Last updated: 20 April 2026
This policy describes how we process personal data when you use the portal and when end customers use the express checkout flow. The controller is Merchant Group AS.
Merchant Group AS, organisation number 931 966 022, Bryggen 3, 5003 Bergen, Norway, is the controller for personal data collected in the portal and in operating the express checkout service.
Privacy contact: support@merchant.no or phone +47 98 18 08 85.
We process data to provide and improve the portal (account, store setup, billing), to run the checkout API (checkout session, Vipps/MobilePay login, generation of checkout links), for security and troubleshooting (logs, rate limiting), to comply with legal obligations, and for customer support when you use chat in the logged-in portal.
Portal user: name, email, password hash at the authentication provider, company name, country, organisation number where relevant, language preference and role.
Store and integration: data including the Shopify store domain, technical integration keys/tokens for Vipps/MobilePay and Shopify, subscription status and related fields required to connect the service.
Checkout flow: temporary storage of cart data (variant ID and quantity, store domain, brand choice) in Redis with automatic deletion after about 15 minutes. We do not maintain a lasting customer profile for end customers in this flow on our side.
When logging in with Vipps/MobilePay, user information (e.g. name, email, phone, address) is retrieved to build a one-time link to Shopify checkout. That information is transferred to Shopify as part of the purchase flow and processed there under the store’s responsibility towards the end customer.
Operational and security logs: event type, time, technical metadata (e.g. number of cart lines, store domain where logged), IP address and browser identifier (User-Agent) where logged in the database. The portal may also write audit events (who did what) and use IP addresses for API rate limiting.
Payment card data is processed by Stripe; we do not store full card numbers ourselves.
Support chat (Crisp) in the logged-in portal may receive profile information you already have on the account (e.g. email and company details) to provide help.
Processing is based on performing the contract with you (service delivery), complying with legal obligations (e.g. accounting where applicable), and legitimate interests in operations, security and troubleshooting, limited to what is necessary and proportionate.
Where we ask for consent (e.g. for future specific features), consent is voluntary and may be withdrawn.
We use necessary subprocessors: Supabase (database and authentication), Stripe (payment/subscription), Upstash (Redis for checkout sessions and rate limiting), Vipps MobilePay (login), Shopify (store platform), Crisp (portal chat), and a hosting provider (e.g. Render) to run the applications.
Subprocessors process data under a data processing agreement or equivalent mechanism where required, and only on our instructions for processing we control.
Some vendors may process data outside the EU/EEA. In those cases we ensure that transfers take place under approved mechanisms, such as the European Commission's Standard Contractual Clauses or equivalent safeguards under the GDPR.
Checkout sessions in Redis are deleted automatically after about 15 minutes.
Account, store and log data are kept while you are a customer and afterwards as long as needed to handle claims, security, accounting or other legal purposes. Logs may be kept for shorter or longer periods depending on operational security needs.
You have the right of access, rectification, erasure where not prevented by law, restriction of processing, data portability where the law provides for it, and to object to processing based on legitimate interests.
To exercise rights, contact support@merchant.no. You may also lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).
The portal uses cookies and local storage necessary for login (session) and language choice. You can limit cookies in your browser; parts of the service may then stop working.
We may update this policy. The current version is always shown with the “last updated” date at the top of the page.