Privacy Policy
Last updated on: 2024/09/13
Payplug Enterprise SAS is committed to ensuring that its processing of personal data complies with the General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).
The purpose of this privacy policy is to provide you with detailed information on how Payplug Enterprise SAS, acting as data controller, processes and protects your personal data. In particular, it sets out the purposes for which personal data is processed, how long your data is kept and the rights you may exercise.
Who is this policy intended for?
This personal data protection policy is intended for all natural persons:
- Visitors to the PAYPLUG ENTERPRISE SAS website;
- Clients of PAYPLUG ENTERPRISE SAS;
- Prospects of PAYPLUG ENTERPRISE SAS;
- Applicants for employment with PAYPLUG ENTERPRISE SAS;
- Payers (end customers) using the services of PAYPLUG ENTERPRISE SAS.
Data controller
The data controller is PAYPLUG ENTERPRISE SAS, registered with Paris’ trade and company register under number 443 222 682, whose registered office is located at 110 Avenue de France, 75013 Paris.
PAYPLUG ENTERPRISE SAS is a payment institution approved by the Autorité de Contrôle Prudentiel et de Résolution under bank code (CIB) 16378.
What are the purposes for which Payplug is acting as a data controller?
Payplug is a data controller for the following processing operations:
- Client relationship management;
- Developing our client base;
- Prevention of money laundering and terrorist financing risks;
- Prevention of the risk of fraud;
- Recruitment management;
- Navigation on the PAYPLUG ENTERPRISE SAS website(s).
For what purposes are your personal data processed and on which legal basis?
Data processing | Purpose of the processing | Legal basis | Data collection | Category of persons concerned | Retention period |
Managing our client relations | We process our clients' personal data in order to optimize the follow-up of each business relationship (activation of the Payplug account, personalized support, management of any complaints). | Performance of a contract | We collect personal data directly when we enter into a relationship with our clients and during the course of the business relationship; We collect personal data indirectly from public or private databases (e.g. infogreffe.fr, Ellipro, Fircosoft, our customers' websites) and from payers (whom we occasionally ask to confirm that their purchases have been properly executed). | Our clients | 5 years from the end of the business relationship with the client. |
Developing our client base | We may contact professionals who might be interested in our payment solution in order to present them with our services. | Legitimate interest (business prospects only) | Collection of personal data from professionals (i) who have entered their details on our website; or (ii) who have been put in contact with us by one of our partners; or (iii) who we have determined by our own means are likely to be interested in our solution. | Our prospects | 3 years from the date of collection of the prospect's information or the last contact from them. |
Prevention of money laundering and terrorist financing risks | As a payment institution, Payplug is required to implement measures to combat money laundering and the financing of terrorism, such as the identification and verification of the regulatory Know Your Customer (KYC) file, the monitoring of transactions and the prohibition on dealing with persons subject to sanctions. | Legal obligation | We collect our Clients' personal data (KYC) when we enter into a business relationship and during the course of the business relationship; We collect Payers' personal data when payments are made. | Our clients; Payers | 5 years from the end of the business relationship with the client. |
Prevention of fraud risks | In accordance with the legal and regulatory requirements imposed by our status as a payment institution, and for the purposes of monitoring our performance, we are required to implement processes to detect attempted fraud (3D Secure). | Legal obligation | We collect Payers' personal data when payments are made. | Payers | 5 years from the closure of the fraud file, where applicable. |
Recruitment management | We collect and process the personal data of our candidates. | Legitimate interest | We collect candidates' personal data when they apply. | Our candidates | 2 years after the last contact with an unsuccessful candidate. |
Navigating the website | Payplug may collect personal data via cookies in order to ensure the smooth operation of the site and to improve the user experience, in particular by making it possible to remember your preferences on subsequent visits (language, personalized settings). Personal data about visitors to the website may also be collected via our contact form. | Consent | We collect personal data via cookies on the Website. | Visitors to our website | Maximum retention period from collection: - Cookies requiring user consent: 6 months. - Audience measurement cookies: 13 months. - Personal data collected via the contact form: 3 years. |
How long is your personal data kept?
Your personal data is kept for a limited period necessary for the purposes for which it is processed. In some cases, the retention period is prescribed by law or regulation. The retention periods are indicated for each processing operation in the table above.
