La version française du document est accessible ici.
Lydia Solutions ("Lydia") is a simplified joint-stock company registered in Paris under RCS number 534 479 589 with capital of € 1,546,417, established at 14, avenue d’Opéra, 75001 Paris.
Lydia is registered with the Autorité de contrôle prudentiel et de résolution - ACPR, established at 4 Place de Budapest - 75436 Paris Cedex 09, under number 534 479 589.
1. PURPOSE OF THIS PERSONAL DATA PROTECTION POLICY
This Personal Data Protection Policy presents how Lydia Solutions, hereafter known as Lydia, as a Data Processor, collects, uses, and/or shares personal data that the Client (natural person) provides or that Lydia collects indirectly during his/her usage of Lydia Services.
This Personal Data Protection Policy applies to Lydia Users and to Lydia Services as defined in our Terms of Service.
As a payment services provider based in France, Lydia is regulated by the French law.
2. CORE PRINCIPLES
Lydia is committed to protecting and respecting its Clients’ privacy. Therefore, Lydia has taken organizational and technical measures to ensure the confidentiality and security of its Clients’ personal data.
Lydia commits to:
- Maintaining a high standard of security and confidentiality of its Clients’ data, both by raising awareness of data protection issues amongst Lydia staff, and also by putting tools into place to ensure the protection of data against internal and external risks (e.g. by obfuscating, anonymizing, or encrypting certain data);
- Acting in its Clients’ best interest - honestly, fairly, and professionally;
- Replying to its Clients’ queries transparently, and to provide correct, clear, and honest information.
Lydia works with certified financial partners. Lydia and its Partners are jointly controllers of the natural persons personal data, within the meaning of GDPR article 26.
Lydia and its Partners jointly determine the treatment's purpose and means. The natural persons personal data are transferred to Lydia’s Partners in the only aim to properly perform the contract between the natural person and Lydia.
Lydia and its Partners have a duty of mutual information, in particular regarding under the following situations :
- Any breach of personal data concerning natural persons;
- Any subcontractor who is treating Consumers personal data outside of the EEA.
4. INFORMATION LYDIA COLLECTS ABOUT ITS CLIENTS
- Information submitted directly by Clients to Lydia;
- Information received indirectly when Clients use Lydia Services.
4.1 Information Clients submit
Creating a Lydia account
When a Client creates a Lydia payment account, he/she provides Lydia with his/her mobile telephone number, first name, and surname. He/She may then provide other information such as his/her email addresses, a profile photo, as well setting a password and a secret question and answer in case he/she forgets his/her password.
To access additional Lydia Services, the Client may provide Lydia with information about his/her payment cards, loyalty cards that he/she wishes to link to the Lydia app, and his/her bank account details. When creating a money pot, the Client may submit a title, a description, and a cover photo for the money pot created.
To verify his/her identity and comply with regulation, Lydia may request copies of the Client’s official proof of identity, a complementary proof of identity, and a video of authentication).
The Client has several ways to prove his identity in order to obtain the "Verified Profile" status and to make requests for changes to his Lydia account security data (e.g. in case of forgotten password, change of phone number or blocked account). If the request is deemed sensitive and the Client expressly consents, it can be made by means of an authentication video called "selfie-video".
To do so, the Client must authorize access to Lydia, the microphone and the camera of his phone and then film himself for a few seconds to state his request. The recorded videos are viewed by an authorized Lydia Agent who authenticates the Client. After this authentication, the video is no longer accessible by the Agent: it is kept in a semi-intermediate archive.
Nota Bene: a specific technical processing of biometric data (as defined in Article 4.14 of the RGPD), captured during the video selfie, is performed by Lydia when the Client wishes to obtain the "Verified Profile" status. This specific technical processing of the Client's facial images allows or confirms the unique identification of the User based on his physical, physiological or behavioral characteristics.
It also allows the detection of the "living" character of the User to verify that it has not been physically or digitally altered. These biometric data are considered sensitive in the sense of the RGPD. In order to use this processing in accordance with Article 9 of the RGPD, Lydia therefore justifies a specific need to identify its users to allow access to the Service, under the control of the Commission Nationale de l'Informatique et des Libertés (hereinafter the "CNIL").
The Client is always free to choose whether or not to take a video selfie during the remote identity verification process in order to obtain the "Verified Profile" status ("Know Your Customer" identity verification process) or during the process of recovering access to his Lydia Account (in case of forgotten password, change of phone number or blocking of his Customer Account) and may choose to use another authentication method offered by Lydia, without any additional constraint, incentive or special consideration.
4.2 Information Lydia receives indirectly about the Client whe he/she uses Lydia Services
Additional personal information
When the Client provides Lydia with a proof of identity, Lydia collects information on the date of birth, place of birthand nationality.
When the Client uses certain Lydia features, Lydia may receive information on the location, as determined by data like the IP address or the phone’s or computer’s GPS of the Client, in order to provide him/her with a better user experience and to enhance security (e.g. geolocalisation can act as check in the case of fraud). Most mobile phones let the Client control or disable usage of localisation services by apps within the device’s settings.
