Apr 22, 2020
As the developer of the ReceiptHero receipt ecosystem ("ReceiptHero Service"), we take due care of the processing of your personal data. This privacy notice will inform you as to how we collect, process and share your personal data for the purposes of the ReceiptHero Service.
The data controller for the personal data processing described in this privacy notice is:
Finlaysoninkatu 7, 33210 TAMPERE, Finland
Finnish Business ID: 2943241-3
If you have questions regarding this privacy notice, please contact us by email at [l]. If your question concerns a specific Merchant, Partner Application or Co-Operation Partner (as defined below) or the services provided by them, we recommend that you contact the said party directly.
We process personal data in accordance with personal data legislation in force in Finland, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the ‘GDPR’). We require the same from all our co-operation partners contributing to ReceiptHero Service, such as point-of-sale or cash register providers, payment service providers, payment card schemes, or from other trusted service providers operating within the payment networks (hereinafter "Co-Operation Partners"), merchants providing receipt information ("Merchants") and application developers who process electronic receipts ("Application Developers", in relation to their applications "Partner Applications"). Our Co-Operation Partners as well as Merchants and Partner Applications using the ReceiptHero Service are listed on ReceiptHero's website ([l]) and in the ReceiptHero Service.
The ReceiptHero Service can be used by both private consumers (“Consumers”) and corporate customers and their representatives/employees (jointly “Business Customers”). Each Business Customer and Consumer (hereinafter also referred to as “End User”) has a contractual relationship with ReceiptHero.
Additionally, Application Developers may request ReceiptHero to transmit electronic receipts and other data that concern Application Developer's customers who have no contractual relationship with us (“Application Developer's Customers”). Similarly, Merchants may request ReceiptHero to provide the Merchant with services concerning the purchases and receipts of those Merchant’s customers who have no contractual relationship with us (“Merchant’s Other Customers”). ReceiptHero does not act as a data controller in respect of Application Developer’s Customers or Merchant’s Other Customers. For more detailed information about these processing activities, please see Application Developer's and Merchant’s own service channels.
2. What is the ReceiptHero Service, what are our main use cases for electronic receipts and how does it work?
The ReceiptHero Service enables the provision and transmission of electronic receipts between different entities and value added services based on electronic receipts. ReceiptHero's aim is to decrease the amount of paper receipts and to enable business based on electronic receipts. The ReceiptHero Service enables, in particular, the following from the viewpoint of its customers:
- End Users (Consumers or Business Customers): Our End User may receive electronic receipts from our Merchants, inspect them at the ReceiptHero Service, and allow them to be forwarded to our Partner Applications for further processing. The electronic receipts provided to our End User may contain advertisements, feedback functions, loyalty elements, CO2 tracking and compensating, or other interactive or value added features or services. We may also send anonymous statistical information about our End User’s purchases back to the Merchant with whom the End User has transacted or to the Business Customer for whom the individual End User is working.
- Merchants: Our Merchants may offer electronic receipts through the ReceiptHero Service. Our Merchants may add advertisements, feedback functions, loyalty elements, or other interactive or value added features to their electronic receipts and receive anonymous statistical information from us about the purchases made at the Merchant as captured by the ReceiptHero Service. Also, our Merchants may prohibit the forwarding of their electronic receipts to certain Partner Applications and utilize the ReceiptHero Service to archive electronic receipts.
- Partner Applications/Application Developers: Our Partner Applications may receive electronic receipts of purchases made by our End Users and/or the Application Developer’s Customers. Based on the said electronic receipts, the Application Developer may offer its own services to our End Users and/or the Application Developer’s Customers. The receiving and processing of electronic receipts by our Partner Applications always takes place in accordance with the agreements between the parties in question. ReceiptHero transmits the End User’s electronic receipts only to such Partner Applications in which the End User has activated the ReceiptHero Service or to which the End User has otherwise instructed ReceiptHero to transmit his/her electronic receipts.
ReceiptHero's operation is based on the fact that, by means of payment card information or another personal identifier (e.g. email address), we can reliably identify the data subjects behind the electronic receipts and process the said electronic receipts as agreed with our customers.
Due to the nature of the ReceiptHero Service, we process large amounts of electronic receipts as well as payment card information and other personal data. The receipts that concern our End Users are processed by us in accordance with our terms and conditions and this privacy notice. The receipts of Application Developer's Customers or Merchant’s Other Customers are processed by us in a manner agreed with the Application Developer or the Merchant in question. We act as a data controller only with respect to our own End Users, whereas for Application Developer's Customers and the Merchant's Other Customers we act as a data processor.
Please note that Merchants and Application Developers are companies independent from ReceiptHero and are always responsible for the legality of their own activities. We therefore recommend that you carefully read the terms and conditions of the Application Developer and the Merchant, including their privacy notices.
3. What kind of data do we process and where does it come from?
In order to enable ReceiptHero's operations, we may process the following information about our End Users: name, email address, contractual relationship information, log and other similar technical information regarding the use of the service, as well as payment card information (including the card ID/token). We receive the above information directly from our End Users, from our Co-Operation Partners, or from the log data of our service.
For our Business Customers, we may also process information that is necessary for invoicing and fulfilling our contractual obligations, which we obtain from the Business Customer directly.
With regard to purchases and payment transactions, we process for example the following information with regard to our End Users: the seller and its contact details, item-level purchases with prices and taxes, date of receipt, filing identifier/reference of the receipt, payment card used in connection with the purchase, and other information normally shown on the receipt. We receive this information from Merchants or from our Co-Operation Partners.
