Privacy policy.

At PayLead, we make the protection of your personal data our priority.

We are committed to processing your personal data in a transparent and secure manner, in compliance with the laws and regulations in force, including the General Data Protection Regulation (GDPR) (2016/679/EU).

When you use our platforms or subscribe to our service through one of our banking partners, we process information that belongs to you. That is why we have implemented a strict privacy policy to respect your privacy and to reduce the use of personal data to a strict minimum. In the event that our service is provided to you through one of our banking partners, we invite you to refer to the common confidentiality policy set up specifically within the framework of this partnership.

What is the purpose of this privacy policy?

This privacy policy explicitly explains how we process, store and protect your personal data on a daily basis. Through this policy, we would like to inform you about a number of points as clearly and transparently as possible:

  • Where the data we collect comes from;
  • What type of data we collect;
  • How we collect this data;
  • What we do with it;
  • How long we keep it;
  • If we pass on your personal data to partners and if so, under what controls;
  • How we secure all the data we process;
  • How we update, retrieve or delete your personal data;
  • How to contact us, because we know that sometimes it is just easier to discuss it.

Where do we collect personal data?

As part of subscribing to our services, we collect, with your consent, information that is personal to you. We collect it automatically in order to meet the needs of the execution of a contract, a legal obligation or the legitimate interest of our business.

Our sources of personal data are the following:

  • Our website and websites related to our activities or our business;
  • Our partners;
  • When you register on our site and when you use our mobile application.

What type of data do we collect?

We apply a principle of data minimization that commits us to collect only the data necessary for the proper functioning of our service.

In the case where you subscribe directly to our service via our website or our application we collect:

  • Personal information allowing us to identify you directly, such as your name, your first name, your address, your telephone number;
  • Your bank identifiers in order to make payments;
  • Access to your banking transaction data.

In the event that you use our service as a merchant, we are legally obliged (art. R561-5 of the French Monetary and Financial Code) to collect the following additional information:

  • Copy of the identity document;
  • Articles of Association of the company;
  • KBIS extract;
  • Declaration of beneficiaries.

Within the framework of our reimbursement service via a banking partner, the latter gives us access to the following information:

  • Your bank identifiers in order to proceed with the payments;
  • Access to your bank transaction data in order to identify payments entitling you to cashback.

In the context of security and monitoring:

  • Technical information related to your connections to our services (IP address, browser, operating system version);
  • The pages you visit on our site;
  • The accesses and requests you make to our servers;

In the case of the optimization of our services, and after obtaining your consent:

  • The pages you visit on our site;
  • Your interactions with the site (time spent on a page, clicks, etc.)
  • The accesses and requests you make to our servers.

If you contact our sales department or our after-sales service:

  • All correspondence elements (emails, web chat);
  • Contact information when you use our online forms;
  • Your contact information to reach you (email address or social network identifiers).

If you register or fill out forms to receive marketing information:

  • Your contact information to reach you
  • Your company information to properly address you and provide relevant content

How do we collect this data?

We collect personal data in different ways. Some of this data is collected directly from you:

  • When you register on our site or our application;
  • When you interact with our website or our APIs;
  • When you contact us for information or support;
  • When you register for our newsletter or marketing events or download our analysis and research.

Some data may come from our bank partners.

Why do we process this data?

We process this data for the following purposes.

Concerning the website:

  • Presentation of the PayLead website;
  • To improve your experience on our services and websites;
  • To enable you to access our services;
  • Fight against fraud and more specifically, money laundering;
  • To collect statistical information on the use of our services;
  • To ensure the protection and security of our infrastructure and services;

Concerning our APIs:

  • To allow you to access our services;
  • To allow us to issue invoices regarding the use of our services;
  • To fight against fraud and more particularly, money laundering;
  • Collect statistical information on the use of our services;
  • Within the framework of a dedicated consent: to communicate personalized promotional offers to you;
  • To ensure the protection and security of our infrastructures and services;

Sales and after-sales service:

  • To respond to your requests for assistance;

Marketing efforts:

  • To provide the most relevant marketing information and product news

What is our ethical commitment?

We wish to guarantee a relationship of trust between us. PayLead is committed to many aspects concerning the ethical and responsible nature of the processing of banking transaction data that we are led to analyze.

