Lydia Personal Data Protection Policy
The French version of this document is available here and prevails over the others.
Lydia Solutions ("Lydia") is a simplified joint-stock company registered in Paris under RCS number 534 479 589 with capital of € 1,785,979, established at 14, avenue d’Opéra, 75001 Paris.
Conscious of the importance of respecting the privacy and fundamental rights and freedoms of its customers, Lydia reaffirms its commitment to be a trusted actor in the processing of the personal data of its Individual Customers, by setting out its personal data protection policy below.
1. PURPOSE OF THIS PERSONAL DATA PROTECTION POLICY
This Personal Data Protection Policy is applicable to all its customers and prospects, consumers within the meaning of the preliminary Article of the French Consumer Code, and for the provision of products and services related to electronic money and payment accounts as defined in the General Terms and Conditions of Use of the Lydia Solution for Individuals (hereinafter the "Service").
This policy is updated regularly to reflect changes in Lydia's practices as well as potential changes in the regulations applicable to personal data. Lydia invites its Individual Customers to consult it regularly in order to take note of any changes or updates made.
As a French company, Lydia complies with all applicable French and European regulations relating to the protection of personal data, in particular the European Regulation of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, known as the "RGPD", and the Law of 6 January 1978 relating to information technology, files and freedoms, known as the "Loi Informatique et Libertés".
2. CORE PRINCIPLES
As Lydia attaches great importance to the protection and respect of the privacy of its Individual Customers, it also wishes to inform them of the implementation of appropriate organisational and technical measures and the carrying out of continuous controls in order to ensure the confidentiality and security of its Users' personal data.
Lydia takes great care to maintain a high standard of security and confidentiality of its Individual Customers' personal data by raising the awareness of its employees and business partners and by training its employees in data protection, by implementing tools and practices aimed at obfuscation, anonymisation, encryption and data encryption in order to ensure the protection of its Individual Customers' personal data from internal and external risks of data leakage.
Lydia works with certified financial partners. Lydia and its Partners are joint controllers of natural persons' personal data, within the meaning of Article 26 of the GDPR.
Lydia and its Partners jointly determine the purposes and means of the processing. Natural persons' personal data are transferred to Lydia’s Partners for the sole purpose of properly performing the contract between the natural person and Lydia.
Lydia and its Partners have a duty of mutual information, in particular in the following situations:
- Any breach of personal data concerning natural persons;
- Any subcontractor processing Consumers' personal data outside the EEA on behalf of Lydia.
As part of the provision of optional services, Lydia may also share your personal data with partners (such as BitPanda, PayLead and Floa). Please note that PayLead analyses bank transaction data to provide you with personalised offers based on your transaction history and consumption habits.
4. INFORMATION LYDIA COLLECTS ABOUT ITS CLIENTS
As a data processor within the meaning of the GDPR, Lydia collects and processes the following data:
- Information transmitted directly by the Individual Customer, in particular, when registering for the Service and verifying his/her identity, when purchasing additional products or services in the Application or when contacting Lydia's support department;
- Information collected indirectly when the Individual Customer uses the Lydia Service, in particular when making payment transactions, consulting certain content and subscribing to certain additional services in the Application or by referring to the dedicated platforms of commercial partners.
4.1 Information Clients submit
Creating a Lydia account
When a Client creates a Lydia payment account, he/she provides Lydia with his/her mobile telephone number, first name, and surname. He/She may then provide other information such as his/her email addresses and a profile photo, as well as set a password and a secret question and answer in case he/she forgets his/her password.
To access additional Lydia Services, the Client may provide Lydia with information about his/her payment cards, loyalty cards that he/she wishes to link to the Lydia app, and his/her bank account details. When creating a money pot, the Client may submit a title, a description, and a cover photo for the money pot created.
To verify his/her identity and comply with regulation, Lydia may request copies of the Client’s official proof of identity, a complementary proof of identity, and an authentication video.
The Client has several ways to prove his identity in order to obtain the "Verified Profile" status and to make requests for changes to his Lydia account security data (e.g. in case of forgotten password, change of phone number or blocked account). If the request is deemed sensitive and the Client expressly consents, it can be made by means of an authentication video called "selfie-video".
To do so, the Client must authorize Lydia to access the microphone and the camera of his phone and then film himself for a few seconds to state his request. The recorded videos are viewed by an authorized Lydia Agent who authenticates the Client. After this authentication, the video is no longer accessible by the Agent: it is kept in a semi-intermediate archive.
Nota Bene: a specific technical processing of biometric data (as defined in Article 4.14 of the RGPD), captured during the video selfie, is performed by Lydia when the Client wishes to obtain the "Verified Profile" status. This specific technical processing of the Client's facial images allows or confirms the unique identification of the User based on his physical, physiological or behavioral characteristics.
