Welcome to the Privacy Policy of the Icelandic Center for Artificial Intelligence ehf (“ICAI”) website at http://www.icai.is/ (“Website”). We would like to explain how we collect personal data when you use our website and services, as well as our upcoming AI education program (collectively the “Service”). We value your privacy, and we want you to understand how your personal information will be used and shared.

BY USING THE SERVICE, YOU PROMISE US THAT

• YOU HAVE READ, UNDERSTOOD AND AGREED TO THIS PRIVACY POLICY; AND

• YOU ARE/HAVE REACHED THE AGE OF MAJORITY (OR HAVE HAD YOUR PARENT OR GUARDIAN READ AND AGREE TO THIS PRIVACY POLICY FOR YOU).

If you do not agree or you are unable to make this promise, you must not use the Service. It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

TABLE OF CONTENTS

1. PERSONAL DATA CONTROLLER

2. CATEGORIES OF PERSONAL DATA WE COLLECT

3. FOR WHAT PURPOSES WE PROCESS PERSONAL DATA

4. AUTHORISED REQUIREMENT FOR PROCESSING YOUR PERSONAL DATA

5. WHO WE SHARE YOUR PERSONAL DATA WITH

6. INTERNATIONAL TRANSFERS

7. DATA SECURITY

8. YOUR RIGHTS

9. AGE LIMITATION

10. CHANGES TO THIS PRIVACY POLICY

11. DATA RETENTION

1. PERSONAL DATA CONTROLLER

Icelandic Center for Artificial Intelligence ehf. (ICAI), a company registered in Iceland, with Icelandic company ID 4602230830, and a registered address Sóltún 5, Reykjavik 105, Iceland will be the controller of your personal data.

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us using the details set out below.

Contact details

Our full details are:

Full name of legal entity: Icelandic Center for Artificial Intelligence ehf. (ICAI)

Email address: icai@icai.is

Postal address: Sóltún 5, Reykjavik 105, Iceland

2. CATEGORIES OF PERSONAL DATA WE COLLECT

2.1. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data includes first name, maiden name, last name, username or similar identifier and title.

Contact Data includes your business or personal address, email address and telephone numbers.

Transaction Data includes details about payments to and from you and other details of services you have purchased from us.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.

Usage Data includes information about how you use our website and services.

Marketing and Communications Data includes information that allows us to choose how best to market specific communications to you.

Special Categories of Personal Data where you provide this to us in the context of your instructions or applying for a job (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).

In addition to collecting, using, and sharing personal data, we also collect, use, and share Aggregated Data, such as statistical or demographic data, for various purposes. Aggregated Data may be created from your personal data, but it is not considered personal data under the law, as it does not directly or indirectly reveal your identity. For instance, we may use your Usage Data to determine what percentage of users access a particular feature on our website. However, if we combine or link Aggregated Data with your personal data, so that it can directly or indirectly identify you, we will treat the combined data as personal data and use it in compliance with this privacy notice.

If you fail to provide personal data

In certain situations, we may be required by law or a contract we have with you to collect personal data. If you fail to provide this data when requested, we may not be able to perform the contract we have or are attempting to establish with you (for example, to provide goods or services). If this occurs, we may have to cancel any services you have with us. However, we will inform you if this is necessary at the time.

2.2 Data you give us.

You may be asked to provide us information about yourself when you register for and/or use the Service. This information includes: first name, last name, email (together “Required Information”), phone number, address details, and any other we may deem necessary for the provision of our services to you. To use our Service, you will need to provide Required Information. You might be able to use the Service even if you do not give this data to us, but some Service’s functionality may be limited to you. Sometimes you may also need to provide to us additional information in the communication with our Support Team in order to fulfill your request (for example, we may ask you to confirm your identity by providing an ID document).

By providing information about yourself within the registration process, you agree and understand that this data will be publicly available. Please do not provide personal data to your profile that you would not want to be publicly available. Users are responsible for all the information posted by them in public accounts. You should carefully consider all the risks associated with the fact that you make certain information – in particular, phone number, the address, or information about the place of your exact location – publicly available.

