The Supplier is responsible for the processing of personal data through the thrownomore.no website, the application “Throw No More” (hereinafter referred to as the “Service”) in AppStore® and Google Play® and for the Supplier’s internal use of personal data.
For questions regarding the Supplier’s processing of personal data, the Supplier may be contacted:
Throw No More
Org nr: 917 245 444
- Personal data: Information that can be directly or indirectly linked to a living physical person. Examples of personal information are name, address, telephone number and e-mail address. Information about IP address and user behavior when using the Services may also, according to the circumstances, constitute personal information.
- De-identified: Personal data that cannot be traced back to the individual user.
- Processing: Personal data processing includes all use of personal data, such as collection, transfer and storage.
- Controller: The party who alone or together with another party determines the purpose and manner of processing of personal data. The controller is ultimately responsible for ensuring that the processing takes place in accordance with current legislation related to the handling of personal data.
2. The Users’ rights
The Supplier shall respond to inquiries from users about access or other rights pursuant to the Act of 15 June 2018 no. 38 relating to the processing of personal data [Personal Data Act] §§ 18, 22, 25, 26, 27 and 28 without undue delay and no later than 30 days from the date of the inquiry, unless special circumstances make it impossible to respond to the inquiry within this deadline.
If the Supplier is unable to respond to inquiries within the deadline, a preliminary reply shall be provided with information on the reason for the delay and the probable time for the response to be given.
Users may exercise their rights described below in this chapter by sending an email to firstname.lastname@example.org.
3. What kind of information do we collect?
A detailed description of the different types of personal data collected is given below.
3.1 Website Statistics
The Supplier collects de-identified visitor information on thrownomore.no using the Google Analytics tool. All user statistics are merged into a group and are not processed individually.
The purpose of this is to compile statistics that are used to improve and further develop the content of the website and improve the user experience. Examples of what the Supplier collects are:
- Number of visitors to site
- Duration of the website visits
- Which websites the users come from
- Which countries the visitors come from
The site thrownomore.no uses “cookies”. A cookie is a small text file that is stored on the user’s device. The file contains information and is used, among other things, to support the user of the site and for statistics. This does not pose any security risk to the user and allows the Supplier to offer users the best working service. The website is at this moment only using a third-party cookie, Google Analytics. The function can be switched off in most browsers through a menu option, such as “settings”, “security”, etc.
3.3 Contact form
On thrownomore.no users can contact the Supplier via a contact form. Inquiries through the contact form on the website and to the email address email@example.com are processed through Zendesk. Zendesk is a customer support platform that makes it easier for the Supplier to keep track of all inquiries. The Supplier owns and controls the data stored in the platform; Zendesk does not own any of the data.
Such an inquiry will be stored along with the user’s name, telephone number, email and company. The personal information received from the contact form will not be used for any purpose other than to answer the inquiry. Personal data will be deleted within 3 months after the inquiry is answered, unless otherwise specifically agreed.
The Supplier requests that users do not submit or register sensitive information.
The basis for the use of the contact form is Article 6, number 1, letter a of the General Data Protection Regulation (GDPR), regarding consent. The User may withdraw the consent at any time by contacting the Supplier. If the user withdraws their consent, this will not affect the legality of the processing of personal data that occurred before the consent was withdrawn.
The Supplier’s employees use email for internal communication and in contact with external users. Each employee is responsible for deleting messages that are no longer relevant, and for reviewing and deleting unnecessary content in the email at least once a year. Upon resignation, the email accounts will be deleted, but some relevant emails may be sent to colleagues. Sensitive personal information is not sent by email.
The Supplier’s email addresses support TLS encryption to secure email communication with users. Most mail services support this. However, the Supplier requests that no sensitive personal data or protective information be sent by email, as the Supplier cannot guarantee that the user’s email provider supports TLS.
The basis for this processing is Article 6, number 1 f), of the General Data Protection Regulation (GDPR), which allows the Supplier to process information that is necessary to safeguard a legitimate interest that outweighs the privacy of the individual. The legitimate interest is to secure the Service’s ICT infrastructure.
3.5 Information about job seekers
If a person applies for a position with the Supplier, it is necessary for the Supplier to be able to process information about that person to evaluate the application. All job applications and personal information associated with job applications are stored in the Supplier’s database for one year, unless the registered person requests that it be deleted.
