Lydia privacy policy

Aware of the importance of respecting your privacy and the security of your data, Lydia Solutions hereby reaffirms its commitment to being a trusted player in the processing of your personal data.

In this document (hereinafter "Privacy Policy"), "Lydia", "we", "us" and "our" refer to "Lydia Solutions".

Article 1: Legal information

Lydia Solutions, a French company (“société par actions simplifiée”) with capital of €1,786,707, registered in the Trade and Companies Register of Paris under number 534 479 589, domiciled at 14 avenue de l'Opéra, 75001, Paris, France, 

Authorised and supervised by the Autorité de Contrôle Prudentiel et de Résolution Authority ("ACPR", 4 place de Budapest CS 92459 75436 Paris Cedex 09, 01.49.95.40.00) as an electronic money institution authorised to provide payment services, under bank code (CIB) 17598 and REGAFI identifier 62677.

Registered with ORIAS, the French insurance, banking and finance intermediaries' register, under number 18007465, as a non-exclusive banking and payment services agent, insurance intermediary agent, tied agent for investment service providers and banking and payment services intermediary agent.

Lydia Solutions complies with all applicable French and European regulations relating to the protection of personal data, in particular the European Regulation of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (known as the "GDPR") and the Law of 6 January 1978 relating to information technology, files and freedoms (known as the "Loi Informatique et Libertés").

Article 2: Purpose

As the controller of your personal data (hereinafter referred to as the "Personal Data"), Lydia Solutions wishes to inform you through this Privacy Policy about:

  • The categories of Personal Data we collect and process; 
  • The objectives pursued by the processing of your data (its purposes) and the data retention periods associated with each processing operation; 
  • The legal basis for the processing operations carried out;
  • Recipients and categories of recipients;
  • Transfers outside the European Economic Area;
  • Your rights concerning your Personal Data; 
  • The security of your Personal Data. 

This Privacy Policy is directed at and applies to you as an individual customer and prospective customer of Lydia Solutions. It also applies to you if you are:

  • A person who is interested in Lydia Solutions' products, services or content (newsletters, etc.), who subscribes to Lydia's news alerts, who interacts directly or indirectly with Lydia Solutions (via its customer service or social networks), or who visits Lydia Solutions' websites or participates in an event organised by Lydia;
  • A candidate interested in job offers posted by Lydia Solutions on its website.

The Privacy Policy is updated regularly to reflect changes in Lydia Solutions' practices as well as potential changes in the regulations applicable to Personal Data. Lydia Solutions invites you to consult it regularly in order to take note of any changes or updates made.

Article 3: Personal data collected and processed

Lydia Solutions may collect and process the following categories of Personal Data: 

  • Civil status and identification data: surname, first name(s), gender, date and place of birth, nationality, videos of both sides of one or more identity documents, proof of identity, and authentication videos (which may be subject to biometric processing);
  • Contact details: postal and e-mail addresses, telephone numbers;
  • Information about your personal situation: family situation, marital status, etc.;
  • Details of your professional situation: professional situation;
  • Economic and financial information: income (amount, sources and supporting documents), tax residences, financial and tax situation, accounting data, consumer habits and practices;
  • Financial and transactional data (nature of transactions, date, card payments, transfers, direct debits, amount, description, reasons for transactions, bank details and other account data aggregated with your Lydia Solutions account, etc.); 
  • Login data linked to the use of our services: identification and authentication data, logs, cookies and other trackers, browsing data on websites and applications belonging to Lydia Solutions; 
  • Data resulting from correspondence and communications between you and us, carried out remotely: interviews and telephone calls, postal and electronic mail, instant messaging, communications on social networks, complaints or any other type of communication; 
  • Login data, data from the device used to connect to the mobile application and data associated with the use of any mobile application belonging to Lydia Solutions (dates and times of access to the Lydia Solutions service, data on computer or telephone equipment, data associated with the use of the device, unique identifiers, crash data or cookies);
  • Data relating to products and services subscribed to (type of product, method of payment, due date, amount);
  • Geolocation data (IP address or GPS data of the terminal used);
  • Data and information intended to be communicated to the public and shared with other customers within any mobile application belonging to Lydia Solutions: profile and wallpaper photos, images, photos related to operations carried out (which may be subject to biometric processing), comments and other messages;
  • Data provided as part of additional services such as loyalty card information provided by the customer or numbers and email addresses in the customer's address book (only if the customer chooses to link their contacts to any Lydia Solutions-owned mobile application in order to know which of its contacts are using any Lydia Solutions-owned mobile application, and provided that such information transmitted is stored encrypted, using a one-way public key);
  • Any other information or documents needed to trace the origin and destination of funds for transactions carried out on the customer’s account.

