Back

Privacy Policy

1. What does this Privacy Notice cover?

The protection of personal data is important to Nets Denmark A/S (hereinafter "Nets", "us", "our", "we"). Storebox is a product owned by us. That is why safeguarding personal data is essential to everything we do, and why we strive to provide the best possible protection of personal data.

Below, you will find information about how we process your personal data (the "Privacy Notice") in Storebox.

This Privacy Notice covers the processes described under Section 2.

We will act as the data controller for the personal data listed in the table in Section 2 below.

2. The type of personal data we process, our purpose and legal basis

Topic Storebox app – eReceipt: Customer Storebox app – eReceipt: Merchant Card Link
When do we collect personal data? We collect personal data when you sign up to Storebox. Upon signup to Storebox as a merchant. Data is processed to enable consumers to receive digitalized receipts.
What kind of personal data?
  • - Customer number
  • - Customer purchase history
  • - Email address
  • - Log data
  • - Full name
  • - PAN (account number)
  • - Payment information
  • - Time of transaction
  • - Transaction amount
  • - Username/ID
  • - Merchant name (one man company)
  • - Name of cashier (if shown on eReceipt)
  • - Full name
  • - Email address
  • - Customer number
  • - Customer purchase history
  • - Email address
  • - Log data
  • - Full name
  • - PAN (account number)
  • - Payment information
  • - Time of transaction
  • - Transaction amount
  • - Username/ID
  • - Merchant name (one man company)
What is the purpose? The purpose is to provide you with the services you have signed up to offered by Storebox, i.e., eReceipt. The purpose is to provide your customers (i.e., the end user) with the Storebox services. In order to provide you with the services offered by Storebox, i.e., eReceipt, we must enable Card Link to connect your card(s) with the eReceipt solution.
What is the legal basis? GDPR Article 6(1), litra b (performance of a contract).

GDPR Article 6(1), litra f for cashier names shown on receipts. 		GDPR Article 6(1), litra b (performance of a contract).

GDPR Article 6(1), litra f for cashier names shown on receipts. 		GDPR Article 6(1), litra b (performance of a contract).

GDPR Article 6(1), litra f for cashier names shown on receipts.
Who are the recipients? We do not share your personal data with third parties. We do not share your personal data with third parties. Transaction data is sourced from NDS and CAPS.
What is the storage period? Account deleted immediately after termination confirmation. Receipts deleted 90 days after request. Personal data deleted three (3) years after agreement termination. Personal data deleted 30 days after account termination.

3. Where does your personal data come from?

The personal data what we process are mainly obtained from you, but it depends on the facts and the specific circumstances. For instance, we may verify your national identification number against the central national CPR register in Denmark or similar national registers in other countries than Denmark.

Generally, we will not use your personal data for other purposes, which are not compatible with the original purpose for which the personal information was collected, without your explicit consent. Compilation or anonymisation for statistical purposes is considered compatible with the original purpose.

4. Who is engaged when we are processing your personal data?

We make use of service suppliers for our IT operation(s) and IT operational support. Such suppliers provide the following services relating to the Storebox products:

  1. Hosting of the platform
  2. Development of the services
  3. Technical support

In the event such suppliers have access to personal data collected or processed by us, the supplier acts as data processor and acts in accordance with a written agreement and under the instructions from us.

5. Transfers to countries outside EU/EEA

In some cases, we will transfer personal data to countries outside the EU/EEA. Such transfers will only take place subject to appropriate safeguards are in place for the transfer including:

  1. The country has been deemed by the Commission of the European Union to have an adequate level of protection of personal data. Personal data can without further measures be transferred to such third countries
  2. The country has not been deemed by the Commission of the European Union to have an adequate level of protection of personal data, but we provide appropriate safeguards for the transfer through the use of "Standard Contractual Clauses”, as published by the Commission of the European Union, EU-US Data Privacy Framework or any other contractual agreement approved by the competent authorities or any other legal basis, including the use of supplementary measures if deemed necessary.

Where no appropriate safeguards are provided, such as the above mentioned, transfer of personal data to "unsafe" third countries can take place based on specific legal basis for the transfer.

For instance, the transfer can take place based (i) if you have consented hereto, (ii) for the performance of a contract with a company established in such third country and (iii) if necessary in relation to legal claims. The specific legal bases are stated in Article 49(1) of the General Data Protection Regulation (‘GDPR’).

You can always obtain a copy of the relevant legal basis for the transfer, or information about where it can be accessed, by contacting our Data Protection Officer. You will find the contact details under Section 8.

6. Security

We are dedicated to protecting your personal data.

As part of this dedication, we have adopted internal security policies and instructed our employees accordingly to comply with applicable legislation, e.g., the GDPR.

We have implemented appropriate procedures and security measures to protect your personal data from being destroyed, lost or altered, publicised unlawfully and against being disclosed to unauthorised persons or otherwise processed contrary to applicable data protection legislation.

7. Your rights as a data subject

As a data subject you have several rights available to you, which you may exercise by contacting us.

You can exercise your rights by submitting your request here: dpo.nets@nexigroup.com.

According to the GDPR, you have the following rights:

  1. The right to request information about what personal data we process about you.
  2. The right to have rectified your personal data.
  3. The right to erase your personal data. Please note that exercising this right might be limited according to national law, i.e., we might not be able to delete and/or modify all personal data.
  4. The right to object to the processing of your personal data and have the processing of your personal data restricted.
  5. An unconditional right to object to the processing of your personal data for direct marketing purposes.
  6. If processing of your personal information is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent. You may withdraw your consent for a specific service by following the instructions for the specific service, please refer to the website for the specific service offered by us.
  7. The right to receive your personal information in a structured, commonly used and machine-readable format (known as data portability), subject to fulfilment of specific conditions set by data protection law.

Please note, we may decline disclosure to you if you are in possession of the information already or if disclosing them to you is impossible or would involve a disproportionate effort or would impair the achievement of the objectives of the processing.

If you have any concerns about the manner in which we process your personal data, you can contact the Danish Data Protection Agency (in Danish: "Datatilsynet"): www.datatilsynet.dk (website in Danish and English).

You can also lodge a complaint with a data protection supervisory authority in the EU/EEA member state of your habitual residence, place of work or where the alleged infringement has taken place.

7.1 Deletion of account

To delete your account and all your data, please follow these four steps:

  1. Sign in to your account in your Storebox app.
  2. Go to Profile at the top.
  3. Tap Delete profile at the bottom.
  4. Click Yes, I am sure.

Please note: All your data will be deleted permanently once you confirm the deletion of your account. After your confirmation of deletion, Nets will not be able to recover any data as we will delete your personal data immediately. Hence, please make sure that you have downloaded all the data you need before deleting your profile.

If you experience any issues with erasing the profile from your Storebox application or have any further questions, please do not hesitate to contact us via email dpo.nets@nexigroup.com.

8. Contact us

You are welcome to contact our Nordic Data Protection Officer if you have any questions, complaints or other concerns related to data protection and privacy on the following email address: dpo.nets@nexigroup.com

For questions to us of a more general character not concerning personal data:

Nets Denmark A/S
CVR-nr. 20016175
Klausdalsbrovej 601
DK-2750 Ballerup