Jónsbók
Login

Privacy Policy of Raxiom ehf.

Raxiom ehf., ID no. 570724-1180, Hlíðarvegur 16, 200 Kópavogur ('the company'), processes personal data in accordance with Icelandic Act No. 90/2018 on the protection of personal data and the EU General Data Protection Regulation (Regulation (EU) 2016/679), together with applicable privacy rules, recommendations and guidelines.

This privacy policy explains how the company processes personal data for Jónsbók. For subscriber content and user activity, Raxiom ehf. acts as a data processor and each subscriber remains the data controller. The company acts as a data controller for account administration, billing, security, compliance and direct business contact data.

Types of Personal Data Collected

Depending on how Jónsbók is used, the company processes the following categories of personal data:

  • Account and authentication data, including email addresses and authentication metadata handled through Clerk.
  • Login history, usage telemetry, security logs and audit records.
  • Customer Content submitted to Jónsbók, including chats, prompts, uploaded documents, generated outputs, document metadata and feedback.
  • Support, sales and customer-success communications, including messages sent to hello@jonsbok.ai.

Where the company acts as a data controller, it also processes:

  • Customer contact, contract administration and billing information.
  • Security, incident-response and compliance records needed to operate and protect Jónsbók.

Where does the company get personal data from?

The company obtains personal data from users, subscribers, identity providers and system logs when users sign in to Jónsbók, submit content, request support or otherwise interact with the service.

Why is personal data collected?

The company collects personal data to:

  • Comply with legal requirements applicable to its operations.
  • Fulfill contractual obligations and provide Jónsbók to subscribers and users.
  • Authenticate users, enforce access controls and ensure information security.
  • Process chats, uploaded documents and model requests to generate responses.
  • Communicate with users and subscribers, provide support, and improve the product without training language models on Customer Content.

For what purpose is the personal data used?

The company processes personal data to operate Jónsbók, administer subscriptions, authenticate users, enforce tenant access, process chats and uploads, generate responses, provide support, secure infrastructure and comply with legal obligations.

Customer prompts, chats, uploads, outputs and feedback remain the property of the subscriber or user that submitted them and are not used to train language models.

With whom is personal data shared?

The company uses carefully selected service providers in the following categories:

  • Hosting and storage providers.

    These providers host application data and customer content in EU/EEA regions and store content encrypted.

    Customer content is encrypted at rest with AES-256 and protected in transit with TLS 1.2 or higher.

  • AI model providers.

    These providers process prompts and uploads to generate responses and do not retain customer content for model training.

  • Authentication, application hosting, observability and support providers.

    These providers help deliver login, application delivery, diagnostics and customer support. Current provider names, locations and safeguards are maintained in our sub-processor materials and Data Processing Agreement.

Where processing involves a transfer outside the EEA, the company uses the EU-US Data Privacy Framework, Standard Contractual Clauses or other appropriate safeguards. More detailed security and sub-processor information is available on request.

How long is personal data retained?

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.

Customer content is retained until deleted by the user or subscriber, the account is closed, or the subscription terminates, subject to documented backup retention schedules. Contact, contract and compliance records are retained only as long as needed for the relevant business, legal or security purpose.

Security of Personal Data

The company uses EU/EEA hosting, encryption at rest and in transit, logical tenant separation, and separation between user identity and encrypted content.

Access to production systems is restricted to authorized personnel, protected by MFA, logged, and subject to confidentiality obligations.

The company is ISO/IEC 27001 certified and maintains information-security controls, independent security testing and incident-response procedures.

View the Jónsbók Trust Center

Rights of Data Subjects

Data subjects have the following rights regarding their personal data:

  • Right of access to personal data
  • Right to rectification of personal data
  • Right to erasure of personal data
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

To exercise these rights, contact hello@jonsbok.ai. Where the company acts as processor, it assists the relevant subscriber in responding to the request.

Individuals have the right to lodge a complaint with the Data Protection Authority in accordance with the Act on Data Protection and Processing of Personal Data and may file a complaint by sending an email to postur@personuvernd.is. More information can be found on the Data Protection Authority's website, www.personuvernd.is.

Contact Information

If you have questions about this privacy policy or the processing of your personal data, please contact us at hello@jonsbok.ai.

Changes to Privacy Policy

We may update this privacy policy from time to time. We will notify users or subscribers of material changes by posting the updated policy on this page or by other appropriate notice.

This privacy policy is effective as of May 6, 2026.

Last modified: May 6, 2026