xVous visitez le site Payplug en anglais.Visitez le site en français

Privacy Policy

Last updated on: 2024/05/13

Who is this policy for?

This personal data protection policy is addressed to all natural persons:

  • Visitor to the Website;
  • Prospect; or
  • Payer using PAYPLUG ENTERPRISE SAS services.

Who is the data controller?

The data controller is PAYPLUG ENTERPRISE SAS, registered under number 443 222 682 at Paris Trade and Companies Register. PAYPLUG ENTERPRISE SAS headquarters is located at 110 Avenue de France, 75013 Paris.

What is the purpose of this policy?

The present policy specifies in particular the purposes of the processing of personal data implemented by Payplug in its capacity as data controller, the duration of storage and the rights that you can exercise.

For which purposes does PAYPLUG ENTERPRISE SAS act as a data controller ? 

Payplug is a data controller for the following data processing: 

  • Navigating the Website ; 
  • Prevention of money laundering and terrorist financing risks;
  • Prevention of fraud risks;
  • Customer relationship management;
  • Client development; 
  • Recruitment management. 

For what purposes are your personal data processed and on which legal basis?

Data processingPurpose of the processingLegal basisCategory of persons concernedRetention period
Navigating the WebsitePayplug can be brought to collect personal data (in particular at the time of the consultation, or the sending of messages on the form envisaged for this purpose) to better inform the Visitor and, possibly, to address to him/her the information which he/she wishes to receive.ConsentWebsite visitorsMaximum retention period from collection : 
• Cookies requiring user consent: 6 months.
• Audience measurement cookies: 13 months. 
• Personal data collected via the contact form: 3 years.
Prevention of money laundering and terrorist financing risksAs a result of our activities, we are exposed to certain risks: money laundering, terrorist financing. As a payment institution, we are legally obliged to implement certain measures to combat these risks.Legal obligationOur clients; Payers5 years from the execution of the transaction that was subject to an alert.
5 years from the closure of the account for data and documents relating to the identity of customers.
Prevention of fraud risksPayplug and the companies of Groupe BPCE are moreover held, as payment and credit institutions, with a certain number of legal obligations, in particular for prudential matters. To this end, we must analyse information concerning our clients but also their customers (payers) in order, for instance, to avoid bank card fraud, via Smart 3-D Secure.Legal obligation
Legitimate interest
Our clients; PayersA maximum of 5 years from the closure of the fraud file.
When legal proceedings are initiated, personal data are kept until the end of the legal proceedings.
Managing our customer relationshipsWe process personal data of our customers in order to manage our commercial relationships: to carry out transfers to their bank account, to assist them in case of need, to manage complaints, to offer them personalized solutions.

We also assist merchants who have opened an account on our site in the various stages of activating their account.
Execution of a contract
Legitimate interest
Our clients and their staff5 years after the account is closed.
Developing our customer baseWe may contact professionals who may be interested in our payment solution in order to introduce them to our services. These are professionals (i) who have entered their details on our website; or (ii) who have been put in touch with us by one of our partners; or (iii) whom we have determined by our own means likely to be interested in our solution.
Where customers have been referred to us by partners, and in particular Groupe BPCE, we provide them with information to monitor the referral relationship. This information allows them to follow the progress of the contracting with these customers and to check the calculation of the commissions possibly paid to them by Payplug.
Legitimate interestOur prospects3 years from the date of collection of the prospect's information or the last contact from them.
Recruitment management PAYPLUG ENTERPRISE SAS collects and processes the personal data of its candidates.Legitimate interestOur candidates2 years after the last contact with an unsuccessful candidate.

How long is your personal data stored?

Your personal data will only be kept for the time necessary for the purposes for which they are processed, or for the time prescribed by law or regulation. This retention period is indicated for each processing operation in the table above.

Cookies and other trackers

Browsing the Website may result in the installation of cookie(s) on your equipment (computers, smartphones, digital tablets, etc.). A cookie is a small file that records information relating to browsing on the Website. The data collected in this way is intended in particular to optimize subsequent browsing on the Website, and is also intended to enable various traffic measurements to be taken. The User may configure his browser to refuse the installation of cookies. Refusing to install a cookie may make it impossible to access certain services.

