1. General
1.1. These terms apply to the business relationship between Kardio, which is a service from Memento ehf., ID no. 700114-0580, Bolholt 4, 105 Reykjavík ("Kardio") and Kardio's customer. The terms contain general provisions and obligations of both parties.
1.2. In addition to these terms, the general terms of businesses regarding transactions with Kvika Bank hf. ("Kvika's General Terms") apply to the contractual relationship between the user and Kardio, which are accessible on Kvika Bank hf.'s ("Kvika") website, www.kvika.is/skilmalar.
1.3. These terms apply to the services provided by Kardio.
1.4. By accepting these terms, the user declares that they have read, understood, and accepted the content of these terms.
1.5. Updated terms are published on Kardio's website www.kardio.is/termsofservice
2. Establishment of Business
2.1. A customer can establish business with Kardio following an application process for Kardio card issuance with Kvika. Upon completion, the company will receive an invitation for registration.
2.2. To establish business with Kardio, the company must have previously established business with Kvika Hf., as Kvika is the issuer of company payment cards on behalf of Kardio. At the beginning of the business relationship, the customer shall undergo a due diligence check as part of Kvika's and Kardio's application process. Kvika is obligated to check the reliability of its customers according to laws on measures against money laundering and terrorist financing.
2.3. When establishing business with Kardio, the customer is required to have the necessary permissions to enter into obligations on behalf of the legal entity. The customer is obligated to provide correct information that they and the company are truly registered for.
2.4. When establishing business with Kardio, a company access is created in the dashboard along with access for employees to the Kardio dashboard and Kardio app as needed.
2.5. Each employee is obligated to provide the correct phone number, ID number, and email address that they are truly registered for when creating a user account, and the employee must also accept Kardio's and Kvika's general terms.
2.6. Each customer and user is responsible for updating their information so that it is correct and adequate at all times.
2.7. Kardio reserves the right to request further information from customers and users if Kardio has reason to believe that the service is being used in violation of Kardio's terms, Kvika's general terms, or national laws. Furthermore, Kardio has the right to request information that Kardio deems necessary to ensure the security of the service, the security of customers, and/or the security of external parties. Information gathering can, for example, consist of inquiries to the user or demands for confirmations from them regarding the information they have provided or actions they have performed.
2.8. Kardio is authorized to reject applications from individual customers unless the law provides otherwise. Kardio generally does not have an obligation to justify its decision to reject an application unless required by law.
3. Usage and Responsibilities
3.1. All use of Kardio is the responsibility of the customer, and under no circumstances may they share information about security numbers, card information, or provide other sensitive information to another party.
3.2. In transactions with payment cards, the customer uses personal security elements for authentication and to confirm payments and other transactions in accordance with Kardio's security requirements at any given time. Personal security elements refer to any authentication that is exclusively bound to the respective customer and can only be used by them to prove their identity, such as electronic credentials or username and security number that the customer chooses or is assigned when creating a user access.
3.3. The customer can always change their security number in the Kardio app. Kardio reserves the right to change its security requirements regarding authentication and personal security elements without notice.
3.4. The customer is responsible for safeguarding security information and information about personal security elements in a secure manner and is responsible for ensuring that they do not fall into the hands of unauthorized parties or are accessible to others. The customer is responsible for all actions, including financial transactions that are confirmed with personal security elements. Use of personal security elements is equivalent to the customer's signature. The customer must notify Kardio without delay if they have reason to believe that an unauthorized party has gained access to information about their personal security elements. They should change them as soon as possible. If the customer does not safeguard their personal security elements in accordance with the above, it is considered gross negligence on their part. Kardio can block the use of electronic credentials or secret numbers and require the customer to replace the same elements if misuse or error risk is suspected.
3.5. If a Kardio user becomes aware of unusual usage or payments from their payment card that they believe they did not perform, loses their phone, or suspects that an unauthorized person has knowledge of access information to Kardio, it is the user's responsibility to immediately block their access to Kardio. Kardio reserves the right to block the user's access to Kardio if suspicion of misuse or incorrect use of any kind arises, at Kardio's sole discretion.