This Personal Data is collected either directly from you by Lydia Solutions or, if necessary, indirectly:

  • With the Répertoire National d'Identification des Personnes Physiques database;
  • From the Direction Générale des Finances Publiques authority;
  • Any judicial or financial authorities, state agencies or public bodies, within the limits authorised by regulations;
  • From the financial institution where you have opened an account, which you can link to your Lydia Solutions account, as part of the payment initiation and account information services.
  • Through publications and databases made available by the official authorities or by authorised third parties, or 
  • Through websites and social networks containing information that you wish to make public.

As part of our legal and regulatory obligations to monitor business relationships, we may also collect and process information from persons with whom we do not have a direct relationship: a member of your family, a close friend, your employer, your legal representative or a personal contact. The collection and processing of this information is necessary for the purposes of tracing the origin and destination of funds from transactions carried out with your account. 

Certain categories of data or Personal Data collected by Lydia Solutions may be combined in order to better meet the purposes described in Article 4. These reconciliations are carried out by Lydia Solutions taking care to use only the data strictly necessary to achieve the purpose of the processing (in compliance with the principle of data minimisation, provided for by the GDPR).

Article 4: Purposes of processing and retention period for Personal Data

1 - General provisions

Lydia Solutions processes the categories of Personal Data referred to in Article 3 on a case-by-case basis to meet different objectives or purposes. Each of these categories is associated with a data retention period after which the data is no longer used, is archived and then anonymised and/or deleted. The purposes justifying the processing of your Personal Data are as follows: 

  • Management of the business relationship, the payment or electronic money account opened in Lydia Solutions' books and/or the products and services subscribed to, in particular for evidential purposes. Your Personal Data may be kept for a period of five (5) years from the end of the business relationship or, as the case may be, from the end of any legal or collection proceedings and/or the expiry of any applicable limitation periods. 
  • Carrying out opinion and satisfaction surveys and statistical studies. Your Personal Data may be kept for a period of three (3) years from the time the study is carried out.
  • Combating fraud (e.g. establishing ratings or scores, detecting atypical transactions). Your Personal Data may be kept for a maximum period of five (5) years from the closure of the proven fraud file or the issuing of an alert in our systems.
  • Compliance with Lydia Solutions' legal and regulatory obligations, in particular Know Your Customer obligations, operational risk management (in particular IT network security, customer protection, supervision and internal control, transaction security and security in the use of international payment networks), financial security obligations (combating money laundering and the financing of terrorism and obligations relating to sanctions and embargoes), obligations relating to the determination of your tax status and compliance with associated tax regulations, ethics and the fight against corruption; data protection and any other obligations relating to the management and monitoring of compliance risks. Your Personal Data will be kept for a period of five (5) years as from the triggering event provided for by the regulations in force (e.g. in relation to the activation, loading and use of electronic money, five years as from the execution of these operations).
  • The prevention and detection of criminal offences and/or taking legal action (e.g. for the identification of seriously reprehensible behaviour or acts such as violence towards Lydia Solutions staff). Your Personal Data may be kept for a period of between five (5) and twenty (20) years, depending on the nature of the offence, from the date on which it was discovered. When legal proceedings are initiated, the data is kept until the end of these proceedings and the expiry of the applicable limitation periods. 
  • Management of dormant accounts and data relating to the search for the persons concerned. Your Personal Data may be kept for a maximum of thirty (30) years in accordance with the regulations in force.
  • The recording of your conversations and communications with Lydia Solutions, regardless of their medium (e-mails, letters, telephone conversations, etc.). Depending on the applicable regulations, your Personal Data may be kept for varying periods of time, which may not, however, exceed five (5) years from the date of recording. The recording media or their reproduction will be kept for periods proportionate to the purpose of the recording in question (from 6 months for staff training purposes, to 5 years when the telephone recording is likely to be used as evidence).
  • Accounting processing: accounting data may be kept for a period of ten (10) years in accordance with the legal provisions in force. 
  • Cookies and other trackers. Trackers last for a maximum of thirteen (13) months.
  • Research and analysis to improve processes and develop models. Your Personal Data may be used to improve our internal control procedures or to contribute to risk and compliance management. Personal Data is retained for a specified period of time for each of these sub-purposes. 
  • Commercial prospecting, proposing commercial offers adapted to your situation and your consumption profile, carrying out promotional offers and games, commercial events and advertising campaigns. Personal Data may be kept for a maximum of three (3) years from the end of the commercial relationship or, in the case of prospective customers, from the last contact. This Personal Data may be anonymised and aggregated in order to draw up statistical reports. 

Your Personal Data collected and processed in accordance with the aforementioned purposes may be kept for an additional period if the defence of a right or interest so requires, or in order to meet the requirements of French or European authorities such as the ACPR or the Autorité des marchés financiers ("AMF"). In this case, your Personal Data will not be used for any other purpose, it will be kept in an intermediate archive and will only be accessible to authorised persons with a need to know (e.g. legal department, compliance department, audit and inspection bodies).

