Customer agreement

Version 7.0  |  Published 15.11.2018  |  Valid from 04.12.2018

1. About the customer agreement

1.1 Parties to the agreement

This is an agreement between you, as the customer and Buypass AS (organization no. 983163327) and Buypass Payment AS (organization no. 980932753), hereafter referred to as “Buypass”.

1.2 Scope of agreement

The agreement applies to the application for and use of Buypass electronic identification (eID), either from Buypass directly or from one of our Merchants. eID is supplied at various assurance levels and by different means, such as smart card, password and one-time authorisation codes, or mobile.

See section 7 for more information about eID.

See section 8 for additional terms and conditions relating to the application for and use of Buypass qualified certificates (eID level 4). See section 9 for additional terms and conditions relating to the use of Buypass Payment Solutions and e-money.

1.3 Acceptance of agreement

By accepting the terms and conditions of this agreement, you consent to Buypass collecting, storing, and processing your personal information and information relating to your use of our services.

You can read the agreement when you register and apply.  We assume that you have accepted once you sign or tick the box saying you have read and accepted the agreement.

2. Customer relationship

2.1 Establishing the customer relationship

When registering, the customer relationship is established. You register either on Buypass website or at one of our partners or Merchants.

You must be 13 years old to register. An exception to this applies when registering for “Idrettens ID”, where it is assumed that the consent of a parent or guardian has been obtained in accordance with separate guidelines issued by Norwegian Sports Federation (NIF).

Your name and phone number will always be required when registering. In some cases, we will ask for your date of birth and an e-mail address. If you are registered in the Norwegian National Registry (DSF), you must state your national ID number. In this case, you accept that we check the information and retrieve additional information from the DSF, which includes your full name, residential address with corresponding geographical location and status.

The establishment and administering of your customer relationship with Buypass is subject to the Personal Data Act (personopplysningsloven). For several services, the obligations of the Anti-Money Laundering Regulation (hvitvaskingsforskriften) apply. This means that you must provide a valid identity document and we are obliged to control and store this information.

You are responsible for ensuring that the information you provide is complete and correct. Giving deliberate misrepresentation may result in criminal liability.

2.2 The purpose of collecting information

For secure identifying you as a customer, to protect against ID fraud, and to ensure the security of our services, we collect personal information and information relating to your use of eID and other services. We will use your contact information (name, address, mobile number, and/or e-mail address) to conduct various marketing activities if you have consented to this.

2.3 Processing and storing of information

Buypass is responsible for the security of your personal information. We shall provide satisfactory information security (integrity, confidentiality and availability) through planned and systematic work and that this is in accordance with applicable legislation.

We will collect and process your personal information in accordance with obligations in the Personal Data Act as long as the agreement applies. In accordance with applicable regulations relating to the use of our services, we are also obliged to store your information for a period after the customer relationship is terminated. After that, we will delete the information unless we are required by law to keep it for longer.

We monitor all transactions that are carried out in our systems as part of our work to prevent misuse and financial crime. We have guidelines for deciding what actions to take and when. This includes reporting to the authorities on suspicion of criminal activity.

You are required to inform us of changes to your personal information. Buypass is entitled to update information when changes are made or confirmed by public authorities, such as information kept in the DSF.

Whenever you use Buypass eID or other services regulated by this agreement through one of our Merchants, Buypass is not responsible for information collected, stored, or processed by Merchants beyond the provisions stated in section 2.1. This is regulated by our Merchants’ own terms and conditions in accordance with applicable privacy regulations.

2.4 Right of access, correction and deletion of information

Buypass is regarded as the controller of the information processed in connection with your customer relationship with Buypass. You can find information about the processing of personal data on the Buypass website (Privacy Policy), or you can make an enquiry through Buypass customer service.

According to the Personal Data Act, you may request access to and, if necessary, correct your personal information. You can do this yourself on My Page available on the Buypass website, at our Merchants websites, or by contacting Buypass customer service.

You can terminate your customer relationship and ask for your information to be deleted without any further justification. You must do this by notifying Buypass via our customer service. We will let you know about the information deletion as quickly as possible and within 30 days. However, Buypass is obliged to keep information on eID and payment transactions beyond this in accordance with legislation and regulations governing such services.

