Privacy

Last updated: 17 June 2026

Short version: we keep almost nothing about you personally — no name, no account, no payment data. We do keep anonymous product analytics so we can tell which features are useful. We don't sell anything because there isn't anything to sell.

1 · Who we are

The Tourist Trapp ehf. is a private limited company registered in Reykjavík, Iceland. We make the Icebreaker app ("Icebreaker", "the app"). You can reach us at hello@thetouristtrapp.com.

2 · What we collect

Your location, if you grant the permission

When you grant the iOS or Android location permission, the app reads your latitude and longitude to show you what's nearby (cafés, bars, events, fuel stations) and to give Vinur context when you chat with him. Your coordinates stay on your device and are sent to our server only as part of a Vinur chat request, never logged.

The text of your Vinur chats

When you talk to Vinur, your messages are sent to our API server, which forwards them to OpenAI to generate a reply. We do not store chat logs. We retain the request only as long as it takes to produce an answer, then drop it.

Your IP address, at the API server

Our API server logs the IP address of every request for rate-limiting and abuse prevention (so a single visitor can't loop requests and burn through our OpenAI budget). The IP is masked before it is written to logs: for IPv4 we drop the last octet (203.0.113.x), for IPv6 we keep only the first four hextets. The full address lives in memory long enough to evaluate the rate-limit window, then is discarded.

Anonymous product analytics (PostHog)

We use PostHog to understand how the app is used in aggregate — which features people open, how long the app is in the foreground, which screens get touched, and whether common flows fail. PostHog stores:

• Anonymous events (the screen you opened, the button you tapped, etc.).
• Device-level metadata (OS version, app version, screen size, language, country at IP-level).
• A randomly-generated install ID — a UUID created the first time you open the app. It is not tied to your name, email, phone number or any account, because Icebreaker has no accounts.

We do not enable PostHog session replay, do not capture form input, and do not attach your name, email, or any contact information to events — Icebreaker has none of those to attach. PostHog data is hosted in PostHog Cloud's EU region. You can opt out of analytics from inside the app's settings.

3 · What we don't collect

• Your identity. No name, email address, phone number, account, sign-in, or social login. Icebreaker has no accounts.
• Your payment details. The app doesn't take payments. Any booking happens on the venue's own site or in person.
• Advertising IDs or cross-app tracking. We do not read your IDFA / GAID. We do not run ads. We do not share anything with ad networks, data brokers, or marketing pixels (no Google Analytics, no Meta SDK).
• Session recordings, form input, or content of your typing. PostHog session replay is disabled.
• Children's data. Icebreaker is not designed for users under 13. We don't knowingly collect data from anyone we have reason to believe is a child.

4 · Who we share data with

We do not sell your data. We don't share it with advertisers because we don't run ads. The only third parties that ever see any of it:

• OpenAI — when you chat with Vinur, your message text passes through our server to OpenAI's chat completions API. OpenAI's handling is governed by their Privacy Policy.
• Apple and Google — if you install Icebreaker through TestFlight, the App Store, or Google Play. Their handling is governed by their respective privacy policies.
• Fly.io — hosts our API server in the EU region. Operates as a data processor on our behalf.
• PostHog — receives the anonymous product analytics described in §2 (events, device metadata, install ID). Hosted in PostHog Cloud's EU region. Their handling is governed by their Privacy Policy.
• Weather, road and fuel APIs — when relevant in-app screens load, we fetch data from OpenWeatherMap, Vegagerðin and Gasvaktin. These requests don't include anything that identifies you; weather requests carry only a coarse latitude/longitude.

5 · How long we keep things

• Vinur chat messages: not stored. Held in memory only during the request.
• Rate-limit / abuse counters: in-memory on our server. Rate-limit window resets each hour; abuse cooldown lasts up to 30 minutes. Everything is lost on server restart and is never written to disk.
• Server access logs: include the masked IP, request path, status code and response time — never message bodies or coordinates. Retained at most 7 days, then deleted.

6 · Where data is processed

Our API server runs in Fly.io's Amsterdam region (EU). PostHog analytics events stay in PostHog Cloud's EU region. Vinur chat messages are forwarded to OpenAI, which processes them according to its own terms; OpenAI's infrastructure spans multiple regions including the US. By using Vinur, you accept this cross-border transfer.

7 · Your rights under GDPR

Because Icebreaker is built by an Icelandic company and EU / EEA visitors use the app, the GDPR applies to us regardless of where you live. Your rights:

• Right of access — ask what we hold about you. (In almost every case the honest answer is "nothing tied to your identity".)
• Right to erasure — ask us to delete whatever we do hold.
• Right to object to processing.
• Right to data portability, where it applies.
• Right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) or with the supervisory authority of your own EU / EEA country.

To exercise any of these rights, email hello@thetouristtrapp.com. We respond within 30 days.

8 · Children's privacy

Icebreaker is intended for adults visiting Iceland and is not directed to children under 13. We do not knowingly collect personal information from children. If you are a parent or guardian and you believe your child has provided us with personal information, contact us and we'll address it.

9 · Security

Our API server is served exclusively over HTTPS with HSTS. Standard transport security applies to every request your device makes to us, and from us to OpenAI / weather / road / fuel APIs. No system is perfectly secure, but the absence of accounts, payment data and stored chat history means there is very little to leak in the first place.

10 · Changes to this policy

When something material changes, we update this page and bump the "Last updated" date at the top. If a change meaningfully expands what we collect, we'll surface a notice in the app the next time you open it.

11 · Contact

The Tourist Trapp ehf.
Reykjavík, Iceland
hello@thetouristtrapp.com

← Back to Icebreaker