PRIVACY POLICY
Effective date May 27th, 2026
Spense AS (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the personal data we process. This Privacy Policy describes our practices regarding the collection, use, and disclosure of information through our Software-as-a-Service (SaaS) platform (the “Service”).
This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
We act as Data Processor for your personal information. Our Merchant (see the definition of Partner in our Terms and Conditions: https://www.spense.no/terms-and-conditions) acts as Data Controller for your personal information.
“Personal information” and “personal data” mean any information relating to an identified or identifiable natural person (‘data subject’).
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
Other terms used below conform to the current definitions in the GDPR.
“Merchant”: Companies using Spense products and services.
“End-customer”: The customer of the Merchant.
Under the GDPR, our responsibilities depend on our relationship with you:
• For Merchants (Our Customers): When you create an account and use our services, Spense AS acts as the Data Controller for your account and billing information.
• For data subjects: When an end-customer makes a payment via a Merchant using our Service, the Merchant is the Data Controller. Spense AS acts as a Data Processor, processing the end-customer’s data solely on the Merchant’s behalf and in accordance with its written instructions.
To provide our Service, we collect and process the following categories of data:
We process, for Merchants:
• User credentials required for platform access (name, work email address, phone number, department)
We process, for Data Subjects:
• Personal identifiers (name, email address, phone number, optional: address)
• Transaction-related metadata (date, amount, currency, order details, original invoice data, vehicle identification number, purchase history) necessary to enable payment processing and reconciliation
Regardless of the categorization above, we process data related to the technical installation and data. We collect IP addresses, user agent data, browser and interaction logs for security, monitoring, troubleshooting, and service improvement.
As a Data Controller for personal data, we process the data under the following legal frameworks:
• Contractual Necessity: To provide the services defined in our Terms of Service, cf. GDPR Art. 6(1)(b).
• Legitimate Interests: For fraud prevention, network security, and service improvement, cf. GDPR Art. 6(1)(f).
We do not sell personal data. We disclose data to trusted third-party service providers (Sub-processors) only as necessary. While the specific entities may change, we share data with the following categories of providers:
• Cloud hosting and data storage providers.
• Payment gateways and open banking infrastructure partners.
• Email and SMS communication gateways.
• System monitoring and security alerting services.
Data subjects can find a comprehensive list of our authorized Sub-processors in Appendix A of our Data Processing Agreement (DPA).
Security: We implement appropriate technical and organizational measures (TOMs) to protect your personal data against unauthorized access, loss, theft, alteration, or disclosure. These measures include:
• Access Control: Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) to ensure only authorized personnel can access personal data.
• Encryption: Data is encrypted in transit (TLS) and at rest.
• System Security: Regular security assessments, vulnerability testing, and monitoring of our systems.
• Staff: Personnel with access to personal data are bound by confidentiality obligations and receive data protection training.
Retention: We retain personal data only for as long as necessary, or as required by law.
• Financial and transaction records: As required by tax and accounting legislation.
• Merchant account data: Retained for the duration of the account and securely deleted within 60 to 90 days of account closure.
• Support and correspondence records: 2 years from last contact.
We primarily store and process personal data within the European Economic Area (EEA). Where data must be transferred outside the EEA, we will ensure that the transfer is subject to appropriate safeguards in accordance with Chapter V of the GDPR. This may include ensuring that the recipient is located in a country that has been the subject of an adequacy decision. Alternatively, we may rely on the European Commission’s Standard Contractual Clauses as the legal basis for the transfer, see Article 46 of the GDPR. You may request information about the legal basis for the transfer by contacting support@spense.no.
Under the GDPR, you have the right to:
• Access: Request confirmation of whether we process your data and obtain a copy.
• Object: You have the right to object to the processing of your personal data. This effectively means that you can stop or prevent us from using your personal data. However, this only applies in certain circumstances, and we may not need to stop the processing of your personal data if we have compelling legitimate grounds to continue using your personal data.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your data, subject to certain conditions.
• Data Portability: Request a copy of your data in a structured, machine-readable format.
• Lodge a Complaint: You have the right to lodge a complaint regarding our processing of your data with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority.
How to Exercise Your Rights:
• Merchants: To exercise these rights regarding your account, please contact us directly at support@spense.no.
• End-Customers: Because your data is controlled by the Merchant you transacted with, you must direct data subject requests directly to that Merchant. Spense will assist the Merchant in fulfilling these requests.
We reserve the right to modify this Privacy Policy at any time. Significant changes will be communicated via the platform or email.
For Merchants, our platform website uses cookies. A cookie is a small file that is stored in your web browser and causes a webpage to recognize the web browser each time. Both the web page and its collaborators may use cookies. The cookies allow us to understand users’ behavior on our website so that we can improve the user experience, e.g. for statistics and user preference purposes. For Data Subjects, our platform website does not use cookies.
If you have any questions about this Privacy Policy, please contact us at:
Spense AS
Grev Wedels Plass 9, 0151 Oslo, Norway
Email: support@spense.no