Privacy Notice

Svenska / English

 

Hello Vipps-user!

 

At Vipps (Vipps MobilePay AS), we care about your privacy. We strive to always keep our responsibilities front and center when we process your personal data. This Privacy Notice describes what personal information we process, why, how, and in what way you can exercise your rights.

1. Vipps' products  

The primary reason for processing your personal data is to deliver Vipps' products to you. Below you can read more about each product. Remember that you can always get insight and receive a copy of the data we process about you. You can find more information about this under point 3. 

 

1.1 When you have a Vipps profile 

Why and how do we process your personal data? 

When creating a Vipps profile, we process following information:  

 

  • Information about you (name, phone number, e-mail, personal identity number, address and in some cases the address you provide)
  • Account and card details (account number, debit or credit card number and expiry date) 
  • Usage data (views, time, frequency, duration of activities in the app, search history and sign in/log out data) 
  • Technical Data (pseudonymized ID’s, IP address, mobile device, operating system, browser, settings in app and log of technical events)  

 

Remember: As a Vipps user, other users in Sweden, Denmark, Norway and Finland will be able to see your name by searching on your phone number in the Vipps app. 

In addition, we collect the following information from various registers to ensure that we have the correct information:

 

  • Contact details (name, address, personal identity number and life status from the Swedish Population Registry)
  • Ownership and verification of bank account (personal identity number, and partial card- and account details from your bank) 
  • Political Exposed Persons (whether you are a political exposed person and information on your source of funds when using Vipps)

 

On what legal basis? 
The contract we have with you. See Vipps’ Terms and Conditions for Private Users. Legal obligation for political exposed persons. 

 

1.2 When you send and receive money  

Why and how do we process your personal data? 
To send and receive money with Vipps, we process the following information: 

 

  • Transaction data (full name and phone number of sender and recipients, amount, transaction ID, masked card information, payment account, receiving account and text/message) 

 

However, the recipient will only have access to the following information: 

 

  • Transaction data (name and phone number of sender, amount and text/message) 

 

On what legal basis? 

The contract we have with you. See Vipps’ Terms and Conditions for Private Users.

 

1.3 When you send money to in-store merchants in Norway

Why and how do we process your personal data? 

 

To send and receive money and refunds to and from merchants, we process the following information: 

 

  • Transaction data (name and phone number, merchant information, used Vipps product or service, amount, transaction ID, masked card information, payment account, receiving account and text/message) 

However, the merchant will only have access to the following information: 

 

  • Transaction data (name, masked phone number, amount and payment text/message) 

 

On what legal basis? 
The contract we have with you. See Vipps’ Terms and Conditions for Private Users.

 

For donations to non-profit organizations  
When contributing with monetary donations to specific non-profit organizations, the organization will receive your full name and phone number. 

 

On what legal basis? 
The contract we have with you. See Vipps’ Terms and Conditions for Private Users.

 

1.4 When using online and in-app payments 

Why and how do we process your personal data? 

When purchasing products or services through an online merchant or within a merchant's app, we process the same data as outlined in section 1.3 When you send money to in-store merchants.

On what legal basis? 
The contract we have with you. See Vipps’ Terms and Conditions for Private Users.

 

1.5 When you use digital Money Gift Wrappings 

Why and how do we process your personal data? 
When purchasing Vipps gift wrappings, we process the same information as stated in section 1.2 When you send and receive money. 

On what legal basis? 
The contract we have with you. See Vipps’ Terms and Conditions for Private Users. 

 

1.6 When you use Settlements  

Why and how do we process your personal data? 


When you use our calculating tool for settlements, we process following information: 

 

  • General information about your Settlement group (group name, status of group, full name and phone number of participants, details on payments, including; amount, date and time)

 

On what legal basis? 
The contract we have with you. See Vipps’ Terms and Conditions for Private Users. 

Remember: You can add or be added to a settlement group with participants from all markets, including Sweden, Denmark, Finland and Norway.

