In short
Hello MobilePay user! At MobilePay (Vipps MobilePay AS), we care about your privacy. We strive to always keep our responsibilities front and center when we process your personal data. This Privacy Notice describes what personal information we process, why and how, and how you can exercise your rights.1. MobilePay’s products
The primary reason for processing your personal data is to deliver MobilePay’s products to you. Below you can read more about each product. Remember that you can always get insight and receive a copy of the data we process about you. You can find more information about this under point 3.
1.1 When you have a MobilePay profile
Why and how do we process your personal data?
In order to provide you with a MobilePay profile, we process the following information:
- Information about you (name, phone number, e-mail, national identity number, address and in some cases the address you provide)
- Account and card details (account number, masked debit or credit card number and expiry date)
- Usage data (views, time, frequency, duration of activities in the app, search history and sign in/log out data)
- Technical Data (pseudonymised ID’s, IP address, mobile device, operating system, browser, settings in app and log of technical events)
Remember: As a MobilePay user, other users in Finland, Denmark and Norway will be able to see your name by searching for your phone number in the MobilePay app. For Denmark and Norway, you must be over 15 years old for other users to see your name by searching your phone number.
In addition, we collect the following information from various registers to ensure that we have the correct information:
- Contact details (name, address, national identity number and life- and guardianship status from the Central Personal Registry
- Ownership and verification of bank account (national identity number, and partial card- and account details from your bank)
- Political Exposed Persons
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
1.2 When you send and receive money
Why and how do we process your personal data?
To send and receive money with MobilePay, we process the following information:
- Transaction data (sender and recipients full name, phone number, amount, transaction ID, masked card information, payment account, receiving account and attached payment text/message)
However, the recipient will only have access to the following information:
- Transaction data (full name and phone number of sender, amount and attached payment text/message)
Remember: As a MobilePay user, other MobilePay users will be able to see your full name by searching your phone number in the MobilePay app.
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
1.3 When you send money to in-store merchants (MyShop)
Why and how do we process your personal data?
To send and receive money and refunds with MobilePay MyShop, we process the following information:
- Transaction data (senders full name and phone number, merchant information, used MobilePay product or service, amount, transaction ID, masked card information, payment account, receiving account and attached payment text/message)
However, the merchant will have access to the following information:
- Transaction data (full name, masked phone number of sender, amount and attached payment text/message)
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for private users here.
For donations to non-profit organizations
When contributing with monetary donations to specific non-profit organizations, the organization will receive your full name and phone number.
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
Sharing national identity number
You can consent to share your national identity number with specific organizations to receive tax deductions on your donations.
On what legal basis?
Your consent.
1.4 When using online and in-app payments (MobilePay Online)
Why and how do we process your personal data?
When purchasing products or services through an online merchant or within a merchant's app, we process the same data as outlined in section 1.3 When you send money to in-store merchants (MyShop)
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
1.5 When you use MobilePay Box
Why and how do we process your personal data?
When using MobilePay Box, we process the following information:
- General information about your Box (Box-name, Box-number, full name and phone number of Box-participants)
Remember: As a MobilePay Box user, the owner of the Box can grant “viewing access” to other users (including users who are not contributors of the Box) making following information accessible to the viewers:
- Transaction data (full name, date, amount and attached payment text/message)
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
1.6 When you use Money Gifts-wrappings (Gift payments and gift cards)
When purchasing MobilePay Gift wrappings, we process the same information as stated in section 1.2 When you send and receive money.
For Gift Cards, MobilePay is the facilitator of the gift cards that you can purchase from third parties, to which we process following information:
- General information about the Gift Card (type of gift, date and full name and phone number of sender and recipient)
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
1.7 When you use Settlements
When you use our calculating tool for settlements, we process following information:
- General information about your Settlement group (name and status of group, full name and phone number of participants, details on payments, including; amount, date and time.
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
1.8 When you use Benefits
Why and how do we process your personal data?
When displaying your personal memberships and benefits you have with selected loyalty programs in the app, we process the following information:
- Phone number (shared with the merchant's data processor, to look up your memberships and benefits in loyalty programs)
- General information (received by the merchants regarding your memberships and benefits in loyalty program)
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
Remember: The merchant is the data controller for loyalty programs and benefits, while we function as a data processor. For inquiries regarding these, please contact the respective merchant.
