Stäng

Thank you for reading Telenor Digital's Privacy Notice

We value your privacy and take the protection of your personal data seriously. While having a privacy notice is a legal obligation under the General Data Privacy Regulation (GDPR), we also present this important information for the sake of transparency. We rely on your willingness to share your data in order to provide services to you, improve our services, and develop new products that suit your needs. This process requires mutual trust and results in mutual benefit.

Our Privacy Notice explains what personal data we collect from you, as well as why and how we process it. It also provides guidance regarding your data privacy rights and how you can exercise them.

Who is Telenor Digital and what do they do?

Telenor Digital AS is a Norwegian company and a central service provider within the Telenor Group. As such, we develop, provide, and maintain mobile apps, web applications, and backend solutions to other Telenor companies.

We also deliver services to partners outside of Telenor Group with CONNECT ID, our identity management solution. You can use CONNECT ID to sign in to services offered by Telenor Group as well as services offered by other companies.

To deliver these services, we step into one of two roles: data controller or data processor. It is important to be able to distinguish between these roles for the purposes of this Privacy Notice.

Telenor Digital as Data Controller

Telenor Digital is the data controller for the services for which you have entered into an end-user agreement with us. This controllership extends to support services for those contracted services. For example, if you have an end-user agreement with CONNECT ID, Telenor Digital is the data controller for CONNECT ID and supporting services offered for CONNECT ID by Customer Care, Privacy Service, and Analytics.

Telenor Digital as Data Processor

As data processor, our contribution is a background support activity which only exists to enable services offered by another company, usually your mobile operator. In this case, the other party is the data controller and will respond to your privacy concerns, except where we use this data to improve the support services that we offer.

What are my rights regarding the collection and use of my personal data?

You have a number of important rights regarding your personal data which you can exercise by visiting our Privacy Service. Customer Service will handle your requests and answer your questions. These include the:

Please note that the right to portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. We also will not be able to extend this right in a way that would adversely affect the rights and freedoms of others.

Please contact us if you have questions about your personal data rights. You also have the right to lodge a complaint with a supervisory authority.

What personal data does Telenor Digital process and how long is it kept?

The way we collect personal information varies depending on the services you use. In general, we obtain three types of personal data from you :

Our data retention policies vary based on the purpose of processing. As a general rule, we will not keep your personal information longer than is necessary for the purposes outlined in this privacy notice.We need to keep most of your account-related data as long as you have an active account. If you choose to delete your account, we will delete your data after 30 days, except in cases where there are legal reasons to retain it.

Directly Obtained Personal Data

When you sign up to receive one of our services, you provide us with certain personal information. This can include:

Automatically Obtained Personal Data

When you use our services, some information is generated automatically. This information will vary depending on the service and the device that you use.

Examples of data generated automatically:

Indirectly Obtained Personal Data

We sometimes collect personal information about you from third parties in connection with services that we provide to you. This is a necessary element of integrating our services with the services provided to you by others, such as your mobile service provider.

Examples of data we obtain indirectly:

List of Personal Data Categories*

Why does Telenor Digital process my personal data?

Telenor Digital uses much of the personal data we process to provide you with the services you use. Your data makes these services run. This kind of data processing is referred to as "processing for the performance of contract".

In addition, we process some data for purposes defined as "legitimate interests" under the law. This usually refers to cases where we process data to better understand your experience with our products and services. The insights we gain by analysing this kind of data help us to improve and fix our existing products, as well as develop new features to meet your needs.

Finally, there are a few use cases in which we are obligated to process personal data by applicable law.

Performance of Contract

Roughly 70% of our activities rely on data processing in order to perform our contract with our end-users.

Example: When you sign up for CONNECT ID, you want a single-sign-on solution that allows you to sign in to other services easily and securely without having to provide your credentials each time. This service only works reliably if you share some basic account data with us, we can verify it (by sending you a verification code code via SMS, for example), and we can create an identity token to share with the service you intend to sign-into with CONNECT ID. All of these steps require that we process data in order to provide you with the service.

Legitimate Interest

About 25% of our activities rely on data processing defined as legitimate interests.

The following is a list of our legitimate interests for data processing:

For some specific data processing, we will ask your prior explicit consent. However, Telenor Digital rarely uses any such processing or technology; for example, we do not use automated decision making or profiling with a legal or otherwise significant effect.

Does Telenor Digital transfer personal data to Third Parties?

Third party companies help us provide and maintain our services. These third parties fall into the following categories:

Finally, if we decide to sell, buy, merge or otherwise re-organise a business, we may transfer your personal information to purchasers, or partners and their advisers.

