Version 8.0 | Published 2020.12.23 | Valid from 2021.01.11
1. About the customer agreement
1.1 Parties to the agreement
This is an agreement between you, as the customer and Buypass AS (organization no. 983163327), hereafter referred to as customer and Buypass respectively.
In cases where the services you as a customer use include Buypass e-money and payment solutions, Buypass Payment AS (corp. No. 980932753) will be included as a party to the agreement, hereinafter referred to as Buypass Payment.
1.2 Scope of agreement
The agreement applies to the application for and use of Buypass electronic identification (Buypass eID), either from Buypass directly, from one of our merchants or from an organisation. Buypass eID is supplied at various assurance levels and by different means, such as smart card, security key, password and one-time authorisation codes, or mobile.
See section 7 for more information about Buypass eID.
See section 8 for additional terms and conditions relating to the application and use of Buypass eID for strong authentication.
See section 9 for additional terms and conditions relating to the application for and use of Buypass eID with qualified certificates for natural persons.
See section 10 for additional terms and conditions relating to the use of Buypass e-money and payment solutions.
1.3 Acceptance of agreement
By accepting the terms and conditions of this agreement, you consent to Buypass collecting, storing, and processing your personal information and information relating to your use of our services.
You can read the agreement when you register and apply for Buypass eID. We assume that you have accepted once you sign or tick the box saying you have read and accepted the agreement.
You also find Customer agreement in PDF-fomat here.
2. Customer relationship
2.1 Establishing the customer relationship
When registering, the customer relationship is established. You register either on Buypass website, at one of our merchants, or at an organisation that operates as a registration authority (RA) for Buypass, hereinafter referred to as Organisation.
You must be 13 years old to register. An exception to this applies when registering for “Idrettens ID”, where it is assumed that the consent of a parent or guardian has been obtained in accordance with separate guidelines issued by Norwegian Sports Federation (NIF).
When registering, your Norwegian Identity Number (birth number (FNR) or D-number (DNR)) will be required. In some cases, also name, mobile number and email address are required. You accept that Buypass and/or Organisation verifies the information towards the National Population Register (FREG) and can retrieve your full name, residential address with associated geographical location, and status, and if DNR your national identity.
The establishment and administering of your customer relationship with Buypass is subject to the Personal Data Act (Personopplysningsloven).
The Electronic Trust Services Act (Lov om elektroniske tillitstjenester) together with the Regulation on self-declaration scheme (Selvdeklarasjonsforskriften) regulate the eID levels, which apply to Buypass eID for strong authentication (see section 8) and Buypass qualified certificates (see section 9), while the Anti-Money Laundering regulation (Hvitvaskingsregelverket) apply to payment services (see section 10).
This means that you must provide a valid identity document and we are obliged to control and store the information.
You are responsible for ensuring that the information you provide is complete and correct. Giving deliberate misrepresentation may result in criminal liability.
2.2 The purpose of collecting information
For secure identifying you as a customer, to protect against ID fraud, and to ensure the security of our services, we collect personal information and information relating to your use of Buypass eID and /or payment services.
We can only use your contact information (name, address, mobile number and / or email address) to conduct various marketing activities if you have been explicitly asked and accepted that Buypass sends you such information.
2.3 Processing and storing of information
Buypass is responsible for the security of your personal information. We shall provide satisfactory information security (integrity, confidentiality and availability) through planned and systematic work and that this is in accordance with applicable legislation.
We will collect and process your personal information in accordance with obligations in the Personal Data Act as long as the agreement applies. In accordance with applicable regulations relating to the use of our services, we are also obliged to store your information for a period after the customer relationship is terminated. After that, we will delete the information unless we are required by law to keep it for longer.
We monitor all transactions that are carried out in our systems as part of our work to prevent misuse and financial crime. We have guidelines for deciding what actions to take and when. This includes reporting to the authorities on suspicion of criminal activity.
You are required to inform us of changes to your personal information. Buypass is entitled to update information when changes are made or confirmed by public authorities, such as information kept in the Norwegian Population Registry.
