Privacy & Cookies 
Your right to privacy is very important to Brúa. We place great emphasis on maintaining strong practices in how we handle personal data, whether it is collected and stored electronically, on paper, or in any other comparable manner.
Brúa may use cookies to improve user experience and enhance the level of service provided to visitors of the website. The policy below explains in more detail how this is done, how cookies are used, and how they are managed.
Privacy Policy of Brúa Lending Company
This privacy policy is based on Article 17 of Act No. 90/2018 on Data Protection and the Processing of Personal Data, cf. Articles 13 and 14 of the same Act, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
This policy explains which personal data Brúa collects, for what purpose, how long the data is retained, to whom it may be disclosed, and how the security of the data is ensured. The objective is that employees, customers, and other relevant parties are aware of how the company collects and processes personal data.
Brúa processes personal data in accordance with applicable data protection laws.
Responsibility
The data controller is Brúa Lending Company, which provides student loans to its customers.
Brúa ehf. is registered in the company register, limited liability company register, and business name register.
Further information about the company is available on its website, www.brua.is. Written inquiries regarding the processing of personal data may be sent to brua@brua.is.
Types of Personal Data
Brúa processes, among other things, financial information, personal data, and general contact information for the purpose of providing the services requested by its customers.
The processing of personal data may be necessary on the basis of:
a contract with the customer,
legal obligations,
the customer's consent, and
Brúa's legitimate interests.
Customers choose to provide personal data. If such data is not provided, it may affect Brúa's ability to provide the requested service, i.e. student loans.
Purpose and Legal Basis for Processing Personal Data
The purpose of processing personal data is to provide customers with the services requested and offered by the company.
If personal data is obtained from parties other than the individual concerned, this is done on the basis of the individual's authorization, and the source of the data is disclosed.
Data Retention Period
Personal data is stored for the duration of the business relationship or for as long as necessary in light of the purpose of processing and contractual terms, unless laws or regulations require a longer retention period.
For example, data subject to accounting laws is retained for seven (7) years from the end of the relevant financial year.
When data is no longer necessary to fulfill contractual or legal obligations, it is deleted.
Disclosure of Personal Data
Transfer of Personal Data Outside the European Economic Area (EEA)
Brúa will not disclose personal data unless required by law, for example to supervisory authorities, law enforcement authorities, or other parties legally authorized to receive such data. Personal data may also be disclosed if ordered by a court or required in criminal investigations
Customers may authorize the company to disclose personal data about them.
In certain cases, data may be shared with processors who handle personal data on behalf of Brúa or perform related services for the company. Any recipients of information concerning customers' business or personal matters are bound by confidentiality obligations equivalent to those applicable to Brúa's employees.
Brúa may use services located in the United States solely for customer communications, which may involve transferring personal data outside the EEA. Brúa is responsible for ensuring that appropriate safeguards are in place to provide adequate protection of such data.
Security of Personal Data
Brúa is obligated to ensure the security of the personal data it processes. The company seeks to implement appropriate technical and organizational measures to protect personal data.
These security measures primarily relate to access control, employee training, and secure communications.
Customer Rights
An individual has the right to obtain confirmation from Brúa as to whether personal data concerning them is being processed and, if so, to access that data.
An individual has the right to receive certain personal data they have provided in a structured, commonly used, and machine-readable format. Where applicable, the individual also has the right to request that Brúa transfer such data to another data controller, where technically feasible.
An individual has the right to have inaccurate personal data corrected and, in certain cases, deleted.
An individual may object to the processing of personal data for direct marketing purposes and to processing based on legitimate interests due to specific personal circumstances. Following such objections, the data will not be processed further unless there are lawful grounds to do so.
Customers have the right to lodge a complaint with the Data Protection Authority if they believe Brúa's processing of their personal data violates applicable law.
If a customer objects to the processing of personal data, such processing will cease unless Brúa can demonstrate a legal obligation or overriding legitimate interests.
Contact Information
Brúa can be contacted by email at brua@brua.is. Customers may also request a phone call by sending an email to the same address.
Revisions
Brúa reserves the right to amend or update this privacy policy at any time without prior notice. Such changes may be made, for example, to ensure compliance with applicable laws and regulations on data protection.
All changes will be published on www.brua.is and communicated to customers in a secure manner, such as by email.
What are cookies?
Cookies are small text files that are placed on your computer or smart device when you visit a website. When you revisit the website on the same device, the cookies remember who you are and how you previously used the site.
Cookies are used to improve website functionality, analyze website traffic, and enhance user services. Most cookies are stored only for a short period of time, while others may be stored for longer durations.
Cookies enable a website, or other websites, to recognize the device you use on your next visit. Most cookies do not collect information that directly identifies you; instead, they gather general information such as how users arrive at the website, how they use it, or general information about the user's location.
Managing Types of Cookies
Brúa may use both first-party cookies and third-party cookies.
First-party cookies are created by the website you are visiting, in this case Brúa's websites.
Some of these cookies are necessary for the proper functioning of the website, where applicable, and to enable you to use all features available on the site, such as access to secure areas. If cookies are rejected, the functionality of the website may be reduced.
Brúa may also use Google Analytics and Facebook Pixel cookies, which collect anonymous information and generate reports on website activity without identifying individual users or collecting personal data. Brúa reserves the right to display advertisements to users through Google and Facebook remarketing systems. Users who do not wish to see such advertisements may disable cookies.
Necessary cookies may be essential to ensure the website operates as expected. These cookies may be used to enable login to Brúa's systems, monitor website performance and functionality, and identify specific areas of the website related to the user's visit.
Users may configure their web browsers at any time to disable the use of cookies. This can be done either by preventing cookies from being stored or by requiring the browser to request user consent before storing cookies.