3.6. If Kardio suffers damage due to the user's violations of these terms or any kind of intentional or negligent acts by the user in connection with the use of Kardio, the user shall compensate Kardio for that damage according to general rules on damages within or outside contracts. This provision also includes any claims by third parties against Kardio due to the user's use of or interaction with the Service under this agreement.
3.7. Neither Kardio nor the user shall be considered in breach of these terms or liable to the other if the cause is due to circumstances beyond the control of the party concerned (force majeure). Force majeure in this sense includes, but is not limited to, natural disasters, wars or general unrest, actions by public authorities that make performance impossible, labor disputes, etc. If performance has been impossible for the aforementioned reasons for 6 weeks or longer, either party is entitled to terminate this agreement with notification to the other party, which shall be given with 7 days' notice.
4. Kardio Card and Contactless Payments
4.1. Kvika is the issuer of company payment cards on behalf of Kardio. See terms on the issuance of payment cards at Kvika, www.kvika.is/skilmalar_greiðslukort.
4.2. The issuer is legally obligated to process personal data, and such processing is necessary, to fulfill its role as a financial company and payment intermediary and to ensure security in financial and payment services. All personal data that the issuer receives and handles are processed in accordance with the Personal Data Protection and Processing Act, no. 90/2018, and Kvika's privacy policy. Personal data is used in the evaluation of applications, card issuance and credit facilities, and other regular activities of the issuer. The issuer processes information about cardholders, card holders, and guarantors. Personal data is created in the issuer's card systems. By accepting these terms, the cardholder grants the issuer permission to process personal data generated by the use of the card in payment systems. The information in question includes, among other things, ID number, phone number, address, and other information that parties have provided to the issuer by filling out the issuer's forms.
4.3. The cardholder alone has permission to use their cards. Card in these terms refers to functionality with a token that Kardio provides to the cardholder and is accessible through a mobile phone or other smart devices.
4.4. It is possible to connect the card to an electronic wallet to activate contactless payments with a mobile phone or other smart device that allows the cardholder to pay with the device at payment stations (POS) that are equipped for this.
4.5. The card may be used in the following ways:
as an international payment card for purchasing goods or services
connected to a mobile phone or other smart devices for purchasing goods or services with contactless payments
4.6. The card should not be used in the following ways:
as an ATM card for withdrawal and deposit of cash in ATMs
as a bank card for withdrawal or payment at a bank/savings bank
as a withdrawal card in transfer services (e.g., Aur)
4.7. The user of the service and the cardholder of the respective payment card(s) shall always be the same person. The cardholder's access to wallets (Apple/Google Pay) shall only be used by themselves, and the user is prohibited from sharing access information or cards with a third party or otherwise providing a third party with access to their personal access to the wallets supported by the service. Cards should only be set up in wallets on smart devices that are owned and under the control of the user, and the user should delete linked payment cards from the payment solution/application of the service provider if the smart device is loaned, sold, or if the customer stops using it. The user should not install the Kardio app on a smart device where the operating system has been tampered with, and should stop using the service and delete information (including payment cards) related to it from the smart device if its security has been compromised in any way, such as by the installation of unsafe applications or suspicion of unauthorized access to the smart device in any way.
4.8. The user shall ensure the confidentiality of access information, card information, and electronic credentials, and is responsible for any damage that may result from the aforementioned information reaching a third party, whether with the user's knowledge or not. A user who authenticates themselves with the correct security number is considered the rightful owner of the respective user access to Kardio, and only that person has permission to perform actions on that user access. The user always bears full responsibility for all actions that have been confirmed in the aforementioned manner in Kardio.
4.9. Personal security elements in these terms refer to any authentication that is bound to the respective individual exclusively and can only be used by them to prove their identity in transactions according to these terms, such as electronic credentials, security numbers, facial recognition, and fingerprints.
