Privacy notice

In short

Hello MobilePay user!  At MobilePay (Vipps MobilePay AS), we care about your privacy. We strive to always keep our responsibilities front and center when we process your personal data. This Privacy Notice describes what personal information we process, why and how, and how you can exercise your rights.   

1. MobilePay’s products  

The primary reason for processing your personal data is to deliver MobilePay’s products to you. Below you can read more about each product. Remember that you can always get insight and receive a copy of the data we process about you. You can find more information about this under point 3.  

1.1 When you have a MobilePay profile  

Why and how do we process your personal data? 

In order to provide you with a MobilePay profile, we process the following information:  

  • Information about you (name, phone number, national identity number, address and in some cases the address you provide) 
  • Account and card details (account number, masked debit or credit card number and expiry date) 
  • Usage data (views, time, frequency, duration of activities in the app, search history and sign in/log out data)  
  • Technical Data (pseudonymised ID’s, IP address, mobile device, operating system, browser, settings in app and log of technical events)  

Remember: As a MobilePay user, other MobilePay users will be able to see your name by searching your phone number in the MobilePay app.  

In addition, we collect the following information from various registers to ensure that we have the correct information:  

  • Contact details (name, address, national identity number and life- and guardianship status from the Central Personal Registry 
  • Ownership and verification of bank account (national identity number, and partial card- and account details from your bank) 
  • Political Exposed Persons  

 

On what legal basis? 

The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.  

 

1.2 When you send and receive money  

Why and how do we process your personal data? 

To send and receive money with MobilePay, we process the following information: 

  • Transaction data (sender and recipients full name, phone number, amount, transaction ID, masked card information, payment account, receiving account and attached payment text/message) 

However, the recipient will only have access to the following information: 

  • Transaction data (full name and phone number of sender, amount and attached payment text/message) 

Remember: As a MobilePay user, other MobilePay users will be able to see your full name by searching your phone number in the MobilePay app.  

On what legal basis? 

The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here.

1.3 When you send money to in-store merchants (MyShop) 

Why and how do we process your personal data? 

To send and receive money and refunds with MobilePay MyShop, we process the following information:  

  • Transaction data (senders full name and phone number, merchant information, used MobilePay product or service, amount, transaction ID, masked card information, payment account, receiving account and attached payment text/message) 

However, the merchant will have access to the following information: 

  • Transaction data (full name, masked phone number of sender, amount and attached payment text/message) 

On what legal basis? 

The contract we have with you. See MobilePay’s Terms and Conditions for private users here

For donations to non-profit organizations  

When contributing with monetary donations to specific non-profit organizations, the organization will receive your full name and phone number. 

On what legal basis? 

The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here

Sharing national identity number 

You can consent to share your national identity number with specific organizations to receive tax deductions on your donations.  

On what legal basis? 

Your consent.   

1.4 When using online and in-app payments (MobilePay Online) 

Why and how do we process your personal data? 

When purchasing products or services through an online merchant or within a merchant's app, we process the same data as outlined in section 1.3 When you send money to in-store merchants (MyShop) 

On what legal basis? 

The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here

1.5 When you use MobilePay Box  

Why and how do we process your personal data? 

When using MobilePay Box, we process the following information:  

  • General information about your Box (Box-name, Box-number, full name and phone number of Box-participants) 

Remember: As a MobilePay Box user, the owner of the Box can grant “viewing access” to other users (including users who are not contributors of the Box) making following information accessible to the viewers:  

  • Transaction data (full name, date, amount and attached payment text/message)  

On what legal basis? 

The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here

1.6 When you use Money Gifts-wrappings (Gift payments and gift cards)  

When purchasing MobilePay Gift wrappings, we process the same information as stated in section 1.2 When you send and receive money. 

For Gift Cards, MobilePay is the facilitator of the gift cards that you can purchase from third parties, to which we process following information:  

  • General information about the Gift Card (type of gift, date and full name and phone number of sender and recipient) 

What allows us to do this?  

The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here

1.7 When you use Settlements  

When you use our calculating tool for settlements, we process following information: 

  • General information about your Settlement group (name and status of group, full name and phone number of participants, details on payments, including; amount, date and time.  

What allows us to do this?  

The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here
 
1.8 When you use Benefits  

Why and how do we process your personal data? 

When displaying your personal memberships and benefits you have with selected loyalty programs in the app, we process the following information: 

  • Phone number (shared with the merchant's data processor, to look up your memberships and benefits in loyalty programs) 
  • General information (received by the merchants regarding your memberships and benefits in loyalty program) 

What allows us to do this? 

