PERSONAL DATA CHARTER
DELUPAY (hereinafter referred to as "DELUPAY") is a société par actions simplifiée (simplified joint stock company) with capital of 1,909,000 euros, registered in the PARIS Trade and Companies Register under no. 914 438 031, with its registered office at 10, rue Roquépine - PARIS 8ème, acting in its capacity as a Payment Service Provider (PSP).
ARTICLE 1. Purpose and scope of the Policy
DELUPAY attaches the utmost importance and care to the protection of privacy and Personal Data, as well as to compliance with the provisions of the applicable Legislation.
The Personal Data Charter is applicable to all users (hereinafter "Users") Customers and Merchants and for the provision of products and services related to electronic money and payment accounts as defined in the General Terms and Conditions of Use of DELUPAY solutions.
Regulation (EU) 2016/679 of April 27, 2016 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such Data (hereinafter "RGPD") provides that Personal Data must be processed lawfully, fairly and transparently. Thus, this Personal Data Charter (hereinafter the "Charter") aims to provide you with simple, clear information on the Processing of Personal Data concerning you, in the context of your browsing and operations carried out on our solutions.
ARTICLE 2: Data Controller
DELUPAY collaborates, under mandate, with payment and electronic money institutions and account information service providers approved by the ACPR namely with Banque DELUBAC Société en commandite simple, n° DE RCS 305 776 890, with capital of €11,695,776, having its registered office based at 16, place saléon terras 07160 LE CHEYLARD , all jointly responsible for the processing of personal data of customers and merchants, in accordance with the provisions of Article 26 of Regulation (EU) 2016/679 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such Data.
DELUPAY and Banque DELUBAC jointly define the purposes and means of processing. The data of users of DELUPAY solutions is shared with a co-processor only for the purposes of carrying out contracts established with DELUPAY.
As part of your activity on one or more DELUPAY solutions (hereinafter referred to as the Application), DELUPAY collects and uses personal data relating to you, individuals (hereinafter referred to as the "Data Subject"), in conjunction with Banque DELUBAC.
DELUPAY is a QR code and NFC payment and collection solution for physical and online commerce. It is intended for customer and merchant users as described below:
- The customer user (hereinafter "Customer") of our DELUPAY Application: you use the Application to make payments to merchants;
- The merchant user (hereafter "Merchant") of our DELUPAY Application: in your position as a merchant, you use the Application to offer the DELUPAY payment method to your customers.
ARTICLE 3 What Personal Data do we collect and how?
By using our application, you provide us with a certain amount of information about yourself, some of which may identify you ("Personal Data").
The nature and quality of the Personal Data collected about you varies according to your status as a Customer or Merchant:
For DELUPAY customers :
- Identification data: this includes any information that would enable us to identify you, such as your surname, first name, date and place of birth, address, nationality and cell phone number. We may also collect your e-mail address and tax identification numbers. Your identity document and your photo or video image are processed for identity verification purposes and forwarded to Banque DELUBAC.
- Data relating to your professional situation: This data is collected so that you can open a DELUPAY account, including the nature of your business and your profession.
- Login data: this is all the information we need to access your personal account, such as password and other information required for authentication and account access.
We also collect your IP address for maintenance and statistical purposes.
- Financial data: this corresponds to the User's net monthly income, bank statements or IBAN.
- Documents of different kinds (PDF, Office format, Image) with titles, contents, folder names, or information linked to a document, such as comments written in the documents, alert and reminder dates.
- Browsing information: when you browse our website, you interact with it. As a result, certain information relating to your browsing is collected.
- Data collected through cookies: For more information on this subject, please consult our policy on Cookie management.
- Data collected from Third Parties : the Personal Data you have agreed to share with us by connecting your third-party bank account.
- Geolocation data: used to secure payments and combat fraud. Where applicable, this data may be used for appropriate commercial prospecting purposes, subject to the customer's prior consent.
For retailers using DELUPAY :
- Identification data: this includes all information that would enable us to identify you: first and last name, date and place of birth, nationality, cell phone number and e-mail address. We also collect identity information on the Merchant's manager and beneficial owners: first and last name, date and place of birth, nationality, e-mail address.
- Data relating to your professional situation: This data is collected in order to open a DELUPAY account, including the business address, SIRET number, legal classification and NAF code of the establishment concerned.
- Login data: this is all the information we need to access your personal account, such as password and other information required for authentication and account access.
We also collect your IP address for maintenance and statistical purposes.
- Financial data: IBAN, transactions carried out via the Application.