It also allows the detection of the "living" character of the User to verify that it has not been physically or digitally altered. These biometric data are considered sensitive in the sense of the RGPD. In order to use this processing in accordance with Article 9 of the RGPD, Lydia therefore justifies a specific need to identify its users to allow access to the Service, under the control of the French Commission Nationale de l'Informatique et des Libertés (hereinafter the "CNIL").
The Client is always free to choose whether or not to take a video selfie during the remote identity verification process in order to obtain the "Verified Profile" status ("Know Your Customer" identity verification process) or during the process of recovering access to his Lydia Account (in case of forgotten password, change of phone number or blocking of his Customer Account) and may choose to use another authentication method offered by Lydia, without any additional constraint, incentive or special consideration.
4.2 Information Lydia receives indirectly about the Client when he/she uses Lydia Services
Additional personal information
When the Client provides Lydia with a proof of identity, Lydia collects information on the date of birth, place of birth and nationality.
When the Client uses certain Lydia features, Lydia may receive information on the location, as determined by data like the IP address or the phone’s or computer’s GPS of the Client, in order to provide him/her with a better user experience and to enhance security (e.g. geolocalisation can act as a check in the case of fraud). Most mobile phones let the Client control or disable usage of localisation services by apps within the device’s settings.
Lydia receives information about Clients’ interactions with the Lydia app, such as content consulted, transactions made, or general use of the app (e.g. the date the Client added his/her payment card to the app).
Network and device data
Lydia automatically collects network and device data when the Client uses Lydia Services. This information includes his/her IP address, date and time of use of Lydia Services, data on his/her computer or mobile hardware, data linked to usage of his/her device, unique identifiers, crash analytics, or cookies.
Bank account details
When the Client links his/her bank account to the Lydia app, by providing the log-in details used for online banking, the IBAN number and payees linked to this account are automatically imported into the Lydia app to facilitate transfers between the Customer's Lydia Account and the registered external accounts.
Contacts with Lydia
The Client can link his/her mobile phone address book to the Lydia app to see which of his/her contacts uses the Lydia app. To make the link between a contact in the Client’s phone list and someone who has just signed up to the app, Lydia collects the mobile numbers and email addresses in the Client’s address book. Lydia does not make any other use of this information. As Lydia only needs an imprint of this data, and not the raw data, this data is transferred and stored using encryption, by a unique public key. The Client can disable this feature in the Settings tab of the app.
Communication with the Lydia support team
Lydia keeps a record of communications that the Client may have with the Lydia support team, e.g. email conversations, telephone calls, or a summary of telephone discussions.
Follow-ups of actions carried out by Lydia staff
Lydia staff may be involved in the management of the Clients’ Lydia account. In this instance, the actions performed are also stored in the form of comments (e.g. a Lydia account might be temporarily blocked in the case of suspected fraud).
Information about the bank account aggregation service
Where the Client uses the bank account aggregation service allowing him/her to aggregate his/her bank account(s) in the Lydia app, the data relating to the aggregated account(s) are collected by Lydia: name of the bank, types of bank account (current account, credit account, savings account), transactions carried out and account balance.
4.3 How long Lydia retains Clients' information
In compliance with the regulations against fraud and the financing of terrorism and as indicated in Lydia’s Terms of Service, Lydia is required by French law to retain the following information in intermediate archiving (restricted access, intermediate step before deletion) for five years starting from the date the Client closes his/her account or terminates his/her contractual relationship with Lydia:
- Documents relating to the Client’s identity, whether he/she is a frequent or occasional user;
- Documents and information relating to operations the Client has made;
- Any information collected as part of compliance procedures (fight against fraud, fight against money laundering or terrorism financing...).
Also, as mentioned in our Terms of Service, the Client is no longer considered to be a frequent or occasional user if no transactions have been made in his/her Lydia account for a period of 24 consecutive months.
5. HOW LYDIA USES INFORMATION IT COLLECTS ON CLIENTS
Lydia may use Clients’ personal data to:
- Let them know about payments via Lydia Services that are pending, have been executed, or are to come;
- Inform them that one of their contacts uses the Lydia app;
- Evaluate the effectiveness of its communication, and to adapt the way Lydia communicates with users;
- Let them communicate with the Lydia support team in order to have replies to their questions or requests;
- Manage loyalty programs, giveaways, competitions, or other promotional activities executed by Lydia or its commercial partners;
- Calculate usage levels and rewards, based on payments made with Lydia Services;
- Identify Clients in order to allow them to access services to which they have subscribed (e.g. in case they forget their password) and to authenticate their identity information (e.g. by comparing the photo of their proofs of identity to a selfie they send Lydia by mobile);
- Detect and prevent fraud, abuse, security incidents, and other activities that are forbidden by Lydia (e.g. betting, sales of means of payment);
- Ensure that their personal data are protected (e.g. by deleting their data upon request and/or as the result of a legal deadline for data retention);
- Provide them with the services that they signed up for (e.g. transferring money with another Lydia user);
- Let them personalize certain aspects of their profile or of Lydia products (e.g. when creating a money pot) in order to improve the user experience;
- Understand and analyze their usage of the Lydia app so that Lydia can offer them and/or develop new features that meet their needs;
- Ensure full compliance with current regulation, with Lydia Terms of Service, and with this Personal Data Protection Policy;
- Resolve any contentious issues and honour contracts with third parties.