2 - Provisions specific to remote identity verification

In order to verify your identity remotely and to comply with its legal and regulatory obligations relating to identification, verification of identity and knowledge of its customers, Lydia Solutions is required to collect the following Personal Data directly from you:

  • A colour video of both sides of your official identity document (national identity card or valid European passport or residence permit) and,
  • An authentication video, i.e. a video of your face known as a "video selfie", taken in colour with the front camera of your mobile phone, of sufficient quality and brightness and showing no digital alteration (presence of filters).

To do this, you shall authorise Lydia Solutions to access your mobile phone's microphone and front and back cameras, then film yourself for a few seconds and say a random phrase orally. The videos recorded in this way are viewed by one of our specially authorised staff in order to authenticate you. Once authenticated, the video can no longer be accessed by our employees: it is automatically stored in a semi-intermediate archive.

Nota Bene: Specific technical processing of biometric data (within the meaning of Article 4.14 of the GDPR), captured during the video of your face, is carried out by Lydia Solutions for the purposes of verifying your identity remotely. This specific technical processing of facial images makes it possible to confirm the unique identification of a customer on the basis of their physical, physiological or behavioural characteristics. It also detects the 'living' character of the customer's face to check that it has not been physically or digitally altered. This biometric data is deemed sensitive within the meaning of the GDPR. In order to use this processing in accordance with Article 9 of the GDPR, we shall demonstrate a specific need to identify our customers to enable access to our services, under the supervision of the Commission Nationale de l'Informatique et des Libertés (CNIL) committee.

You are always free to choose whether or not to make an authentication video. You can choose to complete the alternative identity verification process proposed by Lydia Solutions, without any additional constraints, incentives or special considerations.

3 - Specific provisions for requests deemed sensitive

Lydia Solutions may ask you to take an authentication video (a video of your face known as a "video selfie") in order to allow you to carry out requests, deemed sensitive, relating to the modification of your security data and/or during the process of recovering access to your Lydia Solutions account (examples: password recovery, telephone number change or blocked account).

To do this, you shall authorise Lydia Solutions to access your mobile phone's microphone and front and back cameras, then film yourself for a few seconds and state your request orally. The videos recorded in this way are viewed by one of our specially authorised employees for the purpose of authenticating you. Once you have been authenticated, the video is no longer accessible to our employee: it is automatically stored in a semi-intermediate archive. Lydia Solutions does not process these images biometrically. 

You are always free to choose whether or not to make an authentication video. You may choose to use the alternative route for processing requests deemed sensitive, as proposed by Lydia Solutions, without any additional constraints, incentives or special consideration.

4 - Provisions specific to profiling

Lydia Solutions carries out profiling processing, i.e. processing that consists of evaluating certain aspects of its customers concerning their economic situation, their personal preferences or centres of interest, the analysis of their behaviour, or their location and movements.

This profiling is used for various purposes, mainly to secure your transactions, combat fraud, personalise the relationship, prospect for new business or to better meet our obligations relating to the management and monitoring of compliance risks. 

In the case of commercial prospecting, the processing consists of analysing some of your Personal Data in order to establish profiles that correspond to you. These profiles enable us to send you personalised offers that are better adapted to your needs, expectations or situation.

For each of these profiling processing operations, an in-depth analysis is carried out in order to determine whether the processing should be based on your consent, Lydia Solutions' legitimate interest, or on another legal basis (performance of a contract, legal obligation).

If the profiling is based on your consent: we ensure that your consent is obtained, after having informed you in an explicit and transparent manner about the use of your Personal Data. We also allow you to withdraw your consent at any time. 

If the profiling is based on Lydia Solutions' legitimate interests: we will have carried out a prior analysis enabling us to ensure, for each processing operation envisaged, that your interests and fundamental rights are respected and that you can reasonably expect your data to be used in this context. We allow you to object to such processing at any time, under the conditions provided for by the regulations and in accordance with the procedures described in article 6.

5 - Specific provisions for fully automated decisions 

Where Lydia Solutions carries out data processing involving fully automated decision-making, including profiling, which produces legal effects relating to you or which significantly affects you, such processing shall be based on one of the following legal grounds: your consent, the performance of a contract, Lydia Solutions' legitimate interest or a legal obligation. This processing is carried out in accordance with the applicable regulations and is accompanied by appropriate guarantees.

If this profiling has legal consequences for you, you may request the intervention of a human being, in particular in order to obtain a re-examination of your situation, to express your own point of view, to obtain an explanation of the decision taken or to contest the decision. 

6 - Provisions specific to cookies and other trackers

Cookies or other trackers are trackers deposited and read, for example, when visiting a website, reading an e-mail, installing or using software or a mobile application, regardless of the type of terminal used. 

You are informed that during your visits to our sites or when using one of our mobile applications, cookies and trackers may be installed on your terminal equipment. 

