This policy explains what data the Vipps MobilePay for LeadConnector integration ("the integration", "we") processes when an agency or sub-account uses it to accept payments, and how that data is protected. The integration is operated by LeadConnectorPay and is not affiliated with Vipps MobilePay AS.
1. Data we process
| Data | Purpose |
|---|---|
| Vipps API credentials | To authenticate payment requests on behalf of each sub-account. Stored encrypted (AES-256-GCM), never in plaintext. |
| Payment tokens / agreements | To run subscription renewals the customer has authorized. Stored encrypted. |
| Transaction records | Amount, currency, status and references — to sync the CRM, support verification and refunds. |
| Contact identifier | The LeadConnector contact ID, to attach a payment to the correct record. |
| OAuth tokens | To call the LeadConnector API on the account's behalf. Stored encrypted. |
2. Data we never receive
- Card numbers, expiry, or CVV. These are entered only on Vipps MobilePay's own PCI-compliant hosted checkout. They never reach our servers.
- We handle payment tokens, not raw card data.
3. How data is protected
- Sensitive fields (API keys, tokens, OAuth tokens) are encrypted at rest with AES-256-GCM authenticated encryption.
- All traffic is encrypted in transit over HTTPS; HTTP is automatically upgraded.
- Inbound webhooks are cryptographically verified (HMAC-SHA256 for Vipps, RSA-SHA256 for LeadConnector) before being trusted.
- Data is isolated per sub-account; one account cannot access another's data or secrets.
- Secrets are kept out of logs and are never returned to the browser.
4. How data is shared
We share data only with the two parties required to complete a payment: Vipps MobilePay (to process the charge, refund or agreement) and LeadConnector (to record the transaction against your CRM). We do not sell data or share it for advertising.
5. Data retention
Transaction and credential records are retained while the integration is installed for your account. When the app is uninstalled, the associated credentials and payment methods are deactivated. You may request deletion of your data by contacting us.
6. Your rights
Depending on your jurisdiction (including the EU/EEA under GDPR), you may have the right to access, correct, or delete your personal data, and to object to or restrict its processing. To exercise these rights, contact us at the address below.
7. Contact
Questions about this policy or your data? Email support@leadconnectorpay.com.