Who is this policy for?
This personal data protection policy is addressed to all natural persons:
- Visitor to the Website;
- Prospect; or
- Payer using the “Payplug SMB” services marketed by PAYPLUG.
This policy does not apply to Payers using the “Payplug Enterprise” services marketed by PAYPLUG ENTERPRISE.
What is the purpose of this policy?
The present policy specifies in particular the purposes of the processing of personal data implemented by Payplug in its capacity as data controller or joint data controller, the duration of storage and the rights that you can exercise.
Who is the data controller?
Payplug is the data controller for the following processing operations:
- Prevention of money laundering and terrorism financing risks;
- Prevention of fraud risks;
- Managing our customer relationships;
- Developing our customer base.
Payplug has the capacity of joint controller for the following processing operations:
- Payment processing;
- Storage of payment card information to facilitate future purchases;
- Implementation of the Smart 3D-Secure.
Payplug is registered at the register of commerce and companies of Paris under the number RCS 751 658 881; its head office is located at 110 avenue de France, 75013 Paris. It is a payment institution registered with the Autorité de Contrôle Prudentiel et de Résolution (ACPR) under number 16778.
For what purposes are your personal data processed and on what basis?
|Treatment||Purpose of the processing||Legal basis||Category of persons concerned||Retention period|
|Navigating the Website||Payplug can be brought to collect personal data (in particular at the time of the consultation, or the sending of messages on the form envisaged for this purpose) to better inform the Visitor and, possibly, to address to him/her the information which he/she wishes to receive.||Consent||Website visitors||For a maximum period of three (3) years.|
|Payment processing||We process personal data to provide our service of acquiring payment orders (card payments, refunds), and to confirm the correct execution of these operations where necessary.||Execution of a contract||“Payplug SMB” payer||A maximum of 5 years from the end of the contractual relationship with the customer.|
The complete credit card data of our client’s customers is kept only for the duration of the payment.
|Card data retention||We also retain the credit card details of our customers who have requested it in order to facilitate future purchases or to process split payments, subscriptions or deferred payments.||Consent||“Payplug SMB” payer||The complete credit card data of our clients’ customers is kept until the withdrawal of consent when they have requested the retention of this data.|
|Prevention of money laundering and terrorism financing risks||As a result of our activities, we are exposed to certain risks: money laundering, terrorist financing. As a payment institution, we are legally obliged to implement certain measures to combat these risks.||Legal obligation||“Payplug SMB” payer||5 years from the execution of the transaction for information to justify the transaction.|
5 years from the closure of the account for data and documents relating to the identity of customers.
|Prevention of fraud risks||Payplug and the companies of Groupe BPCE are moreover held, as payment and credit institutions, with a certain number of legal obligations, in particular for prudential matters. To this end, we must analyse information concerning our clients but also their customers (in order to avoid bank card fraud, via Smart 3D Secure).||Legal obligation|
|Our clients and their customers||A maximum of 5 years from the closure of the fraud file.|
When legal proceedings are initiated, personal data are kept until the end of the legal proceedings.
|Managing our customer relationships||We process personal data of our customers in order to manage our commercial relationships: to carry out transfers to their bank account, to assist them in case of need, to manage complaints, to offer them personalised solutions. We also assist merchants who have opened an account on our site in the various stages of activating their account.||Execution of a contract|
|Our clients and their staff||5 years after the account is closed.|
|Developing our customer base||We may contact professionals who may be interested in our payment solution in order to introduce them to our services. These are professionals (i) who have entered their details on our website; or (ii) who have been put in touch with us by one of our partners; or (iii) whom we have determined by our own means likely to be interested in our solution.|
Where customers have been referred to us by partners, and in particular Groupe BPCE, we provide them with information to monitor the referral relationship. This information allows them to follow the progress of the contracting with these customers and to check the calculation of the commissions possibly paid to them by Payplug.
|Legitimate interest||Our prospects and clients||3 years from the date of collection of the prospect’s information or the last contact from them.|
|Compilation of statistics||We process personal data for statistical purposes to improve our knowledge of our customers and the services we offer. We also conduct customer satisfaction surveys and measurement.||Legitimate interest||Our clients and their staff||5 years after the account is closed.|
How long is your personal data stored?
Your personal data will only be kept for the time necessary for the purposes for which they are processed, or for the time prescribed by law or regulation. This retention period is indicated for each processing operation in the table above.
