1. General

As the developer of the ReceiptHero receipt ecosystem ("ReceiptHero"), we take due care in the processing of personal data.

We process personal data in accordance with personal data legislation in force in Finland. We require the same from our partners ("Partners"), such as merchants providing electronic receipts ("Merchants") and application developers who process electronic receipts ("Application Developers", in relation to their applications "Partner Applications"). A list of our Partners is available at ReceiptHero's website (https://getreceipthero.com/).

ReceiptHero can be used by both private consumers (“Consumers”) and corporate customers and their representatives (“Business Customers”) by registering with us via our website or by concluding a separate contract with us. Each Business Customer and Consumer (hereinafter also referred to as “End User”) has a contractual relationship with ReceiptHero.

Additionally, an Application Developer may request ReceiptHero to process also electronic receipts and other data that concern Application Developer's customers (“Application Developer's Customers”) who have no contractual relationship with us. For more detailed information about this, please see Application Developer's own service channels.

The purpose of this Privacy Notice is to describe in an open and compiled manner how personal data is processed in connection with ReceiptHero. This Privacy Notice was published on 1 May 2017 and may be updated in accordance with ReceiptHero's terms and conditions. The latest update was made on 22.4.2020.

2. What is ReceiptHero and how does it work?

ReceiptHero enables the provision and transmission of electronic receipts between different entities. ReceiptHero's aim is to decrease the amount of paper receipts and to enable business based on electronic receipts. ReceiptHero enables, in particular, the following:

  1. Merchant may provide electronic receipts to be forwarded by us to our End Users and Application Developer's Customers in accordance with this Privacy Notice and our terms and conditions.
  2. Application Developer may provide viewing and inspection services for electronic receipts transmitted by us and provide value-added services based on electronic receipts, such as forwarding of receipts directly to an accounting software.
  3. Merchants and Application Developers may add to electronic receipts or otherwise send various marketing messages with our assistance to be displayed to End Users in accordance with the marketing legislation applicable from time to time. If agreed with the Application Developer, the said marketing messages may also be added to the electronic receipts of Application Developer's Customers.
  4. ReceiptHero may provide the Merchant with anonymous statistical information about End Users who have transacted with the Merchant in question, but always in such a format that it is not possible to identify individual End Users. If so agreed with the Application Developer, the said information may also be generated from the receipts of Application Developer's Customers.

ReceiptHero's operation is based on the fact that, by means of payment card information or another personal identifier (e.g. email address), we can (i) reliably identify the electronic receipts of our End Users or Application Developer's Customers from the other electronic receipts provided by Merchants using ReceiptHero, (ii) store said receipts in our service, accessible to our End Users at our website, and (iii) transmit the electronic receipts onwards in the manner agreed with the End User, or with the Application Developer as regards the receipts of Application Developer's Customers, unless the Merchant who produced the receipt has explicitly prohibited the transmission of its receipts to certain Partner Applications. Our End Users will see their electronic receipts transmitted by us in our service, accessible to our End Users at our website, as well as in certain Partner Applications.

Due to the nature of ReceiptHero's operations, we process large amounts of electronic receipts as well as payment card and other personal data. If an electronic receipt provided to us by a Merchant does not concern our End Users or Application Developer's Customers (hereinafter the “Merchant's Other Customers”), we will permanently delete the said receipt within five (5) business days after having received it without further processing. The receipts that concern our End Users are processed by us in accordance with our terms and conditions and this Privacy Notice. The receipts of Application Developer's Customers are forwarded by us in a manner agreed with the Application Developer in question. We act as a data controller only with respect to our own End Users, whereas for data relating to Application Developer's Customers and the Merchant's Other Customers we act as a data processor.

Finally, please note that although the electronic receipts produced by the Merchants and the services offered by Application Developers that relate to electronic receipts are based on ReceiptHero's operations and the electronic receipts transmitted by us, the Merchants and Application Developers are companies independent from ReceiptHero and always responsible for the legality of their own activities. The Merchant is therefore always responsible for providing you with a receipt of your transaction, and the Application Developer is responsible for ensuring that its services are provided in accordance with the agreement between you and the Application Developer. We therefore recommend that you carefully read the terms and conditions of the Application Developer and the Merchant and their privacy notices.

