Privacy policy (en)

This Privacy Policy (“Privacy Policy”) provides information about the processing of personal data in connection with Izy (hereinafter referred to as the “Service”). The Service is a tool designed to facilitate communication and services for employees and others present in modern workplaces/buildings. We act solely as an intermediary for the products and services made available through the Service and are not responsible for the services or products you may order from third parties via the Service.

The Service is provided by Izy AS (organization number 922 177 775), (hereinafter “Izy” or “we”). When you purchase and use the Service, we will collect, use, and process certain personal data about you. Izy takes your privacy seriously and processes your personal data in a secure and confidential manner.

Izy is the data controller for the processing of your personal data when you use our Service, in accordance with this Privacy Policy. This means that Izy determines the purposes of and means for the processing of personal data and is responsible for ensuring compliance with applicable data protection legislation. This Privacy Policy describes which personal data we process in our capacity as data controller, how we process such data, for what purposes and on what legal basis. It also outlines your rights and how you may exercise those rights with respect to our processing of your personal data. If you have any questions regarding this Privacy Policy, please do not hesitate to contact us.

In addition to the processing for which Izy is directly responsible, we also process certain personal data as a data processor on behalf of property owners, employers, or other data controllers when such parties make our services available to employees and other users. This applies, for example, when we receive and process information from an employer, property owner, or third-party service providers operating within the building, and process personal data for their purposes. Such processing, in which we act as a data processor, is always carried out in accordance with documented instructions as defined in a data processing agreement. Details of this processing are described in the respective privacy policies of the data controllers concerned.

All processing of personal data within the Service is conducted in accordance with applicable data protection laws and regulations, including the Norwegian Personal Data Act and the General Data Protection Regulation (GDPR). Terms used in this Privacy Policy shall be interpreted in accordance with the definitions set out in Article 4 of the GDPR.

For more information about the Service, please refer to the “Terms of Use” available here.

Purpose, Legal Basis and Personal Data Processed

Purpose of Processing

The purpose of processing your personal data is to make the Service and its functionalities available to you, and to support communication, administration, and service provision between the data controller and you as a registered user. This includes processing necessary for the following purposes:

Access to building-related information: To provide you with up-to-date information about the building and its facilities‍
Notifications and offers: To send you relevant notifications and offers related to the Service.‍
Resource booking: To enable booking of meeting rooms and other shared resources.‍
Ordering and purchases: To manage the ordering and purchasing of products and services from third parties, including on behalf of the data controller (e.g., through invoicing).‍
Activity overview: To provide you with an overview of your own activities within the Service.‍
Digital access cards: To facilitate access and use of digital access cards.‍
Visitor registration: To manage visitor registration and temporary access to the building.

In connection with these purposes, certain personal data may also be shared with data controller third parties that IZY collaborates with and that offer products or services via the Service. No personal data is processed or shared when the app associated with the Service is not in use.

Additional Purpose within IZY’s Service Portfolio

Depending on which functionalities of the Service you choose to use, personal data may also be processed for the following purposes:

Analytics and optimization: Analysis of historical data to provide predictive insights aimed at optimizing resource use and improving operational efficiency.
Automated payments: In certain canteens and kiosks, artificial intelligence and image recognition (of items) are used to identify products, calculate prices, and execute payment transactions automatically. The data controller may also extract purchase information to administer discounts and analyze purchasing patterns. Please note that invoicing information is not processed in this context.
Digital identifiers (such as QR codes): May be used to confirm affiliation and provide access to the Service, including the administration of benefits and discounts.
Access control and visitor management: To ensure secure physical access and smooth visitor handling, data such as name, email address, phone number, company name, host, and check-in time may be processed.
Digital access cards: To enable secure and user-friendly access, we may use your phone number as an identifier when issuing digital access cards. Before it is shared, the phone number is converted into a unique code that is transferred to the entity operating the access control system (such as the building owner or an external service provider). The code is used solely to ensure that the correct access is assigned to the correct user.

‍
Legal Basis for Processing‍

The legal basis for processing personal data in order to deliver the services you request through the Service is as follows:

GDPR Article 6(1)(a) – Consent: By accepting the Terms of Use, you consent to the processing necessary to fulfil the agreement with you.
GDPR Article 6(1)(b) – Contract: The processing is carried out solely on behalf of the data controller and in accordance with its documented instructions.

Additionally, we may compile aggregated and/or anonymised datasets for the purpose of analysing, improving, and further developing the Service. The legal basis for this processing is:

GDPR Article 6(1)(f) – Legitimate Interests: Our legitimate interest lies in improving and further developing our services for your benefit. We have assessed that the limited processing of personal data involved, and the benefits achieved, outweigh any potential disadvantages for you as a user.

In certain cases, we will also process your personal data based on our legitimate interest in delivering the Service and its functionalities to you in a secure and efficient manner. This includes the handling of errors or vulnerabilities and the prevention of misuse. The legal basis for such processing is:

GDPR Article 6(1)(f) – Legitimate Interests: Our legitimate interest is to ensure the functionality and security of the Service. We have assessed that the limited processing of personal data involved, and the benefits achieved, outweigh any potential disadvantages for you as a use.