The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here

Remember: The merchant is the data controller for loyalty programs and benefits, while we function as a data processor. For inquiries regarding these, please contact the respective merchant.  

1.9 Order Management  

Why and how do we process your personal data? 

When displaying receipt information connected to your purchases, we process the following information: 

  • Transaction Data (date, time, merchant number and name, payment source, receiving account, amount, product/service, text/messages) 
  • Receipt information (line items, amount, if relevant shipping price, tips and discount)  

1.10 When you enable functionality on your phone 

You can turn on and off the following functionality under settings on your phone: 

  • Location (to find a merchant near you)  
  • Contact list (to select recipients from your contacts. If you prefer not to grant the app access to your contacts, you can manually enter the recipient's phone number) 
  • Pictures and camera (to add a profile picture that other users can see, to attach a picture to a Settlements group or to scan QR codes)  
  • Background updates 
  • Mobile data (to access MobilePay without a wireless internet connection) 
  • For Android (We request access to your phone status and ID for the purpose of saving the mobile identifier, managing content on the SD card, and allowing you to add a profile picture) 

Remember: You have the option to enable or disable these functions in your phone settings. 

What allows us to do this? 

Your consent. 

1.11  

When you use MobilePay you can consent to following features in the app: 

  • Profile picture (to add a profile picture that other users can see) 
  • Chosen name for accounts and cards (to differentiate between your added accounts and cards)  
  • Blocked users (to avoid interaction with users that can no longer send you messages or transactions) 
  • Remember: You have the option to enable or disable these functions in the MobilePay app.  

What allows us to do this? 

Your consent. 
 
1.12 When you have MobilePay as a merchant for your business or association  

To comply with our obligations under anti-money laundering regulations, we process the following personal information relating to merchants: 

Business roles (CEO, chairman, board members, deputy, accountant, auditor, etc.) 

  • Information about the person (name, phone number, e-mail address, date of birth and national identity number.
  • Signatory rights  

Beneficial owners 

  • Information about the person (name, date of birth, country, nationality, address)  
  • Information from public registers  

Politically Exposed Persons (PEP) and sanction lists 

  • Information you provide as a PEP 
  • Information from registers  

What allows us to do this? 

Our legal obligation.  

Credit rating  

When establishing a customer relationship and continuously afterwards, MobilePay conducts a credit check of the merchant you are part of. For some types of organizations e.g., where the merchants are personally financial responsible, we also carry out a credit assessment of persons with a role withing the merchant. When the credit assessment is completed, you will receive a copy of that information.  

What allows us to do this? 

Our legitimate interest.  

Onboarding and administration of the customer relationship 

For onboarding, administration of customer relationships, communication, and security for your business, we process the following personal data: 

User and admin role the Merchant Portal and Merchant App 

  • Information about you (full name, phone number, e-mail address and national identity number) 
  • Usage Data (views, time, frequency, and duration of activities in the app, search history and sign in/log out data) 
  • Technical data (internal IDs, IP address, mobile operating system, mobile device, browser, in-app settings, history of technical events, etc.) 
  • Electronic Identification (eID) with MitID 

Remember: In an effort to enhance convenience and security for you, we may use the data from your private profile when granting admin rights.  

Contact points at merchants 

  • Information about you (full name, phone number, e-mail address and national identity number) 
  • Any communication between MobilePay and the contact point 

What allows us to do this? 

The contract we have with you. See MobilePay’s Terms and Conditions for Merchants here

2. Across MobilePay services 

Some processing may not be specifically linked to a single product. Further details on this can be found below. 

2.1 For legal and regulatory reasons  

Why and how do we process your personal data? 

To fulfil our obligations according to laws and regulations, MobilePay are obliged to process some personal data, including the following:  

  • To comply with bookkeeping regulations: Accounting material, which may also contain personal information, are processed and stored in compliance with the regulations stipulated in the Bookkeeping Act 
  • To prevent and detect criminal activities: MobilePay are obliged to process some personal information for the purpose of preventing, detecting, investigating and handling fraud and other criminal activities. This includes the duty to examine and report suspicious activities and transactions under the Anti-Money Laundering Act. In addition, MobilePay obtains information from various registers to fulfil legal requirements, including politically exposed persons and sanctions. 
  • Disclosure of personal information to public authorities: MobilePay are obliged to disclose personal information when there is a court order, law enforcement request or otherwise to fulfil legal requirements, such as The Penal Code, or acts related to statistics or taxation.  
  • Disclosure of personal information to banks and other financial institutions: MobilePay might be obliged to disclose personal information to banks or other financial institutions to comply with Anti-Money Laundering laws and regulations when it is part of conducting due diligence of suspicious activities or transactions, and regarding payments fraud following the Financial Institutions Act, or other applicable local rules and regulations. 
  • Security monitoring: To detect and resolve suspicious activities and security incidents, MobilePay processes personal information when logging and monitoring our services. Ensuring information security is, among other things, anchored in the Personal Data Act and Norway’s ICT Regulation. 