4.8. Card information is valuable and should be guarded like money. Any dispute or damage regarding the purchase of goods or services paid for with the card is completely irrelevant to the issuer and without liability for them.
4.10. Kardio reserves the right to deny authorization for payment with cards. The most common reasons why Kardio denies payment are the following:
The card has been closed or frozen
The card has been reported stolen
The payment amount exceeds the available amount
Confirmation with personal security elements has been incorrect
The card's validity period has expired
The law stipulates otherwise
4.12. If there is a well-founded suspicion of unauthorized or fraudulent use of the card, Kardio reserves the right to deny withdrawal authorization and close the card. In that case, the cardholder is notified immediately afterward. If that suspicion is unfounded, the card is reopened for use.
4.13. The cardholder can access a statement of withdrawals and card usage in the Kardio app, in the Kardio dashboard, and in the statement sent from Kvika. The statement shows the name of the sellers where the card was used, along with the date and amount and other detailed information. For foreign transactions, the amount of the currency in which the purchase was made and the reference exchange rate are shown.
4.14. Cardholder withdrawals in foreign currency are converted to Icelandic krona at the exchange rate in effect on the day the transaction enters the issuer's card system as a withdrawal. Information about the exchange rate can be found on Kvika's website: http://www.kvika.is. The use of a card in foreign exchange transactions is subject to the information duty to the Central Bank of Iceland according to law no. 87/1992 on foreign exchange matters and rules set with authority in those laws.
4.15. The delivery date of a transaction from the seller to the acquirer determines to which card period the withdrawal belongs.
4.16. The card period for Kvika's company cards is from the 27th to the 26th of each month.
5. Lost Cards, Closures, and Cancellations
5.1. If a cardholder becomes aware of unauthorized payments or suspects misuse of the card, they must change their personal security elements, such as locking their smartphone with appropriate security settings, e.g., with a new security number, freeze the card in the app, and notify Kardio of such without delay by contacting Kvika's service center at phone number 585-6565. The cardholder has the right to receive confirmation that they have fulfilled their notification obligation. As soon as a notification has been received, the person who received the notification must close the card and prevent further use of it and/or misuse. The person who receives the cardholder's notification, whether it is Kvika or a VISA representative, must keep such notification for 18 months.
5.2. Kardio can recall the card without notice in case of misuse or violations by the cardholder of the rules and terms that apply to the card, at the issuer's discretion, or if there are default payments by the cardholder.
5.3. Kardio has the authority to register all recalled cards and distribute that information to sellers of goods and services.
5.4. The cardholder is prohibited from using the card after its validity period expires or has been invalidated. Misuse of the card is against the law, cf. inter alia, Article 249 of the General Penal Code no. 19/1940.
6. Debits
6.1. Kardio is authorized to debit fees and costs on the customer's card at Kardio, and the debits shall appear on the customer's statement. If other terms or agreements of Kardio with customers stipulate charges, those agreements shall prevail over Kardio's price list.
6.2. The card period for Kardio company cards is from the 27th to the 26th of each month.
6.3. The bill for a company's card usage at Kardio is issued by Kvika Bank as a claim at the beginning of each month, and the claim will appear in all Icelandic banks and savings banks.
7. Processing and Handling of Personal Data
7.1. Kardio is the data controller for data processing, as defined in the laws on personal data protection and the European Union's GDPR regulation.
7.2. Kardio has a legal obligation to ensure the security of the personal data that Kardio processes. Kardio fulfills that obligation by, for example, establishing privacy and security policies, assessing the risks that threaten the respective processing, such as the risk of unauthorized access to the information, damage or deletion, and implementing security measures to counteract such risks.
7.3. The main purpose of processing personal data is to provide customers with the requested service. Authorization to process personal data can, among other things, be due to the execution of a contract, legal obligations that rest on Kardio, and due to the legitimate interests of the company.