Data transfers outside of the EU/EEA

In some specific cases, we transfer data to countries outside the European Economic Area (EEA)/European Union (EU). Such transfers occur when:

In the first two cases, the countries to which we transfer the data are determined by the location of your mobile service provider or the location of the services you are using with CONNECT ID. Unless it is necessary to transfer the data to a country outside the EU/EEA for the performance of our contract with you, we enter into standard data protection clauses adopted by the European Commission ("EU Model Clauses").

Many of our vendors are located in the United States, however, the hosting services we purchase limit the location of processing to Ireland, which means that the data does not leave the EEA. For vendors that help us improve and maintain our products, such as web analytics, we enter into EU Model Clauses, or, where applicable, use the "Privacy Shield" programme.

In addition, the EU has preapproved certain countries that are considered as having an adequate level of data protection.

Changes to the Privacy Notice

We may update this Privacy Notice from time to time, as our data processing may change and we would like to keep you informed.

Where we think it is appropriate, and in the event that we make material changes to our privacy notice, we will also notify you that our privacy notice has been updated. By continuing to use our services after that period you confirm your continuing acceptance of this privacy notice.

How can I contact Telenor Digital regarding my privacy rights?

If you have privacy-related questions or concerns, the quickest way to get in touch is the Review section of our Privacy service. Customer Service will respond to your request via email as soon as possible, and refer you to the Data Protection Officer.

Telenor Digital AS
Snarøyveien 30
1331 Fornebu, Norway
Org. No. NO 996 516 288

* List of Personal Data Categories

Personal Data Categories for CONNECT ID

Data Subject Identifier

Personal Data Retention Policy Remarks
Full Name Event-triggered
Deleted when account is deactivated
Part of core customer information, required to provide the service.

General User Data

Personal Data Retention Policy Remarks
User Base Data Event-triggered
Deleted when account is deactivated
Part of core customer information, required to provide the service.
User Rights Event-triggered
Deleted when account is deactivated
Part of core customer information, required to provide the service.
Full Name Event-triggered
Deleted when account is deactivated
Part of core customer information, required to provide the service.

Logic Account Identifier

Personal Data Retention Policy Remarks
Email Address Event-triggered
Deleted when account is deactivated
Part of core customer information, required to provide the service.
(End-)User Account ID Event-triggered
Deleted when account is deactivated
The "CONNECT ID" upon which the service is based.
Identity Token 0 ... 1 day
Deleted immediately when token is invalid
The identity token is generated by CONNECT ID and passed to confirm an end-user's identity.
IP-Address — End-User 1 month ... 2 years
Retained in basic logs for investigation of bugs and other incidents for 30 days. Retained in security logs for 1 year for investigation of security incidents.
Security logs are accessible only to few individuals, and only in defined, exceptional circumstances, where the access is required for the investigation of security incidents.
MSISDN Event-triggered
Deleted when account is deactivated
Part of core customer information, required to provide the service.
One-time verification code 1 day ... 1 month
Invalidated after 30 minutes or 3 wrong attempts
A one-time verification code that you may receive during sign-up and sign-in, depending on the chosen method.
Password/verification code Event-triggered
Deleted when account is deactivated
Your CONNECT ID password.
Password Recovery Link 1 month ... 2 years
Active for 90 days, deleted 90 days after inactive. Retained for investigation of incidents.
A link that you receive when you triggered password recovery. We retain it to be able to trace illegitimate or malicious password recovery attempts.

Technical Data — B2B

Personal Data Retention Policy Remarks
API Credentials Event-triggered Used by our partner services to configure the integration. Not related to end-users.

Technical Data — User

Personal Data Retention Policy Remarks
Hardware Environment 1 month ... 2 years
Same policy as other log data (see IP address)
Information on the end-user device to optimise the service.
Software Environment — Integrating App Event-triggered
Deleted when account is deactivated
The service, for which you use CONNECT ID to sign-in.
Software Environment — User Agent 1 month ... 2 years
Same policy as other log data (see IP address)
Information sent by your browser and used to optimise the service.

Time And Location

Personal Data Retention Policy Remarks
Timestamp 1 month ... 2 years
Same policy as other log data (see IP address)
The time of the day, when an event occured. This is relevant for example to recognise malicious sign-in attempts, due to high frequency of sign-in attempts.

User Behaviour

Personal Data Retention Policy Remarks
Click Stream 1 month ... 2 years
Same policy as other log data (see IP address)
Information on how users use the app, where they may get stuck and where components may not work as intended.
User Behaviour — Logs 1 month ... 2 years
Same policy as other log data (see IP address)
Historic logs of user activities, such as sign-in attempts, used i.e. under exceptional circumstances to investigate security vulnerabilities.
Other User Events 1 month ... 2 years
Same policy as other log data (see IP address)
Other user triggered events of potential IT-security relevance.

Personal Data Categories for Customer Service

What personal data is used by the customer care service is highly contextual and strongly depends on what service you are seeking assistance with. The list below is comprehensive, but usually only a small fraction of it will apply, depending on your request.

