where it applies.
- Right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) or with the supervisory authority of your own EU / EEA country.
To exercise any of these rights, email hello@thetouristtrapp.com. We respond within 30 days.
8 · Children's privacy
Icebreaker is intended for adults visiting Iceland and is not directed to children under 13. We do not knowingly collect personal information from children. If you are a parent or guardian and you believe your child has provided us with personal information, contact us and we'll address it.
9 · Security
Our API server is served exclusively over HTTPS with HSTS. Standard transport security applies to every request your device makes to us, and from us to OpenAI / weather / road / fuel APIs. No system is perfectly secure, but the absence of accounts, payment data and stored chat history means there is very little to leak in the first place.
10 · Changes to this policy
When something material changes, we update this page and bump the "Last updated" date at the top. If a change meaningfully expands what we collect, we'll surface a notice in the app the next time you open it.
11 · Contact
Icebreaker ehf.
Reykjavík, Iceland
hello@thetouristtrapp.com