7.4. An individual can access their personal data and, under certain circumstances, request that it be corrected, deleted, its processing limited, object to its collection and processing, and request the transfer of their own data to another party. The individual also has the right to file a complaint with the Data Protection Authority. An individual has the right to withdraw their consent at any time if the authorization for processing is based solely on consent but not legal requirements.
7.5. The personal data collected about the cardholder in connection with the application for a card will be recorded in the issuer's computer system.
7.6. All information about card accounts and card usage is stored in the issuer's computer systems. Encrypted information about transactions on the cardholder's card is sent to international card associations, i.e., information about the card number, when the transaction is made, the amount of the transaction, and what the seller's business is.
7.7. Kardio is legally authorized to maintain and process the information electronically. Processing can, for example, be necessary when making business agreements, to serve them during their validity period, and for the purpose of presenting and displaying information on smart devices. The processing of personal data can also be used as a basis for financial advice and customer analysis.
7.8. Kardio may use personal data for marketing purposes, including to develop new service channels and business solutions directed at a specific group of recipients based on personal data. Kardio can communicate for this purpose with customers via email, the Kardio app, the Kardio dashboard, or other electronic messages. Kardio uses similar communication channels to assess the quality of service that Kardio provides. Kardio's customers can request that the use of personally identifiable information or sending of emails for marketing purposes does not take place.
7.9. The classification of personal data, such as for financial transactions that the customer has access to through smart device solutions, may be presented to the customer in any way that increases their usability and transparency or to fulfill the service elements that are offered at any given time, provided that the security of the information is ensured adequately thereafter.
7.10. The information may be shared with a third party, e.g., for monitoring or to service providers, but full security and confidentiality are maintained with such distribution.
7.11. The processing and storage of personal data shall be in accordance with what is necessary for the operation of payment intermediation. The processing of personal data may be necessary for investigations if suspicions arise about money laundering or other fraud, and such processing is based on relevant legislation. Kardio shall ensure that the processing and storage of personal data are always in accordance with applicable laws and regulations.
7.12. Kardio's customers have the right to obtain information about what personal data Kardio has recorded about them according to the provisions of the law on personal data protection and processing of personal data.
7.13. Changes in the ownership of Kardio do not affect the rights and obligations of the user, and Kardio's service will remain unchanged regardless of such changes unless the user is notified otherwise with reasonable notice.
7.14. The customer confirms that they are aware that in order to fulfill its obligations according to these terms, it is necessary for Kardio to collect and process personal data in accordance with laws and regulations. More information about the handling, processing of personal data, and the rights of individuals in connection with the processing of personal data at Kardio can be found here: http://www.kardio.is/personuverndarstefna.
8. Processing and Handling of Personal Data
8.1. For all card transactions in Kardio, receipts or invoices can be added through the app or dashboard for purchases of goods and services. Payment information, along with receipts and invoices, are stored in the Kardio database for 2 years and are accessible to customers during that time through the app, dashboard, web service connection to accounting systems, and in downloadable form, e.g., Excel file.
8.2. The following information is collected in connection with payment information with the purpose of using it for monitoring functionality, product development, as well as providing customers with enhanced service and analysis in connection with the expenses of the company and employees:
Communication information
User information and identifiers
Information appearing on receipts or invoices
Technical information such as IP address and device number
Event logs
Encodings, remarks, and anything else that may be added to payment information by customers
8.3. Full security will be maintained in the processing of payment and personal information. Information is not stored in the app but only in Kardio's core systems, and if applicable, service providers. All communications between the app and core systems are encrypted, and Kardio operates under active security and privacy policies.
8.4. Companies and their employees are responsible for ensuring that the attached image of a receipt or invoice is clear and legible. The same applies to ensuring that the receipt or invoice is correct and applies to the transaction that is being added.
8.5. Kardio is neither an accounting service nor an accounting system and therefore does not meet the requirements of law no. 145/1994 on accounting for the preservation of data. Kardio reserves the right to monitor use to ensure security and compliance with laws. Kardio notifies relevant monitoring authorities and competent authorities of illegal conduct.
