Merchant Services General Terms and Conditions
Terms and conditions of use for online and mobile ordering and payment processing solutions (the Service) as laid down by Weorder Norway AS (Service Provider).
This document supplements the Merchant Agreement between the Merchant and Service Provider.
The terms and conditions apply to all usage of the Service. It is considered that the Merchant has accepted the Merchant Services Terms and Conditions upon using the Service.
RIGHTS OF USE
As soon as the Merchant is registered with the Service Provider and receives access to the Service, the Merchant has the right to use and promote the Service at the Merchant location. The Service Provider has the right to list the Merchant in third party ordering apps developed by the Service Provider or a selected third party. The same transaction fees shall apply for such sales as in the Merchant’s own application unless otherwise is agreed. The Merchant’s rights of use will be cancelled upon termination of the Agreement and the Merchant will no longer be listed as a user of the Service Provider. The Merchant is not permitted in any way to transfer the Service to others.
SERVICE PROVIDER’S OBLIGATIONS
- Delivery of the Service and access to the administration of the system.
- Provision of critical operational support.
- Operation of the Service, back-office solution, text messaging service to communicate with users, system communication with the payment processor, and the setting up of a POS system.
- The Merchant must register for a developer account with Apple and/or Google and bear the associated costs (if applicable)
- The Merchant must sign a bank agreement with a payment processor (if applicable).
- The Merchant’s logistic department and staff must be adapted to the Service.
- The Merchant must provide information, graphics, etc., that are necessary to develop and operate the Service.
- The Merchant must create menus, programs and add the required information to the App.
- The Merchant must ensure that all information, menus and programs are always up-to-date.
- The Merchant must test whether the network has sufficient capacity (insufficient access to the network does not give grounds for termination).
- The Merchant must market/inform the public about the solution.
- The Merchant must offer user support and handle any disputes/complaints from customers.
- The Merchant must use a browser that is compatible with the Service.
The Service Provider offers support and training in addition to courses specified in the Agreement on weekdays from 9am-3pm (NOK 450 per commenced thirty minutes). Only critical operational telephone support is offered outside normal opening hours (NOK 750 per commenced thirty minutes). Revisions to the design exceeding the revision included in the Merchant Agreement is deemed support and priced accordingly. If the need for support is a result of an error in the Service, the Merchant will not be charged for support costs.
Both the Merchant and Service Provider have the right to use user data. The Service Provider shall not sell user data to third parties but has the right to generate aggregate statistics based on the transactions carried out by the Service.
FEES AND CHARGES
Transaction fees and charges to third party actors, e.g. text messaging and bank services, are invoiced in arrears on the 1st of each month with net 14 days payment terms, unless deducted from the transaction volume. Transaction fees are based on gross sales. Late payment penalties will be added in accordance with the Norwegian Act relating to Interest on Overdue Payments. The Merchant shall pay for expenses connected to the Service, for example, operational expenses, bank services that fall outside the category of normal operations, sales personnel and marketing materials, and
expenses incurred by third party providers such as POS-provider to facilitate the services of the Service Provider. Such expenses shall not be deducted from payments to the Service Provider. The aforementioned conditions shall apply, unless otherwise specifically agreed.
The payment processor, under their own terms and conditions, settles payments made through the App. The rate specified in the offer applies from the date of entry into force but can be changed by the payment processor with 30 days’ notice should any changes be made to the payment processor’s terms and conditions. By registering a payment account with Stripe, you agree to the Stripe Connected Account Agreement .
The general notice period is three months from the end of the month in which notice is given. The Agreement must be terminated in writing. In the event of breach, hereunder, severe late payment for the Service in accordance with the clause above, the Service could be shutdown with potential cancellation of the Agreement with immediate effect.
The Merchant bears all risk and liability for the implementation of production due to orders placed through the Service, including when technical problems linked to the Service cause implementation of such production. The Merchant is liable for the entire flow of goods: hereunder, purchasing, distribution and any wastage. The Merchant is responsible for complying with Norwegian law when using the Service, including bookkeeping and reports. The Merchant is responsible for printing and storing copies of data that are required for bookkeeping and reports. The Service Provider is not liable for local restrictions on sale or marketing of certain goods. Should the Merchant misuse the Service in a way that violates Norwegian law, the Merchant will be liable for any subsequent losses suffered by the Service Provider. The merchant is liable for disputed payments by the end user or the end user’s bank.
If the Service cannot be wholly or partly offered or if it is significantly impeded due to circumstances beyond the control of the Service Provider, the obligations of the Service Provider will be suspended until necessary and for the duration of the situation. Such circumstances also include downtime or slow mobile and/or Internet response times (which will affect the operational stability of the Service), a strike, lockout and all other situations that are deemed force majeure under Norwegian law.
