Data Privacy Policy Lydia Solutions

Updated on February 23, 2026

The purpose of this personal data protection policy is to inform the Clients and, where applicable, candidates for a job offer as well as any visitor to a Lydia Solutions website and/or mobile application (hereinafter the “Person Concerned”) on how Lydia Solutions collects, uses and protects their personal data, in accordance with the General Data Protection Regulation (GDPR) and applicable regulations.

In the course of providing its services, Lydia Solutions processes the personal data necessary for account management, payment processing, customer relations and compliance with its legal and regulatory obligations, particularly in the fight against money laundering and terrorist financing.
These processing operations are based on appropriate legal grounds such as the performance of the contract, compliance with legal obligations, the legitimate interest of Lydia Solutions and its clients or, where required, the consent of the user.

The data processed is strictly limited to what is necessary for the purposes pursued and is subject to appropriate security measures to guarantee its confidentiality and integrity.

Personal data is retained for periods defined according to the purposes of the processing and applicable legal requirements. Users have rights over their data which they can exercise at any time in accordance with current regulations.

Aware of the importance of respecting your privacy and the security of your data, Lydia Solutions affirms through this policy its commitment to being a trusted player in the processing of your personal data.

In this document (hereinafter “Data Protection Policy”), “we”, “us” and “our” refer to “Lydia Solutions”; and “you” and “your” refer alternatively to “Customers” or the “Data Subject”.

Article 1: Legal Notices

Lydia Solutions, a simplified joint-stock company with a capital of 1,794,792 euros, registered with the Paris Trade and Companies Register under the unique identification number 534 479 589, located at 14 avenue de l’Opéra, 75001, Paris, France,

Approved and supervised by the Prudential Control and Resolution Authority (“ACPR”, 4 place de Budapest CS 92459 75436 Paris Cedex 09), as an electronic money institution authorized to provide payment services, under bank code (CIB) 17598 and REGAFI identifier 62677.

Registered on the Single Register of Insurance, Banking and Finance Intermediaries, maintained by ORIAS under number 18007465, as a tied agent of an investment service provider.

Lydia Solutions complies with all applicable French and European regulations relating to the protection of personal data, in particular Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as the “GDPR”), as well as Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms (known as the “Data Protection Act”).

Article 2: Purpose

In its capacity as the data controller of your personal data (hereinafter referred to as “Personal data”), Lydia Solutions wishes to inform you through this Data Protection Policy about:

  • The categories of your Personal Data that we collect and process;
  • The objectives pursued by the processing of your data (its purposes) and the data retention periods associated with each processing operation;
  • The legal bases on which the processing operations are based;
  • Recipients and categories of recipients;
  • Transfers outside the European Economic Area;
  • Your rights regarding your personal data;
  • The security of your personal data.

This Data Protection Policy applies to you as a customer or prospective customer of Lydia Solutions. It also applies to you if you are:

  • A person interested in the products, services or content of Lydia Solutions (newsletters…), who subscribes to Lydia Solutions news alerts, who interacts directly or indirectly with Lydia Solutions (in particular via its customer service or social networks), or who consults the sites and/or mobile applications or participates in an event organised by Lydia Solutions;
  • A candidate interested in the job offers published by Lydia Solutions on its website.

The Data Protection Policy is updated regularly to reflect changes in Lydia Solutions’ practices and any potential changes in regulations applicable to personal data. Lydia Solutions encourages you to review it regularly to stay informed of any modifications or updates.

Article 3: Legal basis for the processing carried out

The data processing carried out by Lydia Solutions is based on one of the following legal grounds:

  • The execution of the contract concluded with you (examples: managing an electronic money or payment account, issuing means of payment, providing information on transactions carried out via Lydia Solutions).

This legal basis, relating to the execution of the contract between the Client and Lydia Solutions, forms the basis for the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation and economic and financial information, financial and transactional data, data relating to the products and services subscribed to and data from correspondence and communications between you and us.

The purposes of these processing operations are: the management of the business relationship, the account opened in the books of Lydia Solutions and/or the products and services subscribed to, its management, the provision of information concerning the services of Lydia Solutions (update of contracts / terms of use of the services or information relating to the execution of the services of Lydia Solutions).

  • Compliance with legal and regulatory obligations which are the responsibility of Lydia Solutions as an electronic money institution authorized to provide payment services.

This legal and/or regulatory basis supports the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation, economic and financial information, financial and transactional data, data relating to subscribed products and services, data from correspondence and communications between you and us and any other information or document necessary to investigate the origin and destination of funds from transactions carried out with your account.

The purposes of these processing operations are: customer knowledge, operational risk management, constant vigilance on the business relationship, the fight against money laundering and terrorist financing, the application of sanctions and embargo measures, obligations related to the determination of your tax status and compliance with associated tax regulations, ethics and the fight against corruption and fraud, the management of dormant accounts and data related to the search for persons concerned, data protection and all other obligations relating to the management and control of compliance risks.

  • Pursuit of the legitimate interests of Lydia Solutions (examples: surveys and sending personalized communications, fraud prevention, analysis of customer use of Lydia Solutions services and application, or the creation of datasets to test the effectiveness of the compliance tools implemented by Lydia Solutions).

