Introduction

• This Data Protection and Privacy Policy (the “Policy”) describes how Cardlay A/S (“us”, ”we” or ”our”) Cardlay A/S and Cardlay Payments Solutions A/S (“Cardlay”, “us”, “we” or “our”) operates, among others, www.cardlay.com and www.vattax.com, and the Cardlay mobile apps offering a variety of services such as Cardlay Expense and Cardlay Card Management (together the “Services”). This privacy policy (the “Privacy Policy”) applies to all Services offered by us and it applies to all information collected via customers’ use of our Services and our websites. Cardlay has concluded this Privacy Policy to provide relevant information on how Cardlay collects, uses, discloses, protects or otherwise processes information. Cardlay will not use or share your information with anyone except at described in this Privacy Policy.

• The Policy is prepared and made available to comply with the General Data Protection Regulation (2016/679 of 27 April 2016) (the ”GDPR”) and the rules included herein on information to be provided to you.

Collecting personal data with cookies

• By visiting and using our website(s), cookies are collected and used based on your consent. Information in these cookies include ("Cookiedata"):

• search terms on our website(s)

• search terms on other website(s)

• IP address

• location at login

• browser type

• Cardlay uses Google Analytics, the popular web analytics service provided by Google, Inc. Google Analytics uses cookies to help us to analyse how users use the site. It counts the number of visitors and tells us things about their behaviour overall – such as the typical length of stay on the site or the average number of pages a user views.

The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity, and providing other services relating to website activity and Internet usage.

Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google undertakes not to associate your IP address with any other data held by Google.

If you have Adobe Flash installed on your computer (most computers do) and you use Out-Law.com’s audio or video players, Google Analytics will try to store some additional data on your computer. This data is known as a Local Shared Object or Flash cookie.

This helps us to analyse the popularity of our media files. We can count the total number of times each file is played, how many people watch videos right to the end and how many people give up half way through. Adobe’s website offers tools to control Flash cookies on your computer.

If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies. You can access them through some types of browser. Search in your cookie folders to find our cookie and the Google Analytics cookie if you wish to delete them.

• Cookiedata is used for: administration of customer relationships in general such as orders, purchase history, invoicing, etc., customer support, improvement of the website(s) and user experience, prevention of fraud, scams and illegal use of our website or services, prevention of unauthorized logins, to perform targeted marketing, tasks or project management (organization and planning of work and deliveries), to deliver our products, services or goods We also use Cookies for the purpose of: A number of our pages use cookies to remember:

Your display preferences, such as contrast colour settings or font size

If you have already replied to a survey pop-up that asks you if the content was helpful or not (so you won’t be asked again)

If you have agreed (or not) to our use of cookies on this site

Also, some videos embedded in our pages use a cookie to anonymously gather statistics on how you got there and what videos you watched.

Enabling these cookies is not strictly necessary for the website to work but it will provide you with a better browsing experience. You can delete or block these cookies, but if you do that some features of this site may not work as intended.

The cookie-related information is not used to identify you personally and the pattern data is fully under our control. These cookies are not used for any purpose other than those described here...

• Our use of cookies for the purpose of collecting personal data is carried out in accordance with section 3 of the Executive Order (No. 1148 of 9 December 2011).

• If you wish to limit or decline the cookies placed on your computer when visiting our website you can do so at any time by changing your browser settings. However, you should be aware that if you decline or reject cookies it will impact the functionality of the website which means that there are features on the website that you will not be able to see. Any browser allows you to delete cookies collectively or individually. How this is done depends on the browser you use. Remember to delete the cookies in all browsers, if you use several different browsers.

• We disclose and/or share Cookie Data with:

Cardlay uses Google Analytics, the popular web analytics service provided by Google, Inc. Google Analytics uses cookies to help us to analyse how users use the site. It counts the number of visitors and tells us things about their behaviour overall – such as the typical length of stay on the site or the average number of pages a user views.

• Below you will see an overview of the duration of the cookies we use:

A Session cookie is deleted when you close your browser. Persistent cookies are stored on your digital unit and are stored for a period of one or two years

Types of personal data processed

• We process personal data about you when this is necessary and in accordance with the applicable legislation. Depending on the specific circumstances, the processed personal data include the following types of personal data:

• name

• address

• email

• payment card details

• invoicing and bookkeeping data and documentation

• telephone number

• password

• account status (customer points, payments etc.)

• IP addresses

• purchasing history

• Payment card information and spend history.

• When relevant, personal data is collected directly from you or from external sources. Personal data about card holders is collected; (i) directly from the card holders; (ii) from the employers of the card holders and (iii) from the bank issuing the the payment cards

• If we need to collect more personal data than specified above, we will inform you by updating this Policy.

Purposes of processing the personal data

• We will only process your personal data if we have a legitimate purpose and in that case in accordance with the rules of the GDPR. The personal data we collect about you is processed for the following purposes:

• To deliver products or services.

• To provide service messages and information.

• To prevent fraudulent behavior or misuse of the IT System and/or the products or services that are provided via the IT system(s).

• To prevent fraudulent behavior or misuse of our products, services and website, including the processing of personal data for the purpose of legal actions.

• To improve our products, services, or website.