1.9 Order Management
Why and how do we process your personal data?
When displaying receipt information connected to your purchases, we process the following information:
- Transaction Data (date, time, merchant number and name, payment source, receiving account, amount, product/service, text/messages)
- Receipt information (line items, amount, if relevant shipping price, tips and discount)
1.10 When you use MobilePay Easy Login
Why and how do we process your personal data?
To provide Easy Log In, we process, with your consent, the following information:
- Your preference (websites/merchants where you use Easy Login)
You may choose to share the following information from your Mobilepay profile, based on consent, to merchants:
- Information about you (name, telephone number, e-mail address, registered address in the National Registry and self-filled address, national identity number)
Did you know?
- The merchant becomes the data controller of the data you agree to share, as they will provide a separate service to you. The service entails that, the information you agree to share, is updated in our app, it will also be updated for the merchant.
- You can find an overview of businesses that you have consented to in the app: Profile > Personal information > Businesses with access in the app. Here you can withdraw your consent at any time.
- If you withdraw your consent or when it expires after one year, we will stop sharing your data with the merchant. Be aware that this does not end your agreement with the merchant. Take contact directly with the merchant if you want to end your agreement with them.
On what legal basis?
Your consent.
Remember:
In Easy Login VippsMobilepay act as the data processor for collection of marketing and other communication consents. If you have any concerns or requests regarding this, please contact the merchant as the data controller.
1.11 When you enable functionality on your phone
You can turn on and off the following functionality under settings on your phone:
- Location (to find a merchant near you)
- Contact list (to select recipients from your contacts. If you prefer not to grant the app access to your contacts, you can manually enter the recipient's phone number)
- Pictures and camera (to add a profile picture that other users can see, to attach a picture to a Settlements group or to scan QR codes)
- Background updates
- Mobile data (to access MobilePay without a wireless internet connection)
- For Android (We request access to your phone status and ID for the purpose of saving the mobile identifier, managing content on the SD card, and allowing you to add a profile picture)
Remember: You have the option to enable or disable these functions in your phone settings.
On what legal basis?
Your consent.
1.12 When enabling functions in the app
When you use MobilePay you can consent to following features in the app:
- Profile picture (to add a profile picture that other users can see)
- Chosen name for accounts and cards (to differentiate between your added accounts and cards)
- Blocked users (to avoid interaction with users that can no longer send you messages or transactions)
- Remember: You have the option to enable or disable these functions in the MobilePay app.
What allows us to do this?
Your consent.
1.13 When you have MobilePay as a merchant for your business or association
To comply with our obligations under anti-money laundering regulations, we process the following personal information relating to merchants:
Business roles (CEO, chairman, board members, deputy, accountant, auditor, etc.)
- Information about the person (name, phone number, e-mail address, date of birth and national identity number.
- Signatory rights
Beneficial owners
- Information about the person (name, date of birth, country, nationality, address)
- Information from public registers
Politically Exposed Persons (PEP) and sanction lists
- Information you provide as a PEP
- Information from registers
On what legal basis?
Our legal obligation.
Credit rating
When establishing a customer relationship and continuously afterwards, MobilePay conducts a credit check of the merchant you are part of. For some types of organizations e.g., where the merchants are personally financial responsible, we also carry out a credit assessment of persons with a role withing the merchant. When the credit assessment is completed, you will receive a copy of that information.
On what legal basis?
Our legitimate interest.
Onboarding and administration of the customer relationship
For onboarding, administration of customer relationships, communication, and security for your business, we process the following personal data:
User and admin role the Merchant Portal and Merchant App
- Information about you (full name, phone number, e-mail address and national identity number)
- Usage Data (views, time, frequency, and duration of activities in the app, search history and sign in/log out data)
- Technical data (internal IDs, IP address, mobile operating system, mobile device, browser, in-app settings, history of technical events, etc.)
- Electronic Identification (eID) with MitID
Remember: In an effort to enhance convenience and security for you, we may use the data from your private profile when granting admin rights.
Contact points at merchants
- Information about you (full name, phone number, e-mail address and national identity number)
- Any communication between MobilePay and the contact point
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Merchants here.
1.14 When you use Wish List
Why and how do we process your personal data?
