Usage Data

Who is this for?

This information is intended for anyone who uses our software. Typically "you" are a user with one of our customers. For example, you can be using an expense- app from Visma to register your travel expenses, or making payments, approving invoices, or doing the accounts for your company using one of our products.

Particularly online software, such as Visma Cloud ERP, Time, Payroll and Expense, needs to process your personal data to varying degrees. This page provides you with information about how we may use personal data when you are using our products and services.

Please note that "usage data" (see below for a description) is quite limited in terms of personal data, and is typically only name, email and other basic information associated with your user or user activity that we need in order to provide you with login- credentials, security functions, provide support and similar.

We do not make profiles of you, sell the data to any third parties or use the data for any purpose that would require your individual consent.

This information is also for customers, to inform about how data about your users or others you register in our systems is processed, and how we may use limited production data for certain purposes related primarily to development and testing.

 

What is “usage data”?

“Usage data” is certain data this is generated by use of our services, either by an individual user or from general use of the system. Exactly what type of data depends on the software or system in question. For example, and on-premise application may be completely offline, and no usage data is generated or collected. A cloud application however, will have more usage data because it needs to interact with your web browser, transmit data via the internet, and is hosted by Visma.

 

We categorise usage data as:

  • Technical information and traffic data, for example:

    • Type of operating system or browser, keyboard language
    • Response times, error codes
    • IP- address

 

  • Aggregated customer- or user-generated data, for example:

    • Session durations and login attempts
    • Number of users in the company database
    • Which bank payment file formats are used
    • The number of invoices sent and received
    • Customer- or company unique identifiers, such as "CustomerID"
    • Annual, quarterly and monthly locking of bookkeeping, VAT reporting and similar
    • Whether or not OCR is activated in invoices, whether or not a webshop is activated and similar
    • Various field- statuses, such as whether or not "bank account number" or "IBAN" have been filled in

 

This type of data does not typically contain personal data, and is the bulk of Usage Data.

 

  • Non-aggregated customer- or user-generated data, for example:

    • Security logs
    • User account information
    • Content of support tickets and chats

 

  • Limited production data

    • Images, files or databases from a production environment, in certain limited circumstances and in subject to strict safeguards. 

 

What about personal data in usage data?

Generally, we will seek not to process personal data as part of usage data. For most of the purposes for which we process usage data, personal data is not required or desired, and in some cases it is even "noise".

For example, our user experience personnel do not need to know the identify of a user in order to work on improving the interface of the software based on aggregate usage patterns: they only need to know e.g. that x% of total users use a particular feature. 

We will therefore remove personal data whenever possible, before processing the usage data futher. We do this using various techniques and processes colloquially referred to as "anonymisation". Anonymisation essentially removes personal data and identifiers from a data set to the extent that individuals are no longer identifiable. 

We are using combinations of various techniques to acheive this, for instance substitution, noise addition, permutation and various methods of generalisation, as recommended by the Article 29 Data Protection Working Party (this is an independent European advisory body on data protection and privacy).

Where anonymisation is not possible or feasible, for example in order to prevent and investigate a security incident associated with a particular user or customer, or to train an OCR- interpreter (optical character recognition, used for electronically interpreting documents such as invoices), we will take other appropriate security measures based on the risk represented by the processing in question.

For example, only the PSIRT (Product Security Incident Response Team) will have access to information about the security incident, and only the team working on the OCR- interpreter will have access to the test data, and always in secure environments.

We may also take other appropriate measures, such as to pseduonymise the data, which means that unique attributes are replaced or encrypted in order to prevent direct linkability of the data subject. This can be relevant for instance in certain support cases.

What do we use usage data for?

Usage data is only used for the following purpses:

 

Software and user experience improvement

We may use usage data for making improvements to our products and user experience. For example, we may monitor the number of invoices going through the systems, system response times and silmar in order to ensure that the systems are fast and responsive. We may also analyse whether or not customers use certain functionality, such as OCR (optical character recognition, for electronically interpreting e.g. invioces) or webshop activiation, in order to evaluate which features or functionality the market uses.

This does typically not involve any personal data, and we do not track what individual named users do in our systems for this purpose.

Sometimes, user may be invited to participate in user experience tests, for example to test a new version. This will be informed about separately in each case.

We will also use data to provide certain functionality, like fetching support tickets for the user, allow personal preferences in the application, for instance by remembering the placement of an in-app support panel or languange preference.

 

Marketing and displaying relevant information

We may use usage data for marketing complimentary or value-adding products to the customer. For example, if the customer is using Visma.net Expense, we may market the Expense mobile app to the customer's users. We may also use usage data to prevent marketing the mobile app to customers that already using it.

We may also use usage data to provide the customer with relevant market updates and information, such as providing information about new regulations for expense- claims.

 

Security and related purposes

Security is very important, particularly for online products and services. We may use usage data to protect and improve the security of our software, services, infrastrucutre and data, and those of our customers.