- Documents of different kinds (PDF, Office format, Image) with titles, contents, folder names, or information linked to a document, such as comments written in the documents, alert and reminder dates.
- Browsing information: when you browse our website, you interact with it. As a result, certain information relating to your browsing is collected.
- Data collected through cookies: For more information on this subject, please consult our policy on Cookie management.
- Data collected from Third Parties : the Personal Data you have agreed to share with us by connecting your third-party bank account.
In general, for all Customer or Merchant Users, Data may be collected directly from you or indirectly from third parties such as :
- Anti-fraud organizations,
- Sponsorship.
- Identity control provider AriadNext
- The open banking provider: Powens enables DELUPAY to provide its services of aggregation of bank accounts and information on linked accounts of DELUPAY customers. Powens' Privacy Policy can be found here.
Finally, Face ID or Touch ID data used to connect to the Application or pay for a transaction by recognizing your face or fingerprint is only stored on the terminal used for the connection and is in no way transmitted or stored by DELUPAY or Banque DELUBAC.
ARTICLE 4 Why do we collect your Personal Data and how?
We collect your Personal Data for specific purposes and on different legal grounds.
Concerning Application Customer Users :
In the context of contract performance or pre-contractual measures, your Data is processed for the following purposes:
- Reminder to open accounts that have not been finalized ;
- Account opening management ;
- Transaction validation ;
- Bank account registration via IBAN or direct connection to your bank account;
- Management of direct debit authorizations on the User's bank account;
- Manage and customize spending limits ;
- Sending sponsorship proposals ;
- Sponsorship and rewards management ;
- Management of your account scoring (LCB-FT, fraud, via interrogation of third-party databases)
- Dispute management ;
- Messaging with the merchant ;
- Calls to customer service or technical support ;
- Enrolling a new connection terminal
- Deleting an account
On the basis of your consent, your Data is processed for the following purposes:
- Automated analysis of identity documents when creating a DELUPAY customer account;
- Login with Face ID or Touch ID ;
- Notification of the opening of the DELUPAY service in new countries ;
- Manage the direct connection between your DELUPAY account and your bank account;
- Sales and marketing prospecting;
- Transmission of your Data to our commercial partners ;
- Management of cookies requiring your consent ;
In the context of DELUPAY's legitimate interests, your Data is processed for the following purposes:
- Newsletter management ;
- Drawing up statistics to improve products and services;
- Satisfaction surveys and opinion polls;
- Pre-litigation and litigation management ;
Within the framework of the legal and regulatory obligations to which DELUPAY is subject, your Data are processed for the following purposes:
- Verification of the User's identity ;
- Fighting fraud ;
- Combating money laundering and the financing of terrorism;
- General and subsidiary accounting ;
- Declaration of account opening to the French tax authorities' FICOBA (fichier national des comptes bancaires et assimilés).
Concerning Merchant Users
In the context of contract performance or pre-contractual measures, your Data is processed for the following purposes:
- Account creation and management Boutique DELUPAY ;
- Customer collection via the DELUPAY application;
- Configuration of bank transfers and direct debits for refunds ;
- Transaction management and follow-up, i.e. payment received, transfer, reimbursement;
- Team and store member management, including account creation and administration, including user creation, first login follow-up, login attempts from new devices;
- Mailbox management ;
- Sending sponsorship proposals ;
- Sponsorship and rewards management ;
On the basis of your consent, your Data is processed for the following purposes:
- Management of cookies requiring your consent ;
In the context of DELUPAY's legitimate interests, your Data is processed for the following purposes:
- Sales and marketing prospecting;
- Transmission of your Data to our commercial partners ;
- Newsletter management ;
- Drawing up statistics to improve products and services;
- Satisfaction surveys and opinion polls;
- Pre-litigation and litigation management ;
Within the framework of the legal and regulatory obligations to which DELUPAY is subject, your Data are processed for the following purposes:
- Verification of the User's identity ;
- Fighting fraud ;
- Combating money laundering and the financing of terrorism;
- General and subsidiary accounting ;
ARTICLE 5: Do we share your personal data?
Your Data is intended for authorized DELUPAY employees in charge of managing and executing contracts and legal obligations, depending on the purpose of the collection and within the limits of their respective responsibilities.
All personal data of Customers and Merchants are covered by professional secrecy under the conditions defined in article L.511-33 of the French Monetary and Financial Code.
