Lydia Personal Data Protection Policy
The french version of this document is available here and prevails over the others.
Conscious of the importance of respecting your privacy and the security of your data, Lydia Solutions reaffirms its commitment to be a trusted actor in the processing of your personal data.
Article 1 : Legal requirements
Lydia Solutions, a simplified joint stock company with a capital of 1,785,979 euros, registered in the Paris Trade and Companies Register under the unique identification number 534 479 589, with registered address at 14 avenue de l'Opéra, 75001, Paris, France,
Authorized and supervised by the Autorité de Contrôle Prudentiel et de Résolution ("ACPR", 4 place de Budapest CS 92459 75436 Paris Cedex 09, 01.49.95.40.00) as an electronic money institution authorized to provide payment services, under the bank code (CIB) 17598 and the REGAFI identifier 62677.
Registered on the unique Register of intermediaries in insurance, banking and finance, held by the ORIAS under the number 18007465, on a secondary basis as: non-exclusive agent in banking operations and payment services (French MOBSP), agent of insurance intermediary (French MIA), tied agent of investment service provider and agent of intermediary in banking operations and payment services (French ALPSI).
Lydia complies with all applicable French and European regulations relating to the protection of personal data, in particular the European Regulation of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (known as the "GDPR") and the Law of 6 January 1978 relating to information technology, files and freedoms (known as the "Information Technology and Freedoms Law").
Article 2 : Purpose
As the controller of your personal data (hereinafter referred to as "Personal Data"), Lydia wishes to inform you through this Data Protection Policy about:
- The categories of your personal data that we collect and process;
- The objectives for which your data is processed (its purposes) and the data retention periods associated with each processing operation;
- The legal bases on which the processing is carried out;
- Recipients and categories of recipients;
- Transfers outside the European Economic Area;
- Your rights regarding your personal data;
- The security of your personal data.
- A person who is interested in Lydia's products, services or content (newsletters, etc.), who subscribes to Lydia's news alerts, who interacts directly or indirectly with Lydia (via its customer service or social networks), or who consults the sites or participates in an event organized by Lydia;
- A candidate interested in the job offers published by Lydia on its website.
The Data Protection Policy is updated regularly to reflect changes in Lydia's practices and potential changes in applicable data privacy regulations. Lydia encourages you to review it regularly for any changes or updates.
Article 3 : Personal data collected and processed
Lydia may collect and process the following categories of personal data:
- Civil status and identification data: surname, first name(s), gender, date and place of birth, nationality, videos of both sides of one or several identity document(s), proof of identity, and authentication videos (which may be subject to biometric processing);
- Contact information: postal addresses, email addresses, telephone numbers;- Data related to your personal situation: family situation, marital status;
- Data related to your professional situation: professional situation ;
- Economic and financial information: income (amount, sources and supporting documents), tax residences, financial and tax situation, accounting data, consumption habits and customs;
- Financial and transactional data (nature of operations, date, card payments, wires direct debits, amount, description of operations, bank details and other account data aggregated to your Lydia account etc.);
- Connection data related to the use of our services: identification and authentication data, logs, cookies and other tracers, navigation data on Lydia's websites and applications;
- Data from correspondence and communications between you and us, carried out remotely: interviews and telephone calls, postal and electronic mail, instant messaging, communications on social networks, claims or complaints or any other type of communication;
- Connection data, data from the device used to connect to the application and data associated with the use of the Lydia application (such as dates and times of access to the Lydia service, computer or telephone hardware data, data associated with the use of the device, unique identifiers, crash data or cookies).
- Data related to the products and services subscribed (type of product, method of payment, maturity, amount);
- Geolocation data (IP address or GPS data of the terminal used);
- Data and information intended to be communicated to the public and shared with other customers within the Lydia application: profile and wallpaper photos, images, photos related to operations performed (which may be subject to biometric processing), comments and other messages;
- Data provided as part of additional services such as loyalty card information provided by the Customer or numbers and email addresses in the Customer's address book (only if the Customer chooses to link his contact directories to the Lydia application in order to know which of his contacts are using the Lydia application, and provided that this transmitted information is stored encrypted, by one-way public key) ;
- Any other information or documents necessary to trace the origin and destination of funds for transactions made with your account.
