Privacy Policy
At Myver, we take your privacy seriously.
1. Who we are - the Myver Services
Myver ApS offers an infrastructure to facilitate transaction enrichment, including transmission of digital receipts and related consumer information – the “Myver Services”.
Our mission is to expand the infrastructure and ecosystem of stakeholders for delivering easy access to digital receipts, receipt data and value-added services for purpose of transaction enrichment.
This Privacy Policy informs of the data processing activities of Myver, as a data processor, when providing the Myver Services which our customers, as data controllers, may deliver to their customers.
The data controllers offering to display digital receipt and value-added services to customers, we call “Customer Facing Platforms”. They include banks, credit card issuers, expense management systems, performance management systems, enterprise resource planning systems, loyalty platforms, merchant platforms, and other providers of payment facilities to customers.
The data controllers providing digital receipts to the Myver Services, we call “Merchants”.
The Myver Services will link the Customer Facing Platforms with our ecosystem of Merchants and, thereby, enabling Digital Receipts as a Service (“Digital Receipt Services”) and Value-added Services as a Service (“Value-added Services”) offered by the Customer Facing Platforms to their customers - both private and business customers (“End Customers”).
Myver’s eco-system of Merchants includes stores of all sizes who support customers’ access to Digital Receipts Services and Value-added Services, either through own loyalty platforms or through the services of other Customer Facing Platforms. We also offer to assist Merchants in analytics based on their anonymized sales data, and to support activities of advertisements, feedback features, loyalty programs, CO2 tracking and other interactive or value-adding elements.
2. What we do – the Data Processing Activities
When providing the Myver Services, Myver is a data processor of personal data acting under the instructions of the data controllers in form of Customer Facing Platforms and Merchants, each acting as independent data controllers.
The Customer Facing Platforms offer payment cards, bank accounts or other End Customer payment methods, and they are data controllers of personal data transmitted with payments or data applied for identifying a purchase. To receive the Myver Services, the Customer Facing Platforms must deliver data to match the digital receipts with the payment method applied by End Customers for the particular purchase.
The Merchants collect data for concluding sales and these “Transaction Data” may include payment card information, payment information, and transaction information. The digital receipts generated are recorded as “Line-item Data”, which includes the basket of order lines with detail of products, quantity, prices, VAT and other taxes, category descriptions, CO2 footprints and SKU.
A Merchant will engage processors to perform the sales transactions, and for creating and processing Line-item Data:
“Payment Processors” are system providers enabling Merchants to accept debet and credit card or bank account payment methods. Payment Processors handle payment processing across various channels (e.g. online or in-store payments) on behalf of the Merchant, and Payment Processors may include acquirers, payment service providers, payment gateways, terminal providers, and point-of-sale providers.
“Cash Registers” are system providers that on behalf of the Merchant keep a registry of products, product information, inventory, prices, discounts, VAT, payment method information, transaction information, customer information (e.g. in connection with loyalty programs). The Cash Registers handle registry and calculation of transactions at a point of sale (e.g. online or in-store transactions), as well as maintaining a detailed registry of all failed, pending and completed transactions (a collective bundling of linked information for each transaction, including; products purchased, product quantity, product information, unit and total prices, discounts, VAT, payment method information, transaction information, date and time, store information, and customer information). Cash Registers may include providers such as cash registers, electronic cash registers, e-commerce providers and point-of-sale providers.
The Myver Services match the information from the Customer Facing Platforms with the Merchants’ information delivered by Payment Processors and Cash Registers under the Merchants’ instructions to deliver data to Myver and the Customer Facing Platforms.
The Myver Services will transmit digital receipts to the Customer Facing Platforms for End Customers to view the digital receipt from their purchases.
For this purpose, Myver will collect, process and store the Transaction Data and Line-item Data under the instructions of the Merchant, including for matching these data with the End Customer payment methods as instructed by the Customer Facing Platforms.
When processing personal data, Myver performs the Myver Services in accordance with applicable data privacy regulation, including Regulation (EU) 2016/679 on the protection of natural persons with regard to processing of personal data on the free movement of such data (the General Data Protection Regulation, also referred to as the “GDPR”), and the Danish Data Protection Act.
3. The Categories of personal data
The Customer Facing Platforms keep the identity of the End Customers, and this data will not be transmitted to the Myver Services. The data processed is the form of payment method ID and/or token which will be matched with Transaction Data, Line-item Data and other Merchant information.
When the Myver Services has retrieved a digital receipt matching the Transaction Data, the Myver Services will deliver the digital receipt as a PDF copy or in another tangible format to include the Line-item Data to constitute a legally valid receipt. Thus, the content of the digital receipt will include information on the purchases made and, when matched with the payment method ID or token and transmitted to the Customer Facing Platform, the content can be referred to an individual End Customer.
