Privacy Policy


Bláfugl ehf, (doing business as Bluebird Nordic) (hereinafter “We”, “Ours”, “Company”) process the personal data of its’ customers, potential customer, emploeeys, candidates to employess, suppliers, partners etc. (hereinafter – you, your) personal data in accordance with the provisions of the legal acts regulating the legal protection of personal data and applying the highest technical and legal standards of protection and taking all necessary measures to prevent possible breaches of personal data protection. This Privacy Policy (hereinafter referred to as the “Privacy Policy“) sets out the basic rules for the collection, processing and storage of your personal data and other information related to you, the scope, purposes, sources, recipients of your personal data and your rights as a personal data subject and other important aspects of your use of the Company’s services. This information is important, so we hope you will read it carefully.

As used in this Privacy Policy, the term “personal data” (the “Personal Data”) means any information about you relating to you as a natural person, a data subject whose identity is known or can be directly or indirectly identified through the use of certain data (e.g. name, surname, personal identification number, address, telephone number, etc.).

In processing the personal data, we responsibly comply to the regulation No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), the Icelandic law regarding privacy and processing of personal data no. 90/2018 and other directly applicable legal acts regulating the protection of personal data, as well as instructions from competent authorities.

In the event that you provide us with personal information other than your own (for example, identifying another person as a beneficiary), please inform them of this Privacy Policy and its contents.

If the user of the services is a legal entity, this Privacy Policy applies to natural persons whose personal data is transferred to us by a legal entity. The user must duly comply with Art. 14 of the GDPR. to inform data subjects (managers, beneficiaries, representatives, etc.) about the transfer of their personal data to the Company.

Contact details of the Data Controller:

Bláfugl ehf. (doing business as Bluebird Nordic)

Urðarhvarf 6

203 Kópavogur

Iceland. 460899-2229

Tel: +354 420 0200

If you have any questions regarding this Privacy Policy or requests regarding the processing of your personal data, please contact our Data Protection Officer by email: [email protected]

By visiting the Company’s websites and / or using the information contained therein and / or our services, you acknowledge and confirm that you have read and understood this Privacy Policy.


This Privacy Policy applies to our Website (the Websites) and any service provided by the Company or other activities of the Company where personal data is being process.

The terms and conditions of the Privacy Policy apply to you every time you access the content and/or the service we provide, regardless of which device (computer, cell phone, tablet, TV, etc.) you are using.

This Privacy Policy does not apply to links to other entities websites provided on our websites; therefore, we recommend that you read the personal data processing rules applied on such websites.


  • When processing your personal data, we:
    • comply with current and applicable legislation, including the GDPR;
    • we will process your personal data in a lawful, fair, and transparent manner;
    • we will collect your personal data for specified, clearly defined and legitimate purposes and will not continue to process it in a way incompatible with those purposes, except to the extent permitted by law;
    • take all reasonable steps to ensure that personal data which are inaccurate or incomplete, having regard to the purposes for which they are processed, are rectified, supplemented, suspended or destroyed without delay;
    • we will keep them in such a form that your identity can be established for no longer than is necessary for the purposes for which the personal data are processed;
    • we will not disclose or disclose personal data to third parties except as provided in the Privacy Policy or applicable law;
    • ensure that your personal data is processed in such a way as to ensure the appropriate security of personal data through appropriate technical or organizational measures, including protection against unauthorized or unlawful processing of personal data and against unintentional loss, destruction, or damage. Contact details of our Data Protection Officer: [email protected]