When you create a wish list, we process the information you enter. If you add a link, we will display a picture of the content, name of the product and similar details from the link to provide you with a clear representation of the wish list item.
- Your first name and profile picture
- Wish list details (list name and description, item name, description, picture and price)
Remember: You can share your wish list with any user, including users in other countries. Please note that users can further share the link to other users potentially making the list public. Users you have blocked in the app cannot see your wish lists, even with the link. We discourage users from entering sensitive information in the wish list.
On what legal basis?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
Recommendations and Inspirational lists
Why and how do we process your personal data?
Wish list is designed to help you find the content that fits your needs and interests. We therefore provide recommendations and inspirational lists in the Wish list space. For that purpose, we segment users based on basic demographics, or if you consent to it we may profile you to provide you with tailor-made recommendations and offers. See section 2.4 to find out how segmentation and profiling works.
Remember: The recommendations and inspirational lists may include sponsored content. You can read our terms for more information about sponsored links. If you click on a sponsored link and proceed to the third-party website, there might be further data collection and tracking in connection to your visit and purchases for the purposes defined in our terms and conditions section 25. Wish List. Vipps MobilePay will not be sharing any personal data with the affiliates or third parties for these purposes. Third-party data collection and tracking will, in some cases, be carried out by the site you visit and/or our partner Adtraction affiliate network, according to their terms and conditions that you can read here.
On what legal basis?
Basic segmentation is based on our legitimate interest.
Profiling is based on your consent, and can be withdrawn in the app -> Profile -> Privacy Setting tab.
2. Across MobilePay services
Some processing may not be specifically linked to a single product. Further details on this can be found below.
2.1 For legal and regulatory reasons
Why and how do we process your personal data?
To fulfil our obligations according to laws and regulations, MobilePay are obliged to process some personal data, including the following:
- To comply with bookkeeping regulations: Accounting material, which may also contain personal information, are processed and stored in compliance with the regulations stipulated in the Bookkeeping Act
- To prevent and detect criminal activities: MobilePay are obliged to process some personal information for the purpose of preventing, detecting, investigating and handling fraud and other criminal activities. This includes the duty to examine and report suspicious activities and transactions under the Anti-Money Laundering Act. In addition, MobilePay obtains information from various registers to fulfil legal requirements, including politically exposed persons and sanctions.
- Disclosure of personal information to public authorities: MobilePay are obliged to disclose personal information when there is a court order, law enforcement request or otherwise to fulfil legal requirements, such as The Penal Code, or acts related to statistics or taxation.
- Disclosure of personal information to banks and other financial institutions: MobilePay might be obliged to disclose personal information to banks or other financial institutions to comply with Anti-Money Laundering laws and regulations when it is part of conducting due diligence of suspicious activities or transactions, and regarding payments fraud following the Financial Institutions Act, or other applicable local rules and regulations.
- Security monitoring: To detect and resolve suspicious activities and security incidents, MobilePay processes personal information when logging and monitoring our services. Ensuring information security is, among other things, anchored in the Personal Data Act and Norway’s ICT Regulation.
On what legal basis?
Our legal obligation.
2.2 For customer follow up
Why and how do we process your personal data?
MobilePay processes personal data to assist you in case of any challenges or concerns related to our products or services, including:
- Information about you (full name, phone number, e-mail, registered address and national identity number)
- Information about your issue
- Information about the customer relationship (which products and services you use, the duration of usage, etc.)
Depending on the issue, it may also include:
- Transaction data
- Account and card details (bank account number, masked debit or credit card number and expiry date)
- Usage data (views in the app, time and clicks in our surfaces, searches, logins and logouts)
- Technical data (internal ID’s, IP address, operating system, mobile device, browser, settings in app, log of technical events, etc.)
What allows us to do this?
The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.
Chat with Customer Service
When you chat with customer service on our website or portal, MobilePay processes the following information to ensure good customer service and follow-up:
- Information about you (name and phone number)
- Information about your issue (content of the chat)
- Authentication data (if you need to receive certain types of data from us, we require BankID identification)
Remember: Customer chat information will as a rule be stored for 30 days, but this can be extended if a case requires it.
2.3 Recording of phone conversations
Telephone conversations are recorded based on consent; for the purpose of quality assurance and the training of our employees.
How long the data will be stored?