This legal basis, constituted by the legitimate interest of Lydia Solutions, underpins the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation, economic and financial information, financial and transactional data, data relating to subscribed products and services, connection data relating to the use of our services, cookies essential to the operation of applications and sites and enabling audience measurement, data from correspondence and communications between you and us and geolocation data.

The purposes of these processing operations are: fraud prevention, non-payment prevention, debt recovery and litigation management (amicable, over-indebtedness and legal disputes), claims management, estate management, prevention and management of incivilities towards our employees, the security of our networks, the analysis of our risk in terms of entering into business relationships, research and development activities, the management of statistical studies and satisfaction surveys for the purpose of improving customer knowledge, marketing profiling and segmentation and our communication activities.

The choice of this legal basis is made after a rigorous balancing of the interests pursued by Lydia Solutions with your interests, if you are affected by the processing, and an assessment of reasonable expectations in this regard. We implement safeguards to protect your interests, rights, and fundamental freedoms (examples: rights to information, the right to object, and the right to restrict processing).

  • Consent for specific processing operations.

This legal basis supports the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation, economic and financial information, financial and transactional data, data relating to subscribed products and services, connection data related to the use of our services, data from correspondence and communications between you and us, geolocation data, data and other information intended to be communicated to the public and shared with other customers within any application belonging to Lydia Solutions.

The purposes of these processing operations are: commercial prospecting by postal or electronic mail, by SMS/MMS, by telephone call, the deposit and reading of advertising cookies, the management of promotional offers and games and the hosting of public communication areas within any application belonging to Lydia Solutions.

  • The client’s legitimate interest (example: recording part of customer calls in order to assess the quality level of our services, the fight against fraud).

This legal basis supports the processing based on the following data: civil status data, identification data, contact details, data related to your personal and professional situation, recordings of some customer calls.

The purpose of this data processing is: to evaluate the quality of Lydia Solutions’ services, to improve the user experience, to prevent fraud, and to communicate with support teams.

The choice of this legal basis is made after a rigorous balancing of the interests pursued by Lydia Solutions with your interests, if you are affected by the processing, and an assessment of reasonable expectations in this regard. We implement safeguards to protect your interests, rights, and fundamental freedoms (examples: rights to information, the right to object, and the right to restrict processing).

Article 4: Personal data collected and processed

Lydia Solutions may be required to collect and process the following categories of Personal Data:

  • Civil status data and identification data: name, first name(s), gender, date and place of birth, nationality, front and back videos of one or more valid identity documents, proof of identity, and authentication videos (which may be subject to biometric processing);
  • Contact details: postal addresses, email addresses, telephone numbers;
  • Data related to your personal situation: family situation, matrimonial regime;
  • Data related to your professional situation: socio-professional category;
  • Economic and financial information: income (amount, sources and supporting documents), tax residences, financial and tax situation, accounting data, consumption habits and practices;
  • Financial and transactional data: nature of operations, date, card payment, transfer, direct debit, amount, description, justification of operations, bank details and other data of accounts aggregated to your account opened in the books of Lydia Solutions, etc.;
  • Connection data related to the use of our services: identification and authentication data, logs, cookies and other trackers, browsing data on sites and applications belonging to Lydia Solutions;
  • Data from correspondence and communications between you and us, conducted remotely: interviews and telephone calls, calls made in the application by our customer service, surveys, postal and electronic mail, instant messaging and voice note recordings, social media communications, complaints or claims or any other type of communication;
  • Connection data, data from the device used to connect to the application, and data associated with the use of any application belonging to Lydia Solutions: dates and times of access to the Lydia Solutions service, data on computer or telephone equipment, data associated with the use of the device, unique identifiers, crash data or cookies;
  • Data related to subscribed products and services: type of product, method of payment, due date, amount;
  • Geolocation data: IP address or GPS data of the terminal used;
  • Data and information intended to be communicated to the public and shared with other clients within any application belonging to Lydia Solutions: profile and wallpaper photos, images, photos related to transactions carried out (which may be subject to biometric processing), comments and other messages;
  • Data provided as part of additional services such as loyalty card information provided by the Customer or telephone numbers and email addresses in the Customer’s address book (only if the Customer chooses to link their contact directories to any application belonging to Lydia Solutions in order to know which of their contacts use any application belonging to Lydia Solutions, and it being specified that this transmitted information is stored encrypted, by one-way public key);
  • Any other information or document necessary to investigate the origin and destination of funds from transactions carried out with your account.

This personal data is collected either directly from you by Lydia Solutions, or, if necessary, indirectly:

  • From the National Directory for the Identification of Natural Persons;
  • From the Directorate General of Public Finances;
  • From all judicial or financial authorities, state agencies or public bodies, within the limits of what is authorized by regulations;
  • From the financial institution in whose books you have opened an account, which you can aggregate to your Lydia Solutions account, as part of the provision of payment initiation and account information services;
  • From publications and databases made accessible by official authorities or authorized third parties; or
  • From websites and social networks containing information that you have chosen to make public.

As part of our legal and regulatory obligations regarding due diligence in business relationships, we may also collect and process information about individuals with whom we do not have a direct relationship: a family member, a close friend, your employer, your legal representative, a personal contact, or the counterparty (initiator or beneficiary) of a transaction carried out or received. The collection and processing of this information are necessary for the purpose of investigating the origin and destination of funds from transactions carried out with your account.