The cookie policy that we implement is available here.

Which personal data do we collect?

For the purposes indicated above, we collect the following data:

Data categoriesList of data
Identity and contact data of our clients and, where applicable, of the directors of our clients and their beneficial owners (natural persons who control the activity of client companies)Surname, first name, address, telephone number, email address, date of birth, nationality, bank details, proof of identity and/or residence, registration number.
Payment and payers dataCredit card data (PAN, CVV, expiration date), identity data (email, last name, first name, telephone number, email address), transaction date and time, transaction amount, billing and shipping data (postal address), navigation data and payment characteristics, connection data (IP address), location data (zip code, IP country, card country).
Navigation data and cookiesIP address, language preferences and other data relating to the consultation of our sites.

From whom do we collect data?

As part of our risk prevention policy, we collect identity and contact data from our clients and their managers or beneficial owners, as well as data relating to their business:

  • Either directly from them when they fill in forms or respond to our requests for additional information;
  • Or indirectly: on public or private databases (e.g. infogreffe.fr, Ellipro, Fircosoft), on the Internet (e.g. our clients' websites and user reviews); and from our clients' customers (who we occasionally ask to confirm the correct execution of their purchases).

Who can access your personal data?

Payplug takes all necessary measures to guarantee the professional secrecy and ensure the safety and confidentiality of your personal data it collects, i.e. to ensure that only authorised people have access to it.

Only the persons authorised by reason of their activities within the competent services of Payplug in charge of the corresponding processes, have access to your personal data within the limit of their authorisations.

We also transmit your personal data to third parties such as:

  • The service providers or subcontractors to whom Payplug entrusts operational functions (in particular our banking and financial partners), other services (lodging, messaging, managing customer relationships), or with which Payplug checks that its customers are not on lists of international sanctions;
  • The judicial, financial authorities (in particular Tracfin) or other governmental organisations;
  • Certain regulated professions, such as lawyers, bailiffs, notaries or auditing firms;
  • Other entities of Groupe BPCE, within the framework of the legal obligations applying to the banking and payment services sectors;
  • Partners such as web agencies or e-commerce software publishers.
  • In the context of the business relationships in place with BPCE and Groupe BPCE institutions, we may also transmit to them our customers' identity and contact data as well as payment data. This information is provided for the purpose of monitoring the business relationships.

Can your data be transferred outside the European Union?

Some of the third parties to whom we transfer your data may process it outside the European Union. In all cases, we take care to implement appropriate safeguards: adequacy decision or standard contractual data protection clauses adopted by the European Commission.

What are your rights regarding your personal data?

You have various rights in relation to your personal data within the limits and conditions permitted by the regulations, including the following rights: 

  • Access to your personal data: you can obtain information about the processing of your personal data and a copy of it. Note that access to data collected in the context of our obligations of vigilance towards our clients can only be exercised through the CNIL, in accordance with Article L. 561-45 of the Monetary and Financial Code;
  • Rectify, update your personal data: if you consider that your personal data is inaccurate or incomplete, you have the right to have this personal data amended accordingly;
  • Deletion: you can request the deletion of your personal data;
  • Request a restriction on the processing of your personal data by us;
  • Request portability of your personal data: you have the right to request the recovery of the personal data you have provided to us or to have it transferred to a third party if technically possible;
  • Withdraw your consent at any time for the processing of your personal data subject to your consent;
  • To object to the processing of your personal data: you can, for legitimate reasons related to your particular situation, object to the processing of your personal data based on the legitimate interest of Payplug, but also object, at any time, to the processing of your personal data for prospecting purposes;
  • To lodge a complaint with a control authority (in France, the CNIL).

How to exercise your rights

You can exercise your rights with regard to any personal data we process by contacting us by e-mail (privacy@payplug.com) or by post, stating your full name, contact details and providing proof of your identity (Payplug - Délégué à la Protection Des Données - 110, avenue de France 75013 Paris).

You may, at any time, lodge a complaint with the competent supervisory authority, i.e. that of the country of the European Economic Area in which you habitually reside, or where you work, or where the alleged breach of regulations was committed.


The present data protection policy may be modified at any time to take account of changes in current regulations or the development of our services.