Where necessary, we obtain your consent prior to installing such cookies on your terminal equipment and also when we access data stored on your equipment. 

For more information, you can consult Lydia's Cookies and Trackers Policy at any time. 

7 - Specific provisions for access to your telephone directory and telephone recordings

Telephone conversations between you and our customer services departments (customer service, compliance, anti-fraud, etc.) may be recorded for the purposes of staff training, evaluating or improving the quality of our products and services, providing evidence in the fight against fraud, money laundering and the financing of terrorism and for the purposes of verifying your identity in order to exercise your rights in relation to your Personal Data. Prior to any recording, we will inform you and you have the right to object. 

Lydia Solutions allows you to link your mobile phone's contact list to any Lydia Solutions-owned mobile application to find out which of your contacts use our services as you do. To do this, we need to collect the numbers and email addresses in your address book. We do not process this data in any other way (only an imprint and not the collection of raw data is carried out). This information is transmitted and stored encrypted, using a one-way public key. You may disable this feature at any time in any Lydia Solutions-owned mobile application.

Article 5: Legal basis for processing

The processing carried out by Lydia Solutions is based on one of the following legal bases: 

  • The performance of the contract concluded with you (for example: the management of an electronic money or payment account, the issuing of means of payment, the taking out of insurance against loss or theft of means of payment, information relating to transactions carried out via Lydia Solutions).
      • This legal basis underpins the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation and information of an economic and financial nature, financial and transactional data, data relating to the products and services subscribed to and data resulting from correspondence and communications between you and us.
      • The purpose of this processing is: to manage the business relationship, the Lydia Solutions account and/or the products and services subscribed to, its management as well as the implementation of associated insurance, to provide information concerning Lydia Solutions services (updating of contracts / conditions of use of services or information relating to the performance of Lydia Solutions services).
  • Compliance with the legal and regulatory obligations incumbent on Lydia Solutions as an electronic money institution authorised to provide payment services.
      • This legal basis underpins the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation, economic and financial information, financial and transactional data, data relating to the products and services subscribed to, data from correspondence and communications between you and us and any other information or document required to trace the origin and destination of funds from transactions carried out with your account.
      • The purposes of this processing are: customer knowledge, operational risk management, constant vigilance over the business relationship, the fight against money laundering and the financing of terrorism, the application of sanctions and embargoes, obligations relating to the determination of your tax status and compliance with associated tax regulations, ethics and the fight against corruption, the management of dormant accounts and data relating to the tracing of data subjects, data protection and all other obligations relating to the management and monitoring of compliance risks.
  • The pursuit of Lydia Solutions' legitimate interests (e.g. commercial prospecting, surveys and the sending of personalised communications, fraud prevention, analysis of the use made by customers of Lydia Solutions' services and the mobile application or the constitution of datasets to test the effectiveness of the compliance tools put in place by Lydia Solutions).
      • This legal basis underpins the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation, economic and financial information, financial and transactional data, data relating to the products and services subscribed to, login data relating to the use of our services, cookies, data from correspondence and communications between you and us and geolocation data.
      • The purposes of this processing are the prevention of fraud, the prevention of non-payment, the collection and management of disputes (amicable, over-indebtedness and legal disputes), the management of claims, the management of successions, the fight against financial crime, the prevention and management of incivilities towards our employees, the security of our networks, surveillance of our premises, in particular by means of video surveillance, analysis of our risk in terms of entering into business relationships, research and development activities, management of statistical studies and satisfaction surveys for the purpose of improving customer knowledge, commercial prospecting, profiling and marketing segmentation and our communication activities.
      • The choice of this legal basis is made after a rigorous balancing of the interests pursued by Lydia Solutions with your interests, if you are concerned by the processing, and the assessment of reasonable expectations in this respect. We put in place safeguards to protect your interests, rights and fundamental freedoms (e.g. right to information, right to object and right to restrict processing).
  • Consent for specific treatments.
      • This legal basis underlies the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation, economic and financial information, financial and transactional data, data relating to the products and services subscribed to, login data relating to the use of our services, data resulting from correspondence and communications between you, geolocation data, data and other information intended to be communicated to the public and shared with other customers within any mobile application belonging to Lydia Solutions.
      • The purposes of this processing are: commercial prospecting by postal or electronic mail, by text message, by telephone call, the placing and reading of advertising cookies, the management of promotional offers and games and the hosting of public communication areas within any mobile application belonging to Lydia Solutions.
  • The customer's legitimate interest (e.g. the creation of datasets to test the effectiveness of compliance tools put in place by Lydia Solutions, the recording of a proportion of customer calls in order to assess the quality of our services, the fight against fraud).
      • This legal basis is based on the following data: civil status data, identification data, contact details, data relating to your personal and professional situation, and recordings of some customer calls.
      • The purpose of this processing is to evaluate the quality of Lydia Solutions' services, improve the user experience, prevent fraud, and communicate with Lydia Solutions' support and anti-fraud teams.
      • The choice of this legal basis is made after a rigorous balancing of the interests pursued by Lydia Solutions with your interests, if you are concerned by the processing, and the assessment of reasonable expectations in this respect. We put in place safeguards to protect your interests, rights and fundamental freedoms (e.g. right to information, right to object and right to restrict processing).

