Customer Agreement for Buypass ID - smart card, mobile and ID-Key
Version 8.1 | Published 2024.06.19 | Valid from 2024.08.06
1. About the customer agreement
1.1 Parties to the agreement
This agreement is between you, the recipient of the electronic ID, and Buypass AS (org no. 983163327), hereinafter referred to as "Customer" and "Buypass", respectively.
1.2 Scope of the agreement
This agreement applies to the application for and use of Buypass electronic identification (Buypass eID), either from Buypass directly, from one of our merchants or from an organisation. Buypass eID is provided on eIDAS assurance level high as certificates on smart cards and mobile or as a key on a key device. In addition, for smart card and mobile, qualified certificates for electronic signatures are delivered.
For general information about Buypass eID, see section 7.
For the application for and use of Buypass eID for strong authentication, additional terms and conditions apply, see section 8.
For the application for and use of Buypass eID with qualified certificates, additional terms and conditions apply, see section 9.
1.3 Acceptance of the agreement
By accepting the terms and conditions of this agreement, you consent to Buypass collecting, storing, and processing your personal information and information relating to your use of Buypass services.
You can read the agreement when you register and apply for Buypass eID. It is considered accepted when you sign or check the box to indicate that you have read and accepted the agreement.
You can also find the Customer Agreement on Buypass' website.
2. Customer relationship
2.1 Establishing the customer relationship
The customer relationship is established when you register. You register either on the Buypass website, at one of our merchants, or at an organisation that operates as a registration authority (RA) for Buypass, hereinafter referred to as Organisation.
You must be 13 years of age or older to register.
Upon registration, you must always provide your Norwegian identity number (FNR or DNR). In some cases, you may also be required to provide your name, mobile phone number, and email address. You accept that Buypass and/or Organisation verifies the information against the National Population Register and may retrieve your full name, residential address, and status. If you are registered with a DNR, your national identity will be retrieved.
The establishment and administration of your customer relationship with Buypass is subject to the Norwegian Personal Data Act (Personal Data Act).
The Electronic Trust Services Act (including the Regulation of self-declaration schemes) regulates the eID assurance level that applies to Buypass eID for strong authentication and Buypass qualified certificates (see sections 8 and 9, respectively).
This means that you must provide a valid identity document, and we are obliged to verify and store the information.
You are responsible for ensuring that the information you provide is complete and accurate. If you provide incorrect information, you may be subject to prosecution and liability for damages.
2.2 The purpose of collecting information
To identify you as a customer in a secure manner, to protect against ID fraud, and to ensure the security of our services, we collect personal information and information relating to your use of Buypass eID.
We may only use your contact information (name, address, mobile phone number, and/or email address) to carry out various marketing activities if you have been asked if Buypass can send you information and you have explicitly agreed to this.
2.3 Processing and storing of information
Buypass is responsible for the security of your personal information. We shall, through planned and systematic work, ensure satisfactory information security (integrity, confidentiality, and availability) and that this is in accordance with applicable legislation.
We collect and process your personal information in accordance with the Personal Data Act for as long as the agreement applies. In accordance with the applicable regulations relating to the use of our services, we are also obliged to store your information for a period after the customer relationship is terminated. After this, we will delete the information unless we are legally obliged to store it for longer.
In our work to prevent misuse and crime, we monitor all transactions that are carried out in our systems. We have guidelines on what measures are taken and when. This includes reporting to public authorities in case of suspected criminal activity.
You must notify Buypass of any changes to your personal information. Buypass may update information on its own when the changes originate from or are confirmed by public authorities, such as information from the National Population Register.
When you use Buypass eID at one of our merchants, Buypass is not responsible for information collected, stored and processed by merchants beyond the provisions stated in section 2.1. This is regulated by our merchants’ own terms and conditions in accordance with applicable data protection regulations.
2.4 Right of access, correction and deletion of information
Buypass is the data controller for the information processed in connection with your customer relationship. Information on the processing of personal data can be found on the Buypass website (Privacy Policy), or questions can be directed to Buypass Customer Service.