  • Bluebird processes the following personal information’s:
    • information’s you provide to take care of and complete a freight booking or to provide you with a service that you have requested,
    • your name, address, email, contact information,
    • Payment and account transaction,
    • information on bank accounts
    • VAT numbers
    • dates of construction or payments received
    • information about your freight services,
    • information’s about your booking,
    • information’s on special requests such as requests for special freight handling, requests for additional assistance or services and other relevant information,
    • information regarding your previous freight services,
    • information on your previous cargo, disturbances, changes in services, such as updates, presentation, claims, damages, and customer feedback
    • information regarding communication and registration, check-ins,
    • we will store your information’s to ensure that our communication with you is appropriate.
    • we will store your information if you have registered your information for an offer, or interacted with us on social media
    • information’s on how and in what way you contact us on our website
    • in order to customize your information to you and to improve our website, we collect information’s about your search on our website and the content you have looked at as well as your communication by the use of cookies and comparable technology
    • by processing your data and data usage we can realize if and when you have visited our website. We are able to contact you and offer you detailed information on your booking and the destinations you have shown interest in.
    • information on your location based on your equipment and device if you have browsed our website (IP address). IP address (i.e. Internet Protocol address) is a numeric code combination which that can serve as a unique identifier for your computer on other device (it can be turned off on your device).
    • Identify the country of entering the website or program, which will allow us to provide more appropriate content and language.


For direct marketing purpose, we process your personal data in the following cases:

  • when we obtain your explicit consent to such processing;
  • when you are a customer of us who have not objected to the processing of personal data for the purpose of direct marketing, marketing of similar services or products.

For direct marketing purpose, we may process your personal data.

With your expressed consent to receive direct marketing messages or newsletters you subscribe, you agree to receive our news about new services, products, invitations to events etc.

We inform you that Visitors may at any time refuse our newsletters or other promotional messages by clicking on a link to this in our outgoing newsletters and/or messages.

When you provide your information directly to us you may be asked if you don´t want to receive our marketing material.

Whatever your choice on receiving material from us or by which methods they are delivered, we will respect it.

You can change your mind at any time on whether you would like to receive marketing material or not. If you no longer choose to receive marketing materials from us, you can withdraw your consent at any time.


Our use of your personal data will always have a lawful basis. Most commonly, we use your personal data:

  • Where we need to conlude any contract and/or perform any contract we have entered into with you;
  • Where we need to comply with a legal obligation;
  • Where we have your consent;
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interest.

“Legitimate interest” means our interest to enhance our services, products, to manage the processes of businesses and activities. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. The legitimate interests that we pursue include:

Bluebird collects and processes your personal data on the basis of different legal grounds, depending on the nature of the personal data being provided and the type of processing involved.
Some of the personal data is processed on the basis that it is necessary for the performance of our agreement with you, or in order to take steps at the request of the user prior to entering such an agreement, or to register you as a new customer and verify your identity.
A ground relied upon processing your personal data is legitimate interests, where you believe you have a reasonable expectation that we will perform a particular type of processing on your behalf, or where such processing is strictly necessary for fraud detection and prevention. An example would be where we respond to your queries and enquiries.
A ground relied upon for certain types of processing is that it is necessary in order to allow compliance with a legal obligation. An example of this would be to retain business records for fixed periods of time in order to comply with local legal requirements.
In accordance with the EU regulation 2016/679 and the Icelandic law regarding privacy and processing of personal data no. 90/2018 you may request a copy of all your personal information obtained by Bluebird.


We will retain your personal data only for as long as necessary to achieve and fulfil the purposes set out in this Privacy Policy, taking into account the nature of the services provided to you and the contracts you enter into, unless longer storage of personal data and related documents is required by applicable laws and regulations and is necessary (e.g. mandatory time limits for accounting and others, etc.) or is required for the defence of the Data Controller’s legitimate interests in judicial, other public institutions etc.

We ensure and take all necessary measures to avoid storing outdated or unnecessary personal data about You and to keep Your personal data up-to-date and accurate.

Generally, Bluebird keeps personal data in accordance with our internal retention procedures, which are determined in accordance with our regulatory obligations and good practice. In addition, Bluebird may retain personal data relating to previous booking activity to comply with national laws, prevent fraud, collect any fees owed, resolve disputes troubleshoot problems, assist with any investigation, and take other actions permitted or required by applicable national laws.

Bluebird actively reviews personal information so that it is not retained longer than there is a legal basis for it being processed. In some cases, it may be anonymized and in other cases, deleted.

We will use your personal data for direct marketing purposes for 3 (three) years after you’re giving consent or after the end of the contractual relationship (direct marketing of similar services or products).


We responsibly implement appropriate organisational and technical personal data security measures intended for the protection of personal data against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. The security measures we implement include the protection of personnel, information, IT infrastructure, internal and public networks as well as office buildings and technical equipment.