What allows us to do this? 

Our legal obligation.  

2.2 For customer follow up  

Why and how do we process your personal data? 

MobilePay processes personal data to assist you in case of any challenges or concerns related to our products or services, including: 

  • Information about you (full name, phone number, e-mail, registered address and national identity number) 
  • Information about your issue 
  • Information about the customer relationship (which products and services you use, the duration of usage, etc.) 

Depending on the issue, it may also include: 

  • Transaction data 
  • Account and card details (bank account number, masked debit or credit card number and expiry date) 
  • Usage data (views in the app, time and clicks in our surfaces, searches, logins and logouts) 
  • Technical data (internal ID’s, IP address, operating system, mobile device, browser, settings in app, log of technical events, etc.) 

What allows us to do this? 

The contract we have with you. See MobilePay’s Terms and Conditions for Private Users here

Remember: We record telephone conversations for the purpose of training and quality assurance. You can read more about this here.

What allows us to do this? 

Your consent and if the communication become a security matter, calls may be recorded based on legitimate interest 

2.3 For marketing activities 

Basic customised marketing on our platforms 

MobilePay carries out segmentation to ensure that relevant service information is provided to you, and to ensure that end users under 18 are excluded from our marketing activities.  

What allows us to do this?  

Our legitimate interest. 

Marketing via e-mail or SMS 

If you consent, we may send you suggestions and offers based on segmentation, via e-mail or SMS. For this, we process: 

  • Contact Information (name, phone number and e-mail)  

What allows us to do this?  

Your consent. 

Marketing activities outside our platforms 

If you consent, we provide you with relevant suggestions and offers outside our platform, such as social platforms and websites. To do this, we need to know who you are when you use the relevant social platforms and websites. We connect the personal data that you have provided to us, with information that you have provided in an external channel. By doing this, we can share messages and information that we assume to be of interest to you. In such cases, MobilePay transfers personal data that has been masked to the individual third party. You can find more information on our cookie site here. For this, we process: 

  • Information about you (name, telephone number, e-mail) 
  • Usage data (pages visited, time and clicks on our platforms, search history, logins and logouts) 

What allows us to do this?  

Your consent. 

Remember: You can see an overview of your consents to marketing activities in the MobilePay app under Profile > Settings. You can withdraw your consent at any time. 
 
2.4 To test and develop our products, services and for statistical purposes 

Internal development of our services and testing 

MobilePay process personal data for service development, maintenance and to improve customer experience. To do this, we analyse how our products and services are used. For this type of processing, we do not identify the end users, but use aggregated, pseudonymized or anonymized data. The following information may be processed to generate such analyses: 

  • Demographic data (age, gender, geographic area) 
  • Which MobilePay services/products you use 
  • Technical data (Customer ID, Cookies, user agent, etc.) 
  • Usage data (views in the app, time and clicks in our platforms, search history, logins, and logouts) 
  • Aggregated or pseudonymised Transaction Data 
  • Profile information (number of payment cards and bank accounts) 
  • Usage of accessibility features 

What allows us to do this?  

Our legitimate interest. 

Statistics

 
We further process this information to develop user surveys, user analyses, market analyses, and reports based on usage patterns and demographics. We use statistical data to group users into similar usage patterns and this helps us understand how our services are used. The results cannot be linked back to you as we use aggregated data for this purpose, unless you give your consent. In some situations, we forward the results of the analyses to merchants that use MobilePay. This information cannot be linked back to you. MobilePay shares aggregated statistics with banks, 

What allows us to do this?  

Our legitimate interest.  

Sharing statistics with public authorities 

MobilePay shares aggregated statistics with certain partners, such as banks, Statistics Denmark and the Ministry of Finance. 
 

What allows us to do this?  

Our legitimate interest. 

The legal basis for Statistics Denmark and Ministry of Finance is legal obligation. 
 
