Lydia Solutions privacy policy

Aware of the importance of respecting your privacy and the security of your data, Lydia Solutions hereby reaffirms its commitment to being a trusted player in the processing of your personal data.

In this document (hereinafter "Privacy Policy"), "Lydia", "we", "us" and "our" refer to "Lydia Solutions".

Lydia Solutions, a French company (“société par actions simplifiée”) with capital of €1,786,707, registered in the Trade and Companies Register of Paris under number 534 479 589, domiciled at 14 avenue de l'Opéra, 75001, Paris, France, 

Authorised and supervised by the Autorité de Contrôle Prudentiel et de Résolution Authority ("ACPR", 4 place de Budapest CS 92459 75436 Paris Cedex 09, 01.49.95.40.00) as an electronic money institution authorised to provide payment services, under bank code (CIB) 17598 and REGAFI identifier 62677.

Registered with ORIAS, the French insurance, banking and finance intermediaries' register, under number 18007465, as a non-exclusive banking and payment services agent, insurance intermediary agent, tied agent for investment service providers and banking and payment services intermediary agent.

Lydia Solutions complies with all applicable French and European regulations relating to the protection of personal data, in particular the European Regulation of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (known as the "GDPR") and the Law of 6 January 1978 relating to information technology, files and freedoms (known as the "Loi Informatique et Libertés").

As the controller of your personal data (hereinafter referred to as the "Personal Data"), Lydia Solutions wishes to inform you through this Privacy Policy about :

This Privacy Policy is directed at and applies to you as an individual customer and prospective customer of Lydia Solutions. It also applies to you if you are:

The Privacy Policy is updated regularly to reflect changes in Lydia Solutions' practices as well as potential changes in the regulations applicable to Personal Data. Lydia Solutions invites you to consult it regularly in order to take note of any changes or updates made.

Lydia Solutions may collect and process the following categories of Personal Data: 

This Personal Data is collected either directly from you by Lydia Solutions or, if necessary, indirectly:

As part of our legal and regulatory obligations to monitor business relationships, we may also collect and process information from persons with whom we do not have a direct relationship: a member of your family, a close friend, your employer, your legal representative or a personal contact. The collection and processing of this information is necessary for the purposes of tracing the origin and destination of funds from transactions carried out with your account. 

Certain categories of data or Personal Data collected by Lydia Solutions may be combined in order to better meet the purposes described in Article 4. These reconciliations are carried out by Lydia Solutions taking care to use only the data strictly necessary to achieve the purpose of the processing (in compliance with the principle of data minimisation, provided for by the GDPR).

Lydia Solutions processes the categories of Personal Data referred to in Article 3 on a case-by-case basis to meet different objectives or purposes. Each of these categories is associated with a data retention period after which the data is no longer used, is archived and then anonymised and/or deleted. The purposes justifying the processing of your Personal Data are as follows: 

Your Personal Data collected and processed in accordance with the aforementioned purposes may be kept for an additional period if the defence of a right or interest so requires, or in order to meet the requirements of French or European authorities such as the ACPR or the Autorité des marchés financiers ("AMF"). In this case, your Personal Data will not be used for any other purpose, it will be kept in an intermediate archive and will only be accessible to authorised persons with a need to know (e.g. legal department, compliance department, audit and inspection bodies).

In order to verify your identity remotely and to comply with its legal and regulatory obligations relating to identification, verification of identity and knowledge of its customers, Lydia Solutions is required to collect the following Personal Data directly from you:

To do this, you shall authorise Lydia Solutions to access your mobile phone's microphone and front and back cameras, then film yourself for a few seconds and say a random phrase orally. The videos recorded in this way are viewed by one of our specially authorised staff in order to authenticate you. Once authenticated, the video can no longer be accessed by our employees: it is automatically stored in a semi-intermediate archive.

Nota Bene: Specific technical processing of biometric data (within the meaning of Article 4.14 of the GDPR), captured during the video of your face, is carried out by Lydia Solutions for the purposes of verifying your identity remotely. This specific technical processing of facial images makes it possible to confirm the unique identification of a customer on the basis of their physical, physiological or behavioural characteristics. It also detects the 'living' character of the customer's face to check that it has not been physically or digitally altered. This biometric data is deemed sensitive within the meaning of the GDPR. In order to use this processing in accordance with Article 9 of the GDPR, we shall demonstrate a specific need to identify our customers to enable access to our services, under the supervision of the Commission Nationale de l'Informatique et des Libertés (CNIL) committee.