Certain categories of data or Personal Data collected by Lydia Solutions may be combined in order to better meet the purposes described in Article 5. These combinations are carried out by Lydia Solutions taking care to use only the data strictly necessary to achieve the purpose of the processing (in accordance with the principle of data minimization, provided for by the GDPR).

Article 5: Purposes of processing and retention period of personal data

1 – General Provisions

Lydia Solutions processes the categories of Personal Data referred to in Article 4 according to the circumstances, to meet different objectives or purposes. Each of these categories is associated with a data retention period after which the data is no longer used, is archived, then anonymized and/or deleted.

The retention periods mentioned below take into account the legal and regulatory obligations applicable to Lydia Solutions as an electronic money institution, applicable statutes of limitations, anti-fraud, anti-money laundering and counter-terrorist financing (AML/CFT) measures, and dispute resolution. Notwithstanding the retention periods indicated below, personal data may be retained beyond these periods when necessary for the establishment, exercise, or defense of legal claims, until the final resolution of the dispute or proceedings.

Personal data may be kept beyond the periods indicated in intermediate archiving when this is necessary for the establishment, exercise or defense of a right or in order to comply with a legal obligation or a request from a competent authority.

The processing of personal data described below is based on regulatory and legal grounds:

  • Managing business relationships, payment accounts, or electronic money opened in the books of Lydia Solutions and/or subscribed products and services, particularly for evidentiary purposes. Your personal data may be kept for a period of five (5) years from the end of the business relationship or, where applicable, from the end of any legal or recovery proceedings and/or the expiry of the applicable limitation periods.
  • The personal data of active customers relating to payment transactions (transfers, card payments, payment initiation service, account statements and associated transaction data) are stored according to a standard term of twelve (12) years from the date of execution of each transaction. This period includes an additional time which can go up to twelve (12) months corresponding to the technical time required for the effective deletion of data in Lydia Solutions’ information systems.
  • The fight against fraud (examples: establishing ratings or scores, detecting unusual transactions): your personal data may be kept for a maximum duration of five (5) years from the date of closure of the proven fraud case or the issuance of an alert in our systems.

When the data is necessary for the establishment, exercise or defense of a right, this period may be extended until the final closure of the proceedings and the expiry of the applicable limitation periods.

  • Compliance with the legal and regulatory obligations incumbent upon Lydia Solutions, in particular the obligations relating to customer due diligence (known as “Know Your Customer”), operational risk management (including IT network security, customer protection, internal supervision and control, transaction security, and the security of using international payment networks), financial security obligations (anti-money laundering and counter-terrorist financing, and sanctions and embargo obligations), obligations related to determining your tax status and complying with associated tax regulations, identification of Politically Exposed Persons (PEPs), ethics and anti-corruption, and obligations related to Verification of Payee regulations (before a transfer is made, Lydia Solutions verifies that the first name, last name, or company name of the beneficiary entered by the Client matches those associated with the IBAN registered with the beneficiary’s bank; the Client is informed of any discrepancies); data protection and all other obligations relating to the management and control of compliance risks. Your personal data will be kept for a period of five (5) years from the end of the business relationship.
  • As part of a specific offer available to customers in financially vulnerable situations, Lydia Solutions may use personal data on Clients provided by the Banque de France to identify Clients who may be eligible for this offer. This personal data is kept for a maximum period of five (5) years from the end of the business relationship.
  • Lydia Solutions can collect a video of your ID card (front and back) and an authentication video called “selfie video” in order to verify your identity and secure access to your account, in accordance with our legal and regulatory obligations. This identification data is kept for the duration of the business relationship while the account is active, and then deleted two (2) years after the account was closed.

Lydia Solutions may also collect a separate authentication video, including a video selfie, to secure access to or recovery of your account; this authentication video is deleted after thirteen (13) months for active accounts and fifteen (15) days for closed accounts.

The facial video is processed strictly for the purpose of confirming your identity and detecting whether your face is “alive.” Providing video authentication remains optional; an alternative identity verification process is offered without any additional requirements or special compensation.

Other personal data processed in the context of identity verification (identity documents, data from KYC checks) are kept for a maximum period of five (5) years from the end of the business relationship.

  • The prevention and detection of criminal offenses and/or the pursuit of legal action (for example, to identify seriously reprehensible behavior or acts such as violence against Lydia Solutions staff). Your personal data may be retained for a period of five (5) to twenty (20) years, depending on the nature of the offense; data is retained from the day it is discovered. When legal proceedings are initiated, the data is kept until the end of those proceedings and the expiry of the applicable limitation periods.
  • The management of dormant accounts and data related to the search for the persons concerned: your personal data may be kept for a maximum duration of ten (10) years for living Clients, of three (3) after death for deceased Clients and five (5) years from the date of transfer of funds and closure of the account in accordance with applicable legal and regulatory obligations.

When a client dies and beneficiaries have come forward and been identified, personal data may be processed to allow for the freezing of the account, the inventory and transfer of assets, and the verification of the heirs’ rights. In this respect, personal data may be retained for a period of five (5) years from the end of the business relationship or the closing of the estate; this period may be extended when necessary for the handling of disputes.

