Last updated: 01.07.2022
1.1 Preliminary verification of data input and confirmation of interest to purchase the invoice
We need to verify that a company representative inputs the correct company information, including company name and business address. The legal basis for this processing is our legitimate interests in ensuring that we will be invoicing the correct company at the right invoicing address (GDPR Article 6(1) litra f). For this purpose, we process personal data about which company the representative claims to be able to place an order on behalf of.
We share the name of the company with our partner banks. The purpose of this is to inquire whether the banks are interested in purchasing the invoice for the order placed by the company's representative. This processing is based on our legitimate interests in providing the Services to companies and the banks (GDPR Article 6(1) litra f).
1.2 Verification of the potential customer placing an order intent
If none of the partner banks is interested in purchasing the order invoice, the Merchant will not present the Two Services as a payment option.
If one or several banks are interested in purchasing invoices regarding orders placed by the company's representative, the Merchant presents the Two Services as a payment option.
For order baskets sized above a certain threshold, we must verify the company placing the order as well as the identity of the person claiming to represent the company. We will then process personal data about the company representative placing an order for the purpose of ID verification. We will process information about the representative's name, the company delivery address, and which company the representative claims to be able to order on behalf of. We will also conduct ID verification to match the company representative with the company they claim to place an order on behalf of. For this purpose, we will process the previously stated information in addition to information about the type of connection the representative has with the company in question. We will use methods provided by Vipps Login and Enin AS for these ID verification purposes.
The legal basis for this processing is our legitimate interests in verifying the company and ensuring that the company representative is authorized to represent the company (GDPR Article 6(1) litra f).
To place an order using Two as a payment method, we must check with the relevant partner bank whether they confirm their interest in buying the payment claim for the order placed. If this is confirmed, Two facilitates the sale of the invoice from the merchant to the partner bank. For these purposes, Two collects and shares with the partner bank information about the company representative's name, the company delivery address, the name of the company, and the items and products purchased.
Two also facilitates the distribution of the invoice to the buyer company. For this purpose, Two will share the same information as described in the previous paragraph with the company, and the company will receive EHF and the company representative will receive the invoice as a PDF file by email.
The legal basis for this processing is our legitimate interests in facilitating the delivery of the Two Services to the buyer company and the partner bank (GDPR Article 6(1) litra f).
Two provides the opportunity to prospective company representative buyers to onboard themselves (as an individual) and their company via Two's Buyer Center. This onboarding requires collection and other processing of information on the company name, company organization number, registered company address, the representative's name, work email address, relationship to the company, work department, mobile phone number and individual authentication (via Vipps Login).
Company representatives who are Admin Users can edit Buyer Profile Types as well as spending limits for all Users onboarded on behalf of a company. Users can view a dashboard of, and download locally, the purchase history of their own transactions conducted via the Two Services. Admin Users can view all the company's transactions conducted via the Two Services. This will include information about which merchant sold the goods or services, which user made the purchase, order data, order amount, which products or services were purchased, order delivery (yes/no) and payment status (paid/to be paid/in arrears).
Using the Buyer Center is voluntary. The legal basis for the processing is our legitimate interests in facilitating the delivery of the Two Services to the buyer company and allowing the company to manage their purchases (GDPR Article 6(1) litra f).
Two provides the opportunity for prospective merchant representatives to onboard themselves (as an individual) and their company via Two's Merchant Center. For this purpose, we will process information about the company name, company organization number, registered company address, annual B2B sales, annual turnover, tax residency, countries of operation, bank account number, selection of product and service types it wants to offer and the website URL. We will also process personal data about the representative's name, work email address, individual authentication (Vipps Login), the representative's relationship to the company, mobile phone number, DOB, and answers to a series of KYB Questions.
The users can view a dashboard of, and download locally, the sales history of the merchant's transactions conducted via the Two Services. This includes information about the buyer company's name (who bought goods/services), transaction date, transaction items sold, order amount, order delivery (yes/no) and payment status (paid/to be paid).
The representatives can also request a view of the performance of the merchant's buyers' payouts to the partner banks, i.e. for the partner banks to share with the merchants via Two whether the original invoices generated have been paid upon credit term expiry. This will include information about the buyer company's name, transaction date, transaction items sold, order amount, order delivery (Yes/No), payout status to partner bank (paid/to be paid/in arrears/in collection).
