Aera Payment & Identification AS, org # 917351538 («Aera») is a Norwegian Limited Liability company that offers Payment & Identification Services. Aera offers services to both businesses and consumers.
Aera is located at Askekroken 11, 0277 OSLO. Aera holds a license as a Payment Initiation/Account Information Service Provider from the Norwegian Financial Authority.
You can reach Aera via:
* Phone: +47 22 55 25 01
* E-mail: support@aera.id
Aera has an appointed Data Protection Officer, whom you can reach at privacy@aera.id
For our business as a whole, we have a Privacy Policy which you can find here. In addition to this, we have separate policies for individual customer groups. This policy regulates the services we offer directly to consumers in more detail than the main privacy policy. If you are a consumer and you have entered into an agreement with Aera to use our services, this Privacy Policy forms a part of that agreement.
Aera processes personal data about you – our customer – in order to provide you with payment and/or identification services (the “Services”), as well as to improve and further develop these. Because we are a licensed payment institution, we also need to perform certain controls related to anti-money laundering and combating financing of terrorism (AML/CFT) as well as combating fraud, which are mandatory under laws to which we are subject. These controls involve automated processing, including profiling, and may produce legal effects that significantly affect you. Furthermore, we store transactional data for record keeping and bookkeeping purposes.
The different categories of data we process, and details related to them such as retention time, can be found in the Data Processing report which is available as an appendix to this policy in our consumer portal.
We typically offer services for use in conjunction with infrastructure belonging to one or more merchant chain(s), transportation providers or other organizations (hereafter “chains”) offering goods or services to consumers. As such, if you use our services inside a merchant app, it will share some data with this merchant, such as a confirmation of payment and data enabling earning of benefits in activated loyalty programs.
If a transaction or customer relationship raises red flags, we are in some cases compelled by the Norwegian Anti-Money Laundering Act to report this to the police, thereby sharing such data as the law decrees.
We do not share your data with any third party for marketing purposes.
The different categories of data we share, recipients of data and details related to them can be found in the Data Processing report which is available as an appendix to this policy in our consumer portal.
Data we process to deliver our services to you are processed because this is necessary to fulfill the contract for those services. Data we share with chains are shared based on your consent to enabling our services for that specific chain. You can withdraw this consent at any time.
Data we process for anti-money laundering are processed because this is necessary for compliance with a legal obligation to which the controller is subject, specifically the Norwegian Anti-Money Laundering Act §29.
Data we process for record keeping and bookkeeping purposes are processed because this is necessary for compliance with a legal obligation to which the controller is subject, specifically the bookkeeping act (for accounts) and records of transactions.
The personal data we process about you consists of a profile and transactional data. The profile data is collected directly from you when you sign up to our services or gathered from a third party and made visible to you during the same sign-up process. The transactional data is generated by you and any merchant system and/or bank system you interact with when you use our services.
Both these sets of data are available to you through our customer portal found on www.aera.id/consumer. You may also access data through the chain apps. Accessing your data from Aera through a chain app does not cause this data to be shared with the chain.
The data provided directly from you may be updated by you at any time in the chain app or through our customer portal. Data we receive from or check against external services or public registers, such as your national identity number or registered address, cannot be changed in our services, but need (if they are incorrect) to be changed in the registers where they are found, such as the National Population Register.
The transactional data cannot be changed; this is data that forms the basis of records and accounts.
If you stop using our services, we will delete your data as soon as we are able to. As a licensed payment institution, Aera is obliged to perform mandatory controls related to AML/CFT and fraud as mentioned above in section 2, in which we process and store personal information. This includes personal data registered in the onboarding process, AML-data and transactional data.
As a licensed payment institution, Aera shall record and retain information and documents for five years after the customer relationship has ended as well as five years after each transaction is completed. In cases where further checks and controls were necessary, Aera can store data up to 13 years, depending on the severity of the case.
The Anti-Money Laundering Act has precedence over the right to erasure in GDPR (cf. Article 17(3) litra b), meaning that data is stored according to the Anti-Money Laundering Act.
Under the Accounting act, Aera is legally obliged to store transactional data for five years after the end of the financial year for record keeping and bookkeeping purposes.
For data shared with the authorities due to the Norwegian Anti-Money Laundering Act, deletion follows the policy of the relevant authorities.
Object
You have the right to object to the processing we perform on your personal data. If you wish to exercise this right, please contact privacy@aera.id.
Complaint to the Data Protection Authorities
You also have the right and ability to lodge a complaint with the Data Protection Authorities; the lead authority for Aera is the Norwegian DPA, found at www.datatilsynet.no.
We do our utmost to keep your data safe. Aera is the holder of an ISO 27001 certification for information security management and as a licensed entity we operate under the supervision of the Norwegian Financial Authority (Finanstilsynet).
All consumer data are processed in the European Economic Area (EEA). No transfer of consumer personal data to any third country is performed by Aera as a controller.
You are being presented with these Terms of Use because you are about to register as a user of the “Aera Access” Service.
By completing the registration and confirming that you have read and understood the terms, you agree that they apply to your use of the Service. Because you use the Service as part of your job, the terms also affect your employer.
The mobile application “Aera Access” is used as an authentication and login method to verify users and grant access to the various customer portals Aera offers. This document describes the Terms of Use for the application, as well as how the privacy of the data needed for its use is handled.