 

1.7 When enabling functions on your phone 

When you use Vipps you can consent to following features in the settings of on your phone: 

 

  • Location (to find a merchant near you)  
  • Contact list (to select recipients from your contacts. If you prefer not to grant the app access to your contacts, you can manually enter the recipient's phone number) 
  • Pictures and camera (to add a profile picture that other users can see, to attach a picture to a Settlements group or to scan QR codes) 
  • Background updates 
  • Mobile data (to access Vipps without a wireless internet connection) 
  • For Android (we request access to your phone status and ID for the purpose of saving the mobile identifier, managing content on the SD card, and allowing you to add a profile picture) 

 

Remember: You have the option to enable or disable these functions in your phone settings. 

 

On what legal basis? 
Your consent. 

 

1.8 When enabling functions in the app 

When you use Vipps you can consent to following features in the app: 
  • Profile picture (to add a profile picture that other users can see) 
  • Chosen name for accounts and cards (to differentiate between your added accounts and cards)  
  • Blocked users (to avoid interaction with users that can no longer send you messages, requests, or transactions) 

 

Remember: You have the option to enable or disable these functions in the Vipps app.  

On what legal basis? 
Your consent. 

 

1.9 Order Management  

Why and how do we process your personal data?  When displaying receipt information connected to your purchases, we process the following information: 

 

  • Transaction data (date, time, merchant number and name, payment source, receiving account, amount, product/service, text/messages)
  • Receipt information (line items, amount, if relevant shipping price, tips and discount) 

 

On what legal basis? 

The contract we have with you. See Vipps’ Terms and Conditions for Private Users. 

Remember: You can decide if you want to have receipt shown in your app or not. You can do that under your settings in your profile "Show digital receipts in Vipps".

 

2. Across Vipps services 

Some processing may not be specifically linked to a single product. Further details on this can be found below. 

 

2.1 For legal and regulatory reasons  

Why and how do we process your personal data? 


Since Norway is the host country from the which the services are offered to Sweden, as cross-border services without a branch, as a general rule all Norwegian laws and regulations apply.

To fulfil our obligations according to laws and regulations, Vipps are obliged to process some personal data, including the following:

 

  • To comply with bookkeeping regulations (accounting material, which may also contain personal information, are processed, and stored in compliance with the regulations stipulated in the Bookkeeping Act)
  • To prevent and detect criminal activities (Vipps are obliged to process some personal information for the purpose of preventing, detecting, investigating, and handling fraud and other criminal activities. This includes the duty to examine and report suspicious activities and transactions under the Anti-Money Laundering Act. In addition, Vipps obtains information from various registers to fulfil legal requirements, including politically exposed persons and sanctions)
  • Disclosure of personal information to public authorities (Vipps are obliged to disclose personal information when there is a court order, law enforcement request or otherwise to fulfil legal requirements, such as The Criminal Act, or acts related to statistics or taxation) 
  • Security monitoring (to detect and prevent suspicious activities and security incidents, Vipps processes personal information when logging and monitoring our services. Ensuring information security is, among other things, anchored in the Personal Data Act (persondataloven) and ICT Regulation)

 

On what legal basis? 
Our legal obligation.  

2.2 For customer follow up  

Why and how do we process your personal data? 


Vipps processes personal data to assist you in case of any inquires, challenges or concerns related to our products or services, including but not limited to: 

 

  • Information about you (name, phone number, e-mail, registered address, and personal identity number) 
  • Information about your issue 
  • Information about the customer relationship (which products and services you use, the duration of usage, etc.)

 

Depending on the inquiry, it may also include: 

 

  • Transaction data (name and phone number of sender and recipients, amount, transaction ID, masked card information, payment account, receiving account and attached payment text/message) 
  • Account and card details (bank account number, masked debit or credit card number and expiry date) 
  • Usage data (views in the app, time and clicks in our surfaces, searches, logins and logouts) 
  • Technical data (internal ID’s, IP address, operating system, mobile device, browser, settings in app, log of technical events, etc.) 