Cookies and other trackers
Browsing the Website may result in the installation of cookie(s) on your equipment (computers, smartphones, digital tablets, etc.). A cookie is a small file that records information relating to browsing on the Website. The data collected in this way is intended in particular to optimize subsequent browsing on the Website, and is also intended to enable various traffic measurements to be taken. The User may configure his browser to refuse the installation of cookies. Refusing to install a cookie may make it impossible to access certain services.
The cookie policy that we implement is available here.
Which personal data do we collect?
For the purposes indicated above, we collect the following data:
Data categories | List of data |
Identity and contact data of our Customers; Where applicable, identity and contact details of our Customers' directors and beneficial owners. | Surname, first name, postal address, telephone number, email address, date of birth, nationality, bank details, proof of identity and/or address, commercial register number. |
Payers' payment data | Data relating to the payer's identity (surname, first name, email address, telephone number if applicable), bank card data (PAN, CVV, expiry date), transaction date and time, transaction amount, billing and shipping data (postal address), browsing data and payment characteristics, connection data (IP address), location data (postcode, IP country, card country). |
Navigation data and cookies | IP address, language preferences and other data relating to the consultation of our sites, date and time of last connection, number of connections. |
Who can access your personal data?
Payplug takes all necessary measures to guarantee professional secrecy and to ensure the safety and confidentiality of the personal data it collects, i.e. to ensure that only authorised people have access to it.
Only persons authorised by reason of their activities within the competent services of Payplug in charge of the corresponding processes have access to your personal data, within the limits of their authorisations.
We might transmit your personal data to third parties such as:
- The service providers or subcontractors to whom Payplug entrusts operational functions (in particular our banking and financial partners), other services (lodging, messaging, managing customer relationships), or with which Payplug checks that its customers are not on lists of international sanctions;
- Judicial and financial authorities (in particular Tracfin) or other governmental organizations;
- Certain regulated professions, such as lawyers, bailiffs, notaries or auditing firms;
- Other entities of Groupe BPCE, within the framework of the legal obligations applying to the banking and payment services sectors;
- Partners such as web agencies or e-commerce software publishers.
In the context of the business relationships in place with BPCE and Groupe BPCE institutions, we may also transmit to them our customers' identity and contact data as well as payment data. This information is provided for the purpose of monitoring the business relationships.
Can your data be transferred outside the European Union?
Some of the third parties to whom we transfer your data may process it outside the European Union. In all cases, we take care to implement appropriate safeguards: adequacy decision or standard contractual data protection clauses adopted by the European Commission.
What are your rights regarding your personal data?
You have various rights in relation to your personal data within the limits and conditions permitted by the regulations, including the following rights:
- Access to your personal data: you can obtain information about the processing of your personal data and a copy of it. Note that access to data collected in the context of our obligations of vigilance towards our clients can only be exercised through the CNIL, in accordance with Article L. 561-45 of the Monetary and Financial Code;
- Rectify or update your personal data: if you consider that your personal data is inaccurate or incomplete, you have the right to have this personal data amended accordingly;
- Deletion: you can request the deletion of your personal data;
- Request a restriction on the processing of your personal data by us;
- Request portability of your personal data: you have the right to request the recovery of the personal data you have provided to us or to have it transferred to a third party if technically possible;
- Withdraw your consent at any time for the processing of your personal data subject to your consent;
- To object to the processing of your personal data: you can, for legitimate reasons related to your particular situation, object to the processing of your personal data based on the legitimate interest of Payplug, but also object, at any time, to the processing of your personal data for prospecting purposes;
- To file a complaint with a control authority (in France, the CNIL).
How to exercise your rights
You can exercise your rights with regard to any personal data we process by contacting us by e-mail (privacy@payplug.com) or by post, stating your full name, contact details and providing proof of your identity (Payplug - Délégué à la Protection Des Données - 110, avenue de France 75013 Paris).
You may, at any time, lodge a complaint with the competent supervisory authority, i.e. that of the country of the European Economic Area in which you habitually reside, or where you work, or where the alleged breach of regulations was committed.
Modifications
The present data protection policy may be modified at any time to take account of changes in current regulations or the development of our services.