Among these commitments, we can note the following:

  • The pseudonymization of all the banking transaction data that we analyze. The banking transactions that we analyze are linked to external random tokens provided by banking partners, and do not allow us to identify natural and legal persons (only the partner bank is able to make the link and identify legal persons);
  • PayLead undertakes not to attempt to infer sensitive information falling under Article 9 of the GDPR, such as data on your health, your philosophical or religious opinions, or your sexual orientation;
  • By extension, we undertake not to infer data on political or trade union opinions.

In order to ensure even more protection regarding these data, you may request that PayLead does not retain banking transaction data concerning these categories. However, this could prevent the reimbursement of certain offers.

How long do we keep this data?

This data belongs to you; we only borrow it. The length of time we keep this data varies and depends on the purpose.

As part of the fight against money laundering, and in compliance with our obligations under Articles L561-15 to L561-22 of the French Monetary and Financial Code, we keep personal data relating to your repayments (IBAN, account holder, address, amount) for a period of 5 years. If you have revoked your consent for the processing of your personal data, this legal obligation prevails and we will nevertheless be obliged to keep this data.

All other personal information will not be stored or processed beyond the validity of your consent or for a period of one year if the duration is not explicitly specified.

Do we pass on your personal data to third parties, and under what controls?

Within the framework of our refund offers and in order to transfer your money to you, we use a service provider who specializes in payments. We mandate MangoPay to carry out the transaction. The data that we provide to MangoPay for the transfer order is as follows:

  • Your IBAN
  • The amount and the reason for the transfer

Our payment service provider only acts on our behalf and is not permitted to use the data we provide for any purpose other than that for which they have been commissioned.

How do we secure the data?

PayLead is committed to the protection of your personal data. In addition to the principle of minimization mentioned in the paragraph "What type of data do we collect?", we also apply the principle of pseudonymization.

This process aims to protect your banking transactions when we retrieve them from a banking partner. When we retrieve this information, we obtain associated technical identifiers from our banking partner and we cannot identify you personally by means of this technical identifier.

In addition to this principle of pseudonymization, we implement encryption and protection measures on our servers to ensure the security of your personal data or banking transactions. This includes, but is not limited to, technical measures such as:

  • Firewalls;
  • Database encryption;
  • Monitoring and surveillance of services;
  • Control and audit of data access.

But also organizational measures:

  • Respect for the principle of least privilege;
  • The authorization process and clearance process for data access;
  • External audits.

How to update, retrieve or delete your personal data?

In accordance with Chapter III of the GDPR, you have the right to access, rectify, and in certain cases to oppose and delete your personal data, as well as the right to portability, i.e. to retrieve your personal data in a standardized format.

In order to exercise your personal data rights concerning the data in our mobile application, you can do so directly from our interface.

In the event that you wish to exercise your rights concerning the service that we offer via our banking partners, you can refer to the paragraph "How to contact us" to explain your situation.

It should be noted that under the very strict protection measures that we implement, it is possible that we may not be able to identify your pseudonymized personal data in our information system. In this case, we will contact the banking partner that connects you to our service in order to be able to retrieve your information.

There is, however, an exception to the possibility of requesting the deletion of your personal data. Indeed, under the laws and regulations in the fight against money laundering and the financing of terrorism, we may not be able to delete some of this data before the expiry of a period of 5 years (See paragraph "How long do we keep this data?").

Under Art. L561-45 of the CMF, you are also informed that you may not directly request from PayLead or the partner bank information on the anti-money laundering vigilance activities that may be carried out in your regard, in particular when they may concern possible suspicious transaction reports transmitted to the competent authorities. However, you may turn to the CNIL to exercise an indirect right of access to this information.

Updating of the privacy policy

We are committed to keeping you informed of any changes to our privacy policy. In the event that this modification would result in a significant change, impacting the purposes of processing your personal data or the types of data collected, we will inform you so that you can renew, if you wish, your consent for the new purposes or new types of data collected.

If you do not agree with the new privacy policy, you retain the right to withdraw your consent at any time and to require the deletion of all data we have collected about you in accordance with this privacy policy.

How do you contact us?

If you wish to contact us regarding the processing of your personal data, we will be happy to assist you. To do so, please contact our Data Protection Officer at the following e-mail address: dpo@paylead.fr.

If you wish, you can also contact us by mail:

Paylead
Data Protection Officer
69 rue d'Hauteville
75010 Paris

If we are not the data controller for the data about which you are contacting us, we will indicate the contact point of the data controller or, if it is within our power, we will forward your request directly to the data controller.

For more information on your rights with regard to the protection of personal data, you can visit the site of the Commission Nationale de l'Informatique et des Libertés at www.cnil.fr.