Article 6: Recipients

Your Personal Data may be communicated for the following purposes: 

  • Lydia Solutions' partners, principals, agents, intermediaries and insurers, subcontractors and service providers (Floa, PayLead, Bitpanda, Braze, Google Cloud Platform). This communication only takes place in the context of processing for one of the purposes described in article 2;
  • In compliance with applicable regulations, to third parties in France or abroad for the purposes of establishing, safeguarding or defending a legal right, as part of administrative or criminal investigations by one or more regulators, to ensure compliance with commitments made to them or as part of legal proceedings of any kind. 
  • To certain regulated professions such as auditors and lawyers, to provide regulatory reports or to act in defence of our rights. 
  • To payment originators and account information service providers, only with your consent or at your request (e.g. Tink).

In application of article L. 511-34 of the French Monetary and Financial Code, the personal information collected may be transmitted by our partners to other entities belonging to the same group of companies (branches and subsidiaries).

Article 7: Your rights

Under the conditions and within the limits authorised by the applicable regulations, you have the following rights: 

  • Access your Personal Data,
  • Have your Personal Data rectified, updated and deleted, bearing in mind that deletion can only take place when:
      • Personal Data is no longer required for the purposes for which it was collected or otherwise processed,
      • You have withdrawn your consent on which the processing was based and there is no other legal basis for it,
      • You have objected to the processing of your Personal Data for reasons relating to your particular situation and there are no compelling legitimate grounds for proceeding,
      • Personal Data has been processed unlawfully,
      • Personal Data shall be deleted to comply with a legal obligation under European Union or French law to which Lydia Solutions is subject,
      • You object to the processing of your Personal Data for reasons relating to your particular situation and there is no compelling legitimate reason to continue,
  • Oppose the processing of your Personal Data for commercial prospecting purposes, including profiling linked to such prospecting (see article 8);
  • Receive the Personal Data concerning you that you have provided to us, for automated processing based on your consent or the performance of a contract, and request the portability of this data to a third party,
  • Request a restriction on the processing of your Personal Data when:
      • You contest the accuracy of the Personal Data for a period of time that allows the data controller to verify the accuracy of the Personal Data,
      • You object to the deletion of your Personal Data even though the processing is unlawful,
      • We no longer need the Personal Data but it is still necessary for the establishment, exercise or defence of legal claims,
      • You have objected to the processing of your Personal Data, during the verification as to whether Lydia Solutions' legitimate reasons override yours.
  • Where processing is based on your consent, you may withdraw that consent at any time, and there is no other legal basis for doing so.

You also have the option of giving us instructions regarding the storage, deletion and communication of your data after your death, which instructions may also be registered with a "certified digital trusted third party". These directives may designate a person to be in charge of executing them. These rights may not, however, have the effect of infringing the rights of heirs or allowing the communication of information to which only the latter may legitimately have access.

You can exercise your rights and contact Lydia Solutions' Data Protection Officer in the following ways:

  • By post sent to the following address: Lydia Solutions, Data Protection Officer, 14 avenue de l'Opéra, 75001 Paris, France.
  • By email sent to the following address: dpo@lydia-app.com. 

Finally, you have the right to lodge a complaint with the CNIL (3, place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - www.cnil.fr), the supervisory authority responsible in France for ensuring compliance with obligations relating to personal data.

Article 8: Commercial prospecting

1 - Commercial prospecting by e-mail and automatic call machines

If you are a natural person not acting for professional purposes, we may canvass you by e-mail, automatic calling machine or text message when you have given your consent at the time of collecting your e-mail address or personal details, or when you are already a customer and the prospecting concerns products or services similar to those already subscribed to. Each commercial prospecting e-mail contains a link allowing you to unsubscribe. 

If you are a natural person acting in a professional capacity, your e-mail address may be used to send you commercial prospecting by e-mail for purposes related to your profession. You may exercise your right to object to commercial prospecting at any time. 

Generic business addresses allocated to a legal entity (company) are not subject to the principles of consent, prior information or the right to object.

Messages and notifications relating to the administrative management of a previously subscribed product or service (alerts, changes to contractual and pricing documentation, etc.) do not fall within the scope of commercial prospecting. 

The settings for the messages and notifications that you may receive from us can be made as part of the service subscribed to, it being understood that some of these notifications may come under regulatory obligations and be of an imperative nature.