The users can set up rules to (i) qualify the level of Strong Customer Authentication, and (ii) establish recourse on transactions that may fail the partner bank's credit check. This will include information about transactions to which no Strong Customer Authentication is required, max order amount, and max buyer credit riskiness (e.g. Probability of Default) required in order for the merchant to provide merchant recourse for a prospective invoice financing facility.
Processing as described in this section is based on our legitimate interests in enabling the merchant company and their representatives to use the Two Services (GDPR Article 6(1) litra f).
Two builds algorithmic statistical models based on registered fraud events to identify patterns and predict future fraud behavior for both existing and new merchants, buyer companies, and individuals representing or claiming to represent merchants or buyer companies. For this purpose, we process information about fraud events, type of fraud events, date of fraud events, company name, company organization number, name of involved individual(s), IP address, delivery address, email address, phone number, "device fingerprint" (if available), order value at risk, recovery of order value after event, number of days until recovery.
Two builds algorithmic statistical models based on registered credit events to identify patterns and predict future credit-risky behavior for both existing and new merchants, buyer companies, and individuals representing or claiming to represent merchants or buyer companies. For this purpose, we process information about credit events, type of credit events, date of credit events, company name, company organization number, name of involved individuals, transacting order, order value at risk, products and number of items per product in transaction, recovery of order value after event and number of days until recovery.
The legal basis for these processing purposes is our legitimate interests in preventing, identifying and handling fraud events and in preventing, identifying and handling credit events involving risky behavior.
1.5 Sales and marketing
We will contact companies and their representatives for sales and marketing purposes. This includes direct marketing to potential and existing customers, conducting customer surveys and finding potential customers via social media.
We will process information about the company name, phone number, email and URL, and the name and contact information of the relevant company representatives.
For direct marketing to potential customers, we obtain consent (GDPR Article 6(1) litra a). If you have consented to being contacted by us for sales and marketing, you may withdraw your consent at any time. Processing for other sales and marketing purposes is based on our legitimate interests in promoting and increasing the sale of our products and services (GDPR Article 6(1) litra f).
The cookies and similar technologies we use are as follows:
The legal basis for this processing is our legitimate interests in analyzing and continuously improving our platforms and making them as relevant as possible to our customers (GDPR Article 6(1) litra f).
1.6 Providing customer service
We process personal data about the persons who contact our customer service. The information processed will depend on the information you disclose to us and what other information is necessary to process in order to respond to your enquiry. The processing is based on your consent (GDPR Article 6(1) litra a) and our legitimate interests in receiving feedback in order to further develop and improve the Services (GDPR Article 6(1) litra f). You may withdraw your consent at any time. Please note that insofar as we have also collected the personal data based on our legitimate interests, we can continue storing the relevant data even if you withdraw your consent.
1.7 Legal obligations and legal claims
We will process personal data in order to comply with certain legal obligations, such as accounting obligations. In such cases, we will only process personal data insofar as necessary in order to fulfill the relevant legal obligations (GDPR Article 6(1) litra c).
In some cases, it is necessary for us to process personal data for the establishment, exercise and/or defense of legal claims. We will only process personal data insofar as necessary for our legitimate interests relating to such claims (GDPR Article 6(1) litra f).
We share personal data with our merchants, buyer companies, and partner banks, in addition to verification providers (such as Vipps, Enin AS, Brønnøysundregistrene), as further described above. We also use Google Cloud for hosting purposes, and the hosting servers are located within the EU/EEA.
We will share personal data when necessary in order to facilitate commercial transactions, such as mergers and acquisitions. We also share data with governmental and supervisory authorities and others when required to do so by law.
We will not transfer personal data to recipients in countries outside the EU/EEA that do not offer adequate data protection, unless appropriate safeguards are in place.
We store personal data for as long as necessary to fulfill the purposes described above. We delete personal data when there is no longer a need to retain the data for the purposes for which they were collected.
We handle your personal data securely and have established procedures that meet data protection requirements. The security measures are of technical, contractual and organizational nature. For example, we conduct regular assessments of the security in all central systems that are used for the handling of personal data. We have also entered into agreements with our subcontractors that require them to ensure appropriate information security regarding the services they provide to us. We limit the access to personal data to personnel who have a need for access in order to carry out their tasks. We have implemented access control so that personal data is only available for personnel with a justifiable need.
You can have certain rights in personal data concerning you. What rights you have depends on the circumstances and applicable law. Some rights that may be relevant for you are: