Privacy policy

This privacy policy explains how we collect, use, and protect your personal information in accordance with the General Data Protection Regulation (GDPR). It should be read in conjunction with our Data Processing Agreement (DPA), which governs how we process personal data as a data processor under GDPR Article 28.

Who we are

Cardboard AS is a company headquartered in Norway that provides online services and virtual payment cards to business customers.

Personal data we collect

We may collect and process the following types of personal data about you:

  • Contact information, such as your name, email address, and phone number.
  • Business information, such as your job title, company name, and business address.
  • Billing information, such as your billing address and payment details.
  • Usage information, such as your IP address, device information, and website usage data.

How we use your personal data

We may use your personal data for the following purposes:

  • To provide our services to you, including billing and support.
  • To communicate with you about our services, including marketing and promotional materials.
  • To comply with legal and regulatory requirements.
  • To improve our services and to analyze usage data.

Legal basis for processing

We collect and process your personal data on the following legal bases:

  • Processing necessary for performing our services as agreed in our terms.
  • Your consent where specifically provided.
  • Compliance with legal obligations, e.g. accounting requirements, and Know Your Customer and Anti-Money Laundering processes.

Data security

We implement appropriate technical and organizational measures to protect your personal data. For detailed information about our security practices, please see our security page.

Data sharing and international transfers

We may share your personal data with third-party service providers, such as payment processors or IT support providers, in order to provide our services to you. Any transfer of your personal data outside the European Economic Area (EEA) will only occur under appropriate safeguards as required by data protection law, such as standard contractual clauses, to ensure your data remains protected according to EEA standards.

Data retention

We will retain your personal data for as long as necessary to provide our services to you, and in accordance with legal and regulatory requirements.

Your rights

You have the right to access, rectify, or erase your personal data, as well as the right to object to or restrict processing of your personal data. You also have the right to data portability and the right to lodge a complaint with a supervisory authority.

For details about how we assist with GDPR data subject requests, please see our Data Processing Agreement.

Third-party services

For information about our sub-processors and service providers, please refer to Appendix B of our Data Processing Agreement, which contains a comprehensive and up-to-date list of all third parties that may process your personal data.

Cookies

We use cookies on our website to provide you with a better user experience. For more information about the cookies we use and how to manage them, please see our cookie settings.

Changes to this privacy policy

We may update this privacy policy from time to time. Any changes will be posted on our website, and we encourage you to review this privacy policy periodically.

If you have any questions or concerns about this privacy policy or our data processing practices, please contact us at hello@cardboard.inc.

Last updated: 2025-01-29