Version 1.6 - 29.09.17

1. Your Vipps agreement with Vipps

The Vipps Privacy Protection Policy is part of the terms and conditions for the use of Vipps and thus part of the Agreement between you as a Vipps user and Vipps AS («Vipps»).

2. Purpose of processing personal data

Vipps processes your personal data in accordance with the Norwegian Personal Data Act and Vipps’ concession from the Norwegian Data Protection Authority. The main purpose of Vipps’ processing of personal data when you use Vipps is to fulfil the obligations undertaken by Vipps in order to implement the Agreement. In Vipps, personal information is also processed, among other things, for the following purposes:

• Customer relationship management and marketing
• Further development and improvement of Vipps
• Prevention and identification of criminal acts

In addition, Vipps will process personal data as prescribed or provided by law or to the degree you have consented to such processing.

3. Accesses in Vipps

In order to ensure effective Vipps functionality, Vipps requests various accesses to your mobile phone. These accesses apply to:

• Location – enabling you to find merchants close to where you are. In order for your phone to be able to connect via Bluetooth to a point of sale terminal from locked screen, the Vipps application needs access to your phone’s location services even when the app is running in the background Vipps does not store information about your location. You can turn off Vipps’ access to location service in your phone’s settings, however please be aware that in-store payment or the function to find merchants nearby will not work
• List of contacts – enabling you to ask for money from or send money to your friends
• Photos and camera – enabling you to take and upload your profile picture
• Background updates – enabling Vipps to run in the background to check the status of payments you have made as well as incoming payments
• Mobile data – enabling you to use Vipps when you are not connected to a wireless network
• Notifications – enabling Vipps to send messages to your mobile phone
• Telephone status and ID – enabling the storing of a mobile identification number
• Changing/deleting SD card content (Android) – enabling you to upload your profile picture
• Bluetooth – in order to connect your phone to point of sale terminals, you need to activate Bluetooth on your phone

Please note that if you use the Android Lollipop operating system, you cannot upgrade to version 1.5 of Vipps without consenting to Vipps being given access to locations when being installed. If you would not like Vipps to have access to locations, you can turn this option off under Settings in Vipps as soon as the application has been upgraded and you have logged in.

4. Information stored by Vipps

Vipps stores information which is provided by yourself in Vipps when you register and which is generated when you use the service. Vipps stores the following data:

• Your name, telephone number, address and e-mail address (is not stored on your mobile phone)
• For administering your customer relationship in Vipps. Your address is also used for marketing purposes and to enable you to quickly fill in your delivery address on websites where you can pay using Vipps. You can use Vipps without specifying your address.
• Card data linked to your Source of Funds (is not stored on your mobile phone)
• For making payments
• Your national identity number (is not stored on your mobile phone)
• For identification and security purposes and for administering your customer relationship in Vipps
• Your account information (is not stored on your mobile phone)
• For making payments
• Your PIN code (is not stored on your mobile phone)
• For protecting Vipps against misuse
• The mobile device used and its operating system
• For security purposes
• Your mobile identification number, which is created when you establish a Vipps profile (is not stored on your mobile phone)
• A security measure enabling identification of your mobile phone
• Messages you and the recipient send to each other
• Transaction history and generated screenshots

5. Collection of data from public records

Vipps will collect data about you from public records to the extent that this is required for the fulfilment of our obligations towards you under this Agreement or obligations prescribed by law.

6. Disclosure of personal data

Information that can be linked to you personally will not be shared with others unless it is stipulated in this Agreement or founded on the law, or if you have specifically agreed thereto. In accordance with the Agreement, Vipps will, as an example, send some information about you to the recipients of your payments. See more about this in item 5.1 in the Vipps terms and conditions.

When you establish a Vipps profile, other Vipps users can search for you in the solution by means of your telephone number. Vipps can also inform issuers of Vipps Invoice that you have activated this function, so that these issuers can send you invoices in Vipps.

Vipps can share your personal data with sub-suppliers who process personal data on behalf of Vipps (processors). The transfer of personal data to such processors is in accordance with processor agreements which, among other things, prevent the processors from using the data for other purposes. The transfer of personal data to Vipps’ processors is not deemed to be disclosure.

7 . Customer relationship management and marketing

Vipps will inform you about products within the payment service category. In addition, Vipps will give you information about product categories other than payment services through electronic marketing if you have given your consent. This implies that Vipps may send you useful information and offers for products and services electronically in the Vipps app, to your mobile phone number or your stated e-mail address. Consent in accordance with this provision encompasses electronic marketing of all types of products and services, not only products you have previously consented to. You may withdraw your consent at any time by contacting Vipps.

8. Prevention and identification of criminal acts

Vipps will process personal data with the purpose to prevent, identify, solve and deal with criminal fraud and other criminal acts. Information will be obtained from and handed over to other banks and financial institutions, the Banks’ Misuse Register (common misuse register of own and other accounts and payment instruments), the police and other public authorities. Data can be stored up to ten years from registration. Vipps will process personal data to fulfil the investigation and reporting duty for suspicious transactions in accordance with the Money Laundering Act. The bank is obliged to report suspicious information and transactions to the Financial Intelligence Unit at the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime. In accordance with Section 23, first subsection litra b) and litra f) of the Personal Data Act, you do not have the right to access to the information the bank has registered for these purposes.

9. Right of access, rectification and deletion

You may get right of access to the data Vipps has registered about you by sending a written and signed request to Vipps. Please contact Vipps to rectify information about you which is inaccurate. Personal data will not be stored longer than necessary to carry out the purpose of the processing. Thereafter, the data will be deleted or anonymised, unless the information will or can be stored beyond the statutory time period. This also applies if you delete your Vipps profile. Information about your transactions will be stored by Vipps as long as this is required by law.

10. Securing personal data

Personal data collected by Vipps shall be stored and processed in a safe and secure manner. The bank has established and documented procedures and measures to ensure satisfactory data security with regard to confidentiality, integrity and accessibility in accordance with Section 13 of the Personal Data Act.

11. Amendments

Vipps can make amendments to this privacy protection policy to comply with statutory requirements and the bank’s own procedures for collecting and processing data. If significant amendments are made, you will have to approve the terms and conditions again.

12. Controller

Vipps acts as controller for the handling of personal data as outlined in this privacy protection policy. If you have any questions concerning the Vipps privacy protection policy, please do not hesitate to contact Vipps on www.vipps.no, or call +47 22 48 28 00.