Lydia receives information about Clients’ interactions with the Lydia app, such as content consulted, transactions made, or general use of the app (e.g. the date the Client added his/her payment card to the app).
Network and device data
Lydia automatically collects network and device data when the Client uses Lydia Services. This information includes his/her IP address, date and time of use of Lydia Services, data on his/her computer or mobile hardware, data linked to usage of his/her device, unique identifiers, crash analytics, or cookies.
Bank account details
When the Client links his/her bank account to the Lydia app, by providing the log-in details used for online banking, the IBAN number and payees linked to this account are automatically imported into the Lydia app to facilitate payments from his/her Lydia account to external saved accounts.
Contacts with Lydia
The Client can link his/her mobile phone address book to the Lydia app to see which of his/her contacts uses the Lydia app. To make the link between a contact in the Client’s phone list and someone who has just signed up to the app, Lydia collects the mobile numbers and email addresses in the Client’s address book. Lydia does not make any other use of this information. As Lydia only needs an imprint of this data, and not the raw data, this data is transferred and stored using encryption, by a unique public key. The Client can disable this feature in the Settings tab of the app.
Communication with the Lydia support team
Lydia keeps a record of communications that the Client may have with Lydia support team, e.g. email conversations, telephone calls, or a summary of telephone discussions.
Follow-ups of actions carried out by Lydia staff
Lydia staff may be involved in the management of the Clients’ Lydia account. In this instance, the actions performed are also stored in the form of comments (e.g. a Lydia account might be temporarily blocked in the case of suspected fraud).
Information about the bank account aggregation service
In the case where the Client uses the bank account aggregation service allowing him/her to aggregate his/her bank account(s) to the Lydia app, the data relating to this / these aggregated account(s) are collected by Lydia: name of the bank, types of bank account (current account, credit account, savings account), realized transactions and account's balance.
4.3 How long Lydia retains Clients' information
In compliance with the regulations against fraud and financing terrorism and as indicated in Lydia’s Terms of Service, Lydia is required by the French Law to retain the following information in intermediate archiving (restricted access, intermediate step before deletion) for five years starting from the date the Client close his/her account or terminate his/her contractual relationship with Lydia:
- Documents relating to the Client’s identity, whether he/she is a frequent or occasional user;
- Documents and information relating to operations the Client has made;
- Any information collected as part of compliance procedures (fight against fraud, fight against money laundering or terrorism financing...).
Also, as mentioned in our Terms of Service, the Client is no longer considered to be a frequent or occasional user if no transactions have been made in his/her Lydia account for a period of 24 consecutive months.
5. HOW LYDIA USES INFORMATION IT COLLECTS ON CLIENTS
Lydia may use Clients’ personal data to:
- Let them know about payments via Lydia Services that are pending, have been executed, or are to come;
- Inform them that one of their contacts uses the Lydia app;
- Evaluate the effectiveness of its communication, and to adapt the way Lydia communicates with users;
- Let them communicate with the Lydia support team in order to have replies to their questions or requests;
- Manage loyalty programs, giveaways, competitions, or other promotional activities executed by Lydia or its commercial partners;
- Calculate usage levels and rewards, based on payments made with Lydia Services;
- Identify Clients in order to allow them to access services to which they have subscribed (e.g. in case they forget their password) and to authenticate their identity information (e.g. by comparing the photo of their proofs of identity to a selfie they send Lydia by mobile);
- Detect and prevent fraud, abuse, security incidents, and other activities that are forbidden by Lydia (e.g. betting, sales of means of payment);
- Ensuring that their personal data are protected (e.g. by deleting their data upon request and/or as the result of a legal deadline for data retention);
- Provide them with the services that they signed up for (e.g. transferring money with another Lydia user);
- Let them personalize certain aspects of their profile or of Lydia products (e.g. when creating a money pot) in order to improve the user experience;
- Understand and analyze their usage of the Lydia app so that Lydia can offer them and/or develop new features that meet their needs;
- Ensure full compliance with current regulation, with Lydia Terms of Service, and with this Personal Data Protection Policy;
- Resolve any contentious issues and honour contracts with third parties.
6. TRANSFER OF PERSONAL DATA
6.1 To Lydia's banking partners, suppliers and operational contractors
All of Clients’ personal data held by Lydia are protected and kept confidential in accordance with article L.511-33 of the monetary and financial code. Lydia Solutions may share Clients’ personal data with its Principals (OKALI, Budget Insight and Treezor) and with its suppliers and operational service providers with whom Lydia is contractually tied, in order to provide certain services and process transactions, under condition that these third parties guarantee a sufficient level of protection of the data shared in compliance with article 561-7 II b of the monetary and financial code and in respect with the GDPR. These partners and service providers only have access to the data that is strictly necessary for the execution of the contracts established with Lydia Solutions.
