The data controller responsible for your personal data is:

Company: Wooom ehf.

Registration number (kennitala): 520922-0830

Address: Grandavegur 42, 107 Reykjavík, Iceland

Email: wooom@wooom.is

Website: wooom.is

2.1 Booking and reservation data

When you apply for a place on a Wooom retreat, we collect the following information about you and your partner:

• Full name
• Email address
• Phone number
• Sex / gender
• Postal address (street, city, country, postcode)

This data is necessary to process your reservation, manage the payment, and communicate with you about the retreat.

2.2 Website usage data

When you visit wooom.is, we collect technical data about your visit through cookies and similar technologies, including:

• Pages visited and time spent on the site
• Browser type and operating system
• Approximate geographic location (country/city level)
• How you arrived at the site (e.g. search engine, social media, direct)

This data is collected only with your consent, via our cookie consent tool (CookieHub). You can withdraw your consent at any time by adjusting your cookie preferences.

2.3 Communications

If you contact us by email, we retain a record of that correspondence including your email address and the content of your messages.

2.4 Marketing communications

If you have opted in to receive updates and news from Wooom, we will use your email address to send you relevant communications. You can unsubscribe at any time by clicking the unsubscribe link in any email, or by contacting us at wooom@wooom.is.

2.5 Health, dietary, and special requirements

To provide the safest and most personalised retreat experience, we may ask you to share information about relevant health conditions, dietary requirements, and allergies. This may include information that qualifies as special category data under GDPR Article 9 (such as health or medical information).

We process this information only with your explicit consent (GDPR Article 9(2)(a)) and use it solely to accommodate your needs during the retreat. This data is not shared with third parties beyond retreat staff and any directly involved service providers (such as catering), and is deleted following the retreat.

2.6 Photography and video at the retreat

We occasionally photograph or film retreat activities for use in our marketing materials, website, and social media. These images or videos may include participants.

We will always ask for your explicit written consent before photographing or filming you. Participation is entirely voluntary and has no bearing on your retreat experience. If you consent and later change your mind, you may withdraw consent at any time by contacting us at wooom@wooom.is; we will remove your images from future use as promptly as possible.

We only process your personal data where we have a lawful basis to do so under GDPR Article 6. The bases we rely on are:

Contract performance (Article 6(1)(b)): When you book a retreat, processing your booking data is necessary to fulfil our contract with you — including confirming your reservation, processing payment, and communicating logistics.

Consent (Article 6(1)(a)): For website analytics cookies, advertising tracking (Google Ads, Meta Pixel), and marketing emails, we rely on your freely given consent. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Legitimate interests (Article 6(1)(f)): We may process limited data to maintain the security of our website, prevent fraud, and improve our services, where this does not override your rights and interests.

• To process and confirm your retreat reservation
• To communicate with you about your booking, including payment, logistics, and pre-retreat information
• To process payments (via our payment provider)
• To respond to your enquiries and correspondence
• To send marketing updates, if you have consented
• To analyse website traffic and improve our site (with your consent via cookies)
• To measure the effectiveness of our advertising campaigns (with your consent via cookies)
• To comply with legal obligations

We use cookies and similar technologies on wooom.is. A cookie is a small text file placed on your device when you visit a website.

We use the following categories of cookies:

Strictly necessary cookies: Required for the website to function. These cannot be disabled.

Analytics cookies: We use Google Analytics (GA4) to understand how visitors use our site. This data is anonymised and aggregated. These cookies are only set with your consent.

Marketing cookies: We use Meta Pixel (Facebook/Instagram) and Google Ads tracking to measure the performance of our advertising. These cookies are only set with your consent.

You can manage your cookie preferences at any time using the cookie settings link in the footer of our website.

We do not sell your personal data. We share it only with trusted third-party service providers who process it on our behalf, or where legally required. These include:

Google LLC: We use Google Analytics to analyse website traffic, and Google Ads for advertising. Google may process data in the United States. Google participates in the EU-US Data Privacy Framework.

Meta Platforms, Inc.: We use the Meta Pixel to measure the performance of our Instagram and Facebook advertising. Meta may process data in the United States. Meta participates in the EU-US Data Privacy Framework.

Payment processor: We use a third-party payment provider to process retreat deposits and balances securely. We do not store your full payment card details.

All third parties are contractually required to handle your data in accordance with GDPR and to use it only for the specific purposes we have agreed.

Some of our service providers are based outside the European Economic Area (EEA), primarily in the United States. Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Participation in the EU-US Data Privacy Framework (applicable to Google and Meta)

Booking and reservation data: We retain your personal data for as long as necessary to fulfil your retreat booking and for a period of up to 5 years thereafter, to comply with legal and accounting obligations.

Website analytics data: Aggregated and anonymised usage data is retained for up to 26 months in Google Analytics (the platform default).

Marketing communications: We retain your email address on our marketing list until you unsubscribe or ask us to remove it.

Correspondence: Emails and support communications are retained for up to 3 years.

When data is no longer needed, we delete it securely or anonymise it so it can no longer be linked to you.

Under GDPR, you have the following rights in relation to your personal data:

Right of access: You can request a copy of the personal data we hold about you.

Right to rectification: You can ask us to correct any inaccurate or incomplete data.

Right to erasure: You can ask us to delete your personal data, subject to certain legal exceptions.

Right to restriction: You can ask us to pause processing of your data in certain circumstances.

Right to data portability: You can request a copy of the data you have provided to us in a structured, machine-readable format.

Right to object: You can object to processing based on legitimate interests or for direct marketing purposes.

Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at wooom@wooom.is. We will respond within 30 days.

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Icelandic Data Protection Authority:

Persónuvernd

(Icelandic Data Protection Authority)

Rauðarárstígur 10, 105 Reykjavík, Iceland

Website: www.personuvernd.is

We would, however, appreciate the opportunity to address your concerns before you approach the supervisory authority, so please contact us first at wooom@wooom.is.

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. Our website uses HTTPS encryption and access to personal data is restricted to authorised personnel only.

However, no transmission of data over the internet is completely secure. While we do our best to protect your data, we cannot guarantee the absolute security of data transmitted to our site.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Icelandic Data Protection Authority (Persónuvernd) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Our services are intended for adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us at wooom@wooom.is and we will delete it promptly.

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify you by email if you are an existing customer.

We encourage you to review this policy periodically to stay informed about how we protect your data.

For any questions, requests, or concerns about this Privacy Policy or how we handle your data, please contact us:

Email: wooom@wooom.is

Address: Grandavegur 42, 107 Reykjavík, Iceland

Website: wooom.is

We aim to respond to all privacy-related enquiries within 30 days.