Personal Data Processed
The following categories of personal data may be collected and processed when you use the Service:

Contact information: Name, email address, phone number, employer, and department at your workplace.
Purchase and order history: Information related to any products or services you order through the Service
Preferences: User-defined preferences such as favorite items (e.g., preferred food).
Feedback: Feedback submitted through the Service.
Location data: GPS data associated with the building in which you use the Service, if such functionality is enabled. You will be notified on your device when this is activated, and you may later deactivate it; however, certain features may then become unavailable.
Product interaction and diagnostic data: Operating system, device model, screen resolution, app version, network type (cellular/wifi), device orientation (portrait/landscape), timestamps of usage, IP address, browser type and version, visited web pages, time spent on pages, unique device identifiers, and technical logs.

In addition, cookies are used. Information about our use of cookies, as well as the applicable cookie policy, is available in the document titled ‘Cookie Policy’, which can be accessed through the menu in the Izy app. It also provides the opportunity to manage and adjust your consent to the use of cookies in accordance with your preferences.

Personal data will be deleted as soon as it is no longer necessary for the purposes outlined above. This means that contact details are processed as long as you actively use the Service and until you delete your user profile, if applicable. Data related to product interaction and diagnostics will be anonymised and then deleted after anonymisation has been completed, and in any case no later than 90 days. Data related to security incidents will be deleted once the incident has been resolved.

Sharing and Transfer of Personal Data
If paid products and/or services are offered through the Service, third-party payment processors may be used. All payment-related information is handled directly by the third party. IZY does not collect or store your payment card information. Such information is provided by you directly to the third-party payment providers, and IZY is not responsible for how these providers process your data. These payment providers act as independent data controllers, such as Vipps and STRIPE. They are responsible for complying with standards established by PCI-DSS, which are designed to ensure the secure handling of payment information.

Other payment processors may include:

Apple Store In-App Payments – see their privacy policy at: https://www.apple.com/legal/privacy/en-ww/
Google Play In-App Payments – see their privacy policy at: https://www.google.com/policies/privacy/

To deliver the Service to you, we use certain subcontractors, such as those who provide the platform that supports the Service. We have entered into data processing agreements with all suppliers who have access to personal data. These suppliers act in accordance with our instructions as set out in data processing agreements. They are not permitted to process personal data for their own purposes and are contractually obligated to carry out all processing in accordance with applicable data protection legislation. The agreements also ensure that all storage and processing of personal data takes place within the European Economic Area (EEA).

For additional information about our sub-processors, please click here.

Links to external websites outside the Service are beyond our control. You are advised to review the privacy policies applicable to those websites.

Data Security
We implement all required technical and organizational measures to safeguard your personal data. In order to ensure the confidentiality, integrity, and availability of personal data, we have implemented, among other things, the following measures:

Encryption of data at rest and in transit (AES-256 and TLS 1.2+).
Logging and monitoring of system access, with regular review of security logs.
Access control based on the principle of least privilege and role-based access rights.
Daily data backups, including offline archives and quarterly recovery testing.
Annual training of employees in data protection and information security
Monthly vulnerability scans and immediate remediation of critical findings.

We regularly assess the security of all core systems associated with the Service. The data processing agreements we have entered into with our subcontractors require them to maintain adequate levels of information security.
If you have questions about the security of the processing, you may contact us by email at info@izy.no

Your Rights
As a user of the Service, you are entitled under applicable data protection legislation to exercise the following rights by contacting us:

Withdraw Your Consent

Any consent you have given in relation to the Service may be withdrawn at any time. Please note that withdrawing consent does not necessarily mean that data already transferred can be deleted.

Request Access and Data Portability

You have the right to access the personal data registered about you in the Service and to receive a copy of such data. Where legally and technically feasible, you may also request that the data be transferred directly to a new service provider.

‍Request Rectification, Erasure, or Restriction of Processing

You may contact us to have inaccurate information about you corrected, or to request the deletion of personal data. Please note that you may also correct or delete certain information yourself. You may also request that we restrict the processing of specific data. IZY will, to the extent possible, comply with requests for deletion or restriction. However, we may not be able to fulfill such requests if there are overriding legal or statutory obligations that require us to retain the data, for instance for documentation or reporting purposes.

Object to Processing

You have the right to object to the processing of personal data based on a legitimate interest. If you can demonstrate compelling grounds relating to your particular situation, we will cease processing unless we have overriding legitimate reasons to continue the processing.

If necessary, we may ask you to confirm your identity or provide additional information in connection with the exercise of your rights under data protection regulations. This is to ensure that access to your personal data is granted only to you and not to anyone falsely claiming to be you.

If you disagree with how IZY processes your personal data, we encourage you to contact us at info@izy.no

Right to Lodge a Complaint with a Supervisory Authority
If you believe that the described processing of your personal data is not in compliance with applicable data protection legislation, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet). You can find information about your rights and how to contact Datatilsynet on their website: www.datatilsynet.no.

Changes
If there are changes to the way we process personal data, or if applicable data protection laws are amended, this may result in changes to the information provided in this Privacy Policy. You will be notified by email and/or a prominent notice will be displayed in the Service at least 14 days before any such changes take effect. The most recent version of this Privacy Policy will always be available in the mobile application.

‍