Privacy statement in Expense
1. Introduction
The Privacy Statement helps you understand what personal data we collect in the application Expense, why we collect it, and how we handle, protect, store, export, and delete your personal data.
Personal data is any information relating to an identified or identifiable natural person, such as an email address, street address, phone number, etc.
2. Contact us
The controller responsible for the processing of your personal data is:
Visma Software AS Office: Karenslyst Allé 56, 0277 Oslo Telephone number: +47 46 40 40 00
If you have any comments or questions about our Privacy Statement or any privacy concerns, including regarding a possible breach of your privacy, please contact us by sending an email to kundesenteret@visma.no or by using the privacy request form.
We will handle your requests or complaints confidentially. Our representative will contact you to address your concerns and outline the options regarding how these may be resolved. We aim to ensure that complaints are resolved in a timely and appropriate manner.
3. Visma Software AS as Processor
For the personal data processed in Expense, your employer is the Controller. Visma Software AS does in such cases act as a Processor and processes the personal data on behalf of and according to instructions given by your employer. For more information regarding this, please contact customer support for the specific service.
If you want to invoke your rights in relation to the processing of your personal data in Expense, you should direct this to your employer.
4. Visma Software AS as Controller
In some cases, Visma Software AS will be the Controller for your personal data processed in the application. This is when Visma Software AS determines the purposes and means of the processing of personal data. When Visma Software AS is the Controller for your personal data processed in the application, this section 4 applies. If you want to learn more about Visma Software AS’s general processing of personal data and the specifics of data collected via the company’s website, please see Visma Software AS’s general privacy statement.
4.1. Processing activities
Visma Software AS processes your personal data for the processing activities as described below.
Security
Visma Software AS processes personal data in order to detect, mitigate, and prevent security threats and abuse, as well as perform necessary maintenance and debugging. The personal data involved includes your name, email address, user, and web traffic data such as login ID, username, IP address, and device information.
Our legal basis for this processing of personal data is our legitimate interests, cf. GDPR article 6 nr. 1 f). The legitimate interest is to maintain a secure environment for our customers and operations.
We will only store your personal information for as long as necessary to fulfill the purpose of processing, and your personal data will be deleted within 3 months after the latest registered activity.
Piloting new features
Visma Software AS occasionally conducts pilot programs with selected customers to test and refine new functionality before a general release. This allows us to gather valuable feedback and ensure the stability of new features. The personal data we process for this purpose is limited to your name and email address.
Our legal basis for processing your personal data is our legitimate interest, cf. GDPR article 6 nr. 1 f). The legitimate interest is to develop innovative solutions and ensure that new features align with our users’ needs and quality standards.
We will process your personal data only as long as necessary to fulfill the purpose of the pilot phase. Personal data collected for this purpose will be deleted 2 months after the specific pilot project has concluded.
Service improvement
Visma Software AS continuously strives to improve and develop the quality, functionality, and user experience of our product. The personal data we process includes your name, email address, user and web traffic information such as login ID, username, and IP address. Additionally, we process statistics that indicate how you use our software.
Our legal basis for processing your personal data is our legitimate interest, cf. GDPR article 6 nr. 1 f). The legitimate interest is to ensure that we meet our customers’ expectations.
We will process your personal data only as long as necessary to fulfill the purpose. Personal data will be deleted within 3 months after the latest registered activity.
AI assistant in our products
When you use our AI assistant in a product, we ask for consent to store the conversation you have with the AI assistant. The conversation may contain personal data, including sensitive information, depending on what you choose to write yourself. The purpose of the storage is to further develop and improve the assistant’s ability to provide relevant and correct answers. It is entirely voluntary to share the conversation log, and you can use the AI assistant with full functionality even if you choose not to share this information with us.
Our legal basis for processing your personal data is based on your voluntary, specific, and informed consent, cf. GDPR article 6 no. 1 a). You have the right to withdraw this consent at any time without this affecting the lawfulness of the processing that took place prior to the withdrawal. To withdraw your consent, you can contact us via email at kundesenteret@visma.no or by using this form.
All personal data (including stored conversations) collected through the use of the AI assistant will be deleted after 3 months.
Customer feedback
Visma Software AS systematically collects feedback through micro-surveys, which may be sent via the application. These surveys typically measure Net Promoter Score (NPS), Customer Effort Score (CES), or Customer Satisfaction (CSAT), and may include custom questions. A typical survey requests a rating followed by an optional free-text explanation. Please note that you always have the right to decline a survey. We will not contact you if you do not respond to the survey, which means you decide when your personal data is used.