We may collect your name, official government ID number and photo image to confirm your identity. For this we will share this information with a 3rd party service provider, in order to validate it with the governmental sources. The 3rd party service may use your ID number to collect the following additional data on you from the governmental sources: full name, date of birth, image, address, phone number, gender, government ID expiry date or other additional information associated with your ID number that the issuing authority may provide. The third party service may process or store your data outside of the borders of your country.

2.3 Announcements and Transactions

As part of the activities of the website, we may post information, including personal and contact information, necessary for transactions between you and us, for sending messages and communication between you and us and making payments. When you make a payment on our website, we may collect the following information:

• Your name

• Your contact information (e.g., email address, phone number)

• Your billing and shipping address

• Your payment information (e.g., credit card number, expiration date)

We use this information to process your payment and to fulfill your order. We may also use this information for billing and account purposes, as well as to communicate with you about your order.

2.4 Data provided to us by third parties

When you decide to log in using Facebook or Google, we get personal data from your Facebook or Google account. This includes your profile image, name, email, Facebook ID, Google ID, friends list. For more information, please refer to the Facebook Permissions Reference (describes the categories of information, which Facebook may share with third parties and the set of requirements) and to the Facebook Data Policy. In addition, Facebook and Google let you control the choices you made when connecting your Facebook profile to the Website. To know more about how Google processes your data, visit its privacy policy. The information obtained from third parties will be processed for the purposes described in and in accordance with this Privacy Policy.

When you decide to log in using Apple, we get Apple ID, name and email from your account. You can use Hide My Email function during signing in with Apple, and it will create and share a unique, random email address that will forward our messages to your personal email.

Apple lets you revoke access provided to the App on your Apple ID Manage Page by following the next steps.

If you were invited to register in the Service, the person that invited you can provide personal information about you, such as your phone number, email address, social media account or other contact information.

2.5 Data we collect automatically:

• Data about how you found us

  We collect data about your referring URL (that is, the place on the Web where you were when you tapped on our ad).

• Device and Location Data

  We collect data from your device. Examples of such data include language settings, IP address, time zone, type and model of a device, device settings, operating system, Internet service provider, mobile carrier, hardware ID, and Facebook ID.

• Usage data

  We record how you interact with our Service. For example, we log the features, and content you interact with, how often you use the Service, how long you are on the Service, what sections you use, how many ads you watch.

• Advertising IDs

  We collect your Apple Identifier for Advertising (“IDFA”) or Google Advertising ID (“AAID”) (depending on the operating system of your device). You can typically reset these numbers through the settings of your device’s operating system (but we do not control this).

• Transaction data

  When you make payments through the Service, you need to provide financial account data, such as your credit card number, to our third-party service providers. We do not collect or store full credit card number data, though we may receive credit card-related data, data about the transaction, including date, time and amount of the transaction, the type of payment method used.

• Cookies

  A cookie is a small text file that is stored on a user’s computer for record-keeping purposes.

  Cookies can be either session cookies or persistent cookies. A session cookie expires when you close your browser and is used to make it easier for you to navigate our Service. A persistent cookie remains on your hard drive for an extended period of time. We also use tracking pixels that set cookies to assist with delivering online advertising. Cookies are used, in particular, to automatically recognize you the next time you visit our Website. As a result, the information, which you have earlier entered in certain fields on the Website may automatically appear the next time when you use our Service. Cookie data will be stored on your device and most of the times only for a limited time period.

3. FOR WHAT PURPOSES WE PROCESS YOUR PERSONAL DATA

We process your personal data:

3.1. To provide our Service

This includes enabling you to use the Service in a seamless manner and preventing or addressing Service errors or technical issues.

3.2. To customize your experience

We process your personal data to adjust the content of the Service and make offers tailored to your personal preferences and interests.

3.3. To manage your account and provide you with customer support

We process your personal data to respond to your requests for technical support, Service information or to any other communication you initiate. This includes accessing your account to address technical support requests. For this purpose, we may send you, for example, notifications or emails about the performance of our Service, security, payment transactions, notices regarding our Terms and Conditions of Use and this Privacy Policy.

