
Aftra Privacy Policy

Effective Date: 19.06.2025
This privacy policy applies to the processing of personal data directly provided by you or
collected as a result of you visiting this website. If we process your personal data in a different
context or circumstances a separate notice will apply.

Who are we?
Information We Collect
How We Use Your Information
Data Retention and Deletion
Who Might Access or Receive Your Personal Data?
Marketing
International Operations
Compliance and Certifications
Security Measures
Your Rights and Responsibilities
Cookies and Tracking Technologies
Data sharing
Data Breach Response
Contact Information
Changes to this Privacy Policy

 

Who Are We?

We are Aftra ehf. (“Aftra,” “we,” “our,” or “us”), a limited liability company, incorporated in Iceland (reg. no. 571023-2020), whose registered office is at Borgartúni 37, 105 Reykjavík, Iceland.

We at Aftra recognize the importance of security and privacy, and one of our main priorities is the privacy of our users and the protection of their personal data. We highly value the trust you place in us when you share your personal data, and we are dedicated to protecting it. This Privacy Policy describes how we process your personal data and outlines your rights in accordance with the Icelandic Act No. 90/2018 on Data Protection and the Processing of Personal Data, the EU General Data Protection Regulation (GDPR) no. 2016/679, and other applicable data protection laws.

Aftra acts as a data controller within the meaning of Act No. 90/2018 on Data Protection and the Processing of Personal Data for the personal data necessary to provide our services, information gathered through customer support interactions, and data collected when you visit our website or interact with us on social media. Our approach to data privacy is centered on transparency, security, and giving you control over your information.

We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Policy as we undertake new personal data practices or adopt new privacy policies or practices. By using our services, you agree to the practices described in this Privacy Policy.

Information We Collect

As a result of you visiting our website, we may collect or otherwise process your personal data in the following ways:

  • Information you provide directly:

    • When you provide your personal data on a contact form (e.g., name, email address, company).

    • When you contact us by other means, such as email or telephone (e.g., name, email address, phone number, and any information you choose to provide in your communication).

  • Anonymized Customer Data:
    Aftra ensures that all customer data is anonymized and cannot be directly linked to individuals unless explicitly required as part of real-time scanning or customer-defined actions.

  • Employee-Specific Data:
    Our real-time scanning features may collect data related to employees of customer organizations, such as exposure of employee credentials in breaches. It is the customer's responsibility to obtain consent from their employees where required by applicable law.

  • Internal Network Configuration:
    To identify vulnerabilities and protect customer networks, we may collect internal network configurations and scan systems as part of our services. This data is handled securely and is not shared outside the scope of our agreement with the customer.

  • Public Data From OSINT Databases:
    We collect DNS, domain information, and other publicly available data from Open-Source Intelligence (OSINT) databases. No sensitive or private data is collected through these sources.

  • Information collected automatically:

    • Information provided by your web browser (e.g., browser type, language).

    • Information collected through the use of cookies and similar technologies (e.g., IP address, browsing behavior, website usage data). See the "Cookies and Tracking Technologies" section below for more details.

How We Use Your Information

Any personal data that you provide to us may be retained by us to provide a requested service, or for our legitimate interests as a business. You do not have to give us any of your personal data in order to use most of the website. However, if you wish to take advantage of some of the services we provide on our website, you will need to provide certain information. In general, our legal basis for processing your personal data is that it is in our legitimate interests to do so, although we would refrain from doing so if our legitimate interests were overridden by your interests or fundamental rights and freedoms. We have an interest in operating our business in the most customer-focused and professional way, and our processing of personal data is done in accordance with this.

 

Data Retention and Deletion

Customer data is retained for up to three (3) months after the termination of a customer’s agreement. All customer data is automatically deleted upon account termination unless otherwise required by applicable laws or regulations.

Upon termination of the agreement of service, and at your choice, we will delete or return all personal data to you and delete existing copies. If the return of data requires substantial work on our part, such work will be subject to a service fee in accordance with our then-current price list.

 

Who Might Access or Receive Your Personal Data?

Aftra does not sell personal or customer data. Recipients of personal data provided as a result of your visiting this website will generally only consist of our employees who require access to fulfill their job duties. In certain circumstances, we may share anonymized or aggregated data under the following conditions:

 

  • Service Providers: We may share your data with trusted third-party service providers who assist us in operating our website, conducting our business, serving you or to perform essential services on our behalf, such as:

    • Cloud hosting providers.

    • Analytics providers.

    • Marketing platforms.

  • Legal and Regulatory Authorities: We may be compelled to provide information we hold to third parties, such as regulatory or law enforcement authorities, to comply with applicable laws, regulations, government requests, or legal processes. We would only do so in compliance with the law and where strictly necessary.

  • With Consent: When explicitly authorized by the customer.

Marketing

If you have requested services or updates, we may occasionally send you emails that you have requested. In accordance with applicable marketing laws, we may also send you information that we feel may interest you and/or is relevant to your business. Such mailings may include details of our products, newsletters, updates, and invitations to our various events. We will only send you such marketing communications if you have opted in to receive them, or as otherwise permitted by law, and we will always offer you the option to opt out of any future marketing communications.

 

 

International Operations

We serve customers globally, ensuring compliance with local regulations for each customer.

 

Compliance and Certifications

We are committed to security and privacy and, as such, comply with the GDPR and other applicable data privacy laws. Aftra is ISO 27001 certified under its parent company and is actively pursuing certification under its own name to further solidify its commitment to security and privacy. We have implemented and maintain appropriate technical and organizational measures to protect your personal data against unauthorized access, use, or disclosure. We have implemented industry-leading practices, including encryption of sensitive and anonymized data at rest and in transit, regular vulnerability assessments, penetration testing and security audits.