You are always free to choose whether or not to make an authentication video. You can choose to complete the alternative identity verification process proposed by Lydia Solutions, without any additional constraints, incentives or special considerations.

Lydia Solutions may ask you to take an authentication video (a video of your face known as a "video selfie") in order to allow you to carry out requests, deemed sensitive, relating to the modification of your security data and or during the process of recovering access to your Lydia Solutions account (examples: password recovery, telephone number change or blocked account). 

To do this, you shall authorise Lydia Solutions to access your mobile phone's microphone and front and back cameras, then film yourself for a few seconds and state your request orally. The videos recorded in this way are viewed by one of our specially authorised employees for the purpose of authenticating you. Once you have been authenticated, the video is no longer accessible to our employee: it is automatically stored in a semi-intermediate archive. Lydia Solutions does not process these images biometrically. 

You are always free to choose whether or not to make an authentication video. You may choose to use the alternative route for processing requests deemed sensitive, as proposed by Lydia Solutions, without any additional constraints, incentives or special consideration.

Lydia Solutions carries out profiling processing, i.e. processing that consists of evaluating certain aspects of its customers concerning their economic situation, their personal preferences or centres of interest, the analysis of their behaviour, or their location and movements.

This profiling is used for various purposes, mainly to secure your transactions, combat fraud, personalise the relationship, prospect for new business or to better meet our obligations relating to the management and monitoring of compliance risks. 

In the case of commercial prospecting, the processing consists of analysing some of your Personal Data in order to establish profiles that correspond to you. These profiles enable us to send you personalised offers that are better adapted to your needs, expectations or situation.

For each of these profiling processing operations, an in-depth analysis is carried out in order to determine whether the processing should be based on your consent, Lydia Solutions' legitimate interest, or on another legal basis (performance of a contract, legal obligation).

If the profiling is based on your consent: we ensure that your consent is obtained, after having informed you in an explicit and transparent manner about the use of your Personal Data. We also allow you to withdraw your consent at any time. 

If the profiling is based on Lydia Solutions' legitimate interests: we will have carried out a prior analysis enabling us to ensure, for each processing operation envisaged, that your interests and fundamental rights are respected and that you can reasonably expect your data to be used in this context. We allow you to object to such processing at any time, under the conditions provided for by the regulations and in accordance with the procedures described in article 6. 

Where Lydia Solutions carries out data processing involving fully automated decision-making, including profiling, which produces legal effects relating to you or which significantly affects you, such processing shall be based on one of the following legal grounds: your consent, the performance of a contract, Lydia Solutions' legitimate interest or a legal obligation. This processing is carried out in accordance with the applicable regulations and is accompanied by appropriate guarantees.

If this profiling has legal consequences for you, you may request the intervention of a human being, in particular in order to obtain a re-examination of your situation, to express your own point of view, to obtain an explanation of the decision taken or to contest the decision. 

Cookies or other trackers are trackers deposited and read, for example, when visiting a website, reading an e-mail, installing or using software or a mobile application, regardless of the type of terminal used. 

You are informed that during your visits to our sites or when using one of our mobile applications, cookies and trackers may be installed on your terminal equipment. 

Where necessary, we obtain your consent prior to installing such cookies on your terminal equipment and also when we access data stored on your equipment. 

For more information, you can consult Lydia's Cookies and Trackers Policy at any time. 

Telephone conversations between you and our customer services departments (customer service, compliance, anti-fraud, etc.) may be recorded for the purposes of staff training, evaluating or improving the quality of our products and services, providing evidence in the fight against fraud, money laundering and the financing of terrorism and for the purposes of verifying your identity in order to exercise your rights in relation to your Personal Data. Prior to any recording, we will inform you and you have the right to object. 