3. What kind of data do we process and where does it come from?

In order to enable ReceiptHero's operations, we process the following information about our End Users: name, email address, contractual relationship information, log and other similar technical information regarding the use of the service, as well as payment card information. For our Partners and Business Customers, we may also process information that is necessary for invoicing and fulfilling our contractual obligations. This information is obtained from our End Users, Partners and Business Customers, as well as from the log data of our service.

For Application Developer's Customers, we process mainly the data that appears from the payment card of Application Developer's Customer, and that information we get directly from the Application Developer.

The personal identifiers (i.e. card ID/token) concerning the payment cards of our End Users or Application Developer's Customers we receive from a trusted payment service provider. The payment card identifier allows us to identify receipts of our End Users or the Application Developer's Customers.

With regard to purchase and payment transactions, we process for example the following information with regards to our End Users and Application Developer's Customers: the seller and its contact details, purchases with prices and taxes, date of receipt, filing identifier/reference of the receipt, payment card used in connection with the purchase, and other information normally shown on the receipt. We receive this information from Merchants using ReceiptHero and payment service providers.

4. For what purposes is the data used and what is the legal basis for processing?

As regards the End Users of ReceiptHero, we process the data to enable ReceiptHero's operations (see section 2 above), to fulfil our contractual obligations and to maintain contact with our End Users, Partners and Business Customers. This processing is based on an agreement. We do not process our End Users' data for profiling or automated decision making purposes.

We also process data to a certain extent for direct marketing purposes. The basis for the processing in this regard is our legitimate interest. For example, we may send customer communications to update our information, since our End Users must always have up-to-date information about Partners using ReceiptHero so that our End Users can affect the processing of their personal data (see section 7 below).

To the extent that direct marketing requires the express consent of End Users, we request the consent when the End User registers with ReceiptHero, and the consent can be cancelled at any time. Please note, however, that withdrawal of consent does not affect the lawfulness of processing prior to withdrawal and does not prevent us from sending to our End Users information or communications that are necessary to End Users of ReceiptHero.

We process Business Customers' and Partners' data also for billing purposes. In this case, the processing is based on ensuring compliance with legal obligations.

To the extent that we act as processors for the personal data of Application Developer's Customers, the purpose of processing is to enable operations of ReceiptHero and those of the Application Developer, and it is based on an agreement between the Application Developer and the Application Developer's Customer. To the extent that we process receipts of Merchant's Other Customers, the processing is based on compliance with the Merchants' legal obligations or legitimate interest. For more information about the processing of personal data of Application Developer's Customers and the Merchant's Other Customers, please contact the Application Developer or the Merchant in question.

5. To whom is your data transmitted or disclosed?

We transmit electronic receipts to our Partner Applications and, if our End Users so wish, to their personal communication tools (such as End User's email address or Facebook Messenger application). We will transmit the electronic receipts of our End Users to those Partner Applications in which our End Users have activated ReceiptHero with the payment card or other personal identifier (e.g. email address) which the End User also used in connection with the transaction in question. The electronic receipts of the Application Developer's Customers will be transmitted by us to the Partner Application or other applications to which the Application Developer has instructed us to forward the electronic receipts of the Application Developer's Customers.

In addition, we may provide payment card information to trusted payment service providers to enable ReceiptHero's operations. This allows us to identify and transmit electronic receipts of our End Users and Application Developer's Customers as described above. The processing of payment card information takes place in accordance with the PCI DSS standard.

We process personal data also by resorting to services of third parties. For example, we use third party customer information systems to manage and communicate with our End Users. Correspondingly, we utilize third party data storage services to store and back up the data we process. Therefore, these third parties have access to the personal data we process. The said third parties act as processors of personal data and are not allowed to use the data for their own purposes. We have entered into data processing agreements with third parties to ensure that personal data are processed in accordance with data protection legislation.