2.5 Sharing of information 

Buypass is responsible for the confidentiality of the information obtained in the use of Buypass eID and services.

Buypass will not disclose personal information to third parties, unless such information is required according to the authority's request for extradition, the principle of Lex superior or by your own written consent.

We analyze traffic and usage patterns to measure availability. These analyses provides the basis for further development to improve the performance of our services.

We run external analysis tools to understand how customers use and communicate with the services we offer.  In cases where we rely on external service providers, we will give them access to or send them such information. These providers may use cookies and similar technologies to collect usage information.

Any shared information will be processed in accordance with the terms of this agreement and the data processor agreements entered into between Buypass and our Merchants and subcontractors. The data used for such analyses is anonymised and it contains no personally identifiable information.

3. Liability

3.1 Customer liability

The use of your eID and services regulated by this agreement is your responsibility.

If you suspect unwanted activities as possible fraudulent use of your eID-devices (e.g. smartcard, mobile), or the devices are no longer in your possession, you are obliged to notify Buypass immediately.

Once Buypass has received notification that your eID should be blocked and revoked, and we have confirmed the revocation, you will cease to be liable.

3.2 Limitation of liability

Buypass cannot be held liable for losses as a result of the relevant services cannot be used, either, due to technical faults, lost profits or damages resulting from business interruption, or certificates are revoked.

Buypass disclaims its liability in the case of any losses you may incur as a customer if you use eID or other services contrary to the terms of this agreement.

When you use eID, Buypass’ liability is limited, in any case, to losses resulting from negligence on the part of Buypass and where you or others had reasonable grounds to rely on eID. Liability extends to direct losses only and is limited to NOK 5,000 per transaction and NOK 10,000 per customer per year.

When using payment services, Buypass’ liability is limited to the payment transactions themselves from the moment they are received in Buypass’ systems. Buypass remains external to disputes relating to goods or services purchased at our Merchants sites, complaints, refunds, or similar. Information stored in error- or transaction logs shall be considered as binding evidence for the circumstances to which it pertains.

Should an extraordinary situation arise, which is outside of the parties’ control and which, according to normal purchase law, is regarded as Force Majeure, and which makes it impossible for one or both parties to satisfy one or more obligations of this agreement, the affected obligations will be suspended for the duration of the extraordinary situation.

4. Changing the terms and conditions of this agreement

As a customer, you are entitled to approve significant changes to this agreement.

However, Buypass are entitled to to make minor amendments to this agreement, provided this does not change our relationship with you.

New versions of this agreement will be published and announced on Buypass’ website at least fifteen days before the amendment(s) take(s) effect.

If you do not wish to accept the the changes in conditions, you must terminate your customer relationship. Please contact Buypass customer service.

5. Disputes

Should disagreement arise between the parties regarding the interpretation or legal effect of this agreement or concerning services, the parties may seek to resolve the dispute between themselves.

If such attempts are unsuccessful, disputes concerning payment services shall be taken to the Financial Complaints Committee.

If agreement cannot be reached, the parties may seek a settlement in the courts. Oslo District Court will be the legal venue.

6. Duration and termination

The customer relationship will last until one of the parties terminate the agreement, or until it terminates as the result of a change in status in the Norwegian National Registry (DSF).

You are entitled to terminate the agreement at any time without any further justification.

If, as a customer, you act contrary to the terms of the agreement, Buypass is entitled to terminate the agreement with immediate effect. Buypass is entitled to suspend services offered under the contractual relationship if necessary. Identity fraud and document forgery or attempts at the same will always be considered as a material breach and may be reported to the police.

An eID will be revoked immediately upon termination of the agreement. Buypass will attempt to pay any funds held in your e-money account to your registered bank account.

The parties’ obligations will terminate upon cancellation of the agreement, however Buypass’ obligations relating to storing and processing of personal data (discussed in sections 2.3 and 2.4) will apply as stipulated in this agreement and in Norwegian law.

7. Electronic identification

7.1 About eID

An electronic ID (eID) is a proof of identity that confirms that you are who you claim to be.