Customer Service & Customer Communication

Personal Data Retention Policy Remarks
Customer Service Interaction - All 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Your interaction with the Customer Service.

Data Subject Identifier

Personal Data Retention Policy Remarks
Full Name 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Part of core customer information, required to provide the service.

General User Data

Personal Data Retention Policy Remarks
User Rights 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
User rights that you may have in another service that integrates with our service, and which may be influential for an issue that you may encounter in using these services.

Logic Account Identifier

Personal Data Retention Policy Remarks
Email Address 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Part of core customer information, required to provide the service.
(End-)User Account ID 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Your CONNECT ID (if any).
IP-Address 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
The IP-address linked to your customer service ticket.
MSISDN 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Part of core customer information, required to provide the service.
One-time verification code 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
A one-time verification code that you receive when you ask our customer service for password recovery.
Password Recovery Link 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
A link that you receive when you ask our customer service for password recovery.
Ticket-ID 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Customer Service operates on so-called tickets, to be able to follow-up your request over a longer period, if needed.
User Name 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
 

Technical Data — B2B

Personal Data Retention Policy Remarks
API Credentials 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Used by our partner services to configure the integration - relevant for customer service requests from B2B partners.
Not related to end-users.

Technical Data — User

Personal Data Retention Policy Remarks
Hardware Environment 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Information on the end-user device to understand the technical issue encountered.
Software Environment — Other 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Information on the software environment on your device to understand the technical issue encountered.
Software Environment — User Agent 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Information on the software environment on your device to understand the technical issue encountered.

Time And Location

Personal Data Retention Policy Remarks
Timestamp 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
The time of the day, when an event occured. This is relevant i.e. to identify temporary issues you may have encountered, but a timestamp is also part of your customer service ticket, to allow us to see the progress of our service in assisting you.

User Behaviour

Personal Data Retention Policy Remarks
Click Stream 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Information on how users use the app, where they may get stuck and where components may not work as intended.
Purchase Fact / Transaction Data 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Where you referred to our customer service in reference of direct operator billing, depending on the case we may need transaction data referring to the transaction in question to help you with it.
Service Usage Metadata 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Other user triggered events of relevance to the technical issue you encounter.
User Behaviour — Logs 1 month ... 2 years
To follow-up an issue on repeated occurrence (i.e. sporadic technical issues)
Historic logs of user activities, such as sign-in attempts, used i.e., under exceptional circumstances to investigate security vulnerabilities.

Personal Data Categories for Privacy Service

Logic Account Identifier

Personal Data Retention Policy Remarks
(End-)User Account ID Event-triggered
Deleted when account is deactivated
Your CONNECT ID.
Retained to be able to display and check consent decisions and objections.

User Behaviour

Personal Data Retention Policy Remarks
Other User Events 1 month ... 2 years Retained for service capacity planning and product improvement.

Personal Data Categories for Analytics

General User Data

Personal Data Retention Policy Remarks
User Base Data — All 1 month ... 2 years Retained to have a historical comparison of user base data frequencies between seasons of different years.

Logic Account Identifier

Personal Data Retention Policy Remarks
CPID 1 month ... 2 years An encrypted MSISDN (phone number).
Retained to diagnose technical issues.
(End-)User Account ID 1 month ... 2 years Retained to have a historical comparison of number of distinct users between seasons of different years.
IP-Address — End-User 1 month ... 2 years Retained to have a historical comparison of user density in different estimated locations between seasons of different years.
MSISDN 1 month ... 2 years Retained to have a historical comparison of number of distinct users between seasons of different years.
One-time verification code 1 month ... 2 years Retained to diagnose technical issues. The verification code is invalidated after 1 minute.
Logic Account Identifier (ACR) 1 month ... 2 years A number used internally to distinguish between users without looking up who they are.
Retained to have a historical comparison of number of distinct users between seasons of different years.

Technical Data — B2B

Personal Data Retention Policy Remarks
Operation Status Confirmation Message 1 month ... 2 years Retained to have a historical comparison of the API call status frequencies between seasons of different years.

Technical Data — User

Personal Data Retention Policy Remarks
Software Environment — User Agent 1 month ... 2 years Retained to have a historical comparison of browser usage between seasons of different years.

Time And Location

Personal Data Retention Policy Remarks
Timestamp 2 years ... 10 years The time of the day, when an event occured.
Retained to track statistics evolution over time.

User Behaviour

Personal Data Retention Policy Remarks
Purchase Fact 0 ... 1 day
Processed in near real-time to update statistical counters, and then immediately deleted.
 
Service usage metadata 1 month ... 2 years User-triggered events that allows insights on the performance of the the product and potential technical issues.
Retained to have a historical comparison of number of service usage patterns between seasons of different years.
Stäng