This personal data is collected either directly from you by Lydia or, if necessary, indirectly:
- With the National Directory of Identification of Natural Persons (Répertoire National d’Identification des Personnes Physiques) ;
- To the Tax administration (Direction Générale des Finances Publiques) ;
- To any judicial or financial authorities, state agencies or public bodies, to the extent permitted by regulation;
- At the financial institution, in whose books you have opened an account, which you may aggregate with your Lydia account, in connection with the provision of payment initiation and account information services.
- Through publications and databases made available by official authorities or authorized third parties, or
- Through websites and social networks that contain information you have chosen to make public.
As part of our legal and regulatory obligations to monitor the business relationship, we may also collect and process information from persons with whom we have no direct relationship: a member of your family, a close friend, your employer, your legal representative, a personal contact. The collection and processing of this information is necessary for the purposes of tracing the origin and destination of funds from transactions made with your account.
Certain categories of data or data collected by Lydia may be matched in order to better meet the purposes described in Article 4. Such reconciliations are performed by Lydia in a manner that ensures that only data that is strictly necessary for the purpose of the processing is used (in compliance with the data minimization principle, as provided for by the GDPR).
Article 4 : Purpose of processing and retention period of personal data
1. General provisions
Lydia processes the categories of personal data referred to in Section 3 on a case-by-case basis to meet different purposes or goals. Each of these categories is associated with a data retention period after which the data is no longer used, archived and then anonymized and/or deleted. The purposes that justify the processing of your personal data are the following:
- Management of the business relationship, the Lydia account and/or the products and services subscribed to, in particular for evidential purposes. Your personal data may be kept for a period of five (5) years from the end of the business relationship or, if applicable, from the end of any legal or collection proceedings and/or the expiration of applicable statutes of limitation.
- The realization of opinion and satisfaction surveys and statistical studies. Your personal data may be kept for a period of three (3) years from the date of the study.
- The fight against fraud (e.g.: establishment of ratings or scores, detection of atypical transactions). Your personal data may be kept for a maximum period of five (5) years from the closing of the file of proven fraud or the issuing of an alert in our systems.
- Compliance with Lydia's legal and regulatory obligations, including Know Your Customer obligations, operational risk management (including computer network security, customer protection, supervision and internal control, transaction security, and security in the use of international payment networks) financial security obligations (anti-money laundering and antiterrorist financing obligations and obligations relating to sanctions and embargoes), obligations relating to the determination of your tax status and compliance with related tax regulations, ethics and anti-corruption; data protection and any other obligations relating to the management and monitoring of compliance risks. Your personal data will be kept for a period of five (5) years as from the generating event provided for by the regulations in force (e.g.: as regards activation, loading and use of electronic money, five years as from the execution of these operations).
- Prevention and detection of criminal offences and/or taking legal action (e.g. for the identification of seriously reprehensible behaviour or acts such as violence against Lydia staff). Your personal data may be retained for a period of five (5) to twenty (20) years, depending on the nature of the offence, from the date of its discovery. Where legal proceedings are initiated, the data will be retained until the end of such proceedings and the expiration of any applicable statute of limitations.
- The management of dormant accounts and data related to the search for the persons concerned. Your data may be kept for a maximum period of thirty (30) years depending on the cases provided for by the regulations in force.
- The recording of your conversations and communications with Lydia, regardless of the medium (emails, letters, telephone conversations, etc.). Depending on applicable regulations, your personal data may be retained for varying periods of time, but not longer than five (5) years from the time of recording. The recording media or their reproduction will be kept for periods proportionate to the purpose of the recording in question (from 6 months for staff training purposes, to 5 years when the telephone recording is likely to be used as evidence).
- Accounting processing: accounting data may be kept for a period of ten (10) years in accordance with the legal provisions in force.
- Cookies and other tracers. The life span of cookies is thirteen (13) months maximum.
- Research or analytical activity for process improvement and model development purposes. Your data may be used to improve our internal control procedures or to assist in risk and compliance management. Data is retained for a specified period of time for each of these sub purposes.
- Commercial prospecting, the proposal of commercial offers adapted to your situation and your consumption profile, the realization of promotional offers and games, commercial animations and advertising campaigns. The data may be kept for a maximum of three (3) years from the end of the commercial relationship or for prospects, from the last contact. This data may be anonymized and aggregated in order to establish statistical reports.
Your data collected and processed in accordance with the above-mentioned purposes may be kept for an additional period of time if the defense of a right or interest so requires, or in order to meet the requirements of French or European authorities such as the ACPR or the Autorité des marchés financiers ("AMF"). In this case, your data will not be used for any other purpose, it will be kept in intermediate storage and will only be accessible to authorized persons with a need to know (e.g. legal department, compliance department, audit and inspection bodies).