2.5 Use of Data Processors  

MobilePay uses several suppliers who process personal data on our behalf (“Data Processors”). In these cases, MobilePay enters into a Data Processing Agreement with the supplier to ensure that the processing is carried out in accordance with GDPR. Relevant data processors we use are: 

  • Cloud service providers (Microsoft Azure, Salesforce, Splunk, Mixpanel, Slack, Puzzel, Signant, Link Mobility, Twilio Sendgrid, Jobylon) 
  • Software providers (Microsoft 365) 
  • Service providers (Nets, TietoEvry, DNB, Danske Bank, Adyen) 
  • Consulting firms 
  • Banks  

When we transfer personal data outside the European Union (EU) or the European Economic Area (EEA) 

In some cases, MobilePay may transfer personal data to Data Processors in countries outside the EEA. Such transfers can only be made if the Data Processor has provided assurance that your privacy and rights are protected. This may be a transfer basis approved by the European Commission e.g., to an approved country, through Standard Contractual Clauses, or through valid Binding Corporate Rules. In special situations, another valid transfer basis, such as agreement or consent, may be used if the level of protection corresponds to the level in the EEA. 
  
2.6 Security of personal data  

Information security is fundamental to delivering safe and simple solutions. Through effective security measures and processes, MobilePay ensure that your personal data is protected against unauthorized access and alterations and is available when needed. For this, we have implemented measures such as: 

  • Identity and Access Management 
  • Secure Software Development and Security Testing 
  • Encryption 
  • Network Security 
  • Security Monitoring and Incident Management 
  • Safety training and knowledge sharing among employees 
  • Security requirements and follow-up of Data Processor and suppliers 

Security measures are implemented, monitored, and continuously improved based on a risk-based approach to ensure that personal data is adequately protected over time. 

2.7 Retention of your information  

Personal data will not be stored for longer than necessary and according to the following rules: 

  • The main rule is that we store personal data for as long as you have an active customer relationship. This means that you will have an overview of your history in the app. 
  • When you terminate your customer relationship, certain information will be stored by MobilePay for another 5 or 10 years in accordance with Norway’s Money Laundering Act or Finland’s Accounting Act. 
  • Personal data that we process based upon your consent will be deleted when you withdraw your consent, unless there is another legal basis for further processing. 
  • In some situations, we may have a legitimate interest in retaining the information for a longer period e.g. for back-up purposes.  

2.8 Roles and responsibilities between MobilePay and Merchants  

MobilePay and merchants are independent data controller for most of our services. MobilePay has an agreement with all our end users. This means that MobilePay is responsible for its own processing activities of personal data that are necessary to provide the payment solutions. Similarly, merchants have their own agreements with their customers, and are themselves responsible for their own processing activities of personal data in order to provide their services e.g. being able to carry out a sale. We do not enter into data processor agreements in the situations where MobilePay and the merchant are independent data controllers.  

3. Your rights 

If you wish to exercise your rights, you can send your request to our Data Protection Officer and Privacy Team at privacy@vippsmobilepay.com. 

3.1 Right to access  

You have the right to access the information stored about you. Remember that you can find most of this information about you in your profile and in your activity list in the MobilePay app. 

3.2 Right to rectification  

You have the right to demand that incorrect information about you be corrected. You can change your e-mail, address, picture, account, and card information in the app. In other cases, you can send us an e-mail. 

3.3 Right to be forgotten  

You have the right to demand to delete information about you if MobilePay does not have a legal basis for storing it further.  

3.4 Right to withdraw your consent  

You may withdraw your consents at any time.  

  • If you have shared your information in MobilePay with companies, you can withdraw this consent: under Profile > Personal information > Companies with access and Browsers that remember you 
  • Marketing: under Profile > Settings 
  • Settings on your phone: under settings on your phone 
  • Settings in the app: e.g. under Profile > Settings or Profile > Accounts and cards 

3.5 Right to information  

You have the right to be informed about how we process your personal data. We do this in this Privacy Notice, in our Terms and Conditions, and when obtaining consent. 

3.6 Right to protest  

If we process information about you based on our legitimate interest, you have the right to object to our processing of information about you. This can be for example for analysis purposes or for compiling personal data across our services. 

3.7 Right to restriction  

In special situations, you have the right to request a restriction of the processing of personal data. 

3.8 Right to data portability  

You have the right to have your data transferred in a machine-readable format to a new Data Controller. 

3.9 Right to complain  

You also have the right to complain to the Norwegian Data Protection Authority at P.O. Box 458 Sentrum NO-0105 Oslo or to a Data Protection Authority near you.  

Changes in this Privacy Notice 

MobilePay continuously works to improve and develop our services. We will change information in this Privacy Notice, some might refer to it as a Privacy Policy, in the event of any changes in the law, services we provide or in our own personal data processing practices. If MobilePay makes major changes that may affect your privacy or rights, you will be notified in the app or by email. 

Version 1.0. Updated 16.01.2024