 

Security Measures

We take data security seriously and implement industry-leading practices, including:

  • Encryption of sensitive and anonymized data at rest and in transit.

  • ISO 27001 compliant processes and policies to manage risk.

  • Security audits.

  • Regular vulnerability assessments, penetration testing, and security audits.

  • Access controls to restrict access to personal data to authorized personnel.

Your Rights and Responsibilities

The European Union’s GDPR and other countries’ privacy laws provide certain rights for data subjects. Depending on your location and the applicable laws, you may have the following data subject rights under GDPR regarding your personal data:

  • Right of access: You have the right to obtain confirmation as to whether or not we process your personal data and, where that is the case, to access the personal data.

  • Right to rectification: You have the right to request the correction of inaccurate or incomplete personal data we hold about you.

  • Right to erasure ("right to be forgotten"): You have the right to request the deletion of your personal data under certain circumstances.

  • Right to restriction of processing: You have the right to request the restriction of the processing of your personal data under certain circumstances.

  • Right to object: You have the right to object to the processing of your personal data, including processing for direct marketing purposes.

  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

  • Right to withdraw consent: If we are processing your personal data based on your consent, you have the right to withdraw your consent at any time.

  • Right to lodge a complaint: You have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) if you believe that our processing of your personal data infringes applicable data protection laws.

If you are a customer using Aftra’s real-time scanning features, it is your responsibility to obtain consent from any employees whose data may be collected as part of our services.

Cookies and Tracking Technologies

Aftra’s website uses cookies to enhance your browsing experience, monitor website performance, collect analytical data, analyze site traffic, and improve your interaction with our site. This section clarifies how we do this and how cookies are managed.

But what are cookies? Cookies are small text files placed on your device (computer, tablet, or mobile phone) by websites you visit. They are used to store information, including your preferences and the pages you have accessed, and serve various functions such as enabling core website features, remembering your preferences, and optimizing your experience by customizing web page content based on your browser type or visited pages. Some of these cookies are necessary for the full functionality of the web pages and for you to use all available features. Cookies are also crucial for maintaining the security and integrity of your browsing session and for analyzing potential threats or vulnerabilities related to website interactions.

 

  • How we use cookies:


    • Necessary cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in, or filling in forms.

    • Analytics cookies: These cookies help us to understand how visitors engage with the website. We may use a set of cookies to collect information and report site usage statistics. In addition to reporting site usage statistics, data collected may also be used, together with some of the advertising cookies described, to help show more relevant ads across the web and to measure interactions with the ads we show.

    • Marketing Cookies: We use cookies to make our ads more engaging and valuable to site visitors. Some common applications of cookies are to select advertising based on what’s relevant to a user; to improve reporting on ad campaign performance; and to avoid showing ads the user has already seen.

    • Functional Cookies: We use a set of cookies that are optional for the website to function. They are usually only set in response to information provided to the website to personalize and optimize your experience as well as remember your chat history.

    • Session Cookies: These cookies are temporary and expire when you close your browser.

    • Other Third-Party Cookies: We also use cookies from HubSpot for analytics, customer communication, and marketing purposes.

  • Our use of cookies:

    • When you visit our website, Aftra collects and processes your personal data with cookies to ensure the proper function of the website and enhance your online experience. These cookies are also used for statistical and marketing purposes, including optimizing our website and supporting our marketing efforts.

    • By using cookies, Aftra processes statistical data, marketing data, user preferences, and authentication information.

    • The legal basis for these processes is your consent and Aftra’s legitimate interest in generating statistics and analyzing website usage to optimize our website and services, in accordance with Art. 6(1)a and Art. 6(1)f of the GDPR.

  • Your choices: You have control over your cookie preferences. You can manage cookies directly through your browser settings, choosing to block all cookies, receive notifications before they're placed, or clear them whenever you wish. Instructions are typically found in your browser's 'Help' or 'Settings' menu. Additionally, you can always adjust your preferences specifically for our website. Please note that disabling certain cookies might affect the functionality of our website and services. For general information on managing cookies, you can visit resources such as the About Cookies website.

  • For users located in the European Union, further information on the use of these types of cookies by advertisers, along with options to opt out, is available at Your Online Choices.

 

The specific cookies we use are:

 

  • Google Analytics

  • Google Ads

  • CookieHub

  • HubSpot

 

Data Sharing
Aftra does not sell personal or customer data. We may share anonymized or aggregated data under the following conditions:

 

  • Service Providers: With trusted providers (e.g., cloud hosting, analytics) to perform essential services on our behalf. These providers are contractually obligated to protect your data and only use it for the purposes we specify.
  • Legal Compliance: When required by applicable laws, regulations, or government requests.
  • With Consent: When explicitly authorized by the customer.

Data Breach Response

We have implemented a comprehensive incident response plan to address data breaches. In the event of a data breach that is likely to result in a high risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority and affected individuals, as required by applicable law.

 

Contact Information

For any questions or concerns regarding this Privacy Policy or your data, you are very welcome to reach us at:

Email: security@aftra.io
Aftra ehf.
Borgartúni 37,
105 Reykjavík, Iceland

 

Changes to Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices or legal obligations. We will post any changes to this Privacy Policy on our website and, where appropriate, notify you by other means (e.g., email). The updated Privacy Policy will be effective as of the date indicated at the top of the notice. We encourage you to review this Privacy Policy periodically.