 

On what legal basis? 

The contract we have with you. See Vipps’ Terms and Conditions for Private Users.

Recording of phone calls with customer service
Vipps processes personal data when we record phone calls for quality assurance and training of our employees. We only do this if you consent to it. The recording will include all personal data that is in your conversation with customer service. 

The recording will be kept for 30 days. If a recording is relevant in a legal dispute or a security incident, it may be kept for a longer period based on another legal basis.

Remember: You can always withdraw your consent by sending an email to privacy@vippsmobilepay.com. In that case, the recording will be permanently deleted.

On what legal basis? 
Your consent.

2.3 For marketing activities 


Basic customized marketing on our platforms

Vipps carries out basic segmentation to adapt marketing in our app or websites to you and to ensure that end users under 18 are excluded from our marketing activities. For this, we use the following personal data:

 

  • Age group range 
  • Geographic area
  • Activity level

 

On what legal basis? 
Our legitimate interest.

Advanced customized marketing on our platforms
If you consent, we adapt marketing in the app or websites to ensure that the content is as relevant to you as possible. We base our marketing activities on customer analysis and the information we have about you:

 

  • Contact details
  • Which services you use
  • Usage data (pages visited, time and clicks on our platforms, search history, logins and logouts)
  • Bank account and payment card information
  • Transaction data (when and where you shop, but not what you buy and the amount)

 

On what legal basis? 
Your consent.

Marketing via e-mail or SMS
If you consent, we may send you suggestions and offers via e-mail or SMS. For this, we process:

 

  • Information about you (name, telephone number, e-mail)

 

On what legal basis? 
Your consent.

Remember:  An overview of your consents to marketing activities is available in the app under Profile > Settings. You can withdraw your consent at any time.

 

2.4 To test and develop our products, services and for statistical purposes 

 

Internal development of our services and testing 
Vipps process personal data for service development, maintenance and to improve customer experience. To do this, we analyze how our products and services are used. For this type of processing, we do not identify the end users, but use aggregated, pseudonymized or anonymized data. The following information may be processed to generate such analyses: 

 

  • Demographic data (age, gender, geographic area) 
  • Which Vipps services/products you use 
  • Technical data (customer ID, cookies, user agent, etc.) 
  • Usage data (views in the app, time and clicks in our platforms, search history, logins, and logouts) 
  • Aggregated or pseudonymized transaction data 
  • Profile information (number of payment cards and bank accounts) 
  • Usage of accessibility features

 

On what legal basis? 
Our legitimate interest. 

Statistics
We further process this information to develop user surveys, user analyses, market analyses, and reports based on usage patterns and demographics. We use statistical data to group users into similar usage patterns and this helps us understand how our services are used. The results cannot be linked back to you as we use aggregated data for this purpose unless you give your consent. In some situations, we forward the results of the analyses to merchants that use Vipps. This information cannot be linked back to you.

On what legal basis? 
Our legitimate interest.  

Sharing statistics with public authorities 
Vipps shares aggregated statistics with certain partners, such as banks and Statistics Norway.

 

On what legal basis? 
Our legitimate interest. The legal basis for Statistics Norway is legal obligation. 

 

2.5 Statistical, scientific, and historical research purposes

Vipps or third parties may process data in a compatible manner for statistical, scientific, and historical research purposes. This includes research projects or similar activities, and may involve the anonymization of personal data 

 

On what legal basis?  
Our legitimate interest

 

2.6 Use of Data Processors  

Vipps uses several suppliers who process personal data on our behalf (“Data Processors”). In these cases, Vipps enters into a Data Processing Agreement with the supplier to ensure that the processing is carried out in accordance with GDPR. Relevant data processors we use are: 

 