MERCHANT AS A REFERENCE
The Merchant will be a reference customer of the Service Provider and can be used in customer dialogues and marketing materials. With significant exposure, the Merchant shall be consulted.
REFERENCE TO RHE SERVICE PROVIDER AND TECHNOLOGY
The Service delivered by the Service Provider will be labelled with the Service Provider’s name and logo. The “Powered by Weorder” text link will also be added to the Service with a link to weorder.com. These labels will be used in the descriptions of the Apps in the App Store and Google Play. The Service Provider’s brand name/profile shall not have a dominant place within the application.
The Service Provider has the right to immediately shutdown one or more of the modules of the Service used by the Merchant with abnormal activity. This could be, but is not limited to, fraudulent activity, the uploading of abusive images, hacking attacks, overloading or an unstable Internet connection.
The Parties in the Merchant Agreement can only transfer rights and obligations in the Merchant Agreement with written consent from the other Party. Transfers to daughter or sister companies within the same corporate group or mergers and acquisitions with other companies (not necessarily in the same corporate group) does not require such consent. Rights to remuneration in accordance to the Merchant Agreement can be freely transferred without written consent.
INTELLECTUAL PROPERTY RIGHTS CONNECTED TO THE SERVICE
The Service Provider is allowed to use the Merchant’s intellectual property rights, such as brand name, logos, graphic assets, films, etc., to develop and operate the Service.
This Agreement complies with Norwegian law. Oslo District Court shall handle disputes arising from the Agreement. The Merchant cannot claim financial compensation for any consequences suffered through the utilization of the Service based solely on the terms and conditions of use.
Data Processing Agreement
This Data Processing Agreement is an addendum to the Merchant Services General Terms and Conditions (the “Main Agreement”).
For the purposes of this Data Processing Agreement, the Merchant is hereunder defined as the “Controller” and the Service Provider as the “Processor”, each a “Party” and collectively “the Parties”
BACKGROUND AND SCOPE
The Controller has entered into an agreement with the Processor which involves Processing of Personal Data by the Processor on behalf of the Controller.
This Data Processing Agreement sets out the rights and obligations of the Parties with respect to the Processor’s Processing of Personal Data on behalf of the Con-troller.
When the Controller is a legal entity established in the European Economic Area (the “EEA”), relevant data protection legislation will include the EU Data Protection Directive 95/46/EC (the “Directive”) and, from the date it becomes applicable, the EU General Data Protection Regulation (EU) 2016/679 (the “GDPR”), including all relevant national legislation implementing the Directive and the GDPR (jointly re-ferred to as “Applicable Data Protection Law”).
This Data Processing Agreement shall apply to all Processing of Personal Data carried out by the Processor on behalf of the Controller under the Main Agreement.
The purposes of Processing, the categories of Personal Data and the categories of Data Subjects concerned are detailed in Annex 1 to this Data Processing Agree-ment. The Processor shall only Process the categories of Personal Data and the categories of Data Subjects for the purposes set out in Annex 1, unless otherwise instructed in writing by the Controller.
This Data Processing Agreement shall not apply to Personal Data processed in connection with the Main Agreement, which are processed for purposes defined by one Party and to which the other Party is not a processor. The Processor may pro-cess Personal Data for the following purposes, and to which the Controller shall have no liability:
- Establishment, administration and maintenance of user accounts which may be used to login to all apps and webshops provided by the Processor, in-cluding fault correction, analysis and improvements relating to the accounts and
- Marketing communications sent in the Processors’ own name.
The Processor is not involved in, and shall not have any responsibility for the Con-troller’s processing of Personal Data:
- Outside the app or webshop, e.g. processing for the purpose of delivering items according to an order from the end-user and
- Marketing communications sent in the Controllers’ own name.
Words written with capital letters in this Data Processing Agreement shall be inter-preted in accordance with definitions set out in Applicable Data Protection Law if not otherwise explicitly stated.
OBLIGATIONS OF THE CONTROLLER
The Controller shall ensure that the Controller (and each of the Controller’s Per-sonnel) at all times comply with all requirements applicable to controllers under Applicable Data Protection Law in connection with the Processing of Personal Da-ta. The Controller is responsible for:
- Ensuring that there is a legal basis for the Processing of Personal Data in accordance with Applicable Data Protection Law and that Personal Data are Pro-cessed for the purposes described in Annex 1;
- Safeguarding the Data Subjects’ rights to information and access, and for rectifying or deleting their Personal Data;
- Complying with applicable Personal Data Breach notification requirements by notifying data protection authorities and/or Data Subjects where required.
The Controller shall immediately notify the Processor about any changes to the scope of Processing under this Data Processing Agreement.
