Information Policy of Internet á Íslandi hf.

By using the services of the company, you are accepting our collection and processing of information about you according to this information policy.

This is the Information Policy for Internet á Íslandi hf, hereinafter referred to as ISNIC, Modernus or RIX. This policy applies to all our services:, , and . Please note that the Icelandic version of this document  should be considered authoritative and takes precedence in the case of any discrepancies.

The employees and management of ISNIC are aware of the special role of the company, its responsibilities and obligations with respect to private persons, enterprises, the authorities and the Internet community. See also a short summary of the history of the Internet in Iceland, and the company’s terms and conditions.


The company declares that it conforms to European rules on personal protection (the European GDPR Directive). It promises not to disclose personal data to any third party except with the permission of the user, or customer, in excess of what may be necessary to establish a bank claim, etc. or at the demand of the Icelandic authorities.

Your right to information

According to legislation on personal protection (GDPR), you are entitled to know what information the company has about you and to have such information changed if it is wrong and to have such information erased if no other and more important reasons do not prevent such erasure. Please send a signed enquiry, together with your e-mail address, in this regard labelled “My personal information” to:

Internet á Íslandi hf. Katrínartún 2, 18. floor, 105 Reykjavík

General Information Policy

What kind of information are we collecting?

The company only collects and stores information that is necessary to fulfil its service obligations to customers. This information mainly consists of the name, ID number, telephone number, mobile phone number and e-mail of the company’s customers and their contacts. The information is used to be able to provide services over the Internet, send invoices, create bank claims, collect debts, send important notifications and for publication in the rightholder registry of ISNIC (Whois).

Data security

The company places the greatest importance on information security, as regards both the copying of data, both internally and externally, as well break-in defences. For this purpose, the company saves all data and all software on its own servers and operates its own computer facilities in Reykjavík to which no external parties have access.

External backup facilities are also located in Reykjavík. Only the technical information (i.e. DNS information) of domains is stored in many locations (Anycast) in different locations in the world to ensure the functionality of .is domains throughout the Internet.

Data deletion

Information on inactive users, who are neither connected to active services nor transactions, is deleted 6 months after the most recent transaction. Business and accounting information more than 7 years old are either deleted or some proportion of them sent to the National Archives of Iceland. Svarbox Chat messages are automatically deleted after 120 days.


The company uses only its own Web Measure service (, for all the websites of the company. It distributes text files (cookies) to the browsers of users, which store them in transient memory or long term storage (hard disk). The purpose is, on the one hand, the collection and management of necessary technical information and, on the other hand, to collect information on when and from where the users of the website came from, such as IP addresses, towns, cities, countries, areas and referring URLs as well as what pages of the company website they are looking at. No personably identifiable information is collected and no cookies are disclosed to any third parties. For this reason, consent is not required for use of cookies on ISNIC websites.

Service-specific Policies

Operation of authoritative name servers of .is

No personably identifiable data is created during the provision of the service, and there is no equipment in place to examine the content of traffic sent to main name servers operated by ISNIC. Aggregate statistical information is extracted from traffic reaching the authoritative name servers of ISNIC, but no personally identifiable data.

ISNIC's Public Whois Service

What is collected? ISNIC collects and stores information on the name, kennitala, telephone number, mobile phone number, e-mail address and address of rightholders of .is domains and their contacts in a Whois register and provides limited access thereto on the website of ISNIC.

Why does ISNIC publish information? In order to ensure that Internet service providers, rightholders and others who need to do so, can gain access to necessary information easily.
ISNIC, however, automatically hides names, e-mail, kennitala, telephone numbers, mobile phone numbers and addresses (with the exception of the country name) of those who are labelled as individuals in the rightsholder records, but publishes the provided country name for those who have not chosen to display info publicly.

Note that many rightholders have valid reasons to publish additional information on the rightholders of their domains and their contacts publicly in the Whois database. ISNIC publishes the name, e-mail and address of the contacts and rightholders who have so chosen and have selected “My Name and Address Published” under “My Settings” after logging in to the ISNIC website.

View the manner in which ISNIC publishes information on the rightholders and contacts of domains by accessing your own domain, or a domain owned by another individual or business, in the Whois search window at the top of the page ISNIC home page.