2 - Telephone prospecting

We may also contact you by telephone. In accordance with article L.223-2 of the French Consumer Code, you are informed that you can register on a Bloctel telephone anti-solicitation list. However, despite this registration, we may contact you by telephone if there is an ongoing contractual relationship, unless you have previously objected or if you object at the time of the call.

Article 9: Transfers outside the European Economic Area (EEA)

The processing of your Personal Data by Lydia Solutions in accordance with the agreed purposes (see Article 5) may involve transfers to countries outside the European Economic Area (EEA), whose personal data protection laws differ from those of the European Union. 

In particular, your Personal Data may, to the extent permitted by the applicable regulations, be communicated to official bodies and to the competent administrative and judicial authorities of countries that are not members of the EEA, in particular in the context of regulations on the fight against money laundering and the financing of terrorism, international sanctions and embargoes, the fight against fraud and the determination of your tax status.

When personal data is transferred to countries outside the EEA, a precise and stringent legal framework governs the transfer, in accordance with the applicable European regulations, in particular through the signature of standard contractual clauses approved by the European Commission. In addition, appropriate security measures are put in place to ensure the protection of personal data transferred outside the EEA. 

The standard contractual clauses are available on the CNIL website (www.cnil.fr). 

For more information about these international transfers of personal data, you may contact Lydia Solutions' Data Protection Officer in accordance with the procedures set out in Article 7 hereof.

Article 10: Security

Lydia Solutions takes all necessary physical, technical and organisational measures to protect the confidentiality, integrity and availability of your Personal Data, in particular against loss, accidental destruction, alteration and unauthorised access.

Lydia Solutions also takes great care to maintain a high standard of security and confidentiality of your Personal Data by raising the awareness of our employees and business partners, by training our employees in data protection, by implementing content controls, and by implementing tools and practices aimed at obfuscation, anonymization and data encryption, to ensure the protection of your Personal Data against internal and external risks of data leakage.

In the event of a breach of your Personal Data that poses a risk to your rights and freedoms, we will notify the CNIL within the regulatory timeframe. In the event that this breach presents a high risk to your rights and freedoms, we will inform you as soon as possible of the nature of the breach and the measures implemented to remedy it.

Article 11: Lydia Solutions' capacity as host

Lydia Solutions hosts public communication areas allowing you to participate in discussion forums, instant messaging systems or to post content. These public communication areas are places over which Lydia Solutions has no control and over which only you and other customers have control and can publish. As a result, Lydia Solutions cannot be deemed to be the publisher of the content, but only the host, whose mission is to provide its customers with the technical means to directly and permanently store information that is intended to be communicated to the public. In this respect, Lydia Solutions complies with the definition set out in article 6.I.2 of law no. 2004-575 of 21 June 2004 on confidence in the digital economy ("LCEN").

Article 6(I)(5) of the LCEN law states that :

"Knowledge of the disputed facts is presumed to have been acquired by the persons designated in 2 (of article 6 I 2 of the LCEN, i.e. hosting providers) when they are notified of the following: the date of notification; if the notifier is a natural person: his surname, first names, profession, domicile, nationality, date and place of birth; if the applicant is a legal person: its legal form, name, registered office and the body which legally represents it; the name and domicile of the addressee or, if it is a legal person, its name and registered office; a description of the facts in dispute and their precise location; the reasons why the content shall be withdrawn, including a reference to the legal provisions and the justification for the facts; a copy of the correspondence sent to the author or publisher of the disputed information or activities requesting their interruption, withdrawal or modification, or justification for the fact that the author or publisher could not be contacted. ". 

Once Lydia Solutions has been notified of the allegedly illegal or indelicate nature of content under the conditions provided for in paragraph 5 of I of article 6 of the LCEN law as indicated above, we will promptly implement the necessary measures to ensure that the content is no longer accessible. These measures may range from deletion of the content to a temporary or permanent ban on the content hosting service, depending on the seriousness and repetition of the infringements observed. Lydia Solutions also does not carry out general monitoring of content beyond assisting in the repression of, in particular, glorification of crimes against humanity, incitement to racial hatred, child pornography, incitement to violence, in particular incitement to violence against women, and offences against human dignity, in accordance with the provisions of paragraph 7 of I of article 6 of the LCEN law.

In addition, Lydia Solutions is not liable for the content it hosts and shall not be liable for any activity or information stored at your request if Lydia Solutions did not have actual knowledge of its unlawful nature or of facts and circumstances indicating such unlawful nature or if, upon becoming aware of such unlawful nature, Lydia Solutions acted expeditiously to remove or disable access to such information. In this respect, Lydia Solutions reserves the right to remove or suspend access to any content following receipt of a notification or if it has actual knowledge of the manifestly unlawful nature of the content. Lydia Solutions shall in no event be liable for such removal. In any event, Lydia Solutions shall not be liable in any manner whatsoever for any content shared by you.