2. Specific provisions for remote identity verification
In order to verify your identity at a distance and to comply with its legal and regulatory obligations relating t o identification, verification of identity and knowledge of its customers, Lydia is required to collect the following data directly from you:
- A color video of both sides of your official identity document (national identity card or European passport or valid residence permit) and,
- An authentication video, i.e. a video of your face called a "video selfie", taken in color with the front camera of your cell phone, of sufficient quality and brightness and without any digital alteration (presence of filters).
To do so, you must allow Lydia access to the microphone and the front and back cameras of your cell phone, then film yourself for a few seconds and say a random phrase orally. The recorded videos are viewed by one of our specially trained staff members for the purpose of authenticating you. Once authenticated, the video is no longer accessible by our collaborator: it is automatically stored in a semi-intermediate archive.
Nota Bene: A specific technical processing of biometric data (as defined in Article 4.14 of the GDPR), captured during the video of your face, is performed by Lydia for the purpose of verifying your identity at a distance. This specific technical processing of facial images makes it possible to confirm the unique identification of a customer based on his physical, physiological or behavioral characteristics. It also allows the detection of the "living" character of the customer's face to verify that it has not been physically or digitally altered. These biometric data are considered sensitive in the sense of the GDPR. In order to use this processing in accordance with Article 9 of the GDPR, we justify a specific need to identify our customers to allow access to our services, under the control of the Commission Nationale de l'Informatique et des Libertés (known as "CNIL").
You are always free to choose whether or not to make an authentication video. You can choose to perform the alternative identity verification process offered by Lydia, without any additional constraints, incentives or compensation.
3. Specific provisions for requests deemed sensitive
Lydia may ask you to take an authentication video (a video selfie of your face) in order to allow you to make requests, deemed sensitive, relating to the modification of your security data and or during the process of recovering access to your Lydia account (e.g., forgetting your password, changing your phone number, or blocking your account).
To do so, you must allow Lydia access to the microphone and the front and back cameras of your cell phone, then film yourself for a few seconds and verbally state your request. The recorded videos are viewed by one of our specially authorized staff members in order to authenticate you. Once authenticated, the video is no longer accessible by our employee: it is automatically stored in a semi-intermediate archive. No biometric processing of these images is performed by Lydia.
You are always free to choose whether or not to make an authentication video. You can choose to perform the alternative path for processing sensitive requests, proposed by Lydia, without any additional constraint, incentive or special consideration.
4. Specific provisions for profiling
Lydia engages in profiling, which is the process of assessing certain aspects of its customers' economic situation, personal preferences or interests, behavioral analysis, or location and movements.
These profiling processes have different purposes, mainly to secure your operations, to fight against fraud, to personalize the relationship, for commercial prospecting or to better meet our obligations relating to the management and monitoring of compliance risks.
In the case of commercial prospecting, the processing consists in analyzing some of your data in order to establish profiles that correspond to you. These profiles allow us to send you personalized offers that are better adapted to your needs, expectations or situation.
For each of these profiling processes, a thorough analysis is performed to determine whether the processing should be based on your consent, Lydia's legitimate interest, or another legal basis (performance of a contract, legal obligation).
If profiling is based on your consent: we ensure that your consent is obtained, after having informed you in an explicit and transparent manner about the use of your personal data. We also allow you to withdraw your consent at any time.
If the profiling is based on Lydia's legitimate interest: we will have conducted a prior analysis to ensure, for each proposed processing, that your interests and fundamental rights are respected and that you have a reasonable expectation that your data will be used in this context. We allow you to object to such processing at any time, in accordance with the conditions set forth in the regulations and in the manner described in Article 6.
5. Specific provisions for fully automated decisions
In cases where Lydia implements data processing involving fully automated decision-making, including profiling, and producing legal effects you
We may also use your personal information to process data about you or that significantly affects you on one of the following legal bases: your consent, the performance of a contract, Lydia's legitimate interest or a legal obligation. Such processing is carried out in accordance with applicable regulations and with appropriate safeguards.
In the event that this profiling has legal consequences for you, you may request the intervention of a human being, in particular in order to obtain a re-examination of your situation, to express your own point of view, to obtain an explanation of the decision taken or to challenge the decision.
6. Specific provisions for cookies and other tracers
By cookies or other tracers, we mean tracers deposited and read, for example, when consulting a website, reading an email, installing or using software or a mobile application, regardless of the type of terminal used.