Under the Personal Data Act, you have the right to request access to and, if necessary, correct your personal information. You can do this yourself via "My Page", which is available on the Buypass website and on our merchants’ websites, or by contacting Buypass Customer Service.
You can terminate your customer relationship and have all information deleted without any further justification. You must do this by notifying Buypass via Buypass Customer Service. We will give you feedback on the deletion as soon as possible and within 30 days.
However, Buypass is obliged to keep information about Buypass eID and its use beyond this in accordance with the legislation and regulations governing such services.
2.5 Sharing of information
Buypass is responsible for the confidentiality of the information obtained in the use of Buypass eID.
Buypass will not disclose personal information to third parties, unless such disclosure is required by a court order, applicable law, or by your written consent.
We analyse traffic and usage patterns to measure availability. These analyses provide the basis for further development to be able to provide better service. Data used in such analyses is anonymised and not personally identifiable information.
We cooperate with providers of analysis services, which help us to understand how users use and interact with the services we offer. In cases where we are dependent on external service providers, we will give them access to or transfer such information. These providers may use cookies and similar technologies to collect information about usage.
Any shared information will be processed in accordance with the terms of this agreement and the data processing agreement between Buypass and our subcontractor. Data used in such analyses is anonymised and it contains no personally identifiable information.
3. Liability
3.1 Customer's liability
The use of your Buypass eID regulated by this agreement is your own responsibility. If you suspect unwanted activities, such as possible fraudulent use of your eID devices (e.g. smart card, security key, mobile), or the devices are no longer in your possession, you are obliged to notify Buypass immediately.
Once Buypass has received notification that your Buypass eID should be revoked, and we have confirmed the revocation, you will cease to be liable.
3.2 Limitation of liability
Buypass cannot be held liable for losses incurred because the relevant services cannot be used, whether due to technical faults, lost profits or damages resulting from business interruption, or because certificates are revoked.
Buypass disclaims any liability for any losses you may incur as a customer if you use Buypass eID contrary to the terms of this agreement.
Buypass' liability for your use of Buypass eID is in any case limited to losses due to negligence on the part of Buypass, where you or others have had reasonable grounds to rely on Buypass eID. The liability extends to direct losses only and is limited to NOK 5 000 per transaction and NOK 10 000 per customer per year.
Should an extraordinary situation arise beyond the parties' control which under ordinary rules of purchase law is considered force majeure and which makes it impossible for one or both parties to fulfil one or more obligations under this agreement, the affected obligations shall be suspended for the duration of the extraordinary situation.
4. Changes to the terms and conditions of this agreement
Significant changes to the agreement must be approved by you as a customer. However, Buypass is entitled to make minor amendments to the agreement, provided this does not change the relationship between us.
The updated agreement will be published and announced on the Buypass website at least fifteen (15) days before the amendments take effect.
If you do not wish to accept the changes in terms and conditions, you must terminate the customer relationship. Contact Buypass Customer Service.
5. Disputes
Should disagreement arise between the parties regarding the interpretation or legal effect of this agreement or concerning services, the parties may seek to resolve the dispute between themselves.
If agreement cannot be reached, the parties may seek a settlement in the courts. Oslo District Court will be the legal venue.
6. Duration and termination
The customer relationship lasts until one of the parties terminates the agreement. Buypass terminates the customer relationship when there are no active eIDs or as a result of a change in status in the National Population Register.
You may terminate the agreement at any time without any further justification. If your Buypass eID was issued via an Organisation, the customer relationship terminates when your affiliation with the Organisation ceases.
If you, as a customer, act contrary to the terms of the agreement, Buypass is entitled to terminate the agreement with immediate effect. Buypass is entitled to suspend certain services in the contractual relationship. Identity fraud and document forgery or attempts to do so are always considered in this context to be a material breach of contract and may result in a police report.
A Buypass eID will be revoked immediately upon termination of the agreement.
The parties' obligations will cease upon termination of the agreement; however, Buypass' obligations relating to storing and processing of personal data, referred to in sections 2.3 and 2.4, shall apply as set out in this agreement and in Norwegian law (Electronic Trust Services Act).