An eID usually consists of something you have in the form of a device, e.g. a smart card or mobile phone, and something you know, like a personal PIN code or password.

7.2 Use and safe-keeping of eID

An eID identifies you as a person and is therefore strictly personal. An eID that is no longer under your personal control should be considered stolen and should be revoked immediately by notifying Buypass customer service.

If you know or suspect that the device being used for an eID has been mislaid, lost, or stolen, or that someone else knows the code, you should change the code immediately or contact Buypass revocation service or a Buypass Merchant.

If you fail to do this, we are entitled to regard this as gross negligence (see section 3.1).

Regardless of which device (smart card, PC, or mobile), an eID is always used together with a personal and confidential code (PIN, password, etc.). The code should never be entrusted to others and should always be kept and used in a manner that prevents unauthorised person to gain knowledge of the code.

8. Additional terms and conditions for Buypass qualified certificates

Buypass offers different versions of the eID based on a range of technologies; one of these is PKI-based (certificate). This technology has particular features that make it attractive for many areas of use, including authentication, electronic signatures, and encryption.

Buypass qualified certificates are digital certificates that meet the highest security requirements.

8.1 About Buypass qualified certificates

Buypass is the certificate provider of Buypass qualified certificates for electronic signatures (regulated under Norwegian Act 2018-06-15-44 relating to electronic trust services (lov om elektroniske tillitstjenester), hereafter referred to as “Buypass qualified certificates”.

Buypass qualified certificates meet the requirements of Person High in accordance with the Requirements specification for PKI in the public sector, and can be used as eID at the highest assurance level. Buypass qualified certificates can also be used for advanced electronic signatures in accordance with the Act relating to electronic trust services.

The qualified certificates are linked to a private key which you alone have access to, either within a smart card or stored centrally at Buypass. You authorize the access to the private key in the smart card with your personal PIN code. Similarly, you authorize the access to your centrally stored private key by using your personal eID at a sufficiently assurance level.

Buypass qualified certificates are valid for up to 5 years from the date of issuance.

Buypass publishes all certificates in a directory so they can be retrieved using an open public lookup service. By accepting the terms and conditions you consent to such publication of your certificates.

Some Buypass Merchants use Norwegian National ID Number as identification term in their systems. If you choose to use the certificates for accessing a Merchant system, you also accept that Buypass can give your national ID number to the Merchants who have the necessary authorisation.

8.2 Scope and acceptance

These terms and conditions apply to the application for and use of Buypass qualified certificates. The terms and conditions are in addition to and apply alongside those in the current Buypass customer agreement (see sections 1-7 of this agreement).

As part of the additional terms and conditions, the document “Certification Practice Statement (CPS) for Buypass Class 3 Qualified Certificates” also applies. A shortened version of the relevant information can be found in the document “PKI Disclosure Statement (PDS)”.

The obligations you, as a customer, undertake by applying for and using Buypass qualified certificates, are described under the subject and subscriber obligations within these documents.

The Buypass Customer Agreement, PDS, and CPS are available from the Buypass website: select CA Documentation (legal) and then Personal qualified certificates.

We consider these additional terms and conditions as accepted once you confirm that you have read and accepted them upon signing up as a customer or upon first time using the qualified certificates.

8.3 Collecting, processing, and storing information

Some form of identity verification is required whenever you sign up for and/or order Buypass qualified certificates.  Identity verification is carried out in accordance with the Norwegian Act relating to electronic trust services (lov om elektroniske tillitstjenester).

It requires that you appear in person and provide valid proof of identity. You must accept that a photocopy will be made of your identification document. A distribution service provider such as Norwegian Post can do this. It may also be performed at one of our Merchants, or at Buypass.

We may send your mobile number and/or e-mail address to the distribution service provider in order to keep you informed of shipping information.

We also accept the use of electronic attendance, which means using valid electronic ID (eID), corresponding to the same security level as Buypass qualified certificates. In this case, Buypass will store a unique reference to the eID you use.

The copy of the identification document and/or reference to the eID used will be regarded as personal data and processed as described in section 2.3.

All information about the application for and use of Buypass qualified certificates will be retained for ten years after the certificate expires.