4. For what purposes is the data used and what is the legal basis for processing?
As regards the End Users of the ReceiptHero Service, we process the data to enable the ReceiptHero Service (see section 2 above), to fulfil our contractual obligations and to maintain contact with our End Users. This processing is based on an agreement. We do not process our End Users' data for automated decision making purposes (including profiling).
As a part of the ReceiptHero Service, payment transactions of our End Users will also need to be monitored. The monitoring is carried out by our Co-Operation Partners to whom we provide payment card details of our End Users for the purposes of the payment transaction monitoring. The processing of payment card information takes place in accordance with the PCI DSS standard. When a payment transaction of our End User is captured by our Co-Operation Partner, we are provided the relevant payment transaction details from our Co-Operation Partner for us to provide our End User with the corresponding electronic receipt. We decide at our sole discretion which Co-Operation Partners we use for payment transaction monitoring. The processing in this regard is based on an agreement with the End User.
We also process data to a certain extent for direct marketing purposes. The basis for the processing in this regard is our legitimate interest. For example, we may send customer communications, since our End Users must always have up to date information about Merchants and Partner Applications using the ReceiptHero Service so that our End Users can affect the processing of their personal data (see section 7 below).
To the extent that direct marketing requires the explicit consent of End Users, the consent can be withdrawn at any time. Please note, however, that the withdrawal of consent does not affect the lawfulness of processing prior to the withdrawal and does not prevent us from sending to our End Users information or communications that are necessary to End Users of the ReceiptHero Service.
We process Business Customers' data also for billing purposes. In this case, the processing is based on ensuring compliance with our legitimate interest.
5. To whom is your data transmitted or disclosed?
We will transmit the electronic receipts of our End Users to those Partner Applications in which our End Users have activated the ReceiptHero Service, and, if our End User so wishes, to his/her personal communication tools (such as End User's email or Facebook Messenger application). Our End User can see his/her activated Partner Applications in the ReceiptHero Service.
In addition, for the purposes of the ReceiptHero Service, we may provide payment card information and payment transaction data to our Co-Operation Partners. This allows us to identify and transmit electronic receipts of our End Users as described above. The processing of payment card information takes place in accordance with the PCI DSS standard.
We process personal data also by resorting to services of third parties. For example, we use third party customer information systems to manage and communicate with our End Users. Correspondingly, we utilize third party data storage services to store and back up the data we process. Therefore, these third parties have access to the personal data we process. The said third parties act as processors of personal data and are not allowed to use the data for their own purposes. We have entered into data processing agreements with third parties to ensure that personal data are processed in accordance with data protection legislation.
Some of our service providers operate outside the EU/EEA. We use EU Commission Standard Contractual Clauses; however, none of the data is processed outside of the EU/EEA.
6. How is your data protected?
When processing your personal data, we apply physical and organisational safeguards, such as encryption or hashing and limited backup of the transmitted data, locked spaces and secure access management. In addition, we comply with the PCI DSS standard when processing payment card information. Further, in order to avoid unauthorised access, alteration and misuse of personal data, only those of our employees and representatives who need to process personal data in order to enable the ReceiptHero Service are authorized to do so.
7. How can data subjects affect the processing, and what are the rights of data subjects?
Our End Users can affect the processing of their data through the ways in which they use the ReceiptHero Service. For example, if an End User does not activate a specific Partner Application, the electronic receipts of the End User will not be transmitted to the said Partner Application. Similarly, if the End User would prefer not to be provided an electronic receipt regarding a particular transaction or a particular Merchant, he/she can choose not to use the payment card or other personal identifier (e.g. email address) registered with the ReceiptHero Service in connection with the said transaction or Merchant, in which case there will be no electronic receipt created by the ReceiptHero Service.
However, End Users should note that if they use a payment card or other personal identifier (e.g. email address) registered with the ReceiptHero Service when transacting with a Merchant that offers electronic receipts through the ReceiptHero Service, an electronic receipt of the purchase in question will automatically be produced and transmitted to the End User’s activated Partner Applications.
Due to the above, we regularly inform our End Users of new Merchants or Application Developers that have started to use the ReceiptHero Service. This will allow our End Users to receive up-to-date information regarding which purchases can result in an electronic receipt generated by the ReceiptHero Service and to which Partner Applications the receipts can be transmitted.
Finally, we wish to emphasize that we guarantee the data subjects all their statutory rights. This means that, under certain circumstances, you have the right to:
- Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party (also known as data portability).
- Where our processing is solely based on your specific consent you have the right to withdraw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
If you wish to exercise any of your rights under the data protection legislation that are available to you, please contact us in writing in such a way that we can identify you, or visit us in person. We may need to ask for further information in order to ensure that we have adequately identified you. Our contact information can be found at the beginning of this privacy notice.
Finally, if you believe that we have processed your personal data against the law, you may lodge a complaint with the data protection authority (www.tietosuoja.fi).
8. Data storage and destruction
We will delete information of our End Users if the data subject has not used the ReceiptHero Service in any way for 5 years. We monitor data usage at least once a year to determine the need for deletion. If it is necessary to retain personal data in order to fulfil legal obligations (e.g. accounting obligations), the retention period is 10 years or any other period expressly provided for by law. Instead of deleting the data, we may also anonymize it.
9. Updating this privacy notice
This privacy notice may be updated from time to time to reflect changing legal, regulatory, or operational requirements. We encourage you to periodically consult our website for the latest information on our privacy practices.