Aera Access is developed by Aera and is built around the service Aera Secure ID, which is also used for payment and access control solutions provided by Aera. The service enables secure authentication, via a mobile device, to a service outside the device. Activation of Aera Access requires Norwegian BankID. The BankID authentication verifies who you are and creates a trusted binding between you, the mobile device and the application. After that, you can use your mobile’s native authentication mechanisms, fingerprint or face recognition, to verify and access the services you are registered for. For the mobile device’s authentication solutions to be operative, either fingerprint or face recognition must be enabled in order to use the Service.
When using BankID, your date of birth and BankID’s personal identifier (PID) are transferred to Aera’s central systems.
These remain stored in both your mobile device and Aera’s central systems as long as you are using the Service. If you delete the application, the Aera Access data in your device will be deleted immediately. If you have a backup of your device, the backup file might contain information about Aera Access until you delete the backup. If you have not used the application for 60 days, we will notify you that your access will be revoked. If your inactivity persists for another 30 days, your access will be revoked and associated data from Aera’s central systems will be deleted.
Aera Access should only be used from phones that are made available by Aera’s customers or their subcontractors.
Permission to access Aera’s portals through Aera Access is given to individuals, based on lists Aera receives from its customers.
Since access is granted based on the mobile device’s native authentication mechanisms, it is imperative that you are the only one who has access to these. By using this Service, you guarantee that no one else has registered their fingerprints, face, or other authentication mechanisms on the device on which you are installing this application. You also guarantee that no one else knows your screen lock, e.g. personal PIN or swipe pattern.
Note that if you make changes to the registered fingerprint or face on the device, you will have to re-activate the application using BankID.
Before activation, the application must be downloaded in accordance with instructions from your employer. If you intend to use “BankID på mobil”, this must be installed on your mobile device. If you wish to use BankID with the token/code generator, please make sure you have this available.
The application should only be installed on phones owned by your employer that are intended for professional use in a job context.
If you are supposed to use the application, Aera should have received information about this and you will be registered in our access management system. The application can only be activated with pre-registered mobile numbers. Contact your employer if you are not able to activate the application.
When the application is done, private and public cryptographic keys are created in a secure area on your mobile device. The public key is sent to Aera and stored along with your BankID identifier (PID). This will bind the mobile device to you as a user and enable the use of the device’s biometric authentication mechanisms, fingerprints or face, to verify you in Aera’s central systems, and thus to grant access to Aera’s portals.
The Aera Access application and the services the application can grant you access to shall solely be used to access the services that Aera, or Aera’s customers, have entered into an agreement with your employer to provide and that you have been assigned to perform. Any attempt at use or access that is not necessary to perform your professional assignment as described above is prohibited. Any information accessed through this Service shall be treated as confidential with respect to any outsider.
As a user of the Service, you are obliged to never lend or leave your mobile device, computer or similar equipment unlocked, or otherwise expose Aera’s portals or any information or functionality that then can be accessed to any third party.
Nonconformity
If you lose your mobile device, or otherwise think that the security of Aera’s systems might be compromised, you must immediately and without delay report this via email to support@aera.id.
If you want to terminate the use of the application, you can delete it from your mobile device. This will cause all data associated with the application on your device to be deleted. Note that if you keep a backup of your device, the backup may contain copies of the data that existed on your phone at the time the backup was taken.
By deleting the application, the connection between your device and Aera’s systems will cease and Aera will no longer be able to receive or send information to or from your device. All privacy data related to the application stored at Aera will be automatically deleted after 90 days of inactivity.
If you have not actively used the application for 60 days, we will notify you that your access will be revoked. If your inactivity persists for another 30 days, your access will be revoked and associated data from Aera’s central systems will be deleted. Logs of which users have authenticated themselves and thereby accessed Aera’s portals will be kept for five years.
The legal basis for processing personal data related to the use of the application and accessing Aera’s portals is the service agreements between Aera and Aera’s customers, the service agreements between Aera’s customers and your employer, as well as your employment contract with your employer. Aera’s customer as your client is the data controller, while Aera is its data processor. This relationship is governed through a data processing agreement.
The legal basis for the processing is, cf. personal data regulation Art. 6 (1) (b), that it is necessary to fulfill the purpose of the said agreements.
As a registered user you have several rights related to the processing of your personal data. This includes, but is not limited to, transparency, rectification, deletion and the right to protest.
If you would like to know more about how Aera processes personal information, please read our privacy policy at URL: https://aera.id/personvern/
Questions or inquiries about the processing of personal data can be addressed to: privacy@aera.id. Exercising your rights is done by contacting your client through your employer.
The following personal information will be retrieved from BankID to your mobile device:
The following personal information will be generated in your mobile device:
The following personal data will be transferred from BankID to Aera’s central systems:
The following personal data will be transferred from your device to Aera’s central systems:
In addition, Aera receives and stores information about which mobile device model, operating system version and language package are used, as well as the application’s name and ID.
Note that Aera keeps access logs in which the logon time, IP address and browser User Agent are recorded each time the application is used, e.g. to log in to a web portal.
The logs are stored for five years.
The following personal data will be generated in Aera’s central systems:
Access to Aera’s portals and permission to use the Aera Access application is subject to these Terms of Use. Violation of the Terms of Use, abuse of the Service, or other unlawful conduct may result in penalties and/or liability for you as a user and/or your employer. Aera may at any time revoke any access to its portals and the Aera Access application if this is required for security reasons.
Questions about Aera Access or these Terms of Use can be addressed to: support@aera.id
Aera Access Terms of Use, version 1.0.
Oslo, April 2020