In particular, the personal data of the Customer and the Merchant may be transmitted by DELUPAY to its payment service providers, as well as to operational service providers such as investment companies, digital asset service providers, finance companies and credit institutions, and insurance groups with which DELUPAY has set up a contractual relationship for the purposes of carrying out the transactions and services offered, provided that these third-party recipients of personal data are subject to regulations guaranteeing an adequate level of protection as defined in Article 561-7 II b of the French Monetary and Financial Code and in compliance with the RGPD, namely in particular:
- Banque Delubac;
- The service providers and subcontractors we use to carry out a range of operations and tasks on our behalf, in particular:
- Our identity verification service provider AriadNext ;
- Our open banking provider for the connection between the Application and your personal bank account: Budget Insight enables DELUPAY to provide its bank account aggregation services and information on the linked accounts of DELUPAY customers. The Budget Insight Privacy Policy is available here.
- Business partners only when you (Customer users) have expressly consented via a checkbox on our Data collection forms;
- Duly authorized public authorities (judicial, supervisory, etc.), as part of our legal and regulatory obligations;
- Regulated professions (lawyers, bailiffs, etc.) who may be involved in the implementation of guarantees, collection or litigation;
These partners and service providers only have access to the data that is strictly necessary for the performance of contracts established with DELUPAY.
When your Data is communicated to our service providers and subcontractors, they are also asked not to use the Data for purposes other than those initially intended. We make every effort to ensure that these third parties maintain the confidentiality and security of your Data.
In all cases, only the necessary Data is provided. We make every effort to ensure the secure communication or transmission of your Data.
We do not sell your Data.
ARTICLE 6: Are your personal data transferred to third countries?
DELUPAY endeavors to store Personal Data in France, or at least within the European Economic Area (EEA).
However, it is possible that the Data we collect when you use our platform or as part of our services may be transferred to other countries. This is the case, for example, if some of our service providers are located outside the European Economic Area.
In the event of a Transfer of this type, we guarantee that it will be carried out :
- To a country offering an adequate level of protection, i.e. a level of protection equivalent to that required by European regulations;
- Within the framework of standard contractual clauses ;
- Within the framework of internal company rules.
ARTICLE 7: How long do we keep your personal data?
We retain your Personal Data only for as long as is necessary to fulfil the purpose for which we hold the Data, to meet your needs or to comply with our legal obligations.
Shelf lives vary depending on a number of factors, such as :
- DELUPAY's business needs;
- Contractual requirements ;
- Legal obligations ;
- Recommendations from supervisory authorities.
In accordance with the regulations relating to the fight against money laundering and the financing of terrorism, DELUPAY and DELUPAY Bank are legally required by the French legislator to keep intermediate archiving (restricted access, intermediate stage before deletion) for five (5) years from the closing of Customer or Merchant accounts or the termination of their contractual relationship:
- Customer identity documents ;
- Documents and information relating to customer operations and transactions;
- All information collected as part of compliance procedures (fight against fraud, money laundering and terrorist financing, etc.).
The retention periods for your Data are as follows:
Concerning Customer Users :
Goals | Shelf life |
---|---|
Reminder to open accounts that have not been finalized ; | 12 months from last contact |
Account opening management ; | 5 years from account closure |
Transaction validation ; | 5 years from account closure |
Bank account registration via IBAN ; | 5 years from account closure |
Management of direct debit authorizations on the User's bank account; | 5 years from account closure |
Manage and customize spending limits ; | 5 years from account closure |
Sponsorship and rewards management ; | 1 year |
Scoring management ; | 5 years from account closure |
Dispute management ; | 5 years from account closure |
Automated analysis of identity documents when creating a DELUPAY customer account | 5 years from account closure |
Face ID login | No data storage on DELUPAY systems |
Notification of DELUPAY service opening in new countries | 3 years from last contact |
Manage the direct connection between your DELUPAY account and your bank account; | 3 years from last contact |
Sales and marketing prospecting; | 3 years from last contact |
Transmission of your Data to our commercial partners ; | 3 years from last contact |
Newsletter management ; | 3 years from unsubscribing |
Management of cookies requiring your consent ; | Consult the Cookie Policy |
Service improvement statistics ; | 1 year |
Satisfaction surveys and opinion polls; | 1 year |
Pre-litigation and litigation management ; | 5 years from account closure |
Drawing up statistics to improve products and services; | 1 year |
Verification of the User's identity ; | 5 years from account closure |
Fighting fraud ; | 5 years from account closure |
Combating money laundering and the financing of terrorism; | 5 years from account closure |
General and subsidiary accounting ; | 5 years from account closure |
For Merchant Users :
Goals | Shelf life |
---|---|
Account creation and management Boutique DELUPAY | 5 years from account closure |
Customer collection via the DELUPAY application | 5 years from account closure |
Setting up bank transfers | 5 years from account closure |
Transaction management and tracking, i.e. payment received, transfers, refunds | 5 years from account closure |
Team and store member management, including account creation and administration, including user creation, first login follow-up, login attempts from new devices | 1 year |
Mailbox management | The entire account opening period |
Sending sponsorship proposals | 1 year |
Sponsorship and rewards management | 1 year |
Management of cookies requiring your consent | Consult the cookie policy |
Sales and marketing prospecting operations | 3 years from last contact |
Transmission of your Data to our commercial partners | 3 years from last contact |
Newsletter management | From unsubscription |
Service improvement statistics | 1 year |
Satisfaction surveys and opinion polls | 1 year |
Pre-litigation and litigation management | 5 years from account closure |
Verification of the User's identity | 5 years from account closure |
Fighting Fraud | 5 years from account closure |
Combating money laundering and the financing of terrorism | 5 years from account closure |
General and subsidiary accounting | 5 years from account closure |
ARTICLE 8. How do we guarantee the security of your Personal Data?