Whenever you use Buypass eID and/or payment services regulated by this agreement at one of our merchants, Buypass is not responsible for information collected, stored or processed by merchants beyond the provisions stated in section 2.1. This is regulated by our merchants’ own terms and conditions in accordance with applicable privacy regulations.
2.4 Right of access, correction and deletion of information
According to the Personal Data Act, you may request access to and, if necessary, correct your personal information. You can do this yourself on My Page (Min Side) available on the Buypass website, at our merchants websites, or by contacting Buypass customer service.
You can terminate your customer relationship and ask for your information to be deleted without any further justification. You must do this by notifying Buypass via Buypass customer service. We will let you know about the information deletion as quickly as possible and within 30 days.
However, Buypass is obliged to keep information on Buypass eID and payment transactions beyond this in accordance with legislation and regulations governing such services.
2.5 Sharing of information
Buypass is responsible for the confidentiality of the information obtained in the use of Buypass eID and/or payment services.
Buypass will not disclose personal information to third parties, unless such information is required according to the authority's request for extradition, the principle of Lex superior or by your own written consent.
We analyse traffic and usage patterns to measure availability. These analyses provide the basis for further development to improve the performance of our services.
Any shared information will be processed in accordance with the terms of this agreement and the data processor agreements entered between Buypass and our merchants and subcontractors. The data used for such analyses is anonymised and it contains no personally identifiable information.
3.1 Customer liability
The use of your Buypass eID and/or payment services regulated by this agreement is your own responsibility. If you suspect unwanted activities as possible fraudulent use of your eID-devices (e.g. smartcard, security key, mobile), or the devices are no longer in your possession, you are obliged to notify Buypass immediately.
Once Buypass has received notification that your Buypass eID should be revoked, and we have confirmed the revocation, you will cease to be liable.
3.2 Limitation of liability
Buypass cannot be held liable for losses because of the relevant services cannot be used, either, due to technical faults, lost profits or damages resulting from business interruption, or certificates are revoked.
Buypass disclaims its liability in the case of any losses you may incur as a customer if you use Buypass eID and/or payment services contrary to the terms of this agreement.
When you use eID, Buypass’ liability is limited, in any case, to losses resulting from negligence on the part of Buypass and where you or others had reasonable grounds to rely on eID. Liability extends to direct losses only and is limited to NOK 5,000 per transaction and NOK 10,000 per customer per year.
When using payment services, Buypass’ liability is limited to the payment transactions themselves from the moment they are received in Buypass’ systems. Buypass remains external to disputes relating to goods or services purchased at our merchants sites, complaints, refunds, or similar. Information stored in error- or transaction logs shall be considered as binding evidence for the circumstances to which it pertains.
Should an extraordinary situation arise, which is outside of the parties’ control and which, according to normal purchase law, is regarded as Force Majeure, and which makes it impossible for one or both parties to satisfy one or more obligations of this agreement, the affected obligations will be suspended for the duration of the extraordinary situation.
4. Changing the terms and conditions of this agreement
As a customer, you are entitled to approve significant changes to this agreement.
However, Buypass are entitled to make minor amendments to this agreement, provided this does not change our relationship with you.
New versions of this agreement will be published and announced on Buypass website at least fifteen (15) days before the amendment(s) take(s) effect.
If you do not wish to accept the changes in conditions, you must terminate your customer relationship. Please contact Buypass customer service.
Should disagreement arise between the parties regarding the interpretation or legal effect of this agreement or concerning services, the parties may seek to resolve the dispute between themselves.
If such attempts are unsuccessful, disputes concerning payment services shall be taken to the Financial Complaints Committee.
If agreement cannot be reached, the parties may seek a settlement in the courts. Oslo District Court will be the legal venue.
6. Duration and termination
The customer relationship will last until one of the parties terminate the agreement, or until it terminates as the result of a change in status in the Norwegian Population Registry.
You are entitled to terminate the agreement at any time without any further justification.
If your Buypass eID is issued via an Organisation, the customer relationship terminates when your affiliation with the Organisation ends.