Article 12: Data controller

12.1. General provisions

Lydia Solutions collaborates, under mandate, with an account information service provider approved by a supervisory authority equivalent to the ACPR and based in the European Union, jointly responsible for the processing of customers' personal data, in accordance with Article 26 of the GDPR. 

Thus, Lydia Solutions and this establishment jointly define the purposes and means of such processing. Customers' personal data are only shared with these co-controllers for the purposes of executing the contracts established with Lydia Solutions.

The list of service providers is given below:

  • Tink AB also enables Lydia Solutions to provide bank account aggregation services and linked account information to Lydia Solutions customers. Tink AB's Privacy Policy is available here.

Lydia Solutions and this entity are bound by mutual information obligations, in particular with regard to the following events: 

  • Any violation of customers' personal data;
  • Any recourse to a new processor carrying out processing of customers' personal data outside the European Economic Area (EEA) and on behalf of Lydia Solutions.

As part of the provision of additional services, Lydia Solutions may also share your Personal Data with partners (such as BitPanda, PayLead and Floa). Please note that PayLead analyses bank transaction data in order to provide you with personalised offers, defined on the basis of your transaction history and your consumption habits.

Lydia Solutions may also communicate the personal data of its customers to one of its suppliers or partners, provided that such data has first been anonymised. This anonymisation consists of removing the following elements: surname and first name, e-mail address, telephone number, postal address and any other element allowing the customer to be identified or contacted directly.

All of Lydia Solutions' customers' personal data is covered by professional secrecy under the terms of Article L.511-33 of the French Monetary and Financial Code.

These partners only have access to the data that is strictly necessary for them to carry out the contracts established with Lydia Solutions.

12.2. Provisions specific to discount services

In order to provide the Remittance Service (as this term is defined in the contractual documentation made available by Lydia Solutions), Lydia Solutions and its partner PayLead act as joint data controllers. 

PAYLEAD is a société par actions simplifiée (simplified joint stock company) with its registered office at 9 rue de Condé, 33064 Bordeaux (France), registered in the Bordeaux Trade and Companies Register under number B 821 725 579. 

PayLead and Lydia Solutions have jointly determined how the Rebate Service works and how your Personal Data is used to provide this service.

PayLead also acts as an independent data controller for the further processing described in section 1.

1. Purposes of processing

The purposes for which we use your Personal Data and the legal basis used are detailed below. The operations carried out on the basis of the performance of the contract are essential for the provision of the Discount Service.

| GENERAL PURPOSE | PROCESSING | LIABLE PARTY | LEGAL BASIS |
|---|---|---|---|
| Program implementation | Implementation of the Cashback Service | Lydia Solutions | Contract performance |
| | Data analysis for establishing user profile and corresponding deals | PayLead | Contract performance |
| | Data analysis for Cashback generation and management based on transaction history | PayLead | Contract performance |
| | Transaction data analysis for geographical coherence of deals displayed to the user | PayLead | Contract performance |
| | Analysis of personalised user experience data based on user purchasing preferences | PayLead | Consent |
| | Sending Cashback to the user | Lydia Solutions | Contract performance |
| | Technical support for user claims | PayLead | Contract performance |
| | Creation of statistics on the performance of deals and of Cashback Service | PayLead | Contract performance |
| Regulatory compliance | Managing user requests regarding GDPR | Lydia Solutions and PayLead | Legal obligation |

The Discount Service is based on an analysis of your banking transactions: on the basis of the catalogue of offers displayed, PayLead identifies the transactions eligible for the payment of a discount.

PayLead also analyses your bank transaction data to provide you with personalised offers based on your transaction history and spending habits. Offer eligibility criteria are defined by the partner retailers and Lydia Solutions. 

The essence of the Discount Service is to enable you to use your bank details to benefit from personalised and relevant offers from partner retailers.

Further processing (within the meaning of Article 13.3 of the GDPR)

PayLead uses your Personal Data for the further processing described below. This processing is carried out by PayLead independently and under its sole responsibility.

| GENERAL PURPOSE | PROCESSING | LEGAL BASIS |
|---|---|---|
| Regulatory compliance | Archiving data that enabled the cashback, for administrative control and potential litigation | Legal obligation |
| Commercial use | Creating reports and statistics for partner companies on the monitoring of deals and their performance | Legitimate interests |
| Security and services performance | Operation, security and updating of PayLead's technical platforms | Legitimate interests |
| Monitoring and improvement of services | Creating aggregated and non-nominative statistics for monitoring the use and quality of PayLead services | Legitimate interests |

As required by applicable regulations, we have verified that the pursuit of our legitimate interests does not infringe the rights and freedoms of users:

  • A user can reasonably anticipate that PayLead will have to report to its partner retailers to keep them informed about the performance and follow-up of its offers.
  • The studies carried out by PayLead do not focus on an individual person, but on a set of aggregated, non-nominative data.
  • PayLead's research is based on pseudonymised data.