DELUPAY undertakes to protect the Personal Data that we collect, or that we process, against loss, destruction, alteration, unauthorized access or disclosure.
Accordingly, we implement all appropriate technical and organizational measures, depending on the nature of the Data and the risks involved in processing it. These measures must preserve the security and confidentiality of your Personal Data. They may include practices such as restricted access to Personal Data by persons authorized by virtue of their functions, pseudonymization or encryption.
In addition, our practices and policies and/or physical and/or logical security measures (secure access, authentication procedure, back-up copy, software, etc.) are regularly checked and updated if necessary.
ARTICLE 9. What are your rights?
The RGPD provides Data Subjects with rights that they can exercise. These include:
- Right to information: the right to clear, precise and complete information on the use of personal data by DELUPAY.
- Right to information: the right to clear, precise and complete information on the use of personal data by DELUPAY.
- Right of access: the right to obtain confirmation from DELUPAY as to whether or not one's personal data is being processed and, where applicable, the right to obtain a copy of the Personal Data that the Data Controller holds on the applicant.
- Right of rectification: the right to have Personal Data rectified if they are inaccurate or obsolete and/or to have them completed if they are incomplete.
- Right to erasure / right to be forgotten : the right, under certain conditions, to have the Data erased or deleted, unless DELUOPAY has a legitimate interest in keeping them, namely :
- Personal data is no longer required for the purposes for which it was collected or otherwise processed;
- The Customer or Merchant withdraws his consent or objects to the processing of his personal data;
- Personal data has been processed unlawfully;
- When DELUPAY or Banque DELUBAC are not legally required by French law to retain customer data as part of the fight against money laundering and the financing of terrorism (see 2.3 Retention period).
- Right to object: the right to object to the Processing of Personal Data by DELUPAY for reasons relating to the applicant's particular situation (subject to conditions).
- Right to withdraw Consent : the right at any time to withdraw Consent where Processing is based on Consent.
- Right to restrict processing: the right, under certain conditions, to request that processing of personal data be temporarily suspended.
- Right to data portability : the right to request that personal data be transmitted in a reusable format enabling it to be used in another database.
- Right not to be subject to automated decision-making : the right of the applicant to refuse fully automated decision-making and/or to exercise the additional guarantees offered in this respect.
- Right to define post-mortem directives: the right for the applicant to define directives concerning the fate of Personal Data after his/her death.
Additional rights may be granted by local regulations to the Persons concerned.
To this end, DELUPAY and Banque DELUBAC have implemented a procedure for managing the rights of Individuals that complies with the requirements of the applicable Legislation. This procedure establishes :
- The standards to be met to ensure transparent information for those concerned;
- Legal requirements that must be met ;
- The authorized means of submitting a request for each right, according to the category of Persons concerned ;
- Operational processes to handle these requests in accordance with the above requirements;
- The parties involved in these processes, their roles and responsibilities.
To exercise your rights, please contact the Data Protection Officer (DPO):
- Postal address: Délégué à la Protection des Données - 16 Place Saléon Terras 07160 Le Cheylard
- Email address: dpo@delupay.com
When you send us a request to exercise a Right, you are asked to specify as far as possible the scope of the request, the type of Right exercised, the Personal Data Processing concerned, and any other useful information, in order to facilitate the examination of your request. In case of reasonable doubt, you may also be asked to provide proof of your identity.
You also have the right to complain to the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07, about the way in which DELUPAY collects and processes your data.
ARTICLE 10. Updating of this Policy
This Policy may be updated from time to time to take account of changes in regulations relating to personal data.
Last updated: 20/03/2024.