Lydia Solutions allows you to link your mobile phone's contact list to any Lydia Solutions-owned mobile application to find out which of your contacts use our services as you do. To do this, we need to collect the numbers and email addresses in your address book. We do not process this data in any other way (only an imprint and not the collection of raw data is carried out). This information is transmitted and stored encrypted, using a one-way public key. You may disable this feature at any time in any Lydia Solutions-owned mobile application.

The processing carried out by Lydia Solutions is based on one of the following legal bases: 

Your Personal Data may be communicated for the following purposes: 

In application of article L. 511-34 of the French Monetary and Financial Code, the personal information collected may be transmitted by our partners to other entities belonging to the same group of companies (branches and subsidiaries).

Under the conditions and within the limits authorised by the applicable regulations, you have the following rights: 

You also have the option of giving us instructions regarding the storage, deletion and communication of your data after your death, which instructions may also be registered with a "certified digital trusted third party". These directives may also be registered with a "certified digital trusted third party". These directives may designate a person to be in charge of executing them. These rights may not, however, have the effect of infringing the rights of heirs or allowing the communication of information to which only the latter may legitimately have access.

You can exercise your rights and contact Lydia Solutions' Data Protection Officer in the following ways:

Finally, you have the right to lodge a complaint with the CNIL (3, place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - www.cnil.fr), the supervisory authority responsible in France for ensuring compliance with obligations relating to personal data.

If you are a natural person not acting for professional purposes, we may canvass you by e-mail, automatic calling machine or text message when you have given your consent at the time of collecting your e-mail address or personal details, or when you are already a customer and the prospecting concerns products or services similar to those already subscribed to. Each commercial prospecting e-mail contains a link allowing you to unsubscribe. 

If you are a natural person acting in a professional capacity, your e-mail address may be used to send you commercial prospecting by e-mail for purposes related to your profession. You may exercise your right to object to commercial prospecting at any time. 

Generic business addresses allocated to a legal entity (company) are not subject to the principles of consent, prior information or the right to object.

Messages and notifications relating to the administrative management of a previously subscribed product or service (alerts, changes to contractual and pricing documentation, etc.) do not fall within the scope of commercial prospecting. 

The settings for the messages and notifications that you may receive from us can be made as part of the service subscribed to, it being understood that some of these notifications may come under regulatory obligations and be of an imperative nature.

We may also contact you by telephone. In accordance with article L.223-2 of the French Consumer Code, you are informed that you can register on a Bloctel telephone anti-solicitation list. However, despite this registration, we may contact you by telephone if there is an ongoing contractual relationship, unless you have previously objected or if you object at the time of the call.

The processing of your Personal Data by Lydia Solutions in accordance with the agreed purposes (see Article 5) may involve transfers to countries outside the European Economic Area (EEA), whose personal data protection laws differ from those of the European Union. 

In particular, your Personal Data may, to the extent permitted by the applicable regulations, be communicated to official bodies and to the competent administrative and judicial authorities of countries that are not members of the EEA, in particular in the context of regulations on the fight against money laundering and the financing of terrorism, international sanctions and embargoes, the fight against fraud and the determination of your tax status.

When personal data is transferred to countries outside the EEA, a precise and stringent legal framework governs the transfer, in accordance with the applicable European regulations, in particular through the signature of standard contractual clauses approved by the European Commission. In addition, appropriate security measures are put in place to ensure the protection of personal data transferred outside the EEA. 

The standard contractual clauses are available on the CNIL website (www.cnil.fr). 

For more information about these international transfers of personal data, you may contact Lydia Solutions' Data Protection Officer in accordance with the procedures set out in Article 7 hereof.

Lydia Solutions takes all necessary physical, technical and organisational measures to protect the confidentiality, integrity and availability of your Personal Data, in particular against loss, accidental destruction, alteration and unauthorised access.

Lydia Solutions also takes great care to maintain a high standard of security and confidentiality of your Personal Data by raising awareness of our employees and business partners and by training our employees in data protection, by implementing content controls, by implementing tools and practices aimed at obfuscation, anonymization, encryption and data encryption to ensure the protection of your Personal Data against internal and external risks of data leakage. 