You are informed that during your visits to our sites or when using one of our applications, cookies and tracers may be installed on your terminal equipment.
Where necessary, we obtain your consent prior to installing such cookies on your terminal equipment and also when we access data stored on your equipment.
For more information, you may review Lydia's Tracking and Cookie Usage Policy at any time.
7. Specific provisions for access to your phone book and phone records
Telephone conversations between you and our customer service departments (customer service, compliance, anti-fraud, etc.) may be recorded for the purposes of staff training, evaluating or improving the quality of our products and services, for evidence in the fight against fraud, money laundering and the financing of terrorism, and for the purposes of verifying your identity in connection with the exercise of your rights to your personal data. Before any recording, we inform you and you have the right to object to it.
Lydia allows you to link your cell phone's contact list to the Lydia application to find out which of your contacts use our services as you do. To do this, we need to collect the numbers and email addresses in your address book. We do not further process this data (only a fingerprint and not a collection of raw data is done). This information is transmitted and stored encrypted, using a one
way public key. You can disable this feature at any time in the Lydia application.
Article 5 : Legal basis for carrying out data processing
The processing carried out by Lydia is based on one of the following legal bases:
- Fulfillment of the contract concluded with you (for example: the management of an electronic money or payment account, the delivery of means of payment, the subscription to a
insurance in case of loss or theft of payment means, information on transactions made via Lydia).
● This legal basis is the basis for the processing of the following data: personal data, identification data, contact details, data relating to your personal and professional situation and economic and financial information, financial and transactional data, data relating to the products and services subscribed to and data from correspondence and communications between you and us.
- Compliance with the legal and regulatory obligations incumbent on Lydia as an electronic money institution authorized to provide payment services.
● This legal basis is the basis for the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation, economic and financial information, financial and transactional data, data relating to the products and services subscribed to, data from correspondence and communications between you and us and any other information or document necessary for the research of the origin and destination of the funds of the operations carried out with your account.
● The purposes of this processing are: customer knowledge, operational risk management, constant vigilance over the business relationship, the fight against money laundering and the financing of terrorism, the application of sanctions and embargoes, obligations linked to the determination of your tax status and compliance with associated tax regulations, ethics and the fight against corruption, the management of dormant accounts and data linked to the search for the persons concerned, data protection and all other obligations relating to the management and monitoring of compliance risks.
- Pursuit of Lydia's legitimate interests (e.g., commercial prospection, surveys and personalized communications, fraud prevention, analysis of customer usage of Lydia's services and application, or building datasets to test the effectiveness of Lydia's compliance tools).
● This legal basis is the basis for the processing of the following data: civil status data, identification data, contact details, data related to your personal and professional situation, economic and financial information, financial and transactional data, data related to the products and services subscribed to, connection data related to the use of our services, cookies, data resulting from correspondence and communications between you and us and geolocation data.
● The purpose of this processing is to: prevention of fraud, prevention of non-payment, collection and management of litigation (amicable, overindebtedness and legal disputes), management of claims, management of estates, fight against financial crime, prevention and management of incivilities towards our employees, security of our networks, surveillance of our premises, in particular by means of a video surveillance system, analysis of our risk in terms of entering into business relations, activities of
research and development, the management of statistical studies and satisfaction surveys for the purpose of improving customer knowledge, commercial prospecting, profiling and marketing segmentation and our communication activities.
● The choice of this legal basis is made after a careful balancing of the interests pursued by Lydia with your interests, if you are concerned by the processing, and the assessment of reasonable expectations in this respect. We put in place safeguards to protect your interests, rights and fundamental freedoms (e.g., rights to information, right to object and right to limit processing).
- Consent for specific treatments.
● This legal basis is the basis for the processing of the following data: personal data, identification data, contact information, data related to your personal and professional situation, economic and financial information, financial and transactional data, data related to the products and services you have subscribed to, connection data related to the use of our services, data resulting from correspondence and communications between you, geolocation data, data and other information intended to be communicated to the public and shared with other customers within the Lydia application.
● The purposes of this processing are: commercial prospecting by postal or email, by text message, by telephone call, the deposit and reading of advertising cookies, the management of promotional offers and games and the hosting of public communication areas within the Lydia application.
- The legitimate interest of the customer (e.g., the constitution of data sets to test the effectiveness of compliance tools implemented by Lydia, the recording of a portion of customer calls in order to evaluate the quality level of our services, the fight against fraud, the management of rewards programs and in particular "cashback" (discount/refund))
● The legal basis for the processing is the following data: personal data, identification data, contact data, data related to your personal and professional situation, recordings of part of the customer calls.