OBLIGATIONS OF THE PROCESSOR
During the term of this Data Processing Agreement, cf. clause 0, the Processor shall comply with Applicable Data Protection Law.
The Processor shall only Process the Personal Data based on the documented in-structions and routines issues by the Controller as set out in Annex 1.
The Processor shall not by actions or omission of actions put the Controller in a sit-uation where the Controller is in breach of any provisions in Applicable Data Pro-tection Law.
The Processor shall perform reasonable assistance to the Controller in ensuring compliance with the requirements under Applicable Data Protection Law, including GDPR Articles 32 to 36.
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible and reasonable, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in GDPR Chapter III.
Restrictions on use
The Processor shall not Process Personal Data beyond what is necessary to fulfil its obligations towards the Controller under the Main Agreement and in accordance with the instructions issued in Annex 1. The Processer may however process Per-sonal Data as a controller as set out in section 0 above.
The Processor shall ensure that Personal Data is not disclosed to any third party unless instructed to do so by the Controller or required to do so by law.
The Processor shall by means of planned, systematic organisational and technical measures ensure a level of security appropriate to the risk related to the Processing of Personal Data in accordance with Applicable Data Protection Law.
The Processor’s security measures shall, in particular, prevent that the Personal Data Processed is:
(i) accidentally or unlawfully destroyed, lost or altered;
(ii) disclosed or made available without authorization; or
(iii) otherwise Processed in violation of Applicable Data Protection Law.
More detailed security requirements that shall apply to the Processor are set out in Annex 1.
Any use of the information system that is contrary to established routines, instruc-tions from the Controller or Applicable Data Protection Law, including Personal Da-ta breaches and other security breaches, shall be treated as a discrepancy.
The Processor shall follow up discrepancies, by way of re-establishing the normal state of affairs, eliminating the cause of the discrepancy and preventing its recur-rence.
The Processor shall without undue delay after becoming aware of it, report the dis-crepancy to the Controller. The report shall include the information required by Ap-plicable Data Protection Law. The Processor shall also provide the Controller with reasonable assistance in order for the Controller to comply with Personal Data Breach notification requirements to the Supervisory Authority and Data Subjects and to answer any inquiries from the Supervisory Authorities.
The Processor must without undue delay after becoming aware of the circumstanc-es in question notify the Controller in writing about:
(i) any suspicion that the instructions from the Controller are in violation of Applicable Data Protection Law;
(ii) any events, which significantly impede the Processor’s current or future ability to perform the Processing in accordance with this Data Processing Agreement;
(iii) any request for disclosure of Personal Data Processed under the Data Processing Agreement by authorities, unless expressly prohibited under mandatory law and
(iv) any request for access to the Personal Data received directly from the Data Subjects or from third parties.
The Processor shall notify the Controller without undue delay if it is or is likely to become unable to comply with any of its obligations under this Data Processing Agreement. Upon such notification the Controller shall be entitled, at its sole discre-tion, to suspend the right of the Processor to Process Personal Data pursuant to this Data Processing Agreement until the Processor is able to demonstrate satisfactory compliance.
Upon the Controller’s request, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Data
The Controller is entitled to appoint an independent expert whom shall have ac-cess to the Processor’s data processing facilities and receive the necessary infor-mation in order to be able to audit whether the Processor has complied with its ob-ligations under this Data Processing Agreement. Such auditor shall not be a direct competitor of Processor and auditor shall sign Processor’s non-disclosure agree-ment prior to the audit taking place. The Controller shall carry all costs associated with such audit.
Use of subcontractors
To the extent the Processor uses subcontractors or others not employed by the Processor to Process Personal Data under the Main Agreement, the Processor shall enter into a written agreement with subcontractors ensuring that the subcon-tractors undertake responsibilities corresponding to the obligations set out in this Data Processing Agreement. The Processor shall be fully liable to the Controller for the acts or omissions of its subcontractors.
The Controller has consented to the use of the subcontractors listed in Annex 1 d). If the Processor wishes to engage a new subcontractor or make other changes to the list of subcontractors, the Processor shall inform the Controller by written notice in due time before the change is taking effect. If the Controller has justifiable rea-sons for not accepting the change, and the Processor cannot with reasonable ef-forts provide the Controller with another alternative, the Controller shall have the right to terminate the Main Agreement with immediate effect. If the Controller does not respond to the notification within 7 days, the Controller shall be deemed to have accepted the change.
Transfer of Personal Data
The Processor shall not transfer Personal Data to a country outside the European Economic Area (“EEA”) which is not considered to provide an adequate level of protection according to Applicable Data Protection Law, without the Controller’s prior written consent.