Cookies and other trackers
Browsing the Website may result in the installation of cookie(s) on your equipment (computers, smartphones, digital tablets, etc.). A cookie is a small file that records information relating to browsing on the Website. The data collected in this way is intended in particular to optimise subsequent browsing on the Website, and is also intended to enable various traffic measurements to be taken. The User may configure his browser to refuse the installation of cookies. Refusing to install a cookie may make it impossible to access certain services.
What personal data do we collect?
For the purposes indicated above, we collect the following data:
|Data categories||List of data|
|Identity and contact data of our clients and, where applicable, of the directors of our clients and their beneficial owners (natural persons who control the activity of client companies):||Surname, first name, address, telephone number, email address, date of birth, nationality, bank details, proof of identity and/or residence, etc.|
|Data on the activity for which Payplug is used by our customers:||Website, SIRET number, turnover, average basket, types of products sold, etc.|
|Payment data and customer data of our customers:||Credit card data (PAN, CVV, expiry date), identity data (email, surname, first name), date, amount, navigation data and payment characteristics (e.g. shipping data), etc.|
|Browsing data and cookies||IP address, language preferences and other data relating to the consultation of our sites, etc.|
From whom do we collect data?
As part of our risk prevention policy, we collect identity and contact data from our clients and their managers or beneficial owners, as well as data relating to their business:
– Either directly from them when they fill in forms or respond to our requests for additional information;
– Or indirectly: on public or private databases (e.g. infogreffe.fr, Ellipro, Fircosoft), on the Internet (e.g. our clients’ websites and user reviews); and from our clients’ customers (who we occasionally ask to confirm the correct execution of their purchases).
Who can access your personal data?
Payplug takes all necessary measures to guarantee the professional secrecy and ensure the safety and confidentiality of your personal data it collects, i.e. to ensure that only authorised people have access to it.
Only the persons authorised by reason of their activities within the competent services of Payplug in charge of the corresponding processes, have access to your personal data within the limit of their authorisations.
We also transmit your personal data to third parties such as
– The service providers or subcontractors to whom Payplug entrusts operational functions (in particular our banking and financial partners), other services (lodging, messaging, managing customer relationships), or with which Payplug checks that its customers are not on lists of international sanctions;
– The judicial, financial authorities (in particular Tracfin) or other governmental organisations;
– Certain regulated professions, such as lawyers, bailiffs, notaries or auditing firms;
– Other entities of the Groupe BPCE, within the framework of the legal obligations applying to the banking and payment services sectors;
– Partners such as web agencies or e-commerce software publishers.
In the context of the business relationships in place with BPCE and Groupe BPCE institutions, we may also transmit to them our customers’ identity and contact data as well as payment data. This information is provided for the purpose of monitoring the business relationships.
Can your data be transferred outside the European Union?
Some of the third parties to whom we transfer your data may process it outside the European Union. In all cases, we ensure that appropriate safeguards are in place, such as choosing third parties who participate in the US-EU Privacy Shield or sign the standard data protection clauses adopted by the European Commission.
What are your rights regarding your personal data?
You have various rights in relation to your personal data within the limits and conditions permitted by the regulations, including the following rights
- Access to your personal data: you can obtain information about the processing of your personal data and a copy of it. Note that access to data collected in the context of our obligations of vigilance towards our clients can only be exercised through the CNIL, in accordance with Article L. 561-45 of the Monetary and Financial Code;
- Rectify, update your personal data: if you consider that your personal data is inaccurate or incomplete, you have the right to have this personal data amended accordingly;
- Deletion: you can request the deletion of your personal data;
- Request a restriction on the processing of your personal data by us;
- Request portability of your personal data: you have the right to request the recovery of the personal data you have provided to us or to have it transferred to a third party if technically possible;
- Withdraw your consent at any time for the processing of your personal data subject to your consent;
- To object to the processing of your personal data: you can, for legitimate reasons related to your particular situation, object to the processing of your personal data based on the legitimate interest of Payplug, but also object, at any time, to the processing of your personal data for prospecting purposes;
- To lodge a complaint with a control authority (in France, the CNIL: www.cnil.fr).
How to exercise your rights?
You can exercise your rights in relation to any personal data we process, including those we process in joint responsibility with our clients, by contacting us by email (firstname.lastname@example.org) or by postal mail by indicating, name, first name, coordinates of contact and by providing a copy of your identity paper (Payplug – Data Protection Officer – 110, avenue de France 75013 Paris).