3.4. To communicate with you regarding your use of our Service

We communicate with you, for example, by push notifications or in the chat. As a result, you may, for example, receive a notification whether on the Website or via email that you received a new

message on ICAI. To opt-out of receiving push notifications, you need to change the settings on your browser or mobile device. To opt-out of a certain type of emails, you need to follow unsubscribe link located in the footer of the email or by contacting our support team at icai@icai.is, or in your profile setting.

The services that we use for these purposes may collect data concerning the date and time when the message was viewed by our users, as well as when they interacted with it, such as by clicking on links included in the message.

3.5. To research and analyze your use of the Service

This helps us to better understand our business, analyze our operations, maintain, improve, innovate, plan, design, and develop ICAI and our new products. We also use such data for statistical analysis purposes, to test and improve our offers. This enables us to better understand what features and sections of ICAI our users like more, what categories of users use our Service. As a consequence, we often decide how to improve ICAI based on the results obtained from this processing. For example, if we discover that the Jobs section is not as popular as others, we may focus on improving it.

3.6. To send you marketing communications

We process your personal data for our marketing campaigns. We may add your email address to our marketing list. As a result, you will receive information about our products and services, such as for example, special offers, and products of our partners. If you do not want to receive marketing emails from us, you can unsubscribe following instructions in the footer of the marketing emails, by contacting our support team at icai@icai.is, or in your profile setting.

We may also show you advertisements on the Website, and send you push notifications for marketing purposes. To opt-out of receiving push notifications, you need to change the settings on your device or/and browser.

3.7. To personalize our ads

We and our partners use your personal data to tailor ads and possibly even show them to you at the

relevant time. For example, if you have visited our Website, you might see ads of our products and services, for example, in your Facebook’s feed.

We may target advertising to you through a variety of ad networks and exchanges, using data from advertising technologies on and off of our Services like unique cookie, or similar tracking technology, pixel, device identifiers, geolocation, operation system information, email.

How to opt-out or influence personalized advertising

iOS: On your iPhone or iPad, go to “Settings,” then “Privacy” and tap “Advertising” to select “Limit Ad Track”. In addition, you can reset your advertising identifier (this also may help you to see less of personalized ads) in the same section.

Android: To opt-out of ads on an Android device, simply open the Google Settings app on your mobile phone, tap “Ads” and enable “Opt-out of interest-based ads”. In addition, you can reset your advertising identifier in the same section (this also may help you to see less of personalized ads).

To learn even more about how to affect advertising choices on various devices, please look at the information available here.

In addition, you may get useful information and opt-out of some interest-based advertising, by visiting the following links:

• Network Advertising Initiative –http://optout.networkadvertising.org/

• Digital Advertising Alliance –http://optout.aboutads.info/

• Digital Advertising Alliance (Canada) –http://youradchoices.ca/choices

• Digital Advertising Alliance (EU) –http://www.youronlinechoices.com/

• DAA AppChoices page –http://www.aboutads.info/appchoices

Browsers: It is also may be possible to stop your browser from accepting cookies altogether by changing your browser’s cookie settings. You can usually find these settings in the “options” or

“preferences” menu of your browser. The following links may be helpful, or you can use the “Help” option in your browser.

• Cookie settings in Internet Explorer

• Cookie settings in Firefox

• Cookie settings in Chrome

• Cookie settings in Safari web and iOS

Google allows its users to opt out of Google’s personalized ads and to prevent their data from being used by Google Analytics.

Facebook also allows its users to influence the types of ads they see on Facebook. To find how to control the ads you see on Facebook, please go here or adjust your ads settings on Facebook.

3.8. To enforce our Terms and Conditions of Use and to prevent and combat fraud

We use personal data to enforce our agreements and contractual commitments, to detect, prevent, and combat fraud. As a result of such processing, we may share your information with others, including law enforcement agencies (in particular, if a dispute arises in connection with our Terms and Conditions of Use).

3.9. To comply with legal obligations

We may process, use, or share your data when the law requires it, in particular, if a law enforcement agency requests your data by available legal means.

3.10. To process your payments

We provide paid products and/or services within the Service. For this purpose, we use third-party services for payment processing (for example, payment processors). As a result of this processing, you will be able to make a payment and use the paid features of the Service.

