Privacy Policy

Your Agreement with Buypass

The privacy policy is part of the customer agreement between you, as the user/customer, and Buypass AS (Norwegian organisation number 983 163 327). The policy also covers how we process your personal data in all the services we offer. Therefore, it is important that you read this policy carefully before using any of our services.

“Personal data” describes data and evaluations that can be connected to an individual. Buypass processes personal data in accordance with the Norwegian Personal Data Act and its associated regulations, as well as other relevant legislation, such as the Norwegian Marketing Control Act and the Norwegian Accounting Act. 

Data Controller

Buypass AS is the data controller for the processing of personal data described in this privacy policy. If you have any questions concerning this privacy policy, you can contact us either by phone or by using our contact form (see Contact Information below).

Data Protection Officer

Buypass has its own data protection officer who you can contact if you have any questions about how Buypass processes your personal data, or if you need help exercising your rights in relation to your personal data. The data protection officer has a duty of confidentiality.

Processing of Personal Data

In order to process your personal data, we must have a legal basis for doing so. We process data on the following legal bases:

1) It is necessary to fulfil our agreement with you

Our primary purpose for processing your data is user administration. Depending on which of our services you have chosen, we also process data for the purposes of invoicing and executing payment orders.

2) Legal obligations

Buypass also processes your personal data to fulfil our obligations in accordance with the relevant laws, regulations, and government decisions, such as the Norwegian Personal Data Act, the Norwegian Bookkeeping Act, and the Norwegian Money Laundering Act, as well as any mandatory disclosure orders.

The purposes of this type of processing include to prevent and uncover criminal acts (such as identity theft, money laundering, terrorist financing, and fraud), to fulfil our bookkeeping requirements, and to meet our obligations in terms of reporting to the police, regulatory authorities, and other authorities pursuant to the law.

3) Legitimate interest

Buypass may process your personal data with the purpose of safeguarding a legitimate interest. In order to take precedence over individual privacy concerns, the legitimate interest must be lawful, predefined, genuine, and reasonably justified in the business activity.

One example of processing personal data on this basis would be monitoring user transaction patterns in order to discern whether a criminal act has taken place.

4) Consent

If no other legal basis applies, Buypass processes your personal data on the basis of voluntary, explicit, and informed consent from you, as the user of our services. If you have given your consent for Buypass to process your personal data, you may withdraw it any time. If you withdraw your consent, we will stop the processing and, if the sole legal basis for our processing was your consent, erase your personal data.

• When you register with us to use our services 
• When you or Buypass make any changes to the information related to your user account with us
• When you make use of our eID and/or payment services
• When you answer our inquiries 
• When you order a product or service from us
• When you use one or more of our solutions
• When you send us an inquiry
• When you sign up to an activity
• When you consent to receiving newsletters and other relevant information from us
• When you apply for a job with us
• When you visit our website www.buypass.no or www.buypass.com
• See also the customer agreement where relevant
   

Visiting Our Websites 

We use the cookie scanning tool from OneTrust to scan our website regularly in order to maintain the list of cookies we use. We classify cookies in the following categories:

• Strictly necessary cookies
• Performance cookies
• Functional cookies
• Targeting cookies

You can change your cookie settings whenever you want (with the exception of Strictly necessary cookies) by clicking on the “Cookies setting" button at the bottom of the website.

You can read more about the cookies we use at www.buypass.no and www.buypass.com.

Website Statistics
Buypass collects de-identified and anonymised data on visitors to our websites. The purpose of this collection is to develop statistics that can be used to improve and further develop the content on our websites. Examples of the type of data we collect include how the visitor uses our website, which website the visitor has come from, how many visitors visit different pages, how long visits last, what visitors click on, and which browser the visitor is using.

This data is processed in a de-identified and aggregated form. “De-identified” means that we cannot trace the data that we collect back to the individual user. “Aggregated” means that all the data is combined into one group and not processed individually. In addition, IP addresses that are collected via our websites are anonymised.