The call records will be kept for 30 days.
You can always withdraw your consent by sending an email to privacy@vippsmobilepay.com. Upon the withdrawal of consent the recording will be deleted permanently.
If a recording is relevant for legal dispute(s) or security incident(s), the recording will not be deleted until the case(s) or incident(s) has been finally settled in accordance with the applicable statute of limitation, c.f. Article 6(1)(f) “legitimate interest” of the GDPR.
Your rights
You can always enforce your rights that are defined in section “3. Your Rights“ and get informed about the recording, have access to copy of your data, request your data to be deleted or object to the processing activities based on legitimate interest.
If you or the corresponding party (the employee) exercise their rights under GDPR, e.g. by requesting access to a recorded conversation (before it is automatically deleted), then we will review and store the recording to the extent necessary for the documentation of compliance with our obligations and/or to address any related complaints.
On what legal basis?
Your consent.
2.4 For Marketing Activities
Basic segmentation
We carry out basic segmentation to provide you with relevant recommendations and offers. For this purpose, we process the following data:
-
Age
-
Gender (based on your national identity number)
-
Geographic area (based on postal code)
-
Use of our products and services (e.g. if you have certain products activated or not, or the items you added to your wish list)
On what legal basis?
Our legitimate interest. You can object to it, see section 3.6 Right to Protest.
Personalised marketing
If you consent to it, we will personalise our marketing across our app and channels like email, SMS or push messages. The purpose is to provide you with the most relevant and tailor-made offers, recommendations and discounts from us and third-parties.
Personalised marketing is based on analysis of the following information about you:
-
Transactions and purchases (all transactions including your receipts and basket details when available)
-
Profile details (such as your name, address and the cards you’ve added)
-
Your use of Vipps MobilePay products and services (such as how, when and how often you use them)
-
Your use of the app (such as visited pages in the app, app settings e.g. language etc.)
What allows us to do this?
Your consent.
Marketing via e-mail, SMS and Push Messages
If you consent, we may send you suggestions and offers based on, via e-mail SMS or Push Messages. For this, we process:
-
Contact information (name, phone number and e-mail)
On what legal basis?
Your consent.
Remember: You can see an overview of your consents to marketing activities in the app under Profile > Settings. You can withdraw your consent at any time. Please note that it may take some time for us to technically implement withdrawal of the consent due to the frequency of system updates.
2.5 To test and develop our products, services and for statistical purposes
Internal development of our services and testing
MobilePay process personal data for service development, maintenance and to improve customer experience. To do this, we analyse how our products and services are used. For this type of processing, we do not identify the end users, but use aggregated, pseudonymized or anonymized data. The following information may be processed to generate such analyses:
- Demographic data (age, gender, geographic area)
- Which MobilePay services/products you use
- Technical data (Customer ID, Cookies, user agent, etc.)
- Usage data (views in the app, time and clicks in our platforms, search history, logins, and logouts)
- Aggregated or pseudonymised Transaction Data
- Profile information (number of payment cards and bank accounts)
- Usage of accessibility features
On what legal basis?
Our legitimate interest.
Statistics
We further process this information to develop user surveys, user analyses, market analyses, and reports based on usage patterns and demographics. We use statistical data to group users into similar usage patterns and this helps us understand how our services are used. The results cannot be linked back to you as we use aggregated data for this purpose, unless you give your consent. In some situations, we forward the results of the analyses to merchants that use MobilePay. This information cannot be linked back to you. MobilePay shares aggregated statistics with banks,
On what legal basis?
Our legitimate interest.
Sharing statistics with public authorities
MobilePay shares aggregated statistics with certain partners, such as banks, Statistics Denmark and the Ministry of Finance.
On what legal basis?
Our legitimate interest.
The legal basis for Statistics Denmark and Ministry of Finance is legal obligation.