8.4 Revocation of qualified certificates

Buypass is entitled to block and revoke qualified certificates if there are valid reasons for doing so.

Issuers of Buypass eID with qualified certificates can request revocation of certificates if there are valid reasons for doing so.

You as a customer can request revocation of certificates by contacting Buypass revocation service or the relevant issuer of Buypass eID with qualified certificates.

For more information about reasons for revoking and how revoking is carried out, please refer to the Certification Practice Statement (CPS).

9. Additional terms and conditions for Buypass Payment Services

9.1 Legal regulation and licencing provisions    

Buypass provides payment services to Merchants. Some payment services are defined as e-money services and are regarded as services under section 2.4 of the Norwegian Financial Institutions Act (finansforetaksloven). E-money are issued by Buypass’ subsidiary company, Buypass Payment AS, under a licence from the Norwegian Ministry of Finance.

9.2 About e-money accounts

When you sign up and establish a customer relationship an associated e-money account may be set up depending on the relationship. The e-money account can hold e-money for purchasing goods / services from Buypass Merchants.

The e-money account is accessed and disposed using an eID issued by Buypass.

You need to be fifteen years of age to be a customer of payment services.

9.2.1 Purchases and redemption

E-money stored in an e-money account should not be considered as a deposit, nor will it accrue interest, nor is it protected by collective banking insurance schemes.

E-money is purchased and redeemed at its face value in Norwegian kroner. You can do this yourself on My Page available on the Buypass website or at our Merchants.

Buypass is entitled to charge a fee on the purchase and redemption of e-money.

Buypass is entitled to stop the payment services with immediate effect, and will then set a date for the latest deadline for the redemption of e-money. After the deadline, Buypass is not obliged to redeem balance.

9.3 Payment methods – source of funds

A bank account transfer can do transfer of funds to your e-money account, by using a Visa/MasterCard debit or credit card, or with an invoice.

9.3.1 Payment cards

Buypass is approved under the PCI DSS (Payment Card Industry Data Security Standard). This standard sets comprehensive requirements concerning data security in relation to transactions as well as the storing and use of payment card information.

Buypass processes card transactions in connection with the purchase and redemption of electronic funds. In order to carry out a payment card transaction we need your name, card number, card expiry date, and CVC/CVV code.

We encrypt and process all information confidentially and in compliance with the Marketing Control Act (markedsføringsloven) and the Personal Data Act (personopplysningsloven). We never share your full card number or other card details with our Merchants.

You can choose to delete the card information you have stored in our systems at any time.

9.3.2 e-Invoice – digital invoice

e-Invoice is an electronic invoicing service that allows you to receive invoices directly into your Internet bank account. You activate this service within your own Internet bank. On activation, you must provide your full name, your national ID number, e-mail address, and mobile number.

Buypass will send invoices to your Internet bank account on behalf of our Merchants and you must accept each invoice manually for payment.

9.4 Processing and storing of information

The terms and conditions described in section 2.3 apply to the processing and storing of payment information.

9.5 Right of access, correction and deletion of information

Buypass shall ensure that you are able to access account statements for your e-money account, either on the Buypass website or on sites of Merchants who offer our payment services. You are responsible for checking movements on the account and notifying in case of suspected errors.

If an incorrect debit- or credit transaction has occurred on your e-money account, Buypass is entitled and obliged to correct the error by correcting the account.

If an account is incorrectly credited and you are disposing these funds, you are obliged to pay back the amount of funds that is not covered by the account. This applies even if you acted in good faith concerning the incorrect credit.

You are entitled to make a complaint if you believe a transaction connected to your e-money account is incorrect. Complaints of this nature should be stated to Buypass customer service. Buypass is obliged to investigate the situation, handle the complaint, and reply to you within a reasonable timeframe. We refer to section 5 for information on handling dispute.

9.6 Sharing of information

The terms and conditions described in section 2.5 apply to the sharing of payment information.

10. Buypass contact information

If you have questions concerning this agreement or require information in other matters, please contact us using one of the following methods:

E-mail: support@buypass.com
Telephone: +47 22 70 13 00
Website: https://www.buypass.com/the-company/contact-customer-support
Revocation: https://www.buypass.com/security/revocation-service