• To send newsletters and direct marketing (such as e-mails, MMS', direct messages on social media, etc.)

• To send newsletters by e-mail.

• To facilitate a sales process.

• To provide support and service messages, including responding to questions and complaints and sending updates about our products and services.

• To communicate and exchange data with public authorities when required by law.

• To respond to inquiries or complaints.

• To store personal data to comply with applicable legislation requirements such as bookkeeping acts.

Legal basis for processing personal data

• We only process your personal data when we have a legal basis to do so in accordance with the GDPR. Depending on the specific circumstances, the processing of personal data is done on the following legal basis:

• The legal basis for the processing of such personal data is consent, in accordance with GDPR, Article 6(1)(a). You can withdraw your consent at any time by contacting us via the contact details provided at the end of this Policy. If you withdraw your consent, the personal data processed will be deleted, unless it can or must be processed in order to comply with legal obligations.

• The processing is necessary for the performance of a contract to which the data subject is a party in accordance with GDPR, Article 6(1)(b), the first indent.

• The processing is necessary to comply with applicable legislation in accordance with GDPR, Article 6(1)(c).

• The processing is necessary in order to take steps at the request of the data subject prior to entering into a contract in accordance with GDPR, Article 6(1)(b), last indent.

• The processing is necessary for the purposes of the legitimate interests where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in accordance with GDPR, Article 6(1)(f).

• If we send you direct marketing, including by email, we will ask for your prior consent in accordance with the applicable rules such as marketing acts.

Disclosure and transfer of personal data

• We only transfer personal data to other entities when legally permitted or required. Our organization is part of a concern or a group of companies where, depending on the circumstances, personal data is shared.

• We transfer personal data to the following recipients from the EU/EEA:

• Banks (for example in connection with payments etc.)

• Processors

• Suppliers

• Collaborators

• Tax authorities (for example in connection with accounting etc.)

• The Milage functionality in Cardlay Expense activates Google Maps API(s) when finding and tracking destinations and calculating distances. Thus, when activating the Milage functionality of Cardlay Expense, the users accepts the terms of use for Google Maps

API(s) available at http://www.google.com/intl/en/policies/terms.

• From time to time we use external entities as suppliers to assist us in delivering our services. The external suppliers will not receive or process personal data unless applicable law allows for such transfer and processing.

Where the external parties are acting in the role of processors, the processing is always based on a data processing agreement in accordance with the requirements under GDPR.

Where the external parties are acting in the role of controllers, the processing of personal data is based on such external parties’ data privacy policy and the relevant legal bases which the external parties are obligated to inform about unless the applicable legislation allows otherwise.

• We transfer personal data to countries or international organisations outside the EU/ EEA.

• If you have any questions about our use of processors, cooperation with other controllers, including our subsidiaries, or the transfer of data to third countries, you may contact us for more information or documentation of our legal basis for such transfers.

Erasure and retention of personal data

• We ensure that the personal data is deleted when it is no longer necessary for the processing purposes described above. However, we retain your personal data to the extent that we are legally obligated, as is the case with for example accounting and bookkeeping materials and records. If you have any questions about our retention of your personal data, you may contact us by using the email mentioned in the last section of this Policy."

Data subject rights

• As a data subject under GDPR, you have a number of rights.

  • You have the right to request access to the personal data we process about you, the purposes we process the personal data, and whether we disclose or transfer your personal data to others.

  • You have the right to have incorrect information rectified.

  • You have the right to have certain personal data deleted.

  • You may have the right to restriction of our processing of your personal data.

  • You may have the right to object to our processing of your personal data based on reasons and circumstances that pertain to your particular situation. Objection can also be to the processing of personal data for the purpose of direct marketing.

• You have the right not to be subject to a decision based solely on automated means, without human interference unless the decision (1) is necessary for entering into, or performance of a contract between you and the Organization,

• (2) is authorised by law, or (3) is based on your explicit consent.

• If the processing of your personal data is based on your consent, you are entitled to withdraw such consent at any time. Withdrawal of your consent will not affect the lawfulness of the processing carried out prior to your withdrawal.

• You are entitled to receive personal data which you have provided to us in a structured, commonly used, and machine-readable format (data portability).

• You can always lodge a complaint with the data protection authority.

• Your rights may be subject to conditions or restrictions. Accordingly, there is no certainty that you will be entitled to for example data portability in the specific situation; it will depend on the circumstances of the processing.

• More information about data subject rights can be found in the guidelines of the national data protection authorities.

• Please use you the contact details below if you want to use your rights.

• We try to meet your wishes about our processing of personal data, but you can always file a complaint to the data protection authorities.

Changes to this Policy

• We reserve the right to update and amend this Policy. If we do, we correct the date and the version at the top of this Policy. If we make significant changes, we will provide notification by way of a visible notice, for example on our website or by direct message.

Contact

• You may contact us at the below specified email if you:

• disagree with our processing or consider our processing of your personal data infringes on the law,

• have questions or comments to this Policy, or

• want to invoke one or more of your rights as a data subject described in this Policy.

If you have questions or comments to this Policy or if you would like to invoke one or more data subject rights, please contact us at In case you have any questions or comments to this Privacy Policy please contact us by email to legal@cardlay.com.