2. Personal data processed 

The following Personal Data are communicated to PayLead by Lydia Solutions : 

  • Name of your bank
  • Bank transactions: transaction name, date, place, amount, merchant, truncated PAN number (last 4 digits)
  • unique user identifier (token)

PayLead identifies you only by means of a unique user identifier, called a "token", made up of a series of numbers and letters. This is known as pseudonymisation.

By analysing your banking data, PayLead also processes your consumer habits (your favourite brands, your favourite shops, the geographical areas where you usually shop, your average basket), your average salary, your exceptional income or life events that can be deduced from your purchases (such as weddings, births, etc).

As part of the support procedure, we process additional personal data of any kind that you may communicate to us. On this occasion, we ask you to limit the information shared to what is strictly necessary, and in particular to what is required by us to respond to your request.

3. Data retention period

Your Personal Data is used for a specific period of time, strictly limited to the purposes for which it was collected:

  • Your bank transaction data is deleted after 2 years (from the transaction date) if it has not generated the payment of a discount;
  • Your transaction data is deleted after 5 years (from the transaction date) if it has generated the payment of a discount.

When you decide to unsubscribe from the Discount Service, PayLead deletes all of your Personal Data, with the exception of that relating to the payment of a discount, which is then retained for the aforementioned period of 5 years.

4. Communication to third parties

Your Personal Data is only accessible to PayLead staff who need to know it in order to carry out their duties and provide the Remittance Service.

Certain third parties may have access to your pseudonymised (or anonymised where applicable) Personal Data:

  • Any subcontractors and service providers of PayLead acting for technical and logistical reasons related to the proper execution of the Remittance Service (such as a payment service provider, external security auditors, etc.);
  • Partner retailers to whom PayLead sends a statement of transactions that have generated a discount (amount, time stamp, truncated PAN where applicable).

5. Storage of Personal Data

Your Personal Data is hosted and processed by PAYLEAD exclusively in the European Union (EU). However, PayLead reserves the right to use certain service providers outside the European Economic Area (EEA). In this event, PayLead will inform you of such transfers outside the EU and ensure that your Personal Data is adequately protected in accordance with the requirements of the GDPR. Upon request, PayLead will provide you with a copy of the applicable safeguards.

6. Safety measures

PayLead uses technical and organisational measures that comply with legal and regulatory requirements to keep your Personal Data secure and confidential, including :

  • pseudonymisation of data: PayLead does not know your identity directly
  • introduction of a policy for managing access rights to our tools and databases
  • implementation of a logs policy
  • data encryption
  • anti-virus
  • carrying out penetration tests
  • anonymisation of data where possible
  • training PayLead employees in data security and confidentiality

Under written agreements, PayLead requires its service providers and subcontractors to implement strong security measures to protect the personal data they process on behalf of PayLead.

7. Exercising your rights

Current regulations allow you to retain control over your Personal Data. In this respect, you have the following rights:

  • Right of access: you have the right to obtain a copy of all the personal data we hold about you.
  • Right of rectification: you can ask for your Personal Data to be updated if it is incorrect.
  • Right to object: you have the right to object, in certain cases, to the use of your Personal Data. You may object only to processing based on the legal grounds of "legitimate interests". You shall justify the legitimate reasons for which you wish to object to the use of your Personal Data by PayLead.
  • Right to withdraw your consent: if you have given your consent to a specific processing operation, you may withdraw this consent at any time, without justification. Withdrawal of consent is valid only for the future.
  • Right to limit processing: you have the right to request, in certain cases, that all or part of the processing of your Personal Data be suspended or limited.
  • Right to be forgotten: in certain cases, you may request that all your Personal Data be deleted.
  • Right to portability: you can ask to have your Personal Data returned to you in an understandable and readable format.
  • Right to object to profiling and automated individual decision-making: you have the right to object at any time to the profiling of your Personal Data for direct marketing purposes.

Please note that exercising certain rights may result in your unsubscribing from the Remittance Service insofar as certain processing operations are essential for the provision of the service.

In order to respond to your request, we may ask you to provide us with proof of your identity and/or additional supporting information.

We will do our utmost to respond to your request as quickly as possible.

You may exercise your rights by contacting Lydia Solutions at the address mentioned in Article 7 and/or PayLead at : 

PAYLEAD

For the attention of the DPO

58 bis rue de la Chaussée d'Antin, 75009 PARIS - France

dpo@paylead.fr

You may contact either Lydia Solutions and/or PayLead, who will jointly respond to your request. Please note, however, that as PayLead does not have direct knowledge of your identity, it is recommended that you address your initial request to Lydia Solutions.

Finally, you can lodge a complaint with the CNIL, the French Data Protection Authority (Commission Nationale Informatique et Libertés), located at 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 (more information at www.cnil.fr).