Lydia may also share its Clients’ personal data to third party service providers or partners, under condition that these data are anonymised beforehand. Anonymising data means removing the following elements: phone number, address, and any other information that could identify the Client or allow him/her to be contacted directly.
Lydia stores its Clients personal data in the European Union. However, when a Client uses Lydia Services, his/her data may be transferred to another country, which may have less rigorous data protection laws that those in place in the country in which he/she live.
This is notably the case for data Lydia transfers to third party service providers operating outside of the European Union, especially in the United States of America. Lydia may use their services to reply to users’ enquiries, to moderate photographs published on Lydia platforms, to provide online payment tools, to provide commercial or advertising services, or SMS or email services.
In this type of transfer, Lydia ensures that the processing is carried out in accordance with this policy and that it complies with the European Commission standard contractual clauses which guarantee a sufficient level of protection of Clients’ personal privacy and basic rights.
6.2 To supervisory authorities
Lydia may disclose information about Clients, including their personal data, to the court, governmental or law enforcement authorities or to authorised third parties, if required or permitted by law, or if such disclosure is reasonably deemed necessary: (i) to comply with its legal obligations, (ii) to comply with legal procedures, and to respond to claims against Lydia, (iii) to respond to verified claims during an alleged or suspected illegal investigation or illegal activity or any other activity that may expose Lydia or its users to legal liability, (iv) to perform or execute its Terms of Service or (v) to protect the rights, property or personal safety or Lydia, its employees, users or the public.
If necessary, Lydia may inform its Client of these legal requests, except in the following cases: (i) when any notification is prohibited by the court proceedings, by order of the court or in accordance with existing laws, or (ii) if Lydia is of the opinion that informing the Client would be irrelevant, ineffective, could constitute a risk of injury or personal injury to an individual or a group or create or intensify a risk of fraud concerning our assets or those of its users.
7. COMMERCIAL INTERESTS
In accordance with the relevant laws and with Clients’ consent when required, Lydia may use Clients’ personal data for commercial interest (e.g. to send Clients newsletters, invitations to events or other communication that may be of interest to them, and to display targeted advertising on social media platforms or third-party sites).
The Client can always unsubscribe from Lydia’s email newsletter by setting his/her “Preferences” in the last tab of the Application, by clicking on the unsubscribe link provided in each of Lydia’s communications or by contacting Lydia’s support team by email at: firstname.lastname@example.org.
With regard to targeted advertising on social media platforms (e.g. Facebook, Twitter), the Client can block his/her exposure to targeted social media advertising by configuring the advertising parameters in his/her account settings on these platforms.
8. CLIENTS’ LEGAL RIGHTS
8.1 Request access to personal data
Clients have the right to request confirmation from Lydia whether their personal data are being processed or not and, if so, to obtain information on how these are being processed. Clients can also request a copy of the personal data Lydia holds about them. To respond to this request, Lydia may verify the Client’s identity and ask him/her to provide more information about this request. Lydia commits to responding to such requests within a reasonable period of time, in accordance with the law.
8.2 Request correction of the personal data that Lydia holds about its Clients
Via the Lydia app, a Partner Application, or Lydia’s support team, Clients can ask Lydia to correct, modify, delete, or complete any incomplete or inaccurate data Lydia holds about its Clients.
8.3 Request the right to erase (right to be forgotten)
Clients have the right to ask Lydia to delete their personal data within a reasonable timeframe, in particular when:
- There is no longer a good reason for Lydia to continue to process or collect these data;
- The client has withdrawn his/her consent or objected to the processing of his/her personal data;
- Client’s personal data have been subject to unlawful processing;
- Lydia is not legally bound by the French legislator to keep Client’s data in the fight against money laundering and financing terrorism (see 2.3 How long Lydia retains Clients’ information).
8.4 Request restriction of objection to processing of Clients’ personal data
Clients have the right to ask Lydia to restrict the processing of their personal data (e.g. if Clients think that their data are inaccurate) or to object to the processing of their personal data at any time, for reasons based on their own particular situation.
Clients can also object to Lydia using their data for certain types of automated processing, including direct marketing.
8.5 Request the transfer of Clients’ personal data
Clients have the right to request a copy of their personal data in a structured, commonly used, machine-readable format, which they can then transfer to another data controller. If technically possible, Clients may also ask Lydia to transfer their personal data directly to another controller.
8.6 Complaints to the supervisory authority
Clients have the right to make a complaint at any time to the relevant supervisory authority or to obtain legal compensation if they consider that Lydia has not respected their rights.
9. LINKS TO OTHER WEBSITES AND SOCIAL NETWORKS
Lydia’s communications may occasionally contain links to the partners’ or third party companies’ websites. These websites have their own privacy policies and Lydia refuses any responsibility for how these websites use information collected when Clients click on these links.
10. CHANGES TO THIS PERSONAL DATA PROTECTION POLICY
Lydia may occasionally change this Personal Data Protection Policy. When necessary, Lydia informs its Clients by the most appropriate means.
- Email : email@example.com
- Address : Data Protection Officer, 14 avenue de l’Opera, 75001 Paris