Some of our service providers operate outside the EU/EEA area. We use EU Commission Model Clauses or Privacy Shield mechanism, if personal data is processed outside the EU/EEA area. For more information in this regard, please contact us if necessary (see section 9 below for contact details).

6. How is your data protected?

We comply with normal physical and organisational safeguards when processing personal data, such as encryption and limited backup of the transmitted data, locked spaces and secure access management. In addition, we comply with the PCI DSS standard when processing payment card information. Further, in order to avoid unauthorised access, alteration and misuse of personal data, only those of our employees and representatives who need to process personal data in order to enable ReceiptHero's operations are authorized to do so.

7. How can data subjects affect the processing and what are the rights of data subjects?

Our End Users and Application Developer's Customers can affect the processing of their data through the ways in which they use ReceiptHero. For example, if an End User does not activate ReceiptHero in a specific Partner Application, the receipts or other information of the End User will not be transmitted to the said Partner Application. Similarly, if the End User or Application Developer's Customer does not use a payment card or other personal identifier (e.g. email address) that has been registered with ReceiptHero in connection with a particular transaction, no electronic receipt is produced from the said transaction.

However, End Users and Application Developer's Customers should note that if they use a payment card or other personal identifier (e.g. email address) registered with ReceiptHero when transacting with a Merchant that offers electronic receipts through ReceiptHero, an electronic receipt of the purchase in question will automatically be produced and transmitted in accordance with section 5 above.

Due to the above, we always inform our End Users when a new Merchant starts using ReceiptHero or when ReceiptHero may be activated in connection with a new Partner Application. This will allow our End Users to receive up-to-date information about which purchases can result in an electronic receipt generated by ReceiptHero and to which Partner Applications the receipts can be transmitted.

The Merchants and Application Developers using ReceiptHero have for their own part taken into account the operation principles and data processing practices of ReceiptHero. As mentioned above, the receipts of Merchant's Other Customers will be deleted within five (5) business days after we have received them, and the receipts and data of the Application Developer's Customer are processed by us only in a manner agreed with the Application Developer in question. The Merchants and Application Developers are responsible for their own part for providing adequate and timely information to their own customers.

Finally, we wish to emphasize that we guarantee the data subjects all their statutory rights. These include, in particular, the right to information, the right to have their data corrected and transferred, the right to be forgotten, and the right to refuse processing of personal data. However, there are certain exceptions to the right of the data subject to the deletion of his/her data. For example, we may not delete the data if processing is necessary to comply with a legal obligation. However, we will not process such personal data based on legitimate interest if the data subject objects to the processing of their data.

If a data subject wishes to exercise his/her rights under data protection legislation, he/she must contact us in writing in such a way that we can identify the data subject, or come to visit us personally. We may need to ask the data subject for further information in order to ensure that we have adequately identified the data subject. Our contact information can be found in section 9 below.

If the data subject believes we have processed personal data against the law, the data subject may lodge a complaint with the data protection authority (www.tietosuoja.fi).

8. Data storage and destruction

We will delete information of our End Users if the data subject has not used ReceiptHero in any way for 5 years. We monitor data usage at least once a year to determine the need for deletion. If it is necessary to retain personal data in order to fulfil legal obligations (e.g. accounting obligations), the retention period is 10 years or any other period expressly provided for by law. Instead of deleting we may also anonymize the data.

The above applies also to the data of Application Developer's Customers, which we will however always delete if so requested by the Application Developer or if our agreement with the Application Developer expires.

Data that concerns only the Merchant's Other Customers will be deleted by us within five (5) business days after we receive it.

9. Who should I contact for further details?

With regard to ReceiptHero's data protection matters you may contact us at any time by emailing (joel@receipthero.io).

If your question concerns a specific Partner or the services provided by them, we recommend that you contact the Partner in question directly.

ReceiptHero Ltd., Finnish Business ID: 2943241-3