In the event of personal data breach of security that could seriously jeopardise your rights or freedoms and determine the circumstances with which unauthorised access to personal data has been obtained, we will immediately inform you about it.


In some incidents Personal Data is distributed outside the company, but only if applicable by privacy laws and an agreement is in place with the external party.

As we share your personal data within Bluebird, this will involve transferring your data outside the EEA. Many of our external third parties are based outside the EEA so their processing of your personal data will also involve a transfer of data outside the EEA.

We may share some of your personal data with the following categories of third parties:

  • any Avia Solutions Group[1] company (listed at and other group companies for the purposes set out in this Privacy Policy (for example, for the purposes of performance of contracts and the management of relationship with customer);
  • representatives acting on our behalf with respect to the promotion of our services in particular territories;
  • companies providing data centers, hosting, cloud, site administration and related services, software developers, providing, maintaining and developing companies, companies providing information technology infrastructure services, companies providing communication services;
  • credit and debit card companies used to facilitate payment transactions related to the provision of our services, banks and other credit and/or payment companies;
  • our professional advisors, auditors, lawyers and/or fiancial advisers;
  • our other service providers (data processors) or our subcontractors;
  • notaries, if the contract concluded with you requires a notarial form;
  • judicial officers, entities providing legal s and/or debt recoveries services, subrogator of claim right;
  • companies providing advertising and marketing services;
  • companies providing archiving, physical and / or electronic security, asset management and/or other business services;
  • in accordance with the laws to state institutions, establishments, etc.;
  • law enforcement authorities at their request or on our own initiative if there is a suspicion that a criminal offense has been committed, as well as courts and other dispute resolution bodies; tax administrators
  • in the event of a company restructuring, transfer / acquisition and / or business transfer / acquisition, to a third party acquiring the business and processing personal data for the same purposes as specified in this Privacy Policy and/or doing the Due Diligence by our and/or their legal and/or financial advisors, etc.


As a general rule, your personal data will be processed in the countries of the European Economic Area (hereinafter – EEA). However, in certain cases, your personal data may be transferred to non-EEA countries. Please note that in non-EEA states, personal data may be subject to less protection than within the EEA, but we carefully evaluate the conditions under which such data will be processed and stored after being transferred to the above-mentioned entities.

According to European Union and Icelandic data protection laws, certain requirements need to be fulfilled when your personal information is transferred to a country outside the European Economic Area. The purpose of these requirements is to make sure your personal information is adequately protected, even when being transferred outside the European Economic Area.

Please note that if the European Commission has determined that the third country, territory or one or more specified sectors in that third country or international organization concerned provides an adequate level of personal data protection, the transfer must take place in the same manner as in the EEA. Please be informed that you can have access to the information as to the states in respect of which the decision of the European Commission has been taken, here:

In other cases, we take all necessary measures to ensure that your personal data is transferred to the recipient safely processing the data. The tools we use: a contract with a non-European recipient of personal data includes specific clauses for the secure processing of the data. In certain cases, we ask for your consent to transfer your data outside the Republic of Lithuania or the EEA.


We do not normally use automated decision-making under Article 22 of the GDPR to initiate and execute contractual relationships. Should we apply this procedure in individual cases, we will inform you separately, if required by law.

We process your personal data in a partially automated way in order to assess certain personal aspects (hereinafter Profiling). We use profiling, for example, when we are required by law to prevent money laundering or manage financial risk.


We guarantee the implementation of these rights and the provision of any related information at your request or in case of your query:

  • know (be informed) about the processing of your personal data;
  • to get access to your personal data which are processed by the Data Controller;
  • request correction or addition, adjustment of your inaccurate, incomplete personal data;
  • require the destruction of personal data when they are no longer necessary for the purposes for which they were collected;
  • request the destruction of personal data if they are processed illegally or when you withdraw your consent to the processing of personal data or do not give such consent, when is necessary;
  • disagree with the processing of personal data or withdraw the previously agreed consent;
  • request to provide, if technically possible, the provision of your personal data in an easily readable format according to your consent or for the purpose of performing the contract, or request the transfer of data to another data controller.