Buypass uses Google Analytics on www.buypass.no and www.buypass.com, which analyses and stores data. Any data collected by this tool is not shared with any other parties.

Buypass has implemented Matomo Analytics for analysis of websites and services on buypass.no and buypass.com. Matomo and Google are running in parallel for a period, with the goal of phasing out Google Analytics.

Our legal basis for processing data with the purpose of generating anonymous statistics is Article 6(1)(f) of the General Data Protection Act (GDPR), which allows us to process data that is necessary for safeguarding a legitimate interest. In this case, the legitimate interest is to improve and further develop the information on our websites.

Server Logs
All visits to our website are stored in a log on our servers. This data is collected to secure our website’s operationality. In the event of an attack against our website, the IP address that is used in connection with the attack will be blocked. 

HubSpot
Our CRM system HubSpot will ask your browser to accept cookies. If you accept cookies, these will track you anonymously until you submit the contact information in one of our forms and give us your consent to indirect / direct marketing from us. The consent means that information you provide can be linked to the information that has previously been anonymised about your use of our websites. If you want more information on how this works, you can see here here. (external website).

 

Other Information Collected via Our Website

• Our CCS sends e-mail and stores data
• Sales-related inquiries are stored in our CRM system
• Consent for electronic marketing

Our legal basis for this processing is Article 6(1)(f) of the GDPR, which allows us to process data that is necessary for safeguarding a legitimate interest. In this case, the legitimate interest is to be able to answer and have a conversation concerning your inquiry.

In order to send you our newsletter, we register your name, company name, and e-mail address. When you subscribe to our newsletter, you simultaneously consent to our processing of this data. Your contact details are saved in our CRM system and are not shared with any other party. If you unsubscribe from our newsletter, you simultaneously withdraw your consent to this processing, and your data is subsequently erased. You can unsubscribe by clicking the link for this within the newsletter or by using our contact form (see Contact Information below).

Our legal basis for processing your personal data in connection with our newsletter is Article 6(1)(a) of the GDPR – in other words, your consent. You can withdraw your consent any time by unsubscribing from the newsletter. Withdrawing your consent will not impact the legitimacy of the processing that happened before consent was withdrawn.

When signing up to an event, we will ask for personal data such as your name, contact information and workplace. This data is collected with the purpose of providing information to other participants, managing, and facilitating the event itself, and preparing an attendance list. This data is stored in our CRM system.

Our legal basis for this processing is Article 6(1)(f) of the GDPR, which allows us to process data that is necessary for safeguarding a legitimate interest. In this case, the legitimate interest is to be able to conduct activities, such as seminars, smoothly and efficiently.

Our Use of Other Tools

Hotjar
Hotjar is an analytical tool that we use to analyse user behaviour on our websites in order to make them more user friendly. It uses the visitor’s IP address to collect data on their movement, clicks and general behaviour on the website. This data is anonymised and stored for a maximum of 365 days.

HubSpot
We use HubSpot as a CRM system to manage information about our contacts (customers, partners and prospects). Here we store data such as name, e-mail, telephone, and notes related to dialogue / sales processes. Data is stored for as long as needed, or the user requests to be deleted.

Pureservice
We use Pureservice from Syscom AS as a case management tool for our customer support service. We store data such as names, e-mails, telephone numbers, and description of the matter and the suggested solution. Our legal basis for this processing is Article 6(1)(f) of the GDPR, which allows us to process data that is necessary for safeguarding a legitimate interest, as well as Article 6(1)(b) of the GDPR, which allows us to process data that is either necessary for fulfilling an agreement with the data subject or for implementing measures at the data subject’s request before entering into an agreement.

Buypass is required to keep a copy of validations for any issued certificates for 10 years after the certificate has expired or been revoked.

Buypass Community

Buypass uses Forumbee as the total supplier of Buypass Community. Therefore, in this context, Forumbee’s own guidelines and privacy policy take precedence over Buypass’ privacy policy.