To process your feedback effectively, we collect data related to your response, your identity, and your usage context. This data includes, but is not limited to, your score and comments, your username/ID and email address, the company name and country associated with your account, and the specific product or service you are using.
The purpose of processing personal data is to manage your feedback. This includes registering your score or comments from the survey. We use this data to better understand your needs and inform you of any measures taken based on your feedback. We may contact you to clarify your feedback, follow up on your input, or request further feedback.
Our legal basis for processing your personal data is our legitimate interest, cf. GDPR Article 6(1)(f). Our legitimate interest is to increase the quality of our products and services and deliver the best possible user experience. We use the feedback to develop our products in the direction our customers desire and to continuously improve the overall quality.
We will only process your personal data for as long as necessary to fulfill the purpose of the processing mentioned above. Your personal data will be deleted after 6 months.
5. How your personal data may be shared
5.1. Within the Visma Group
Visma Software AS is a part of the Visma Group, which consists of several subsidiaries. In order to maintain an overview and insight, we may share your personal data across companies in the Visma Group.
5.2. Outside of the Visma Group
Visma Software AS may also share your personal data with external third parties in the following contexts:
Processors
Visma Software AS uses processors to process personal data. These processors are typically vendors of cloud-based services or other IT services. When using processors, Visma Software AS will enter into a data processing agreement in order to safeguard your privacy rights. If processors are located outside the EU/EEA, we ensure legal grounds for such international transfers on your behalf, hereunder by using the EU Model Clauses. You are welcome to request more detailed information on our processors by contacting us as described in the section “Contact us”.
Business partners
Visma Software AS may share your personal data with selected business partners, including technology partners, sales partners, consultants, auditing firms, and other service providers, to the extent this is necessary to deliver our services, manage our business, or fulfill legal obligations. Sharing with business partners takes place only on the basis of a valid legal basis according to GDPR article 6, and we enter into necessary agreements to ensure that personal data is processed in accordance with applicable privacy legislation.
Public authorities
The police and other authorities may request access to information from Visma Software AS. This can include both personal data and non-personal data.
In such cases, we follow internal guidelines and procedures to evaluate the access request and consult with legal experts. We share only information that is strictly required by law, and only on the basis of valid court orders or similar legal documents from public authorities.
To prevent unauthorized access to all information we process, we also implement technical measures such as encryption and access control. The Visma Security Program safeguards high security standards and confidentiality.
We ensure our legal obligations in contracts with our subcontractors, who are also required to implement organizational and security measures equivalent to our own.
If we receive access requests from authorities outside the EEA, we carefully evaluate such requests in accordance with applicable privacy legislation. We share only information where this is required by law, and only on the basis of valid court orders or equivalent legal documents.
6. Your rights
You can invoke the following rights in relation to our processing of your personal data:
- Access. You have the right to request a copy of the personal data we process about you.
- Rectification. You also have the right to request rectification of inaccurate personal data concerning you. If you have an account for our sites or services, this can usually be done through the appropriate “your account” or “your profile” sections on the applicable site or service.
- Deletion. You can request deletion of personal data relating to you.
- Restriction. You may ask us to restrict the processing of your personal data.
- Portability. You may ask us to provide you or others with your personal data in a structured, commonly used, and machine-readable format.
- Object. You have the right to object to our processing of your personal data on the basis of legitimate interest or for direct marketing purposes. You also have the right to object to our processing of your personal data for the performance of tasks carried out in the public interest, or in the exercise of official authority or based on legitimate interest.
Where the processing is based on consent, you have the right to withdraw your consent at any time, without this affecting the lawfulness of the processing that took place prior to the withdrawal.
Please note that there may be certain exceptions or limitations in the above rights that may apply depending on the circumstances of your situation. In such cases, we will provide you with detailed information about the relevant exception or limitation and help you exercise your rights to the greatest extent possible, in accordance with applicable laws and regulations.
Please send an email to kundesenteret@visma.no or use this privacy request form to file requests as mentioned in this section.
Finally, you also have a right to file a complaint to the data protection authorities with regards to our processing of your personal data.
7. Changes
We encourage you to review the Privacy Statement regularly. If we make significant changes to the Privacy Statement that materially alter our privacy practices, we will notify you of this.
The Privacy Statement was last updated: 2026-05-27.