● The purpose of this processing is to evaluate the quality of Lydia's services, to improve the user experience, to prevent fraud, to communicate with Lydia's support and anti-fraud teams.)
● The choice of this legal basis is made after a careful balancing of the interests pursued by Lydia with your interests, if you are concerned by the processing, and the assessment of reasonable expectations in this respect. We put in place safeguards to protect your interests, rights and fundamental freedoms (e.g., rights to information, right to object and right to limit processing).
Article 6 : Recipients
Your personal data may be communicated according to the purposes pursued:
- To Lydia's partners, principals, agents, intermediaries and insurers, subcontractors and service providers (Floa, PayLead, Treezor, Bitpanda, Braze, Google Cloud Platform). This communication only takes place in the context of a processing operation that pursues one of the purposes described in article 2;
- In compliance with applicable regulations, to third parties in France or abroad for the purpose of establishing, safeguarding or defending a right in court, in the context of administrative or criminal investigations by one or more regulators, to ensure compliance with commitments made to them or in the context of legal proceedings of any kind.
- To certain regulated professions such as auditors, lawyers, in order to provide regulatory reports or to act in defense of our rights.
- To payment originators and account information service providers, only with your consent or at your request (examples: Budget Insight, Tink).
Under article L. 511-34 of the French Monetary and Financial Code, the personal information collected may be transmitted by our partners to other entities belonging to the same group of companies (branches and subsidiaries).
Article 7 : Your rights
Under the conditions and within the limits authorized by the applicable regulations you have the following rights:
- Access your personal data,
- To have your personal data rectified, updated and deleted, it being specified that deletion can only occur when:
- Personal data is no longer required for the purposes for which it was collected or otherwise processed,
- You have withdrawn your consent on which the processing was based and there is no other legal basis for it,
- You have objected to the processing of your data for reasons relating to your particular situation and there is no compelling legitimate reason to continue,
- Personal data have been processed unlawfully,
- Personal data must be deleted in order to comply with a legal obligation under EU law or under French law to which Lydia is subject,
- You object to the processing of your personal data for reasons relating to your particular situation and there is no compelling legitimate reason to continue,
- Oppose the processing of your personal data for commercial prospecting purposes, including profiling related to this prospecting (see Article 8);
- Receive the personal data about you that you have provided to us, for automated processing based on your consent or the performance of a contract, and request the portability of such data to a third party,
- Request a restriction on the processing of your personal data by us when:
- You challenge the accuracy of the personal data for a period of time that allows the data controller to verify the accuracy of the personal data,
- You object to the deletion of your data when the processing is unlawful,
- We no longer need the data but they are still necessary for the establishment, exercise or defense of legal claims,
- You have objected to the processing of your data, during the verification of whether Lydia's legitimate reasons override yours.
- Where processing is based on your consent, withdrawal of that consent at any time, and there is no other legal basis for it.
In addition, you have the option of providing us with instructions regarding the retention, deletion and disclosure of your data after your death, which instructions may also be registered with a "certified digital trusted third party." These instructions may designate a person to carry out the instructions. These rights cannot, however, have the effect of infringing on the rights of heirs or allowing the communication of information to which only the latter may legitimately have access.
You can exercise your rights and contact Lydia's Data Protection Officer as follows:
- By mail sent to the following address Lydia Solutions, Data Protection Officer, 14 avenue de l'Opéra, 75001 Paris, France.
- By email sent to the following address: firstname.lastname@example.org.
Finally, you have the right to lodge a complaint with the CNIL (3, place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - www.cnil.fr), the supervisory authority in charge of compliance with personal data obligations in France.
Article 8 : Commercial prospecting
1. Commercial prospecting by email and automatic call machine
If you are a natural person not acting for professional purposes, we may prospect you by email, automatic call machine or SMS/MMS when you have given your consent at the time of the collection of your email address or your personal details, or when you are already a customer and the prospecting concerns products or services similar to those already subscribed. Each commercial prospecting email contains a link allowing you to unsubscribe.
If you are a natural person acting in a professional capacity, your email address may be used to send you commercial prospecting by email for purposes related to your profession. You may at any time exercise your right to object to commercial prospecting.
Generic business addresses assigned to a legal entity (company) are not subject to the principles of consent, prior information and the right to object.