  • Recording your conversations and communications with Lydia Solutions, regardless of the medium (emails, letters, telephone conversations, voice notes, etc.): depending on applicable regulations, your Personal Data may be kept for varying periods, which will not, however, exceed a period of five (5) years from the date of their registration or a duration of five (5) years from the end of the business relationship. Recording media or their reproduction will be kept for periods proportionate to the purpose of the recording in question (from 6 months for staff training purposes, to 5 years when the telephone recording is likely to be used for evidentiary purposes). Calls or videos made via the Application can be kept for a limited period of up to three (3) months subject to obtaining the user’s consent.
  • Accounting treatments: accounting data may be kept for a period of ten (10) years in accordance with applicable legal provisions.
  • Cookies and other trackers: When you browse our websites or use our applications, Lydia Solutions may place and read cookies or other tracking technologies on your device, regardless of the type of equipment used, to ensure the proper functioning of the services and, where applicable, to improve their use. The lifespan of these tracking technologies is limited to a maximum of thirteen (13) months. Where required by law, your prior consent will be obtained before installing these tracking technologies or accessing data stored on your device.

For more information, you can consult the Policy on the use of trackers and cookies at any time.

  • Personal data may be processed in order to respond to requests originating from competent judicial or administrative authorities. They are kept for a period of five (5) years from the end of the business relationship of the client in question.
  • Personal data may also be processed to respond to seizure requests as provided for by current regulations; when they are received via the Apex platform they are kept for three (3) months from the date on which the file was submitted and fully processed; when they are received via Securact no data is retained by Lydia Solutions, the data being deposited on the third-party interface; when they are received by email they are kept for a period of five (5) years from the date of their receipt; a log of the seizure request is kept for a period of five (5) years for the purposes of evidence.

When the processing of personal data is not based on a legal or regulatory obligation, it is based on the performance of the contract binding the Client to Lydia Solutions and/or on the legitimate interest pursued by Lydia Solutions and/or consent within the meaning of Article 6 of the GDPR:

  • Conducting opinion and satisfaction surveys and statistical studies. Your personal data may be kept for a period of three (3) years from the date of completion of the study.
  • Research or analysis activities for process improvement and model development: Your personal data may be used to improve our internal control procedures or contribute to risk and compliance management. This personal data is retained for a specific period for each of these sub-purposes.
  • Sales prospecting, proposing commercial offers tailored to your situation and consumption profile, creating promotional offers and games, organizing sales events and advertising campaigns: personal data may be kept for a maximum period of three (3) years, counted from the end of the business relationship or, for prospective clients, from the date of the last contact. This personal data may be anonymized and aggregated to generate statistical reports.

When the registration process is not completed, personal data is kept for a maximum period of nine (9) days before automatic deletion.

Your personal data collected and processed in accordance with the aforementioned purposes may be retained for an additional period if required for the defense of a right or interest, or to comply with the requirements of French or European authorities such as the ACPR or the Autorité des marchés financiers (“AMF”). In this case, your personal data will not be used for any other purpose, will be kept in intermediate archiving, and will only be accessible to authorized personnel who have a need to know (examples: legal department, compliance department, audit and inspection body).

2 – Specific provisions for profiling

Lydia Solutions implements profiling processes, that is to say, processes consisting of evaluating certain aspects of its Clients concerning their economic situation, their preferences or personal interests, the analysis of their behavior, or even their location and movements.

These profiling processes have different purposes, mainly to secure your operations, to combat fraud, to personalize the relationship, for commercial prospecting or to better meet our obligations relating to the management and control of compliance risks.

In the case of marketing, the processing involves analyzing some of your personal data to create profiles that match your profile. These profiles allow us to send you personalized offers that are better suited to your needs, expectations, or situation.

For each of these profiling operations, an in-depth analysis is carried out to determine whether the processing should be based on your consent, the legitimate interest of Lydia Solutions, or on another legal basis (the performance of a contract, a legal obligation).

If profiling is based on your consent: we ensure that your consent is obtained, after having informed you explicitly and transparently about the use of your personal data. We also allow you to withdraw your consent at any time.

If profiling is based on Lydia Solutions’ legitimate interest: we will have conducted a preliminary analysis to ensure, for each planned processing operation, that your interests and fundamental rights are respected and that you can reasonably expect your data to be used for this purpose. You may object to this processing at any time, under the conditions provided for by the regulations and in accordance with the procedures described in Article 6.

3 – Specific provisions for fully automated decisions

Where Lydia Solutions processes data involving fully automated decision-making, including profiling, that produces legal effects concerning you or significantly affects you, this processing is based on one of the following legal grounds: your consent, the performance of a contract, the legitimate interests of Lydia Solutions, or a legal obligation. This processing is carried out in accordance with applicable regulations and is subject to appropriate safeguards.

In the event that this profiling has legal consequences for you, you can request the intervention of a human being, in particular to obtain a review of your situation, to express your own point of view, to obtain an explanation of the decision taken or to contest the decision.