If, as a customer, you act contrary to the terms of the agreement, Buypass is entitled to terminate the agreement with immediate effect. Buypass is entitled to suspend services offered under the contractual relationship if necessary. Identity fraud and document forgery or attempts at the same will always be considered as a material breach and may be reported to the police.
An Buypass eID will be revoked immediately upon termination of the agreement. Buypass will attempt to pay any funds held in your e-money account to your registered bank account.
The parties’ obligations will terminate upon cancellation of the agreement, however Buypass’ obligations relating to storing and processing of personal data (discussed in sections 2.3 and 2.4) will apply as stipulated in this agreement and in Norwegian law.
7. Electronic identification
7.1 About Buypass eID
Buypass eID is a proof of identity that confirms that you are who you claim to be. Buypass eID usually consists of something you have in the form of a device, e.g. a smart card, security key or mobile phone, something you know like a personal PIN code or password, or something you are like biometrics with use of touch ID and/or face ID.
7.2 Use and safe-keeping of Buypass eID
Buypass eID identifies you as a person and is therefore strictly personal. Buypass eID that is no longer under your personal control should be considered stolen and should be revoked immediately by notifying Buypass customer service.
If you know or suspect that the device being used for Buypass eID has been mislaid, lost, or stolen, or that someone else knows the code, you should change the code immediately or contact Buypass revocation service, a merchant or your Organisation so that the Buypass eID can be revoked.
If you fail to do this, we are entitled to regard this as gross negligence (see section 3.1).
Regardless of which device (smart card, security key, or mobile), an Buypass eID is always used together with personal and confidential code or biometrics (PIN, password, touch ID, face ID, etc.). The code should never be entrusted to others and should always be kept and used in a manner that prevents unauthorised person to gain knowledge of the code.
8. Additional terms and conditions for Buypass eID for strong authentication
8.1 About Buypass eID for strong authentication
Buypass is the provider of Buypass eID for strong authentication without use of qualified certificates. These are regulated in the Regulation on self-declaration scheme (Selvdeklarasjonsforskriften) under the Electronic Trust Services Act (Lov om elektroniske tillitstjenester).
Buypass eID can be used for authentication for organisation-internal, public and private services in Norway on the assurance levels substantial and high.
Buypass is the provider of several types of eIDs for strong authentication:
- Buypass Fido2 Security Key (BpFido2 Key) consists of a key pair generated in a device (security key or smart card). The private key remains in the device, while the public key is connected to your Buypass identity account. You control access to the keys in the device yourself with your personal PIN code. BpFido2 Key is delivered as an eID at the levels substantial and high in accordance with the Regulation on self-declaration scheme (Selvdeklarasjonsforskriften).
- Buypass Code (BpCode) is a mobile APP that is connected to your identity account at Buypass after activation using your verified mobile number. You control access to your identity yourself using a mobile app and your personal PIN code or touch ID/face ID. Buypass Code is an eID which together with BpFido2 Key can be used at level substantial in accordance with the Regulation on self-declaration scheme (Selvdeklarasjonsforskriften).
Some merchants use the Norwegian National ID Number as identification in their systems. If you choose to use the Buypass eID for accessing a merchant system, you also accept that Buypass can give your National ID Number to the merchants who has the necessary authorisation.
8.2 Collection, processing, and storage of information
Whenever you sign up for and/or order Buypass eID, some form of identity control is always required. Identity verification is carried out in accordance with the Regulation on self-declaration scheme (Selvdeklarasjonsforskriften).
It requires that you appear in person and provide valid proof of identity. You must accept that a photocopy of the identity document can be taken. This is done at an affiliated Organisation.
Alternatively, you can carry out secure digital verification of your identity based on reading of a machine-readable passport and biometric face recognition. You must accept that information about the identity document is transmitted electronically after the reading and stored at Buypass.
We also accept the use of electronic attendance, i.e. by using a valid electronic identification (eID) at the same security level or higher than the Buypass eID that is issued. In this case, Buypass will store a unique reference to the eID you use.
A copy of the identity document and / or reference to the used eID is considered as personal data and will be processed as described in section 2.3.