9. Confidentiality
9.1. Kardio and Kardio's employees are bound by confidentiality and secrecy about what they learn in the performance of their work and concerning private and business matters of the service's customers. This confidentiality and secrecy obligation remains even after leaving the position. However, the customer can authorize the lifting of confidentiality. A judge can also rule that it is mandatory to provide information in court or to the police or that it is mandatory to provide information according to law that concerns private and/or business matters of customers that Kardio is normally bound to keep confidential.
10. Protection of Intellectual Property
10.1. All rights and interests related to the service and the software it is based on, by whatever name they are called, including but not limited to, copyright, patent right, trademark right, trade secrets, and know-how are the property of the issuer and/or the service provider with whom the issuer is in collaboration about the service.
10.2. The cardholder does not acquire any rights or interests over the service and/or the software that the service is based on by activating and using it.
10.3. The cardholder's use of the service shall be normal and lawful, in the context of the service, the terms, rules, and information, which are in question at any given time. The cardholder is prohibited from doing anything that can go against or have a negative impact on the rights of the issuer and/or the service provider over the service.
11. End of Business
11.1. The customer is authorized to terminate their business relationship with Kardio without notice unless otherwise agreed. Termination shall be notified in a verifiable manner. Kardio is authorized to terminate the business relationship with the customer with two weeks' notice, if the business relationship does not concern payment service in the sense of the law on payment service no. 120/2011, unless otherwise stated in special terms to that effect. If the business relationship concerns payment service according to the aforementioned laws, Kardio is authorized to terminate the business relationship with two months' notice.
11.2. If the customer, upon termination of a contract or other service, owes Kardio fees or other charges for provided service, Kardio is authorized to debit the fees from the customer's account.
11.3. Kardio reserves the right to lock accounts and terminate business with the customer if they are found to have violated these terms or laws and regulations. The customer shall be informed of the closure as soon as possible.
12. Changes to Terms and Other Notifications
12.1. Kardio has the authority to change the provisions of these terms unilaterally. If the changes are burdensome for the customer, they shall be notified of them in a secure manner, such as with messages in the Kardio app, Kardio dashboard, by email to the customer's notified email address, or with a notification on Kardio's website, no later than two months before they take effect. The cardholder shall have access to the current terms in electronic form. Other changes Kardio is authorized to publish with a notification on its website: www.kardio.is or in the Kardio app or Kardio dashboard. The customer is considered to have accepted the change if they do not notify otherwise before the planned effective date, as well as if they use the service after the new terms have taken effect.
12.2. If the cardholder wants to stop all use of the payment card, they shall close it through the Kardio dashboard and they are responsible for all limitations on the use of the card according to the options available there.
13. Changes to Terms and Other Notifications
13.1. Customers can bring disputes before the courts.
13.2. On Kardio's website, www.kardio.is/hafasamband, it is possible to send suggestions and complaints regarding what relates to Kardio's operations and service. You can also send an email to hjalp@kardio.is for inquiries or complaints of all kinds.
13.3. All cases that may arise from the use of the service shall, unless otherwise agreed, be governed by Icelandic law.
13.4. If a case arises due to violations of these terms or disputes about their interpretation, it may be brought before the District Court of Reykjavík. The customer also agrees that Kardio may, if it chooses, conduct collection cases in the country where the cardholder has residence at any given time.
14. Validity Period
14.1. These terms are issued by Kardio in Icelandic and are valid from April 10, 2024, until the time when new terms take effect.
14.2. The service agreement between Kardio and the customer is indefinite but can be terminated by either party with 30 days' notice, based on the end of the month, unless a shorter period is provided for in these terms.
14.3. The customer is advised to read the provisions of these terms and others that apply carefully before accepting them electronically and to seek explanations from Kardio's employees if they find any of their provisions unclear. By selecting: "Accept," the customer declares that they have read the terms, accepts them, and commits to using the service in accordance with them in all respects.
Kardio as part of Memento ehf.
Bolholt 4, 105 Reykjavík
Email address: kardio@kardio.is