2.6 Use of Data Processors
MobilePay uses several suppliers who process personal data on our behalf (“Data Processors”). In these cases, MobilePay enters into a Data Processing Agreement with the supplier to ensure that the processing is carried out in accordance with GDPR. Relevant data processors we use are:
- Cloud service providers (Microsoft Azure, Salesforce, Splunk, Mixpanel, Slack, Puzzel, Signant, Link Mobility, Twilio Sendgrid, Jobylon)
- Software providers (Microsoft 365)
- Service providers (Nets, TietoEvry, DNB, Danske Bank, Adyen)
- Consulting firms
- Banks
When we transfer personal data outside the European Union (EU) or the European Economic Area (EEA)
In some cases, MobilePay may transfer personal data to Data Processors in countries outside the EEA. Such transfers can only be made if the Data Processor has provided assurance that your privacy and rights are protected. This may be a transfer basis approved by the European Commission e.g., to an approved country, through Standard Contractual Clauses, or through valid Binding Corporate Rules. In special situations, another valid transfer basis, such as agreement or consent, may be used if the level of protection corresponds to the level in the EEA.
2.7 Security of personal data
Information security is fundamental to delivering safe and simple solutions. Through effective security measures and processes, MobilePay ensure that your personal data is protected against unauthorized access and alterations and is available when needed. For this, we have implemented measures such as:
- Identity and Access Management
- Secure Software Development and Security Testing
- Encryption
- Network Security
- Security Monitoring and Incident Management
- Safety training and knowledge sharing among employees
- Security requirements and follow-up of Data Processor and suppliers
Security measures are implemented, monitored, and continuously improved based on a risk-based approach to ensure that personal data is adequately protected over time.
2.8 Retention of your information
Personal data will not be stored for longer than necessary and according to the following rules:
- The main rule is that we store personal data for as long as you have an active customer relationship. This means that you will have an overview of your history in the app.
- When you terminate your customer relationship, certain information will be stored by MobilePay for another 5 or 10 years in accordance with Money Laundering Act or Accounting Act.
- Personal data that we process based upon your consent will be deleted when you withdraw your consent, unless there is another legal basis for further processing.
- In some situations, we may have a legitimate interest in retaining the information for a longer period e.g. for back-up purposes.
2.9 Roles and responsibilities between MobilePay and Merchants
MobilePay and merchants are independent data controller for most of our services. MobilePay has an agreement with all our end users. This means that MobilePay is responsible for its own processing activities of personal data that are necessary to provide the payment solutions. Similarly, merchants have their own agreements with their customers, and are themselves responsible for their own processing activities of personal data in order to provide their services e.g. being able to carry out a sale. We do not enter into data processor agreements in the situations where MobilePay and the merchant are independent data controllers.
3. Your rights
If you wish to exercise your rights, you can send your request to our Data Protection Officer and Privacy Team at privacy@vippsmobilepay.com.
3.1 Right to access
You have the right to access the information stored about you. Remember that you can find most of this information about you in your profile and in your activity list in the MobilePay app.
3.2 Right to rectification
You have the right to demand that incorrect information about you be corrected. You can change your e-mail, address, picture, account, and card information in the app. In other cases, you can send us an e-mail.
3.3 Right to be forgotten
You have the right to demand to delete information about you if MobilePay does not have a legal basis for storing it further.
3.4 Right to withdraw your consent
You may withdraw your consents at any time.
- If you have shared your information in MobilePay with companies, you can withdraw this consent: under Profile > Personal information > Companies with access and Browsers that remember you
- Marketing: under Profile > Settings
- Settings on your phone: under settings on your phone
- Settings in the app: e.g. under Profile > Settings or Profile > Accounts and cards
3.5 Right to information
You have the right to be informed about how we process your personal data. We do this in this Privacy Notice, in our Terms and Conditions, and when obtaining consent.
3.6 Right to protest
If we process information about you based on our legitimate interest, you have the right to object to our processing of information about you. This can be for example for analysis purposes or for compiling personal data across our services.
3.7 Right to restriction
In special situations, you have the right to request a restriction of the processing of personal data.
3.8 Right to data portability
You have the right to have your data transferred in a machine-readable format to a new Data Controller.
3.9 Right to complain
You also have the right to complain to the Norwegian Data Protection Authority at P.O. Box 458 Sentrum NO-0105 Oslo or to a Data Protection Authority near you.
Changes in this Privacy Notice
MobilePay continuously works to improve and develop our services. We will change information in this Privacy Notice, some might refer to it as a Privacy Policy, in the event of any changes in the law, services we provide or in our own personal data processing practices. If MobilePay makes major changes that may affect your privacy or rights, you will be notified in the app or by email.
Version 1.1. Updated 18.06.2024