All information about the application for and use of Buypass eID will be retained for 5 years or 10 years after the expiration of Buypass eID. 5 years applies to Buypass eID at assurance level substantial and 10 years applies to Buypass eID at assurance level high.
As a customer you can request revocation of your Buypass eID by contacting the Buypass Revocation Service or the Organisation you are affiliated with.
If your Buypass eID has been issued via an Organisation, the Organisation may revoke your Buypass eID on its own initiative if there is a valid reason for revoking, e.g. termination of employment or other affiliation with the Organisation.
Buypass can revoke your Buypass eID on its own initiative if there is a valid reason for revoking.
9. Additional terms for Buypass qualified certificates
Buypass eID with qualified certificates is based on technology (PKI - Public Key Infrastructure) that has special characteristics that make it attractive for many types of usage including authentication, signing and encryption.
9.1 About Buypass qualified certificates
Buypass is the certificate provider of Buypass qualified certificates for electronic signatures regulated under the act of Electronic Trust Services (Lov om elektroniske tillitstjenester), hereafter referred to as Buypass qualified certificates.
The certificates may be used for public and private services in Norway for authentication, as Buypass eID level high in accordance with the Regulation on self-declaration scheme (Selvdeklarasjonsforskriften).
The qualified certificates are linked to a private key which you alone have access to, either within a smart card or for Buypass ID in mobile and ID@Work stored centrally at Buypass. You authorize the access to the private key in the smart card with your personal PIN code. Similarly, you authorize the access to your centrally stored private key by using your personal Buypass eID at a sufficiently assurance level.
Buypass qualified certificates are valid for up to 3 years from the date of issuance.
Buypass publishes all certificates in a directory so they can be retrieved using an open public lookup service. By accepting the terms and conditions you consent to such publication of your certificates.
Some merchants use Norwegian National ID Number as identification in their systems. If you choose to use the certificates for accessing a merchant system, you also accept that Buypass can give your National ID Number to the merchants who have the necessary authorisation.
9.2 Scope and acceptance
These terms and conditions apply to the application for and use of Buypass qualified certificates. The terms and conditions are in addition to and apply alongside those in the current Buypass customer agreement (see sections 1-7 of this agreement).
As part of the additional terms and conditions, the document “Certification Practice Statement (CPS) for Buypass Class 3 Person Qualified Certificates” also applies. A shortened version of the relevant information can be found in the document “PKI Disclosure Statement (PDS)”.
The obligations you, as a customer, undertake by applying for and using Buypass qualified certificates, are described under the subject and subscriber obligations within these documents.
The Buypass Customer Agreement, PDS, and CPS are available from the Buypass website: select CA Documentation (legal) and then Person qualified certificates.
We consider these additional terms and conditions as accepted once you confirm that you have read and accepted them upon signing up as a customer or upon first time using the qualified certificates.
9.3 Collecting, processing, and storing information
Whenever you sign up for and/or order Buypass qualified certificates, some form of identity control is always required. Identity verification is carried out in accordance with the Electronic Trust Services Act (Lov om elektroniske tillitstjenester).
It requires that you appear in person and provide valid proof of identity. You must accept that a photocopy will be made of your identification document. A distribution service provider such as Norwegian Post can do this. It may also be performed at a related Organisation, merchant or at Buypass.
We may send your mobile number and/or e-mail address to the distribution service provider to keep you informed of shipping information.
We also accept the use of valid electronic ID (Buypass eID) at the same security level as Buypass qualified certificates. In this case, Buypass will store a unique reference to the Buypass eID you use.
The copy of the identification document and/or reference to the Buypass eID used will be regarded as personal data and processed as described in section 2.3.
All information about the application for and use of Buypass qualified certificates will be retained for ten years after the certificate expires.
9.4 Revocation of qualified certificates
As a customer you can request revocation of your Buypass eID with qualified certificates by contacting Buypass Revocation Service or the Organisation you are affiliated with.
If your Buypass eID with qualified certificates has been issued via an Organisation, the Organisation may revoke your certificates if there is a valid reason for revoking, e.g. termination of employment or other affiliation with an Organisation.