In general, the Line-item Data and any information attached hereto, will fall in the category of general personal data. However, the digital receipts may collectively lead to information on preferences or behaviors of the End Customer, and the data may, separately or in bulks, reveal special categories of personal data. For purchases with certain Merchants, it is given that the Line-item Data may include special categories of personal data. Thus, the content of the digital receipts may reveal sensitive personal data as listed in the GDPR, art. 9(1), including, but not limited to, health information or trade union memberships. Also, the digital receipts may include other categories of data such as personal identification numbers (CPR) or information related to criminal offences such as payments of fines.
When the End Customer accepts the Digital Receipts Services and/or Value-added Services, the End Customer must consent to the processing of personal data for the purpose, including for the transmission of data to the Customer Facing Platform.
4. The Lawful Basis for the data processing activities
The Customer Facing Platforms are responsible for obtaining a valid legal consent for the processing activities from each of their End Customers, including an authorization to request transmission of the Line-item Data.
The Myver Services performs the processing activities relying on the lawful basis of the Customer Facing Platforms, as data controllers of payment ID or token data, to enable the identification and retrieval of a digital receipt to a specific End Customer account with a Customer Facing Platform.
The lawful basis is the End Customer consent to receive the Digital Receipts Services and/or Value-added Services cf. the GDPR, art. 6(1)(a), art. 9(2)(a), cf. art. 7, and the Danish Data Protection Act § 8(3) and (4), and § 11(2). The Customer consent shall be clearly distinguishable when included in the contract with the Customer Facing Platform for receipt of payment services, cf. the GDPR, art. 6(1)(b) and art. 7(2).
The Merchants make the Transaction Data and the Line-item Data available to the Myver Services in a structured, commonly used, machine-readable and interoperable format to be transmitted to the Customer Facing Platform according to End Customers consent and their requests to receive the digital receipts. Only digital receipts for purchases of End Customers who have consented to receive Digital Receipt Services will be transmitted to the Customer Facing Platforms.
The Merchants and their data processors must set up their systems for data portability of the digital receipt, and the Merchants must assert whether categories of personal data must be extracted before transmission with the Myver Services, or whether the Merchant, particularly for transmitting special categories of personal data, must also collect and document an explicit End Customer consent.
The Merchants will instruct its data processers to process by means that are adequate, relevant and limited to the necessary, the portfolio of Transaction Data and Line-item Data in order to retrieve the digital receipts requested by End-Customers according to the GDPR, art. 20(1) on data portability and under the legitimate interests of the Merchants to sign up to the Digital Receipt Services balancing these interests against the interests and fundamental rights and freedoms of the data subjects, cf. the GDPR, art. 6(1)(f). It rests with the Merchants to inform their customers of the purposes for processing Transaction Data and Line-item Data.
The personal data is pseudonymized, and identification of the End Customer is made only by the Customer Facing Platforms following a match with a payment method ID or token using the Myver Services.
Myver has received instructions under a data processing agreement (DPA) concluded with each of the Customer Facing Platforms.
Myver has also concluded DPAs with each Merchant in the Myver eco-system for enabling Digital Receipt Services, and the Merchants have instructed their Payment Processors and Cash Registers to provide data to the Myver Services.
The Merchant may, when a lawful basis is provided, also instruct Myver as a data processor to provide other data processing services, including for purposes, as a Customer Facing Platform, to offer Value-added Services to End Customers.
5. Data Subjects’ exercise of Privacy Rights
The Customer Facing Platform is the data controller of Digital Receipt Services
The Customer Facing Platforms, as the issuers of payment methods applied by End Customers, are the data controllers of End Customers’ personal data.
If an End Customer wants to exercise his/her/their rights under the GDPR, the End Customer must contact the Customer Facing Platform who have issued the payment method and to whom the End Customer provided his/her/their consent to receive Digital Receipt Services.
The Customer is referred to the contact details available on their Customer Facing Platform’s website.
When End Customer consent is the lawful basis for the processing activities, the End Customers have the right to withdraw their consent at any time. If an End Customer chooses to withdraw a consent, it does not affect the lawfulness of the Myver Services’ processing based on the previously given consent and up to the time of withdrawal. Withdrawal of an End Customer consent will, therefore, only take effect going forward.
The Merchant is the data controller of the Digital Receipts
The Merchants issue and hold copies of digital receipts, including Transaction Data to conclude and document the sales. Each Merchant is the data controller of its data, including the Line-item Data with the content of the digital receipts.
If a data subject wants to exercise his/her/their rights under the GDPR, the data subject must contact the Merchant who has issued the digital receipt under the transaction for sale of the Merchant’s goods and services.
The data subject is referred to the contact details available on the Merchant’s website.
The Merchant is the data controller of Value-added Services and/or Marketing Activities
The Merchant may offer other services to the End Customers as Value-added Services as well as the End Customers may sign up to retrieve digital receipts on the platform of Merchants also acting as a Customer Facing Platform.
If a data subject wants to exercise his/her/their rights under the GDPR, and/or will withdraw a consent to receive marketing material, the data subject must contact the Merchant who makes the services available and to whom the data subject provided his/her/their consent to receive the Merchant’s services and/or marketing material.
The data subject is referred to the contact details available on the Merchant’s website.