7. Electronic identification
7.1 About Buypass eID
Buypass eID is a proof of identity that confirms that you are who you claim to be. Buypass eID typically consists of something you have, e.g. a smart card, security key or mobile phone, something you know, such as a personal PIN code or password, or something you are, such as biometrics using touch ID and/or face ID.
7.2 Use and safe-keeping of Buypass eID
Buypass eID identifies you as a person and is therefore strictly personal. A Buypass eID that is no longer under your personal control is to be considered stolen and must be revoked immediately by notifying Buypass Customer Service.
If you know, or suspect, that the device used for Buypass eID or the code has been misplaced (lost, stolen or the code is known to others), you must immediately change the code or contact Buypass Revocation Service, a merchant or your Organisation so that the Buypass eID can be revoked.
If you fail to do so, we are entitled to regard this as gross negligence, see section 3.1.
Regardless of which device (smart card, security key or mobile phone), a Buypass eID is always used together with a personal and secret code or biometrics (PIN code, password, touch ID, face ID, etc.). The code should never be entrusted to others and must always be kept and used in a manner that prevents unauthorised persons from gaining knowledge of it.
Buypass eID includes:
- Buypass eID for strong authentication, see additional terms and conditions in section 8.
- Buypass eID with qualified certificates, see additional terms and conditions in section 9.
8. Additional terms and conditions for Buypass eID for strong authentication
8.1 About Buypass eID for strong authentication
Buypass is the provider of Buypass eID for strong authentication. These are regulated under the Regulation of self-declaration schemes in accordance with the Electronic Trust Services Act.
Buypass eID can be used for authentication in organisation-internal, public and private services in Norway on eIDAS assurance level high.
Buypass ID key consists of a key pair that is generated in a key device (security key or smart card). The private key remains in the device, while the public key is connected to your Buypass identity account. You control access to the keys in the device with your personal PIN code.
Buypass ID on smart card consists of two certificates where the corresponding key pair is either generated in the smart card or in an HSM at Buypass and transferred to the smart card in a secure manner. The private keys are stored protected in the smart card while the public keys are linked to your Buypass identity account via digital certificates. The two private keys/certificates can be used respectively as eID for strong authentication or for signing as eID with qualified certificates for electronic signature, see section 9.
Buypass ID in mobile also consists of two certificates where the corresponding key pair is generated and secured in an HSM at Buypass. The private keys remain in the HSM, while the public keys are linked to your Buypass identity account via digital certificates. The two private keys/certificates can be used respectively as eID for strong authentication or for signing as eID with qualified certificates for electronic signature, see section 9. To access your private keys, you must authorise access using another eID linked to your personal mobile phone. You can choose to use either Buypass password with a one-time code via SMS or the Buypass ID app installed on the mobile phone which requires the use of a PIN.
Buypass publishes all certificates in a directory so that they can be retrieved through an open public lookup service. By accepting the terms and conditions, you consent to such publication of your certificate.
Some merchants use Norwegian identity numbers as identification in their systems. If you choose to use Buypass eID with such actors, you also accept that Buypass provides your Norwegian ID number to the merchants who have the necessary authorisation.
8.2 Collection, processing and storage of information
Registration and/or application for Buypass eID always requires some form of identity verification.
Identity verification is carried out in accordance with the Regulation of self-declaration schemes. This requires that you meet in person and provide valid proof of your identity. You must accept that a photocopy of the identity document is taken. This is done upon delivery at the Post Office, at an affiliated organisation, merchant or at Buypass. Alternatively, you can carry out secure digital verification of your identity based on machine reading of the identity document (MRZ) and biometric facial recognition where image data is retrieved from the document's chip and compared with the photo that is collected in the identity process. You must accept that information about the identity document is transferred electronically and stored with Buypass.
We also accept the use of electronic attendance, i.e. by using a valid electronic identification (eID) at the same assurance level as the Buypass eID that is issued. Buypass will store a unique reference to the eID you use.
A copy of the identity document and/or reference to the eID used is considered personal data and will be processed as described in section 2.3.
All information about the application for and use of Buypass eID will be retained for at least 7 years after the Buypass eID expires.