Important Information: Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably believe that we need to use it for another purpose that is compatible with the original purpose. If you want to know how processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for a purpose unrelated to the original purpose, we will inform you and explain the legal basis that allows us to do so.

Please note that we may process your personal data without your knowledge or consent, as long as we comply with the above regulations and this is required or permitted by law.

4. AUTHORISED REQUIREMENTS FOR PROCESSING YOUR PERSONAL DATA

We process your personal data, in particular, under the following authorized requirements:

• your consent;

• to perform our contract with you;

• for our (or others’) legitimate interests;

• to comply with legal obligations.

WITH WHOM WE SHARE YOUR PERSONAL DATA

We share information with third parties that help us operate, provide, improve, integrate, customize, support, and market our Service. We may share some sets of personal data, in particular, for purposes and with parties indicated in Section 2 of this Privacy Policy. The types of third parties we share information with include, in particular:

5.1. Service providers

We share personal data with third parties that we hire to provide services or perform business functions on our behalf, based on our instructions. We may share your personal information with the following types of service providers without limitation:

• cloud storage providers (Amazon, DigitalOcean, Hetzner)

• data analytics providers (Facebook, Google, Appsflyer)

• marketing partners (in particular, social media networks, marketing agencies, email delivery services; such as Facebook, Google, Mailfire)

• Web hosting service provider (Squarespace)

• Education partners (Thinkific)

• Payment web platforms (SaltPay and Sportabler)

5.2. Law enforcement agencies and other public authorities

We may use and disclose personal data to enforce our Terms and Conditions of Use, to protect our rights, privacy, safety, or property, and/or that of our affiliates, you or others, and to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, or in other cases provided for by law.

5.3. Third parties as part of a merger or acquisition

As we develop our business, we may buy or sell assets or business offerings. Customers’ information is generally one of the transferred business assets in these types of transactions. We may also share such information with any affiliated entity (e.g. parent company or subsidiary) and may transfer such information in the course of a corporate transaction, such as the sale of our business, a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy.

6. INTERNATIONAL TRANSFERS

Some of our external third parties are based or send personal data outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.

• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

7. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so

8. YOUR RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These rights are as stipulated below;

• Rights to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights. This is why we are providing you with the information in this Privacy Policy.

• Right of access. You have the right to obtain access to your personal data (if we are processing it) and certain other information (similar to that provided in this Privacy Policy). This is so you are aware and can check that we are using your personal data in accordance with data protection law.

• Right to rectification. You are entitled to have your personal data corrected if it is inaccurate or incomplete.

• Right to erasure. This is also known as ‘the right to be forgotten’ and, in simple terms, enable you to request the deletion or removal of your personal data where there is no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.

• Right to restrict processing. You have the right to ‘block’ or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your personal data, but may not use it further.

• Right of data portability. You have the right to obtain and reuse your personal data in a structured, commonly used and machine-readable format in certain circumstances. In addition, where certain conditions apply, you have the right to have such information transferred directly to a third party.

• Right to object to processing. You have the right to object to us processing your personal data for our legitimate business interests or for direct marketing purposes (including in each case any related profiling).

• Right to withdraw consent to processing. If you have given your consent to us to process your personal data for a particular purpose (for example, direct marketing), you have the right to withdraw your consent at any time (although if you do so, it does not mean that any processing of your personal data up to that point is unlawful).

• Right to make a complaint to the data protection authorities. You have the right to make a complaint to the Information Commissioner’s Office (ICO) if you are unhappy with how we have handled your personal data or believe our processing of your personal data does not comply with data protection law.

9. CHANGES TO THIS PRIVACY POLICY

We may modify this Privacy Policy from time to time. If we decide to make material changes to this Privacy Policy, you will be notified through our Service or by other available means and will have an opportunity to review the revised Privacy Policy. By continuing to access or use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.

10. DATA RETENTION

We will store your personal data for as long as it is reasonably necessary for achieving the purposes set forth in this Privacy Policy (including providing the Service to you), which includes (but is not limited to) the period during which you have a ICAI account. We will also retain and use your personal data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Effective date: 30th March 2023