Messages and notifications related to the administrative management of a product or service previously subscribed to (alerts, changes in contractual and pricing documentation, etc.) are not considered commercial prospecting.
The settings of the messages and notifications that you may receive from us can be made within the framework of the subscribed service, it being understood that some of these notifications may come under regulatory obligations and present an imperative character.
2. Telephone prospecting
We may also have to prospect you by telephone. In accordance with Article L.223-2 of the Consumer Code, you are informed that you can register on a list of opposition to telephone canvassing Bloctel. However, despite this registration, we may contact you by telephone if there is an ongoing contractual relationship, unless you have previously objected or if you object at the time of the call.
Article 9 : Transfers outside the european economic area (5EEA)
The processing of your personal data by Lydia in accordance with the agreed purposes (see Article 5) may involve transfers to countries outside the European Economic Area (EEA), whose personal data protection laws differ from those of the European Union.
In particular, your personal data may, to the extent permitted by applicable regulations, be communicated to official bodies and authorized administrative and judicial authorities of non-EEA countries, in particular in the context of regulations on the fight against money laundering and the financing of terrorism, international sanctions and embargoes, the fight against fraud and the determination of your tax status.
When personal data is transferred to countries outside the EEA, a precise and demanding legal framework governs this transfer, in accordance with the applicable European regulations, in particular by the signing of standard contractual clauses approved by the European Commission. In addition, appropriate security measures are put in place to ensure the protection of personal data transferred outside the EEA.
The standard contractual clauses are available on the CNIL website (www.cnil.fr).
For more information regarding these international transfers of personal data, you may contact Lydia's Data Protection Officer as described in Section 7 hereof.
Article 10 : Security
Lydia takes all necessary physical, technical and organizational measures to protect the confidentiality, integrity and availability of your personal data, including against loss, accidental destruction, alteration and unauthorized access.
Lydia also takes great care to maintain a high standard of security and confidentiality of your personal data by educating our employees and business partners and training our employees on data protection, by implementing content controls, by implementing tools and practices aimed at obfuscation, anonymization, encryption and data wiping to ensure the protection of your personal data from internal and external data leakage risks
In case of violation of your personal data, presenting a risk for your rights and freedoms, we will notify the CNIL within the regulatory deadline. In the event that this violation presents a high risk to your rights and freedoms, we will promptly inform you of the nature of the violation and the steps taken to remedy it.
Article 11 : Lydia's status as host
Lydia hosts public communication areas that allow you to participate in discussion forums, instant messaging systems or post content. These public communication areas are places over which Lydia has no control and over which only you and other customers have control and can publish. Therefore, Lydia cannot be considered as a content publisher but exclusively as a host whose mission is to provide its customers with technical means to directly and permanently store information intended to be communicated to the public. In this respect, Lydia complies with the definition o f article 6.I.2 of the law n° 2004-575 of June 21, 2004 for confidence in the digital economy ("LCEN").
Paragraph 5 of I of Article 6 of the LCEN states that:
"Knowledge of the disputed facts is presumed to have been acquired by the persons designated in 2 (of article 6 I 2 of the LCEN, i.e. the hosts) when they are notified of the following elements: the date of the notification; if the notifier is a natural person: his surname, first names, profession, domicile, nationality, date and place of birth; if the applicant is a legal person: its form, name, registered office and the body that legally represents it; the name and domicile of the addressee or, if it is a legal person, its name and registered office; the description of the disputed facts and their precise location; the reasons for which the content must be removed, including the legal provisions and justifications of the facts; a copy of the correspondence addressed to the author or publisher of the litigious information or activities requesting their interruption, removal or modification, or the justification that the author or publisher could not be contacted. ".
Once Lydia has been notified of the allegedly illegal or indelicate nature of a content under the conditions provided for in paragraph 5 of I of Article 6 of the LCEN indicated above, we will promptly implement the necessary measures to ensure that the content is no longer accessible. These measures may range from deletion of the content to temporary or permanent banning of the content hosting service in view of the seriousness and repetition of the infringements found.
Lydia also does not carry out general monitoring of content beyond assisting in the repression of, among other things, crimes against humanity, incitement to racial hatred and child pornography, incitement to violence, including incitement to violence against women, and offenses against human dignity in accordance with the provisions of paragraph 7 of Article 6 of the LCEN.