In order to exercise your rights, please send us the request by e-mail [email protected]  or directly coming to the Company by address Bluebird Nordic, Urðarhvarf 6, 203 Kópavogur, Iceland.

Upon receipt of your request, we may ask you to provide proof of your identity or other identifying information to ensure that we are exercising your rights as a data subject and to prevent unauthorized disclosure of personal data or information to others who are not entitled to it. If we are unable to identify you, we will not be able to exercise your rights as a data subject.

We provide information about the processing of your personal data free of charge. If your request is unfounded, repetitive or disproportionate, we may charge a fee commensurate with our administrative costs.

Upon receipt of your request, we will respond to you within 30 calendar days of receipt of your claim and the due date for submission of all documents necessary to prepare the answer.

In exceptional circumstances, which may require us to have additional time, the deadline for replying may be extended for a further two months, depending on the complexity of the situation. In this case, it is mandatory to inform the Data Subject in writing about such extension within 1 (one) month from the receipt of the request and indicate the reasons for the delay. If we think we need to, we will stop the processing your personal data, except for storage, until your application is resolved. If you have legally waived your consent, we will immediately terminate the processing of your personal data and within no more than 30 calendar days, except in the cases provided for in this Privacy Policy and in the cases provided for by law when further processing of yourpersonal data is binding on us by the legislation in force, the legal obligations we are facing, court judgements or binding instructions from the authorities. The responce will be provided in the same way as your request was received.

By refusing to comply with your requirement, we will clearly indicate the grounds for such refusal.

If you disagree with our actions or the response to your request, you can complain to the competent state authority A complaint can be made by writing to :

The Icelandic Data Protection Authority

Rauðarárstíg 10

105 Reykjavík.

In all cases, we recommend that you contact us before making a formal complaint so that we can find the right solution.


We may, from time to time, expand or reduce the scope of our business operations and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this notice, be permitted to use that data only for the same purposes for which it was originally collected by us.


Our Websites may contain links to other websites, which are not operated by us. We have no control over how your data is collected, stored, or used by such other websites and we advise you to check the privacy policies of any such websites before providing any data to them.


When you visit social networks, your personal data is processed by a specific social network, and we start processing your personal data when you visit Bluebird on social networks. Through various social media channels, we want to introduce you to our wide range of services / products and exchange ideas and opinions with you on important topics.

Your personal data provided on the social network is processed for the following purposes:

  • communicate with our social network visitors;
  • respond to visitor inquiries;
  • obtaining statistical information;
  • conducting customer surveys, marketing campaigns, market analysis, lotteries, competitions or similar actions or events;
  • if necessary, defending the legitimate interests of the Company in institutions and in other cases;

Unless explicitly stated otherwise, the legal basis for data processing is Article 6 part 1 point (f) of the GDPR. Our legitimate interests are to be able to answer your messages or questions and analyze our availability on social networks, to present our products and services. To the extent that you wish to enter into a contractual relationship with us with your request, the legal basis for such processing is Article 6 part 1 point (b) of the GDPR.

If we intend to process your personal data for any other purpose not mentioned above, we will notify you prior to such processing.

Our pages on social networks are managed by specific social networks, so when you visit them, the processing of personal data is based on the social network privacy policies. With some social networks, depending on the social network policy, the purposes and scope of the processing, we are considered as joint data controllers.


We reserve a right to change this Privacy Policy unilaterally from time to time in accordance with business and legal requirements (for example, if the law changes). Any changes will be immediately posted on our websites. We recommend that you check this page regularly to keep up-to-date.

This Privacy Policy applies from the date it is posted on the Websites. Last review of the Privacy Policy: 22. august 2022. If you continue to use our services (such as the Website) after changing the terms of the Privacy Policy, you will be deemed to have read and understood the changed terms of the Privacy Policy. We encourage you to periodically review this Privacy Policy to be informed of how we use your information.

[1] AVIA SOLUTIONS GROUP PLC, a private limited liability company, established and acting under the laws of the Republic of Cyrpus, registration code HE 380586, registration addres 28 Oktovriou, 1, ENGOMI BUSINESS CENTER BLC E, Flat / Office 111 Egkomi, 2414, Nicosia, Cyprus.