  • Cloud service providers (Microsoft Azure, Salesforce, Splunk, Mixpanel, Slack, Puzzel, Signant, Link Mobility, Twilio Sendgrid, Jobylon)
  • Software providers (Microsoft 365) 
  • Service providers (Nets, TietoEvry, DNB, Danske Bank, Adyen) 
  • Consulting firms
  • Banks

 

When we transfer personal data outside the European Union (EU) or the European Economic Area (EEA) 
In some cases, Vipps may transfer personal data to Data Processors in countries outside the EU/EEA. Such transfers can only be made if the Data Processor has provided assurance that your privacy and rights are protected. This may be a transfer basis approved by the European Commission e.g., to an approved country, through Standard Contractual Clauses, or through valid Binding Corporate Rules. In special situations, another valid transfer basis, such as agreement or consent, may be used if the level of protection corresponds to the level in the EU/EEA.

 

2.7 Security of personal data  

Information security is fundamental in delivering safe and simple solutions. Through effective security measures and processes, Vipps ensure that your personal data is protected against unauthorized access and alterations and is available when needed. For this, we have implemented measures such as: 

 

  • Identity and Access Management 
  • Secure Software Development and Security Testing
  • Encryption
  • Network Security
  • Security Monitoring and Incident Management 
  • Safety training and knowledge sharing among employees 
  • Security requirements and follow-up of Data Processors and suppliers

 

Security measures are implemented, monitored, and continuously improved based on a risk-based approach to ensure that personal data is adequately protected over time.

 

2.8 Retention of your information  

Personal data will not be stored for longer than necessary and according to the following rules: 

  • The main rule is that we store personal data for as long as you have an active customer relationship. 
  • When you terminate your customer relationship, certain information will be stored by Vipps for another 5 or 10 years in accordance with Norwegian Anti Money Laundering Act or Accounting Act. 
  • Personal data that we process based upon your consent will be deleted when you withdraw your consent unless there is another legal basis for further processing.

 

3. Your rights 

If you wish to exercise your rights, you can send your request to our Data Protection Officer or to our Privacy Team at privacy@vippsmobilepay.com.

3.1 Right to access  

You have the right to access the information stored about you. Remember that you can find most of this information about you in your profile and in your activity list in the Vipps app. 

3.2 Right to rectification  

You have the right to demand that incorrect information about you be corrected. You can change your e-mail, address, picture, account, and card information in the app. In other cases, you can send us an e-mail.

3.3 Right to be forgotten  

You have the right to demand to delete information about you if Vipps does not have a legal basis for processing or storing it further.  

3.4 Right to withdraw your consent  

You may withdraw your consents at any time.  

 

  • If you have shared your information in Vipps with companies, you can withdraw the consent by following: under Profile > Personal information > Companies with access and Browsers that remember you
  • Marketing: under Profile > Settings 
  • Settings on your phone: under the settings on your phone 
  • Settings in the app: e.g. under Profile > Settings or Profile > Accounts and cards 

 

3.5 Right to information  

You have the right to be informed about how we process your personal data. We do this in this Privacy Notice, in our Terms and Conditions, and when obtaining consent. 

3.6 Right to protest

If we process information about you based on our legitimate interest, you have the right to object to our processing of information about you. This can be for example for analysis purposes or for compiling personal data across our services.

3.7 Right to restriction

In special situations, you have the right to request a restriction of the processing of personal data. 

3.8 Right to data portability  

You have the right to have your data transferred in a machine-readable format to a new Data Controller. 

3.9 Right to complain 

You have the right to complain to the Norwegian Data Protection Authority at P.O. Box 458 Sentrum NO-0105 Oslo or to a Data Protection Authority near you.  

Changes in this Privacy Notice 

Vipps continuously works to improve and develop our services. We will change information in this Privacy Notice, some might refer to it as a Privacy Policy, in the event of any changes in the law, the services we provide or in our own personal data processing practices. If Vipps makes major changes that may affect your privacy or rights, you will be notified in the app or by email.

 

Version 1.1 Updated 24.09.2024.