Buypass can revoke your Buypass eID with qualified certificates if there is a valid reason for revoking.
For more information about reasons for revoking and how revoking is carried out, please refer to the Certification Practice Statement (CPS).
10. Additional terms and conditions for Buypass Payment Services
10.1 Legal regulation and licencing provisions
Buypass provides payment services to merchants. Some payment services are defined as e-money services and are regarded as services under section 2.4 of the Norwegian Financial Institutions Act (Finansforetaksloven). E-money are issued by Buypass’ subsidiary company, Buypass Payment AS, under a licence from the Norwegian Ministry of Finance.
10.2 About e-money accounts
When you sign up and establish a customer relationship an associated e-money account may be set up depending on the relationship.
The e-money account can hold e-money for purchasing goods / services from merchants.
The e-money account is accessed and disposed using an Buypass eID.
You need to be fifteen years of age to be a customer of payment services.
10.2.1 Purchases and redemption
E-money stored in an e-money account should not be considered as a deposit, nor will it accrue interest, nor is it protected by collective banking insurance schemes.
E-money is purchased and redeemed at its face value in Norwegian kroner. You can do this yourself using the mobile app or the My Page feature, both available from a connected merchant.
Buypass is entitled to charge a fee on the purchase and redemption of e-money.
Buypass is entitled to stop the payment services with immediate effect and will then set a date for the latest deadline for the redemption of e-money. After the deadline, Buypass is not obliged to redeem balance.
10.3 Payment methods – source of funds
A bank account transfer can do transfer of funds to your e-money account, by using a Visa / MasterCard debit or credit card, Vipps or with an invoice.
10.3.1 Payment cards
Buypass is approved under the PCI DSS (Payment Card Industry Data Security Standard). This standard sets comprehensive requirements concerning data security in relation to transactions as well as the storing and use of payment card information.
Buypass processes card transactions in connection with the purchase and redemption of electronic funds. To carry out a payment card transaction we need your name, card number, card expiry date, and CVC/CVV code.
We encrypt and process all information confidentially and in compliance with the Marketing Control Act (Markedsføringsloven) and the Personal Data Act (Personopplysningsloven). We never share your full card number or other card details with our merchants.
You can choose to delete the card information you have stored in our systems at any time.
10.3.2 e-Invoice – digital invoice
e-Invoice is an electronic invoicing service that allows you to receive invoices directly into your Internet bank account. You activate this service within your own Internet bank. On activation, you must provide your full name, your national ID number, e-mail address, and mobile number.
Buypass will send invoices to your Internet bank account on behalf of our merchants and you must accept each invoice manually for payment.
10.4 Processing and storing of information
The terms and conditions described in section 2.3 apply to the processing and storing of payment information.
10.5 Right of access, correction and deletion of information
Buypass shall ensure that you are able to access account statements for your e-money account, either on the Buypass website or on sites of merchants who offer our payment services. You are responsible for checking movements on the account and notifying in case of suspected errors.
If an incorrect debit- or credit transaction has occurred on your e-money account, Buypass is entitled and obliged to correct the error by correcting the account.
If an account is incorrectly credited and you are disposing these funds, you are obliged to pay back the amount of funds that is not covered by the account. This applies even if you acted in good faith concerning the incorrect credit.
You are entitled to make a complaint if you believe a transaction connected to your e-money account is incorrect. Complaints of this nature should be stated to Buypass customer service. Buypass is obliged to investigate the situation, handle the complaint, and reply to you within a reasonable timeframe. Refer to section 5 for information on handling dispute.
10.6 Sharing of information
The terms and conditions described in section 2.5 apply to the sharing of payment information.
11 Buypass contact information
If you have questions concerning this agreement or require information in other matters, please contact us using one of the following methods:
Buypass customer service, e-mail: firstname.lastname@example.org
Buypass customer service, telephone: +47 22 70 13 00
Buypass website: https://www.buypass.com/the-company/contact-customer-support
Buypass Revocation Service: https://www.buypass.com/security/revocation-service