Release of hidden Registration Data from ISNIC's Whois ISNIC can deliver hidden registration data to third parties if good and legitimate reasons are provided such as enforcement of legal rights or to prepare a domain dispute case at a competent decision party according to Chapter 8 in the .is Domain Rules. To obtain hidden information from ISNIC it is necessary to submit a „Request of hidden data“ and send a signed copy to Please note that your Request, with all information, will be disclosed to the owner (registrant) of the information provided. ISNIC reserves the right to reject a request of hidden data on its own terms. In that case a formal demand will have to come from a competent Icelandic party according to Art. 27.

The Web Measure site®

The Web Measure site collects information on the IP addresses of the users of web media but no personally identifiable data. The data on Internet use is stored for an unlimited period for research purposes in the company’s databases. The access information (name, e-mail and telephone numbers) of ISNIC's customers is stored as long as they have access to the system. See: Veflistinn .

Svarbox® Chat or Messenger

ISNIC is the Data Controller of this service. The Svarbox® Chat system stores communication data (conversations, messages) on a central server in the ISNIC data center. The communication data is a log of free-form conversations between Svarbox Customer service representitives and their customers (the general public). The data is neither stored by the customers of the service, nor the users. ISNIC decides unilateraly where, when and how long the data is stored, and grants limited access to this data to Customers of the service. Since this data is only stored by ISNIC, the parties to the conversation are sharing their conversation with a third party, which is ISNIC. Consequentially, ISNIC is the Data Controller (“ábyrgðaraðili”) of this process, within the context of the GDPR and Icelandic Law 90/2018 regarding the processing of personal data.

ISNIC does not require that users of the service provide personal details about themselves, or any other sensitive data, before participating in a conversation. In order to safeguard the privacy of everyone involved, ISNIC encourages the Svarbox Customers to only request the minimum required information on log-in to the chat system, e.g. a first name or nickname, rather than a full name and/or e-mail address.

The data collected during a Svarbox conversation are not processed further and will never be delivered to a third party. The conversation data is stored for 120 days and deleted automatically once that time has passed, unless the Svarbox Customer, or a user of the service, sends ISNIC a written request to delete the data at an earlier date. Svarbox Customers have access to the stored data for 120 days. Credit card numbers are automatically obscured, aside from the four final digits. Usernames (e-mail addresses) and customer names are stored as long as necessary to provide the service, but deleted thereafter. See also: .

Website monitoring

Varðhundurinn® (the Watchdog) monitors the connection and uptime of web servers. No personably identifiable information is collected, except that the access information (name, e-mail and telephone numbers) of users are stored in the database of ISNIC as long as they have access to the service, and deleted thereafter.

RIX (Reykjavík Internet Exchange)

RIX is the exchange station (peering point) of Icelandic Internet service providers, where they (only Internet companies) can route Internet traffic among themselves and thereby prevent domestic traffic from being transmitted over foreign connections, with the attendant additional cost and delays. No personably identifiable data is created during the provision of the service, and there is no equipment in place to examine the content of traffic sent through RIX.

ISNIC reserves the right to publish summaries of Internet traffic volumes, in particular on .

Coordinated Disclosure

ISNIC encourages coordinated disclosure. If you find security issues with our software or services, please we would very much appreciate it if you followed the RFPolicy 2.0 when disclosing them. Specifically, we'd like to ask you to:

  1. Let us know about the vulnerability you have identified, at
  2. Give us 5 days to respond to your report.
  3. Coordinate with us on the timeline of the disclosure.

We do not at this time offer any monetary compensation for vulnerability disclosure, but we are more than happy to give credit to you and your work when acknowledging the vulnerability on our website and social media channels.

Reykjavík, 16th October 2019
On behalf of Internet á Íslandi hf.
Jens Pétur Jensen, CEO

Modification log:

  • 8. may 2019 (content updated to match policy in Icelandic)
  • 7. may 2019 (transcribed from PDF to HTML)
  • 16. okt 2019 (release of hidden registration data)
  • 20. okt 2021 (coordinated disclosure)
Leave a message and we will reply as soon as we can.

Message received

To top