In the event of a breach of your Personal Data that poses a risk to your rights and freedoms, we will notify the CNIL within the regulatory timeframe. In the event that this breach presents a high risk to your rights and freedoms, we will inform you as soon as possible of the nature of the breach and the measures implemented to remedy it.

Lydia Solutions hosts public communication areas allowing you to participate in discussion forums, instant messaging systems or to post content. These public communication areas are places over which Lydia Solutions has no control and over which only you and other customers have control and can publish. As a result, Lydia Solutions cannot be deemed to be the publisher of the content, but only the host, whose mission is to provide its customers with the technical means to directly and permanently store information that is intended to be communicated to the public. In this respect, Lydia Solutions complies with the definition set out in article 6.I.2 of law no. 2004-575 of 21 June 2004 on confidence in the digital economy ("LCEN"). 

Article 6(I)(5) of the LCEN law states that :

"Knowledge of the disputed facts is presumed to have been acquired by the persons designated in 2 (of article 6 I 2 of the LCEN, i.e. hosting providers) when they are notified of the following: the date of notification; if the notifier is a natural person: his surname, first names, profession, domicile, nationality, date and place of birth; if the applicant is a legal person: its legal form, name, registered office and the body which legally represents it; the name and domicile of the addressee or, if it is a legal person, its name and registered office; a description of the facts in dispute and their precise location; the reasons why the content shall be withdrawn, including a reference to the legal provisions and the justification for the facts; a copy of the correspondence sent to the author or publisher of the disputed information or activities requesting their interruption, withdrawal or modification, or justification for the fact that the author or publisher could not be contacted. ". 

Once Lydia Solutions has been notified of the allegedly illegal or indelicate nature of a content under the conditions provided for in paragraph 5 of I of article 6 of the LCEN law as indicated above, we will promptly implement the necessary measures to ensure that the content is no longer accessible. These measures may range from deletion of the content to a temporary or permanent ban on the content hosting service, depending on the seriousness and repetition of the infringements observed. Lydia Solutions does not also carry out general monitoring of content beyond assisting in the repression of, in particular, glorification of crimes against humanity, incitement to racial hatred and child pornography, incitement to violence, in particular incitement to violence against women, and offences against human dignity in accordance with the provisions of paragraph 7 of I of article 6 of the LCEN law. 

In addition, Lydia Solutions is not liable for the content it hosts and shall not be liable for any activity or information stored at your request if Lydia Solutions did not have actual knowledge of its unlawful nature or of facts and circumstances indicating such unlawful nature or if, upon becoming aware of such unlawful nature, Lydia Solutions acted expeditiously to remove or disable access to such information. In this respect, Lydia Solutions reserves the right to remove or suspend access to any content following receipt of a notification or if it has actual knowledge of the manifestly unlawful nature of the content. Lydia Solutions shall in no event be liable for such removal. In any event, Lydia Solutions shall not be liable in any manner whatsoever for any content shared by you.

12.1. General provisions

Lydia Solutions collaborates, under mandate, with an account information service provider approved by a supervisory authority equivalent to the ACPR and based in the European Union, jointly responsible for the processing of customers' personal data, in accordance with Article 26 of the GDPR. 

Thus, Lydia Solutions and this establishment jointly define the purposes and means of such processing. customers' personal data are only shared with these co-controllers for the purposes of executing the contracts established with Lydia Solutions.

 The list of service providers is given below:

Lydia Solutions and this entity are bound by mutual information obligations, in particular with regard to the following events: 

As part of the provision of additional services, Lydia Solutions may also share your Personal Data with partners (such as BitPanda, PayLead and Floa). Please note that PayLead analyses bank transaction data in order to provide you with personalised offers, defined on the basis of your transaction history and your consumption habits.

Lydia Solutions may also communicate the personal data of its customers to one of its suppliers or partners, provided that such data has first been anonymised. This anonymisation consists of removing the following elements: surname and first name, e-mail address, telephone number, postal address and any other element allowing the customer to be identified or contacted directly.

All of Lydia Solutions' customers' personal data is covered by professional secrecy under the terms of Article L.511-33 of the French Monetary and Financial Code.

These partners only have access to the data that is strictly necessary for them to carry out the contracts established with Lydia Solutions.