When a data subject consent is the lawful basis for the processing activities, the data subjects have the right to withdraw their consent at any time. If a data subject chooses to withdraw a consent, it does not affect the lawfulness of the Myver Services’ processing based on the previously given consent and up to the time of withdrawal. Withdrawal of a data subject consent will, therefore, only take effect going forward.
6. Security Measure
Myver applies technical and organizational safeguards to protect the data transferred with the infrastructure of the Myver Services.
Myver is certified under the PCI DSS-standard for processing payment card information and has implemented measures to comply with this standard as well as compliance with the MDM-standard for protecting infrastructure equipment.
Safeguards for the Myver Services:
Myver applies technical and organizational safeguards to protect the data transferred with the infrastructure of the Myver Services.
Myver is Level 1 certified under the PCI DSS-standard for processing payment card information and has implemented measures to comply with this standard as well as compliance with the MDM-standard for protecting infrastructure equipment.
Our technical measures include firewalls, encryption at rest and in transit, hashing, multi-factor authentication, password protection of databases, data minimization, secure back-up systems, penetration testing, and secure coding framework. Our organizational measures include training under a security awareness program in addition to secure access management and limiting access to personal data only on a need-to-know basis for providing the Myver Services.
Myver’s technical and organizational safeguards protect personal data against accidental or unlawful disclosure or access to data, and against loss or alteration of data.
7. Disclosure of personal data
Myver discloses data to third parties when it is necessary for performance and delivery of the Myver Services, and to fulfil our legal obligations.
The Myver Services are operated with the support of third-party service provides, all being committed sub-processors of Myver for processing and storing data and for monitoring, back-up, hosting, and other services and related support. The sub-processors may have access to data processed with the Myver Services, but are strictly prohibited from using the data for their own purposes.
Myver has concluded data processing agreements with the sub-processors to ensure compliance with the GDPR and other applicable data protection legislation, and to oblige the sub-processors to terms of secrecy as well as technical and organizational measures that are not less restrictive than the instructions of the data controllers to Myver, and are effective to secure data against unauthorized access or loss of data.
8. Transfer of personal data to third countries
Myver is established in Denmark and for the Myver Services, we carry out data processing on servers located in the EU/EEA or in countries approved under an adequacy decision by the EU Commission as countries having an adequate level of personal data protection. Our primary hosting center is located in Denmark.
Myver has a branch in Uruguay as an approved third country by the European Commission for purpose of GDPR. From our Uruguay branch, we provide support services and product development to the Myver Services using local consultants. Our activities in Uruguay are operated under the Myver security measures, standards and safeguards, cf. section 6 above.
Myver applies cloud services from AWS and other international providers operating globally. Myver has concluded DPAs with its cloud service providers and has included conditions that data must be processed and stored on servers located in the EU/EEA.
For any transfer of data to third countries, Myver ensures that appropriate safeguards for transfers of personal data have been implemented in compliance with the GDPR such as the European Commission’s adequacy decisions or its Standard Contractual Clauses for the transfer of personal data to third countries. In relation to cloud service providers having group companies situated in the United States, the provides have either certified themselves under the EU-U.S. Data Privacy Framework and/or submitted to the Standard Contractual Clauses and thus, committed to a set of rules that, among other things, guarantee individuals’ rights that correspond to the protection under the GDPR.
9. Retention of personal data
Myver has adopted retention policies for processing and storage of data in the Myver Services and for adherence to the instructions of the data controllers.
For the Digital Receipt Services, Myver will immediately delete data which is not matched with a payment method ID or token (non-qualified data), unless instructed by the Merchant to process the data for other purposes, such as Value-added Services or statistics on anonymized data.
For data matching a payment method ID or token (qualified data), the data is processed and stored according to the agreements with the relevant Customer Facing Platform and the Merchant delivering the data. The data may be stored with the Customer Facing Platforms and/or within the Myver Services, depending on whether Myver also provides underlying hosting services to the Customer Facing Platforms and additional services to the Merchant.
Myver only stores data that is still relevant and necessary for the purpose of maintaining delivery of the Myver Services to the Customer Facing Platforms and/or to the Merchants.
If a data subject wants to exercise his/her/their rights under the GDPR to request deletion of personal data, the data subject must contact the Customer Facing Platform and/or the Merchant who makes the services available to the End Customer. We refer to the information provided under section 5.
10. Contact Data
For any questions to Myver or on the Myver Privacy Policy, please contact us at:
Myver ApS
CVR-NO: 42698261
Fabriksvej 2
5485 Skamby
Denmark
Email: contact@myver.io
11. Supervision and Complaints
Myver ApS is subject to the supervision of the Danish Data Protection Agency. A data subject may file a complaint against Myver ApS with the Danish Data Protection Agency or the national data protection agency where the data subject resides.
Contact information to the Danish Data Protection Agency is found at www.datatilsynet.dk
12. Privacy Policy updates
This Privacy Policy is issued on 31 March 2025. Myver ApS may at any time, at its sole discretion, update the Privacy Policy, including to reflect changes in legal, regulatory, operational requirements or contractual requirements.