Cache rendered at: 22:05:57
English
English
Deutsch Norsk

Privacy statement

This privacy statement explains how Vendanor AS (hereinafter referred to as "Vendanor") collects, uses, stores, and shares personal data in connection with our services, including our website, automated solutions, and administrative systems. Vendanor, as the data controller, processes personal data in accordance with applicable privacy regulations, including the General Data Protection Regulation (GDPR). Vendanor only collect and process personal data that is necessary for the purposes outlined in this statement, and unnecessary data is neither collected nor stored. Company information and contact details are available at vendanor.com.

Categories of data subjects and personal data processed

A. Visitors of vendanor.com

Visitors browsing the public website.

Visitors' IP address
  • Purpose: Technically necessary, including for secure and stable website operation.
  • Legal basis: Legitimate interests.
  • Retention: Deleted after 90 days
Data submitted via contact form
  • Purpose: Communication and follow-up (see Business Contacts).
  • Legal basis: Consent.
  • Retention: See Business Contacts.
Cookies

No tracking, analytics, or marketing cookies are used. Only technically necessary cookies are applied to support basic functionality (e.g. remembering display preferences). These cookies are anonymous and do not involve the storage or processing of personal data.

B. Users of the end-user portal my.vendanor.com

End-users and the general public accessing the self-service portal..

IP addresses
  • Purpose: Technically necessary for the secure and stable operation of the portal, and for maintaining system security.
  • Legal basis: Legitimate interests (including security).
  • Retention: Deleted after 90 days.
Refund requests
  • Purpose: Processing of refund claims submitted by the user.
  • Legal basis: Fulfilment of contract and statutory obligations.
  • Retention: Stored in line with legal requirements (typically minimum 5 years)
Email address submitted for management
  • Purpose: Enabling the user to manage stored contact details via a secure magic link.
  • Legal basis: Consent (for storage of contact details) and legitimate interests (for secure verification and functionality).
  • Retention: Data is deleted when the user removes the stored email.
Cookies

No tracking, analytics, or marketing cookies are used. Only technically necessary cookies are applied to support basic functionality (e.g. remembering display preferences). These cookies are anonymous and do not involve the storage or processing of personal data.

C. Vending machine end-customers

End customers, i.e., customers of a vending machine owner/customers of Vendanor's customers, using a machine.

Contact information (email address and/or phone number)
  • Purpose: Delivery of e-receipts. An email address may also be stored for reuse in future purchases, so the user does not need to re-enter it. Contact details are always processed when used to send a receipt. Masked/hashed versions may be retained longer for troubleshooting and security purposes.
  • Legal basis:
    • Consent – for storage of contact details for reuse.
    • Legitimate interests – for processing necessary to deliver receipts/messages and maintain security.
  • Retention:
    • Stored contact details are automatically deleted after 500 days of inactivity and can be deleted earlier by the user via my.vendanor.com.
    • Contact details that appear in system logs are automatically deleted after 90 days.
    • Masked/hashed versions may be retained for longer periods to support troubleshooting and security
Transaction data (payment information and sales orders)
  • Purpose: Processing of purchase transactions, delivery of receipts, troubleshooting, ensuring system security, and compliance with financial/legal requirements. This includes payment references and masked/hashed card numbers, as well as order details such as product, price, time, and location.
  • Legal basis: Fulfilment of contract, legitimate interests (including security), and statutory obligations (e.g. accounting law).
  • Retention:
    • Transaction data is stored as long as necessary to fulfil contractual and statutory obligations, including accounting requirements (typically minimum 5 years).
    • Masked/hashed payment information may be retained longer for troubleshooting, security, and analytical purposes.

D. Vending machine owners

System users – employees or partners of vending machine owners.

Name phone number, email address, user identifier, IP address, system activity logs, and similar information necessary for authentication and system operation.
  • Purpose: Secure authentication, user access management, operational support, and accountability.
  • Legal basis: Consent, fulfilment of contract and legitimate interests (including security).
  • Retention: Personal data is deleted 1000 days after the user account is deactivated. System activity logs and IP addresses are retained as long as necessary for security and accountability, typically no longer than 90 days unless masked/hashed for audit purposes
User interaction

Actions performed in the portal (e.g. navigation, clicks, configuration changes) are recorded together with the user ID.

  • Purpose: Debugging, troubleshooting, operational support, and accountability.

  • Legal basis: Consent, legitimate interests (including security and system reliability).

  • Retention: Interaction logs are typically retained for up to 90 days, unless further retention is required for audit, troubleshooting, or legal purposes-

Cookies

When a user logs in, a cookie is stored containing a unique identifier linked to the user account.

  • Purpose: Secure authentication, user access management, and stable functionality of the fleet management portal.

  • Legal basis: Consent, fulfilment of contract and legitimate interests (including security).

  • Retention: Session-based; deleted automatically when the browser session ends.

E. Business contacts

Includes customers, suppliers, and other professional contacts of Vendanor.

Name, position, contact details (email, phone), correspondence history, and other business-related information contained in emails, documents, and files. This may also include miscellaneous information that naturally arises in correspondence and files, provided it is relevant for the business relationship.
  • Purpose: Management of business relationships, communication, invoicing, and follow-up with customers and suppliers.
  • Legal basis: Fulfilment of contract, legitimate interests, and statutory obligations (e.g. accounting and recordkeeping requirements).
  • Retention: Data is stored in accordance with applicable statutory requirements, including the Accounting Act (minimum 5 years).

Your Rights

You have the following rights regarding your personal data:

  • Right of access: You may request access to the personal data we have stored about you.
  • Right to rectification: You may request corrections to inaccurate or incomplete data.
  • Right to erasure: You may request deletion of your data unless we are legally required to retain it.
  • Right to data portability: You may request your data in a structured, machine-readable format.
  • Right to withdraw consent: You may withdraw your consent at any time, where consent is the legal basis for processing.
  • Right to object: You may object to processing based on our legitimate interests.  
  • Right to restriction: You may request that the processing of your personal data be restricted in certain cases.  
  • Right to complain: You may file a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no if you believe your rights have been violated.  

To exercise your rights, contact Vendanor at info@vendanor.com.

Anonymised usage statistics

Anonymised usage statistics are collected across all Vendanor websites, apps, and portals for the purpose of improvement and analytics. No personal data is stored, so legal basis and retention are not applicable. No cookies are used for this purpose.

Automated decisions and profiling 

Vendanor do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on you.  

Subcontractors

Vendanor uses subcontractors for certain services, such as data storage and message distribution. All subcontractors are bound by data processing agreements that ensure personal data is processed in accordance with GDPR and this privacy statement. All data is processed within the European Economic Area (EEA), and we do not transfer personal data outside the EEA. 

Information sharing

Vendanor shares data with third parties only as outlined in this statement, including:

  • Vending machine owners: Data from vending machine end users may be shared with the respective vending machine owners. Such processing is carried out under data processing agreements in compliance with GDPR.
  • Law requirement: For example, in response to requests from public authorities or courts.

Security

Vendanor implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. This includes, but is not limited to, encrypted communication and access control systems.

Data breach notification

In the event of a personal data breach, Vendanor will notify affected individuals, relevant partners, and authorities in accordance with legal requirements.

Changes to this privacy statement

Vendanor reserves the right to update this statement as necessary, for example, due to changes in regulations or our services. The updated version will be published on vendanor.com.

Data protection contact

For questions regarding the processing of personal data, please contact the Chief Executive Officer of Vendanor.