Sharing Information

Buypass will not disclose your personal data to any third parties unless this is required by the relevant legislation or in accordance with a final judgement, or unless this is known and approved by you beforehand.

For more details on sharing information, see point 2.5 of the customer agreement.

Storage and Security

When you submit your personal data to us, you can be sure that storage and processing only takes place in Norway. Buypass does not store personal data for longer than is necessary to fulfil the purpose of processing.

In accordance with the GDPR, we have established and documented measures and routines that safeguard the integrity, accessibility, and confidentiality of all the personal data we process.

All our eID and payment services are encrypted with technology that has been deemed secure by the relevant legislation and standards. 

It is your responsibility as the data subject to keep the password or PIN code that gives you access to our services, or services from other providers that use our eID and payment services, secret.

For more details on how we process and store your personal data, see point 2.3 of the customer agreement. For more details on liability, see section 3 and point 7.2 of the customer agreement. 

Accessing, Changing, and Rectifying Information

In accordance with the Norwegian Personal Data Act, you have the right to access your own personal data. If the information we have about you is incorrect, you have the right to have the information rectified, supplemented, or erased. You can correct certain information yourself by logging in to “Min side” on Buypass.no or “My page” on Buypass.com. 

If you have any questions related to our processing of your personal data, you can contact us either by telephone or through our contact form (see Contact Information below). To ensure that your personal data is disclosed to the correct person, Buypass may require that any requests for access be made in writing or that your identity be verified in another way.

Buypass AS stores personal data in accordance with the applicable legislation. In accordance with Section 28 of the Norwegian Personal Data Act, any data that no longer fulfils the purpose of its storage is erased. Any personal data that is processed on the basis of your consent is erased once that consent is withdrawn unless there is a legal basis or requirement for further storage.

For more details related to your right of access, right to rectification, and right to erasure, see section 2.4 of the customer agreement.

Right of Access and Disclosure of Personal Data
If you want to exercise your right of access, you can contact our customer support service, who will handle your request, and either answer your questions or advise you on how to proceed with gaining access to your personal data.

Once your access request has been received, we will respond as soon as possible and no later than 30 days after we have received your request. If unusual circumstances mean that we are unable to answer within 30 days, we will send a preliminary response explaining the delay and providing an expected response time.

Access into How Buypass Stores and Uses Customer Data 
You have the right to request information on which personal data we are processing on you and which security measures are in place to protect your personal data.

With regard to 23(1)(b) and 23(1)(f) of the Norwegian Personal Data Act, you do not have the right to access any data we have registered on you in order to fulfil our duty to investigate and report suspicious transactions under the Norwegian Money Laundering Act. 

Suspicions on unauthorised access: 
If you suspect that someone has gained unauthorised access to your personal data, contact us immediately by using our contact form (see Contact Information below).

Erasure

You have the right to terminate your customer relationship and have all your data erased without needing to provide a reason for this.

If you wish to exercise this right, you must inform Buypass via our customer support service (see Contact Information below). We will provide a response on the erasure as soon as possible and within 30 days. However, regardless of this, Buypass is obliged to store information about use of our eID and payment services in accordance with the laws and regulations that cover such services.

For more details related to your right of access, right to rectification, and right to erasure, see section 2.4 of the customer agreement.

Complaints  

If you believe we are processing personal data contrary to the relevant personal data legislation, you can contact our data protection officer at personvernombud@buypass.no or complain to the Norwegian Data Protection Authority. You can find all the contact information for the Norwegian Data Protection Authority at www.datatilsynet.no.

 

Changes to this Policy 

Changes may be made to this policy as a result of legal requirements, in order to include new products and services or changes to existing products, or as a result of changes in how we collect and process personal data.

Contact Information

Buypass AS, Nydalsveien 30A, 0484 Oslo, Norway. Phone number: +47 22 70 13 00.

If you want to contact us, you can use our contact form or send an e-mail to support@buypass.com.