We use usage data in a variety of ways in order to do this. We may monitor and log things like user password resets, login- attempts, IP- addresses and certain system actions or requests, such as related to payments and the sending out of invoices. If we discover suspicious behaviour or activites, we may use the data to prevent, investigate, notify and secure evidence, both for us and our customers.

This can be for instance in cases of intrusion, fraud or phishing.

 

Statistics and research

We may use aggregated data for various statistical and research purposes, such as:

  • Traffic flows, for example to identify peak times for logins, invoicing etc
  • Product usage, for example module activiations, intregrations, use of certain payment formats etc
  • Market figures, such as how many payslips are processed in a certain country, product or market segment.

 

Statistical and research data is typically aggregated and will not contain any personal data. This means that we may see how many payslips that are made using our systems, but not their content or who they belong to. 

 

Compliance

When you are using our software, we have certain rights and duties to ensure that the use is in accordance with the contract between us and your employer, or whoever gave you access to the system (your accounting office for example).

We will use usage data to activate, authenticate and authorise your account. This can be for instance checking your user credentials to determine which modules you have access to, or if you are a primary contact, we can log when you accepted the Terms of Service.

 

Development and testing

Developing modern cloud software is very dependent on data, both in terms of quantity and quality. The best data to use, is "real" data, which means production data rather than artifically generated data. 

We may occasionally copy certain data from customer instances in order to do specific tests and development, such as testing a product migration to a new hosting provider, or to test whether a new or updated integration or functionality works with real data, such as a new payment access point provider, or to train a model to recognise certain invoice formats.

This is always subject to strict safeguards, both organisational and technical. This data is never used for marketing purposes.

Information we must provide

Because we are collecting usage data as described above from your use of our systems, and this data may contain personal data, we must provide you with the following information, in accordance with the GDPR’s Article 13:


  1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;

Visma Software International AS

Karenlyst Allé 56

0277 Oslo

Norway

Visma Software SMB is a divison in the Visma group of companies, consiting of many companies. You can see which companies may be a controller, and how to contact us, from the contact page.

In most cases, the controller will be the company you have purchased a product or service from.

For example, if you are using eAccounting, the Visma company you've purchased the right of use from will also be the data controller for usage data associated with for example marketing and support as described above.



  1. the contact details of the data protection officer, where applicable;

Lars Martin Ottersen

Data Protection Officer, Visma group

dpo@visma.com



  1. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

The purposes for processing are provided in the Data Processing Agreement in the Terms of Service, and in further described above under "What do we use usage data for."

 

Legal basis:

We are processing usage data from our software services based on “legitimate interest”, which is one of the six legal grounds for processing personal data under the GDPR. This is stated in our Terms of Service.

Specifically, the use of legitimate interest is based on the GDPR’s Article 6, f), which states that processing the data is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

This means that Visma must perform a so-called “balancing test,” where the rights to privacy of someone who is registered in our systems are balanced against our legitimate interests in processing the data.

We’ve done this assessment at two levels: 

  • Policy: The purposes for processing, and its basis in legitimate interest, have been assessed at the division- level and is approved by the Visma Privacy Council and Data Protection Officer. 
  • Risk Assessment for every single product or service that processes personal data, in order to ensure:
    • that data is only processed for the purposes authorised in the Terms of Service, and:
    • that the data is protected appropriately.

 

For example, we have controls in place to ensure that usage data that is processed based on the Terms of Service is not used for purposes that may require consent from the individual.

We advise you to also read Machine Learning and Automation, which explains how very little personal information is actually processed as part of “usage data”.

We do not process information about children: our systems are business- related systems, and primarily process non-personal data related to payments and so on.

 

  1. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

The legitimate interest for each purpose for processing is provided in the Data Processing Agreement in the Terms of Service, and further described in "What do we use usage data for" above.

 

  1. the recipients or categories of recipients of the personal data, if any;

As stated in the Terms of Service, we may share usage data with other companies in the Visma group, and our certified Partners.

Usage data is not shared freely with these parties however, but only based on a data release policy founded on the purposes for processing usage data in the Terms of Service.

For example,

  • The security team may get access to security event logs and IP- addresses of users for the purposes of preventing and investingating security incidents.
  • Support personnel may get access to a production databse if required in order to solve a support case for the customer.
  • The company with which the customer has entered into the Terms of Service for a particular product, and the customers Partner if any, may get access to licensing data for the purposes of adminstering the customer relationship, and for marketing purposes as described above.
  • Marketing teams may get access to customer names and stakeholders/ customer contacts for the purpose of performing the Net Promoter Score survey.
  • Product, user interface and marketing teams may get access to parts of usage data to analyse how customers use software, for the purposes of optimising it, improving user experience and generating aggregate statistics about use of certain software features.
  • A development team may get access to a limited set of data from a production environment, for the purpose of developing or improving functionality, testing a new version of the software or testing migrating the software to a new hosting environment.

 

 

  1. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

All transfers of personal data to third countries/ third parties are listed on the service information page. All such transfers, such as using a third party hosting provider, are subject to the safeguards in the Terms of Service (link 3.4).