4 – Specific provisions regarding access to your telephone directory and telephone recordings

Telephone conversations between you and our customer service departments (customer support, compliance, fraud prevention, etc.) may be recorded for staff training purposes, to evaluate or improve the quality of our products and services, as evidence in the fight against fraud, money laundering, and terrorist financing, and to verify your identity when you exercise your rights regarding your personal data. We will inform you before any recording takes place, and you have the right to object.

In addition, when the mobile application allows it and within the limits permitted by regulations and Lydia Solutions’ internal procedures, you can send us a short recorded message in the form of a voice note, which will be processed by our customer relations teams under the same conditions as those used for a message you might send us via another means of communication (e.g. telephone, email, etc.).

Lydia Solutions allows you to link your mobile phone’s contact list to any Lydia Solutions application to see which of your contacts also use our services. To perform this linking, we need to collect the phone numbers and email addresses in your address book. We do not process this data in any other way (only a fingerprint is created; the raw data is not collected). This information is transmitted and stored encrypted using a one-way public key. You can disable this feature at any time in any Lydia Solutions application.

5 – Specific provisions for the use of technological tools

As part of the operational optimization of the services provided, Lydia Solutions may use technological tools, such as artificial intelligence tools and/or machine learning tools, which require the processing of certain personal data in compliance with applicable regulations, in particular Regulation (EU) 2024/1689 of 13 June 2024 establishing harmonized rules concerning artificial intelligence and the guidelines of the relevant authorities.

Lydia Solutions implements artificial intelligence systems for customer service, notably through virtual assistants accessible within the Lydia and Sumeria applications, as well as internal support tools primarily intended for customer service teams. Data from the use of these systems (such as interactions, requests, and user feedback) may be used by Lydia Solutions exclusively for quality monitoring, security, auditing, and continuous improvement of the tools.

Lydia Solutions also offers users of its Sumeria application an artificial intelligence system that assists each user in using Sumeria services. This system uses certain personal data of the user (for example: type of offer, bank statement) and/or data entered by the user in the application (for example: consultation of the list of beneficiaries, purpose of the transaction). It is based on the following guiding principles: using only the minimum information necessary, not retaining data after processing, and never using queries for training, improving, or developing models.

The personal data collected is not used to produce automated decisions having legal or similar significant effects on users nor to train generic artificial intelligence models. The processing is carried out in compliance with applicable regulations, including the GDPR and the recommendations of the CNIL, and is subject to appropriate data minimization, security and confidentiality measures.

Data sharing is strictly limited to the information necessary and only occurs when using the relevant functionalities. No personal data is processed outside of this explicit interaction, in accordance with the principles of data minimization and purpose limitation. Furthermore, personal data from the use of these systems may be kept by Lydia Solutions for a maximum period of 60 days.

Article 6: Recipients

Your personal data may be disclosed depending on the purposes for which it is processed:

  • To the partners, intermediaries, subcontractors and service providers of Lydia Solutions (PayLead, Bitpanda, Google Cloud Platform, Mangopay, BNP…). This communication only occurs within the framework of processing which pursues one of the purposes described in article 3;
  • In compliance with applicable regulations, to third parties in France for the purposes of establishing, safeguarding or defending a right in court, in the context of administrative or criminal investigations by one or more regulators, compliance with commitments made to them or in the context of legal proceedings of any kind.
  • To comply with legal obligations regarding fraud prevention, the service provider MangoPay Poland provides Lydia Solutions with a fraud prevention tool. In this context, MangoPay Poland collects certain personal data from users (telephone number, name, details of transactions, etc.). MangoPay Poland uses the collected data to detect suspicious activity. The data is retained for a maximum of two years following the triggering event. Lydia Solutions acts as the data controller, and MangoPay Poland as the data processor.
  • To certain regulated professions such as auditors, lawyers, in order to provide regulatory reports or to act in defense of our rights.
  • To payment initiators and account information service providers, only if you consent or at your request (example: Tink AB).

Article 7: Sales prospecting

1 – Sales prospecting via email and automated calling system

If you are an individual not acting for professional purposes, we may contact you for marketing purposes via email, automated calling, or SMS/MMS if you have given your consent when your email address or personal details were collected, or if you are already a customer and the marketing relates to products or services similar to those you have already subscribed to. Each marketing email contains a link allowing you to unsubscribe.

Generic business addresses assigned to a legal entity (company) are not subject to the principles of consent and prior information, and do not benefit from the right to object.

Messages and notifications related to the administrative management of a previously subscribed product or service (alerts, changes to contractual and pricing documentation, etc.) do not fall under commercial prospecting.

The settings for the messages and notifications that you may receive from us can be made within the framework of the subscribed service, it being understood that some of these notifications may be subject to regulatory obligations and be mandatory.

2 – Telephone prospecting

We may also contact you by telephone for marketing purposes. In accordance with Article L.223-2 of the French Consumer Code, you are hereby informed that you can register on the Bloctel telephone marketing opt-out list. However, even if you are registered, we may still contact you by telephone if there is an existing contractual relationship with you, unless you have previously objected to this or object during the call.

Article 8: Transfers outside the European Economic Area (EEA)

The processing of your Personal Data by Lydia Solutions in accordance with the agreed purposes (see article 5) may involve transfers to countries that are not members of the European Economic Area (EEA), whose laws regarding the protection of personal data differ from those of the European Union.