In addition, Lydia is not responsible for the content it hosts and will not be liable or responsible for any activity or information stored at your request if it did not have actual knowledge of the unlawfulness of the content or of facts and circumstances indicating that it was unlawful or if, upon becoming aware of such unlawfulness, it acted expeditiously to remove or disable access to the content. In this regard, Lydia reserves the right to remove or suspend access to any content following upon reception of a notification or if it has actual knowledge of the manifestly unlawful nature of the content. Lydia shall not be liable for such removal. In any event, Lydia will not be liable in any way for any content you share.
Article 12 : Cashback service
12.1. General provisions
Lydia collaborates, under mandate, with payment and electronic money institutions and account information service providers approved by the ACPR, all of which are jointly responsible for processing the personal data of Customers, in accordance with Article 26 of the GDPR.
Thus, Lydia and these institutions jointly define the purposes and means of such processing. Customers' personal data are only shared with these joint controllers for the purpose of performing the contracts established with Lydia.
The list of these service providers is set out below:
Lydia and these entities are bound by mutual disclosure obligations, including with respect to the following events:
- Any breach of Customer personal data;
- Any use of a new sub-contractor processing Customer personal data outside the European Economic Area (EEA) and on behalf of Lydia.
In the course of providing additional optional services, Lydia may also disclose your personal data to partners (such as BitPanda, PayLead and Floa). Please note that PayLead analyses your bank transaction data to provide you with personalised offers based on your transaction history and spending habits.
Lydia may also communicate the personal data of its Customers to one of its suppliers or partners, provided that these data have been anonymised beforehand. This anonymisation consists in removing the following elements: first and last name, email address, telephone number, postal address and any other element that would allow the Customer to be identified or contacted directly.
All personal data of Lydia's Customers are covered by professional secrecy under the conditions of Article L.511-33 of the Monetary and Financial Code.
These partners only have access to data that is strictly necessary for the performance of the contracts established with Lydia.
12.2. Provisions specific to the cashback service
To provide the Cashback Service, Lydia and its partner PayLead act as joint processors.
PAYLEAD is a société par actions simplifiée (simplified joint stock company) whose registered office is located at 9 rue de Condé, 33064 Bordeaux (France), registered with the Registre du Commerce et des Sociétés (RCS) of Bordeaux under number B 821 725 579.
PayLead and Lydia have jointly determined how the Cashback Service operates and how your personal data is used to provide that service.
PayLead also acts as an independent data controller for the further processing set forth in Section 1.
1. Purposes of Processing
The purposes for which we use your personal data and the legal basis for doing so are detailed in the table below. The operations carried out on the basis of the performance of the contract are essential for the provision of the Cashback Service.
Implementation of the Cashback Service
Sending bank transactions to PayLead
Data analysis for establishing user profile and corresponding deals
Data analysis for Cashback generation and management based on transaction history
Transaction data analysis for geographical coherence of deals displayed to the user
Analysis of personnalised user experience data based on user purchasing preferences
Sending Cashback to the user
Technical support for user claims
Creation of statistics on the performance of deals and of Cashback Service
Managing user requests regarding GDPR
Lydia and PayLead
The Cashback Service is based on the analysis of your bank transactions: based on the displayed offer catalog, PayLead identifies the transactions that are eligible for a cashback payment.
PayLead also analyzes your bank transaction data to provide you with personalized offers based on your transaction history and spending habits. The eligibility criteria for the offers are defined by the retail partners and Lydia.
The essence of the Cashback Service is thus to allow you to use your banking data to benefit from personalized and relevant offers from the partner companies.
Further processing (in accordance with Article 13.3 of the GDPR)
PayLead uses your personal data for the further processing described below. These further processing operations are carried out by PayLead on its own initiative and under its sole responsibility.
Archiving data that enabled the cashback - for administrative control and potential litigation
Creating reports and statistics on the monitoring the deals and their performancefor partner company on monitoring of deals and their performance with partner companies
Creating aggregated and non-nominative statistics for commercial use purposes
Security and services performance
Operation, security and updating of Paylead's technical platforms
Monitoring and improvement of servicest
Creating aggregated and non-nominative statistics for monitoring the use and quality of Paylead services
As required by applicable regulations, we have verified that the pursuit of our legitimate interests does not infringe on the rights and freedoms of users:
- A user can reasonably anticipate that PayLead must obligatorily carry out reporting to the partner companies to inform them about the performance and monitoring of offers.
- The studies conducted by PayLead do not focus on an individual person, but on a set of aggregated and non-nominative data.
- PayLead's studies are based on pseudonymized data.