The basis for processing this is Article 6, number 1 b), of the General Data Protection Regulation (GDPR). The processing is necessary to fulfill an agreement to which the registered person is party, or to take action on the person’s request prior to the conclusion of an agreement. If the registered person does not provide this information or refuses to allow it to be processed, the agreement cannot be fulfilled.
If the application contains specific categories of personal data, the processing basis is the General Data Protection Regulation (GDPR), Article 9 (2) (b) and (h).
The Supplier also receives indirect personal information from an employee if he or she has provided someone as a reference. The basis for this processing is Article 6 (1) (f) of the General Data Protection Regulation (GDPR), which allows the Supplier to process information that is necessary to safeguard a legitimate interest that outweighs the privacy of the individual.
3.6 For the stores
In accordance with the Terms and Conditions, the Service works so that the stores enter relevant groceries into the Service. Stores can, optionally, access this by creating a user profile to manage the content published in the Service. Creating a user profile requires:
- E-mail address
- Mobile number, to enable 2-factor login with SMS code
- Associated store and chain.
No password is stored, as the Service uses a type of cryptography that generates a unique code for each user. The code cannot be reversed to reveal the password.
The basis for processing personal data in connection with the creation of a user in the Service is Article 6 (1) (a) of the General Data Protection Regulation (GDPR), consent. The user can withdraw consent at any time by deleting the user profile. If the user withdraws their consent, this will not affect the legality of the processing of personal data that occurred before the consent was withdrawn.
4. Provider’s use of data processors
To provide the user with a better experience, the service requires some personally identifiable information. The information requested is stored on the user’s device and is not collected by the Supplier.
4.1 Google Maps
The Supplier uses Google Maps, and its API, to present relevant stores in a map. The user’s location data is linked to the device used. The provider does not store any other information about the users of the app.
Users’ personal settings in the app are stored locally on the phone and are de-identified information.
Only the last known position is processed (all previous locations are deleted), in order to give the user an overview of the goods in that area.
The basis for processing personal data relating to location data is Article 6 (1) (b) in the General Data Protection Regulation (GDPR); the processing is necessary to fulfill an agreement to which the user is a party, or to take action on the user’s request before entering into an agreement. The agreement in this case is the Terms and Conditions for the Service. If the user does not provide this information, or refuses to allow it to be processed, the agreement cannot be fulfilled.
4.2 Google Firebase
The Supplier uses Google Firebase to send messages with updates. These are not visible push messages, but data messages sent to the Service when the content is updated.
The basis for processing personal data using Google Firebase is Article 6 (1) (b) of the General Data Protection Regulation (GDPR). The processing is necessary to fulfill an agreement to which the user is a party, or to take action on the user’s request before entering into an agreement. The agreement in this case is the Terms and Conditions for the Service. If the user does not provide this information, or refuses to allow it to be processed, the agreement cannot be fulfilled.
5. How long the Supplier stores personal information
The Supplier only stores personal information as long as it is necessary for legitimate purposes or to provide the service to the users, in accordance with applicable law.
The Supplier deletes all information when the user deletes the Service from their device or the user is no longer active. The service and associated cloud services are built in such a way that no storage of user data is required. The Service only operates in sessions, where the device identification number is connected with location data to present relevant information to the user when the Service is in use, in accordance with the Terms and Conditions. As soon as the Service is no longer in use, the session is terminated and personal information associated with the session is deleted.
6. Your rights
Users of the thrownomore.no website, the Service and users affected by the Supplier’s internal use of personal data are entitled to:
- access their own information stored by the Supplier
- have incorrect or incomplete information corrected, deleted or supplemented
- dispute the Supplier’s processing of personal data
- withdraw consent
- data portability: to the extent applicable, transfer data the Supplier has collected under the consent to another solution.
Requests shall be answered within 30 days.
The systems undergo continuous penetration testing based on tools, documentation and methodology from OWASP (Open Web Application Security Project).
8. Supervisory Authority
The Norwegian Data Protection Agency oversees Throw No More.
Objections can be addressed to the Norwegian Data Protection Agency:
- Web: https://www.datatilsynet.no
- E-mail: firstname.lastname@example.org
- Phone: +47 22 39 69 00
- Postal address: PO Box 8177 Dep., 0034 Oslo, Norway
Last updated: 27.03.2020