This privacy policy (the “Privacy Policy”) sets out information regarding the processing of personal data in connection with Izy (hereinafter referred to as the “Service”). The Service is a tool for communication and service delivery to employees and other persons present at modern workplaces and buildings. We act solely as an intermediary for products and services offered through the Service and bear no responsibility for the services or products you order from other parties through the Service.
The Service is provided by Izy AS (organisation number 922 177 775) (hereinafter “Izy” or “we”). When you purchase and use the Service, we process certain of your personal data. Izy takes your privacy seriously and processes your personal data in a secure and confidential manner.
Izy is the data controller for the processing of your personal data when you use our Service, in accordance with this Privacy Policy. This means that Izy is responsible for determining the purposes of the processing of personal data and for complying with applicable data protection legislation. This Privacy Policy explains which personal data we process as a data controller, how we process them, for which purposes, and on what legal basis. The Privacy Policy also explains your rights and how you may exercise those rights in respect of our processing of your personal data. Should you have any questions regarding this Privacy Policy, please do not hesitate to contact us using the contact information provided at the end of this Privacy Policy.
In addition to the processing for which Izy itself is responsible, we also process certain personal data as a data processor on behalf of building owners, employers, or other data controllers when such parties make our services available to employees and other users. This applies, for example, when we receive and process data from an employer, building owner, or third parties that supply products and services within the building, and process personal data for their purposes. Such processing, in which we act as a data processor, is always carried out in accordance with documented instructions set out in a data processing agreement. Details of such processing are further described in the respective data controllers’ own privacy policies.
All processing of personal data within the Service is carried out in accordance with applicable data protection rules, including the Norwegian Personal Data Act and the General Data Protection Regulation (GDPR). Terms used in this Privacy Policy shall be interpreted in the same manner as the corresponding terms in Article 4 of the GDPR.
For further information about the Service, please refer to the “Terms of Use” by clicking here.
The purpose of processing your personal data is to make the Service and its functionality available to you, and to support communication, administration, and service delivery between the data controller and you as a user. This applies to both registered users and guest users, cf. the separate section below.
In connection with the foregoing, certain personal data may also be shared with third-party data controllers with whom Izy collaborates and who offer products or services within the Service. When the application associated with the Service is not in use, personal data are, as a general rule, neither processed nor shared.
Depending on which functionalities of the Service you choose to utilise, personal data may also be processed for the following purposes:
The legal basis for the processing of personal data in order to deliver what you request through the Service is:
Where Izy processes personal data on behalf of building owners, employers, or other data controllers, this is carried out as a data processor in accordance with the data controller’s documented instructions, pursuant to a data processing agreement.
In certain cases, we also process personal data on the basis of our legitimate interest in providing the Service and its functionality in a secure and appropriate manner. The legal basis for this purpose is:
In certain cases, we also process device IDs linked to guest users where this is necessary in order to deliver a receipt following a completed payment. The legal basis for this is Article 6(1)(f) of the GDPR. Our legitimate interest is to deliver and follow up the receipt function in a secure and well-functioning manner. We have assessed that the limited processing of personal data that this entails, and the benefits sought to be achieved, outweigh any disadvantages to the individual user.
Guest users are persons who make purchases in the Izy App without a registered user account. In order to send a receipt following a completed payment, Izy processes a unique device ID linked to the device in question. The processing is based on Izy’s legitimate interest in being able to send a receipt to the purchaser, pursuant to Article 6(1)(f) of the GDPR. Izy has assessed that this interest outweighs the limited privacy disadvantages the processing entails. In making this assessment, particular regard has been given to the limited scope of the processing and its clearly defined purpose. The data is retained for as long as is necessary for the relevant purpose. Retention periods are assessed and determined in accordance with applicable data protection requirements and Izy’s internal guidelines.
Guest users have the same rights as other data subjects under data protection legislation. Please refer to the section “Your Rights” or contact us at info@izy.no.
The following personal data may be collected and processed in connection with your use of the Service:
In addition, cookies are used. Information about our use of cookies, together with the applicable cookie guidelines, is available in the document “Cookie Policy”, which can be found via the menu in the Izy App. There you will also have the opportunity to manage and amend your consent to the use of cookies in accordance with your preferences.
Personal data shall be deleted as soon as there is no longer a need for the data in accordance with the purposes set out above. This means that contact information is processed for as long as you use the Service and until you delete your user profile. Upon confirmed deletion of the user account, all personal data associated with the account shall be deleted within 30 days. Data relating to product interaction and diagnostics shall be anonymised within 90 days or deleted where anonymisation is not necessary. Data relating to security and incidents shall be deleted as soon as the incident has been resolved.
Where paid products and/or services are delivered through the Service, third-party services may be used for payment processing, with all information handled directly by the third party. Izy does not store or collect your payment card details. You provide this information directly to the third-party payment provider, and Izy bears no responsibility for the payment providers’ processing. Such payment partners are independent data controllers, for example Vipps and Stripe. These payment providers are responsible for compliance with standards established by PCI-DSS. PCI-DSS requirements contribute to ensuring the secure handling of payment information.
Other payment providers may include:
In order to deliver the Service to you, we engage certain sub-processors, for example those providing the platform that supports the Service. We have entered into data processing agreements with all our suppliers that have access to personal data. These suppliers act in accordance with our instructions as set out in data processing agreements. The suppliers are not permitted to process personal data for their own purposes and undertake to carry out all processing in accordance with applicable data protection legislation and the data processing agreement entered into with us. The agreements are intended, inter alia, to ensure that all storage and processing of personal data takes place within the EEA.
Further information about our sub-processors can be found here.
Links to other websites outside the Service are beyond our control. In such cases, you should review the privacy information on the relevant website.
We employ all requisite technical and organisational measures to safeguard your personal data. To ensure the confidentiality, integrity, and availability of personal data, we implement, inter alia, the following measures:
We carry out regular assessments of the security of all key systems associated with the Service. The data processing agreements entered into with sub-processors require the suppliers to maintain satisfactory information security.
Should you have any questions regarding the security of processing, you may contact us by sending an email to info@izy.no.
As a user of the Service, the legislation affords you certain rights which you may exercise by contacting us:
Where necessary, we may ask you to verify your identity or to provide additional information in connection with the exercise of your rights under data protection legislation. This is done to ensure that only you are granted access to your personal data, and not any person purporting to be you.
Should you disagree with the manner in which Izy processes your personal data, we ask that you contact us by email at info@izy.no.
If you consider that the processing of personal data described herein is not in accordance with data protection legislation, you may lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet). Information about your rights and how to contact the Data Protection Authority can be found on its website: www.datatilsynet.no.
Should changes occur in the processing of personal data or in the applicable data protection legislation, this may result in amendments to the information provided herein. You will be notified by email and/or we shall publish a prominent notice within the Service 14 days before any amendment takes effect. Updated information shall at all times be available in the mobile application.