12.2. Provisions specific to discount services

In order to provide the Remittance Service (as this term is defined in the contractual documentation made available by Lydia Solutions), Lydia Solutions and its partner PayLead act as joint data controllers. 

PAYLEAD is a société par actions simplifiée (simplified joint stock company) with its registered office at 9 rue de Condé, 33064 Bordeaux (France), registered in the Bordeaux Trade and Companies Register under number B 821 725 579. 

PayLead and Lydia Solutions have jointly determined how the Rebate Service works and how your Personal Data is used to provide this service.

PayLead also acts as an independent data controller for the further processing described in section 1.

The purposes for which we use your Personal Data and the legal basis used are detailed below. The operations carried out on the basis of the performance of the contract are essential for the provision of the Discount Service.

The Discount Service is based on an analysis of your banking transactions: on the basis of the catalogue of offers displayed, PayLead identifies the transactions eligible for the payment of a discount.

PayLead also analyses your bank transaction data to provide you with personalised offers based on your transaction history and spending habits. Offer eligibility criteria are defined by the partner retailers and Lydia Solutions. 

The essence of the Discount Service is to enable you to use your bank details to benefit from personalised and relevant offers from partner retailers.

Further processing (within the meaning of Article 13.3 of the GDPR)

PayLead uses your Personal Data for the further processing described below. This processing is carried out by PayLead independently and under its sole responsibility.

As required by applicable regulations, we have verified that the pursuit of our legitimate interests does not infringe the rights and freedoms of users:

The following Personal Data are communicated to PayLead by Lydia Solutions : 

PayLead identifies you only by means of a unique user identifier, called a "token", made up of a series of numbers and letters. This is known as pseudonymisation.

By analysing your banking data, PayLead also processes your consumer habits (your favourite brands, your favourite shops, the geographical areas where you usually shop, your average basket), your average salary, your exceptional income or life events that can be deducted from your purchases (such as weddings, births, etc).

As part of the support procedure, we process additional personal data of any kind that you may communicate to us. On this occasion, we ask you to limit the information shared to what is strictly necessary, and in particular to what is required by us to respond to your request.

Your Personal Data is used for a specific period of time, strictly limited to the purposes for which it was collected:

When you decide to unsubscribe from the Discount Service, PayLead deletes all of your Personal Data, with the exception of that relating to the payment of a discount, which is then retained for the aforementioned period of 5 years.

Your Personal Data is only accessible to PayLead staff who need to know it in order to carry out their duties and provide the Remittance Service.

Certain third parties may have access to your pseudonymised (or anonymised where applicable) Personal Data:

Your Personal Data is hosted and processed by PAYLEAD exclusively in the European Union (EU). However, PayLead reserves the right to use certain service providers outside the European Economic Area (EEA). In this event, PayLead will inform you of such transfers outside the EU and ensure that your Personal Data is adequately protected in accordance with the requirements of the GDPR. Upon request, PayLead will provide you with a copy of the applicable safeguards.

PayLead uses technical and organisational measures that comply with legal and regulatory requirements to keep your Personal Data secure and confidential, including :

Under written agreements, PayLead requires its service providers and subcontractors to implement strong security measures to protect the personal data they process on behalf of PayLead.

Current regulations allow you to retain control over your Personal Data. In this respect, you have the following rights:

Please note that exercising certain rights may result in your unsubscribing from the Remittance Service insofar as certain processing operations are essential for the provision of the service.

In order to respond to your request, we may ask you to provide us with proof of your identity and/or additional supporting information.

We will do our utmost to respond to your request as quickly as possible.

You may exercise your rights by contacting Lydia Solutions at the address mentioned in Article 7 and/or PayLead at : 

PAYLEAD

For the attention of the DPO

58 bis rue de la Chaussée d'Antin, 75009 PARIS - France

dpo@paylead.fr

You may contact either Lydia Solutions and/or PayLead, who will jointly respond to your request. Please note, however, that as PayLead does not have direct knowledge of your identity, it is recommended that you address your initial request to Lydia Solutions.

Finally, you can lodge a complaint with the CNIL, the French Data Protection Authority (Commission Nationale Informatique et Libertés, located at 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 (more information at www.cnil.fr).