When personal data is transferred to countries outside the EEA, a precise and demanding legal framework governs this transfer, in accordance with applicable European regulations, notably through the signing of Standard Contractual Clauses approved by the European Commission. Furthermore, appropriate security measures are implemented to ensure the protection of personal data transferred outside the EEA.

Standard contractual clauses are available on the CNIL website (www.cnil.fr).

For more information regarding these international transfers of personal data, you can contact the Data Protection Officer of Lydia Solutions according to the terms in Article 7 herein.

Article 9: Security

Lydia Solutions takes all necessary physical, technical and organizational measures to protect the confidentiality, integrity and availability of your Personal Data, in particular against loss, accidental destruction, alteration and unauthorized access.

Lydia Solutions also strives with the utmost vigilance to maintain a high standard of security and confidentiality of your Personal Data by raising awareness among our employees and business partners, training our employees in data protection, implementing continuous controls, and implementing tools and practices aimed at obfuscation, anonymization and encryption of data, in order to ensure the protection of your Personal Data against internal and external risks of data leakage.

In the event of a personal data breach concerning you that poses a risk to your rights and freedoms, we will notify the CNIL (French Data Protection Authority) within the regulatory timeframe. If this breach presents a high risk to your rights and freedoms, we will inform you as soon as possible of the nature of the breach and the measures implemented to address it.

Article 10: Lydia Solutions’ Hosting Status

Lydia Solutions hosts public communication areas that allow you to participate in discussion forums, instant messaging systems, or to share content. These public communication areas are spaces over which Lydia Solutions has no control, and only you and other Clients have control over them and can publish. Therefore, Lydia Solutions cannot be considered a content publisher but solely a hosting provider whose mission is to make available to its Clients the technical means for the direct and permanent storage of information intended for public communication. In this respect, Lydia Solutions meets the definition in Article 6.I.2 of Law No. 2004-575 of June 21, 2004, on Confidence in the Digital Economy (“LCEN”).

Paragraph 5 of section I of Article 6 of the LCEN specifies that:

“Knowledge of the disputed facts is presumed to have been acquired by the persons designated in paragraph 2 (of Article 6 I 2 of the LCEN, i.e., the hosting providers) when they are notified of the following: the date of the notification; if the notifying party is a natural person: their surname, first names, occupation, address, nationality, date and place of birth; if the requesting party is a legal entity: its form, name, registered office and the body that legally represents it; the name and address of the recipient or, if it is a legal entity, its name and registered office; a description of the disputed facts and their precise location; the reasons why the content must be removed, including a reference to the legal provisions and factual justifications; a copy of the correspondence addressed to the author or publisher of the disputed information or activities requesting their cessation, removal or modification, or justification that the author or publisher could not be contacted.” 

As soon as Lydia Solutions is notified of the allegedly illegal or offensive nature of content under the conditions set forth in paragraph 5 of section I of Article 6 of the LCEN (Law for Confidence in the Digital Economy) indicated above, we will promptly implement the necessary measures to make the content inaccessible. These measures may range from the removal of the content to a temporary or even permanent ban on the content hosting service, depending on the seriousness and frequency of the observed violations. Lydia Solutions also does not engage in general content monitoring beyond assisting in the suppression of, in particular, the glorification of crimes against humanity, incitement to racial hatred, child pornography, incitement to violence (including incitement to violence against women), and attacks on human dignity, in accordance with the provisions of paragraph 7 of section I of Article 6 of the LCEN.

Furthermore, Lydia Solutions is not responsible for the content it hosts and cannot be held liable for any activities or information stored at your request if it was not actually aware of their illegal nature or of facts and circumstances revealing this nature, or if, upon becoming aware of it, it acted promptly to remove the information or make access to it impossible. In this regard, Lydia Solutions reserves the right to remove or suspend access to any content upon receipt of a notification or if it becomes aware of the manifestly illegal nature of the content. Lydia Solutions cannot be held liable under any circumstances for such removal. In any event, Lydia Solutions cannot be held liable in any way for any content you share.

Article 11: Your rights

Subject to the conditions and limitations permitted by applicable regulations, you have the following rights:

  • Access your personal data,
  • To have your Personal Data rectified, updated and erased, it being specified that erasure can only occur when:
      • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
      • You have withdrawn your consent on which the processing was based, and there is no other legal basis justifying it.
      • You have objected to the processing of your Personal Data for reasons relating to your particular situation and there is no overriding legitimate ground to continue it,
      • The personal data has been processed unlawfully.
      • Personal data must be erased to comply with a legal obligation under European Union law or French law to which Lydia Solutions is subject.
  • You have the right to object to the processing of your Personal Data for reasons relating to your particular situation and where there is no overriding legitimate ground to continue it.
  • You have the right to object to the processing of your Personal Data for commercial prospecting purposes, including profiling related to such prospecting (see article 8);
  • To receive the personal data concerning you that you have provided to us, for automated processing based on your consent or on the performance of a contract, and to request the portability of this data to a third party,
  • Request a limitation on the processing of your personal data that we carry out when:
      • You contest the accuracy of the Personal Data, and this for a period enabling the data controller to verify the accuracy of the Personal Data,
      • You object to the erasure of your personal data when the processing is unlawful.
      • We no longer need the Personal Data, but you still require it for the establishment, exercise, or defense of legal claims.
      • You objected to the processing of your Personal Data, pending verification of whether the legitimate grounds pursued by Lydia Solutions prevail over your own.
  • Where processing is based on your consent, you may withdraw that consent at any time, unless there is another legal basis to do so.