8.3 Revocation
As a customer you can request revocation of your Buypass eID by contacting Buypass Revocation Service or the Organisation you are affiliated with.
If your Buypass eID was issued via an Organisation, the Organisation may revoke your Buypass eID on its own initiative if there is a valid reason for revoking, e.g. termination of employment or other affiliation with the Organisation.
Buypass may revoke your Buypass eID on its own initiative if there is a valid reason for revoking.
9. Additional terms and conditions for Buypass qualified certificates
9.1 About Buypass qualified certificates
Buypass is the certificate provider of Buypass qualified certificates for electronic signatures, which are regulated under the Electronic Trust Services Act. These certificates are hereafter referred to as Buypass qualified certificates.
The Buypass qualified certificates are linked to a private key which only you have access to, either in a smart card or for Buypass ID on mobile and ID@Work stored centrally at Buypass. You authorise the access to the private key in the smart card using your personal PIN code. Similarly, you authorise the access to your centrally stored private key using another personal Buypass eID at a sufficient assurance level.
Buypass qualified certificates are valid for 3 years from the date of issuance.
Buypass publishes all certificates in a directory so that they can be retrieved through an open public lookup service. By accepting the terms and conditions, you consent to such publication of your certificate.
Some merchants use Norwegian identity numbers as identification in their systems. If you choose to use certificates with such actors, you also accept that Buypass may provide your Norwegian identity number to the merchants who have the necessary authorisation.
9.2 Scope and acceptance
These terms and conditions apply to the application for and use of Buypass qualified certificates. The terms and conditions are in addition to and apply in conjunction with the current Buypass customer agreement, see sections 1-7 in this agreement.
As part of the additional terms and conditions, the Certification Practice Statement (CPS) for Buypass Class 3 Person Qualified Certificates also applies. A short version of the relevant information can be found in the PKI Disclosure Statement (PDS) document.
The obligations that you as a customer undertake by applying for and using Buypass qualified certificates are described under the subject and subscriber obligations sections in these documents.
The Buypass customer agreement, PDS and CPS are available on the Buypass website under the CA Documentation (legal) and Person Qualified Certificates tab.
We consider these additional terms and conditions accepted once you as a customer confirm that you have read and accepted them upon registration, or upon first use of the qualified certificates.
9.3 Collection, processing and storage of information
Registration and/or application for Buypass qualified certificates always requires some form of identity verification. Identity verification is carried out in accordance with the Electronic Trust Services Act.
This requires that you meet in person and provide valid proof of your identity. You must accept that a photocopy of the identity document is taken. This is done upon delivery at the Post Office, at an affiliated organisation, merchant or at Buypass.
We may send your mobile phone number and/or e-mail address to the distribution service provider so that you can receive information about the shipment from Buypass.
We also accept the use of a valid electronic identification (eID) for identity verification when issuing Buypass qualified certificates. Buypass will then store a unique reference to the eID you use.
A copy of the identity document and/or reference to the eID used is considered personal data and will be processed as described in section 2.3.
All information about the application for and use of Buypass qualified certificates will be retained for at least 7 years after the certificate expires.
9.4 Revocation
As a customer you can request revocation of your Buypass qualified certificate by contacting Buypass Revocation Service or the Organisation you are affiliated with.
If your Buypass qualified certificate was issued via an Organisation, the Organisation may revoke your Buypass qualified certificate on its own initiative if there is a valid reason for revoking, e.g. termination of employment or other affiliation with the Organisation.
Buypass may revoke your Buypass qualified certificates on its own initiative if there is a valid reason for revoking.
For more information on valid reasons for revoking and how revoking is carried out, please refer to the Certification Practice Statement (CPS).
10. Buypass contact information
If you have any questions about this agreement or anything else you may be wondering about, please feel free to contact us at:
Buypass Customer Service, e-mail: support@buypass.no
Buypass Customer Service, phone: +47 22 70 13 00
Buypass Customer Service, website: https://www.buypass.com/the-company/contact-customer-support
Buypass Revocation Service: https://www.buypass.com/security/revocation-service