2. Personal data processed
The following personal data are provided to PayLead by Lydia:
- Name of your bank
- Bank transactions: transaction name, date, place, amount, merchant, truncated PAN number (last 4 digits)
- Unique user ID (token)
PayLead identifies you only through a unique user ID, called a "token", consisting of a series of numbers and letters. This is called pseudonymization.
Through the analysis of your banking data, PayLead also processes your consumption habits (your favorite brands, your favorite stores, the usual geographical areas of your purchases, your average basket), your average salary, your exceptional income or life events that can be deducted from your purchases (such as marriage, birth, etc).
As part of the support process, we process additional personal data of any kind that you may provide to us. Please limit the information shared to what is necessary, including what is required by us to respond to your request.
3. Retention Periods
Your personal data is used for a specific period of time, strictly limited to the purposes for which it was collected:
- Your bank transaction data is deleted after 2 years (from the transaction date) if it has not generated the payment of a cashback;
- Your transaction data is deleted after 5 years (from the transaction date) if it has generated the payment of a cashback.
When you decide to unsubscribe from the Cashback Service, PayLead will delete all of your personal data, except for data related to the payment of a Cashback, which will be retained for the 5-year period mentioned above.
4. Communication to third parties
Your personal data is only accessible to PayLead personnel who need to know it in order to perform their duties and provide the Cashback Service.
Certain third parties may have access to your pseudonymized (or anonymized where applicable) personal data:
- PayLead's possible subcontractors and service providers acting for technical and logistical reasons related to the proper performance of the Cashback Service (such as a payment service provider, external security auditors, etc);
- Partner Companies to whom PayLead communicates a record of transactions that have generated a cashback (amount, time stamp, truncated PAN if applicable).
5. Storage of personal data
Your personal data is hosted and processed by PAYLEAD exclusively in the European Union. However, PayLead reserves the right to use certain service providers outside the European Economic Area (EEA). In this event, PayLead will inform you of such transfers outside the EU and ensure that your personal data is properly protected in accordance with the requirements of the GDPR. Upon request, PayLead will provide you with a copy of the applicable safeguards.
6. Security Measures
PayLead uses technical and organizational measures that comply with legal and regulatory requirements to keep your personal data secure and confidential, including:
- pseudonymization of data: PayLead does not know your identity directly
- implementation of a policy for managing access rights to our tools and databases
- implementation of a logs policy
- data encryption
- carrying out intrusion tests
- anonymization of data when possible
- training of PayLead employees in data security and privacy
Under written agreements, PayLead requires its service providers and subcontractors to implement strong security measures to protect the personal data they process on behalf of PayLead.
7. Exercising your rights
Current regulations allow you to maintain control over your personal data. As such, you have the following rights:
- Right of access: you have the right to obtain a copy of all personal data we hold about you.
- Right of rectification: you may request that your personal data be updated if it is incorrect
- Right to object: you have the right to object, in certain cases, to the use of your personal data. Only processing based on the legal basis "legitimate interests" can be objected to by you. You must justify the legitimate reasons why you wish to object to the use of your personal data by PayLead.
- Right to withdraw your consent: If you have given your consent to a specific processing, you may withdraw that consent at any time, without justification. Withdrawal of consent is only valid for the future.
- Right to limit processing: you have the right to request, in certain cases, to suspend or limit all or part of the processing carried out on your personal data.
- Right to be forgotten: you can ask, in certain cases, for the deletion of all your personal data.
- Right to portability: you can ask to have your personal data returned to you in an understandable and readable format.
- Right to object to profiling and automated individual decision: you have the right to object at any time to the profiling processing carried out on your personal data for direct marketing purposes.
Please note that the exercise of certain rights may result in your unsubscribing from the Cashback Service insofar as certain processing is essential for the provision of the service.
In order to respond to your request, we may ask you to provide us with proof of your identity and/or additional supporting information.
We will make every effort to respond to your request as soon as possible.
You may exercise your rights by contacting Lydia at the address mentioned in Article 7 and/or PayLead at :
To the DPO
58 bis rue de la Chaussée d'Antin, 75009 PARIS
You may contact either Lydia and/or PayLead who will jointly respond to your request. Please note, however, that since PayLead does not have direct knowledge of your identity, it is recommended that you address your initial inquiry to Lydia.
Finally, you may file a complaint with the CNIL, the French National Data Protection Authority (Commission Nationale Informatique et Libertés), located at 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 (more information at www.cnil.fr)