Furthermore, you have the option of providing us with instructions regarding the retention, deletion, and disclosure of your data after your death. These instructions can also be registered with a certified digital trusted third party. These instructions may designate a person responsible for their execution. However, these rights cannot infringe upon the rights of your heirs or allow the disclosure of information to which only they have a legitimate right of access.

You can exercise your rights and contact the Data Protection Officer of Lydia Solutions according to the following procedures:

  • By post sent to the following address: Lydia Solutions, Data Protection Officer, 14 avenue de l’Opéra, 75001 Paris, France.
  • By email sent to the following address: dpo@isbs.eu

You finally have the right to lodge a complaint with the CNIL (the supervisory authority in France responsible for ensuring compliance with obligations regarding personal data – www.cnil.fr):

  • 3, Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07

Article 12: Data Controller

Lydia Solutions collaborates, under mandate, with an account information service provider approved by a supervisory authority equivalent to the ACPR and based in the European Union, jointly responsible for the processing of personal data of the Person Concerned, in accordance with Article 26 of the GDPR.

Thus, Lydia Solutions and this establishment jointly define the purposes and means of these processing operations. The personal data of the Person Concerned are shared with these joint data controllers only for the purpose of performing the contracts established with Lydia Solutions.

The account information service provider is Tink AB, which enables Lydia Solutions to provide bank account aggregation and linked account information services for Lydia Solutions customers. Tink AB’s Privacy Policy is available here (available in English only).

Lydia Solutions and this entity are bound by mutual information obligations, particularly with regard to the following events:

  • Any breach of personal data of the Person Concerned;
  • Any recourse to a new subcontractor carrying out personal data processing of the Person Concerned outside the European Economic Area (EEA) and on behalf of Lydia Solutions.

As part of providing additional services, Lydia Solutions may also share your Personal Data with partners (such as BitPanda, PayLead).

Note that PayLead analyzes bank transaction data to offer you personalized offers, defined on the basis of your transaction history and consumption habits.

Lydia Solutions may also share its Clients’ personal data with one of its suppliers or partners, provided that, except in exceptional circumstances, this data has been anonymized beforehand. Anonymization involves removing the following information: first and last name, email address, telephone number, postal address, and any other element that could identify or directly contact the Client.

All personal data of Lydia Solutions’ Clients are covered by professional secrecy under the conditions of Article L.526-35 of the Monetary and Financial Code.

These partners only have access to the data that is strictly necessary for the purposes of executing the contracts established with Lydia Solutions.

APPENDIX

Specific provisions for remittance services – partnership with PayLead

To provide the Remittance Service (as defined in the contractual documentation made available by Lydia Solutions), Lydia Solutions and its partner PayLead act as joint data controllers.

PayLead is a simplified joint-stock company whose registered office is located at 9 rue de Condé, 33064 Bordeaux (France), registered with the Trade and Companies Register (RCS) of Bordeaux under number B 821 725 579.

PayLead and Lydia Solutions have jointly determined how the Remittance Service operates and how your Personal Data is used to provide this service.

PayLead also acts as an independent data controller for the subsequent processing operations described in subsection 1.

1. Purposes of processing

The purposes for which we use your Personal Data and the legal basis for this processing are detailed below. The operations carried out on the basis of the performance of the contract are essential for the provision of the Remittance Service.

| GENERAL PURPOSE | PROCESSING OPERATION | TECHNICAL CONTROLLER | LEGAL BASIS |
|---|---|---|---|
| Program Implementation | Transmission of banking transactions to PayLead | Lydia Solutions | Performance of contract |
| | Data analysis for user profile creation and matching offer catalog | PayLead | Performance of contract |
| | Data analysis for generation and management of Rewards based on transaction history | PayLead | Performance of contract |
| | Transaction data analysis for geographical consistency of offers displayed to the user | PayLead | Performance of contract |
| | Data analysis for personalization of customer experience based on user consumption habits | PayLead | Consent |
| | Payment of the Reward to the user | Lydia Solutions | Performance of contract |
| | Technical support for user claim management | PayLead | Performance of contract |
| | Statistical reporting on offer monitoring and Reward service performance | PayLead | Performance of contract |
| Regulatory Compliance | Management of user GDPR requests | Lydia Solutions and PayLead | Legal obligation |

The Rebate Service is based on the analysis of your bank transactions: based on the catalogue of offers displayed, PayLead identifies the transactions eligible for payment of a rebate.

PayLead also analyzes your bank transaction data to offer you personalized deals, based on your transaction history and spending habits. Eligibility criteria for these offers are defined by partner retailers and Lydia Solutions.

The essence of the Discount Service is therefore to allow you to leverage your banking data to benefit from personalized and relevant offers from partner retailers.