6. TRANSFER OF PERSONAL DATA
6.1 To Lydia's banking partners, suppliers and operational contractors
All of Clients’ personal data held by Lydia are protected and kept confidential in accordance with article L.511-33 of the Monetary and Financial Code. Lydia Solutions may share Clients’ personal data with its Principals (Budget Insight, Treezor and Tink) and with its suppliers and operational service providers with whom Lydia is contractually tied, in order to provide certain services and process transactions, provided that these third parties guarantee a sufficient level of protection of the data shared in compliance with article 561-7 II b of the Monetary and Financial Code and with the GDPR. These partners and service providers only have access to the data that is strictly necessary for the execution of the contracts established with Lydia Solutions.
Lydia may also share its Clients’ personal data with third party service providers or partners, provided that these data are anonymised beforehand. Anonymising data means removing the following elements: phone number, address, and any other information that could identify the Client or allow him/her to be contacted directly.
Lydia stores its Clients’ personal data in the European Union. However, when a Client uses Lydia Services, his/her data may be transferred to another country, which may have less rigorous data protection laws than those in place in the country in which he/she lives.
This is notably the case for data Lydia transfers to third party service providers operating outside of the European Union, especially in the United States of America. Lydia may use their services to reply to users’ enquiries, to moderate photographs published on Lydia platforms, to provide online payment tools, to provide commercial or advertising services, or SMS or email services.
In this type of transfer, Lydia ensures that the processing is carried out in accordance with this policy and that it complies with the European Commission standard contractual clauses which guarantee a sufficient level of protection of Clients’ personal privacy and basic rights.
6.2 To supervisory authorities
Lydia may disclose information about Clients, including their personal data, to the court, governmental or law enforcement authorities or to authorised third parties, if required or permitted by law, or if such disclosure is reasonably deemed necessary: (i) to comply with its legal obligations, (ii) to comply with legal procedures, and to respond to claims against Lydia, (iii) to respond to verified claims in connection with a criminal investigation (enquête judiciaire) or alleged or suspected illegal activity or any other activity that may expose Lydia or its Users to legal liability, (iv) to perform or execute its Terms of Service or (v) to protect the rights, property or personal safety of Lydia, its employees, users or the public.
If necessary, Lydia may inform its Client of these legal requests, except in the following cases: (i) when any notification is prohibited by the court proceedings, by order of the court or in accordance with existing laws, or (ii) if Lydia is of the opinion that informing the Client would be irrelevant, ineffective, could constitute a risk of injury or personal injury to an individual or a group or create or intensify a risk of fraud concerning our assets or those of its users.
7. COMMERCIAL INTERESTS
In accordance with the relevant laws and with Clients’ consent when required, Lydia may use Clients’ personal data for commercial interest (e.g. to send Clients newsletters, invitations to events or other communication that may be of interest to them, and to display targeted advertising on social media platforms or third-party sites).
The Client can always unsubscribe from Lydia’s email newsletter by setting his/her “Preferences” in the last tab of the Application, by clicking on the unsubscribe link provided in each of Lydia’s communications or by contacting Lydia’s support team by email at: firstname.lastname@example.org.
With regard to targeted advertising on social media platforms (e.g. Facebook, Twitter), the Client can block his/her exposure to targeted social media advertising by configuring the advertising parameters in his/her account settings on these platforms.
8. CLIENTS’ LEGAL RIGHTS
8.1 Request access to personal data
Clients have the right to obtain from Lydia the limitation of the processing of their personal data (for example if they think that their data is inaccurate) or to object at any time, for reasons relating to their particular situation, to the processing of their personal data.
They also have the right to refuse to be the subject of a decision based exclusively on automated processing, including profiling.
8.5 Right to portability
The Clients have the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit them to another controller. If technically possible, they can also ask Lydia for their personal data to be transmitted directly to another data controller.
8.6 Complaints to the supervisory authority
Clients have the right to make a complaint at any time to the relevant supervisory authority, the CNIL, and the right to obtain compensation from the competent courts if they consider that Lydia has not respected their rights to the protection of personal data.
9. LINKS TO OTHER WEBSITES AND SOCIAL NETWORKS
Lydia’s communications may occasionally contain links to the partners’ or third party companies’ websites. These websites have their own privacy policies and Lydia refuses any responsibility for how
- Email: email@example.com
- Address: Data Protection Officer, 14 avenue de l’Opera, 75001 Paris