If the Controller has given its written consent to transfer of Personal Data to a Third Country, the Processor and/or its subcontractors undertake, on the request from the Controller, to enter into EU standard contractual clauses for the transfer of Personal Data to processors in third countries (2010/87/EU) or other clauses replacing the 2010/87/EU clauses.
The Processor may also rely on the EU-US Privacy Shield or other instruments constituting a legal basis for the transfer in accordance with Applicable Data Pro-tection Law. For the avoidance of doubt, transfers based on the EU-US Privacy Shield or other instruments still require the Controller’s prior written consent.
If the Processor wants to transfer Personal Data to a country not providing an ade-quate level of protection, the Processor shall inform the Controller of the intended transfer at the latest 3 months before such transfer takes place. If the Controller does not consent to such transfer and the Processor cannot with reasonable efforts provide the Controller with another alternative, the Controller shall have the right to terminate the Agreement with immediate effect.
The Processor shall be subject to a duty of confidentiality for any of the Personal Data and other data Processed according to the Main Agreement. This means that the Processor shall not distribute Personal Data Processed according to the Main Agreement to any third party without Controller’s prior written consent except if it is required by mandatory law.
The Processor shall ensure that all persons who get access to Personal Data are aware of the confidentiality obligation set out herein. If not bound by a statutory con-fidentiality obligation, the Processor must ensure that all persons who are some-how involved in the Processing of Personal Data sign a confidentiality agreement.
The duty of confidentiality shall survive termination of this Data Processing Agree-ment and/or the Main Agreement.
TERM AND TERMINATION
This Data Processing Agreement shall be effective from the time the Main Agree-ment is signed by both parties and until the Main Agreement expires, save for clauses that shall remain in force according to this Data Processing Agreement or the Main Agreement.
Upon termination of this Data Processing Agreement the Processor and its subcon-tractors shall cease to Process the Personal Data held by the Processor on behalf of the Controller. The Processor and/or its subcontractors shall in such event return all such Personal Data provided to the Processor by the Controller for the purposes of the Main Agreement.
The Personal Data shall be returned in a standardised format and medium along with necessary instructions to facilitate the Controller’s further use of the data. If feasible, the Controller may decide that the Personal Data shall instead be trans-ferred to another processor. If the costs associated with such transfer exceed the costs of returning the Personal Data to the Controller, the Controller shall carry the extra costs. The Processor shall upon the Controller’s request document the extra costs.
As an alternative to returning or transferring the Personal Data, the Controller may, at its sole discretion decide, that all or parts of the Personal Data shall be deleted by the Processor upon receipt of written instruction from the Controller. The Proces-sor has no right to keep a copy of any Personal Data provided by the Controller in relation to the Main Agreement or this Data Processing Agreement in any format, and all physical and logical access to such Personal Data shall be deleted.
CHOICE OF LAW AND LEGAL VENUE
This Data Processing Agreement shall be governed by Norwegian law.
If a dispute cannot be resolved by negotiations between the Parties, the dispute shall be resolved through legal proceedings with the Oslo District Court as exclu-sive venue.
This attachment constitutes the Controller’s further instructions to the Processor in connection with the Processor’s Processing of Personal Data for the Controller, and is an integrated part of the Data Processing Agreement.
a) Categories of personal data and Data Subjects
The Processor shall process the Personal Data entrusted to it under the Main Agreement, related to end-users and service administrators in the form of:
|Type of personal data||Data Subjects|
|end-user, services administrator|
|phone number||end-user, services administrator|
|first name||end-user, services administrator|
|last name||end-user, services administrator|
|Information about ordered goods||end-user|
|masked payment card number (4106 51** **** 3123)||end-user|
|payment card expiry date||end-user|
|device used to make an order (operating system type/ browser/mobile phone model)||end-user|
|restaurant session (last time when user added item to cart, tried to order or successfully ordered)||end-user|
|reward program information||end-user|
|transaction information (number, amount, date)||end-user|
|company/institution data (name, address)||end-user|
b) Purposes of processing:
The personal data may be processed to facilitate end-user purchases from the Controller, hereunder:
- To manage orders from end-users
- To facilitate communication between the Controller and end-users, e.g. in the event of changes to the delivery of orders or responding to end-user requests, comments or questions or marketing communications.
- As required by applicable law, legal process or regulation.
- To investigate and prevent security issues and misuse.
- For debugging and improving the service.
- To carry out analysis of the use of the service.
c) List of subcontractors, including location of Processing:
- Amazon Web Services, Inc., Seattle, WA 98108-1226 (Data is only processed within the EU)
- Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
- Stripe Payments Europe Ltd., North Wall Quay, Dublin 1 Ireland
Weorder Norway AS
Bus. Reg. No. 920 142 362 MVA
Tordenskiolds gate 3