Further processing (within the meaning of Article 13.3 of the GDPR)

PayLead uses your Personal Data for the further processing described below. This processing is carried out by PayLead independently and under its sole responsibility.

As required by applicable regulations, we have verified that the pursuit of our legitimate interests does not infringe upon the rights and freedoms of users:

  • A user can reasonably anticipate that PayLead must provide reporting to partner retailers to inform them about the performance and monitoring of offers.
  • The studies carried out by PayLead do not focus on an individual person, but on a set of aggregated and non-nominative data.
  • PayLead bases its studies on pseudonymized data.

2. Personal data processed

The following personal data is communicated to PayLead by Lydia Solutions:

  • Company name of your bank
  • Bank transactions: transaction description, date, location, amount, merchant, truncated PAN number (last 4 digits)
  • unique user identifier (token)

PayLead identifies you solely through a unique user identifier, called a “token”, consisting of a series of numbers and letters. This is called pseudonymization.

By analyzing your bank data, PayLead also processes your consumption habits (your favorite brands, your favorite stores, the usual geographical areas of your purchases, your average basket), your average salary, your exceptional income or life events that can be inferred from your purchases (such as marriage, birth, etc.).

As part of the support process, we process additional personal data of any kind that you may provide. We therefore ask you to limit the information shared to what is strictly necessary, and in particular to what we request in order to respond to your inquiry.

3. Data retention

Your personal data is used for a specific period, strictly limited to the purposes for which it was intended:

  • Your bank transaction data is deleted after 2 years (from the transaction date) if it has not generated the payment of a discount;
  • Your transaction data is deleted after 5 years (from the transaction date) if it generated the payment of a discount.

When you decide to unsubscribe from the Rebate Service, PayLead deletes all of your Personal Data, with the exception of data related to the payment of a rebate, which is then kept for the aforementioned period of 5 years.

4. Communication to third parties

Your personal data is only accessible to PayLead staff who need to know it to perform their duties and provide the Remittance Service.

Certain third parties may have access to your pseudonymized (or anonymized, where applicable) Personal Data:

  • PayLead’s potential subcontractors and service providers acting for technical and logistical reasons related to the proper execution of the Delivery Service (such as data hosts, external security auditors, ticketing tool providers, etc.);
  • Partner retailers to whom PayLead communicates a statement of transactions that generated a discount (amount, timestamp, truncated PAN if applicable).

5. Storage of Personal Data

Your personal data is hosted and processed by PayLead exclusively within the European Union (EU). However, PayLead reserves the right to use certain service providers outside the European Economic Area (EEA). In this event, PayLead will inform you of such transfers outside the EU and ensure that your personal data is properly protected in accordance with the requirements of the GDPR. Upon request, PayLead will provide you with a copy of the applicable protection measures.

6. Security Measures

PayLead uses technical and organizational measures that comply with legal and regulatory requirements to keep your Personal Data secure and confidential, including:

  • Data pseudonymization: PayLead does not directly know your identity
  • Implementation of a policy for managing access rights to our tools and databases
  • Implementation of a logging policy
  • Data encryption
  • Antivirus
  • Conducting penetration tests
  • Anonymization of data where possible
  • PayLead employees trained in data security and confidentiality

Under written agreements, PayLead requires its service providers and subcontractors to implement strong security measures to protect the personal data they process on behalf of PayLead.

7. Exercising your rights

Current regulations allow you to maintain control over your personal data. As such, you have the following rights:

  • Right of access: you have the right to obtain a copy of all personal data we hold about you.
  • Right of rectification: you can request the updating of your Personal Data when it is incorrect or incomplete.
  • Right to object: You have the right to object, in certain cases, to the use of your Personal Data. Only processing based on the legal basis of “legitimate interests” may be subject to your objection. You must provide justification for the legitimate reasons why you wish to object to the use of your Personal Data by PayLead.
  • Right to withdraw your consent: If you have given your consent to specific processing, you may withdraw that consent at any time, without providing a reason. Withdrawal of consent is only valid for the future.
  • Right to restriction of processing: you have the right to request, in certain cases, to suspend or limit all or part of the processing carried out on your Personal Data.
  • Right to be forgotten: you can request, in certain cases, the deletion of all your Personal Data.
  • Right to data portability: you can request to retrieve your Personal Data, in an understandable and readable format.
  • Right to object to profiling and automated individual decision-making: you have the right to object at any time to profiling processing carried out on your Personal Data for direct marketing purposes.

Please note that exercising certain rights may result in your unsubscription from the Remittance Service, as some processing is essential for providing the service.

To respond to your request, we may ask you to provide proof of your identity and/or additional supporting information.

We will do everything we can to respond to your request as soon as possible.

You can exercise your rights by contacting Lydia Solutions and/or PayLead:

  • PAYLEAD, To the attention of the DPO, 58 bis rue de la Chaussée d’Antin – 75009 PARIS
  • dpo@paylead.fr

You can contact Lydia Solutions and/or PayLead, who will jointly respond to your request.

Please note, however, that PayLead does not directly know your identity; therefore, it is recommended that you send your initial request to Lydia Solutions.

You finally have the right to lodge a complaint with the CNIL (the supervisory authority in France responsible for ensuring compliance with obligations regarding personal data – www.cnil.fr):

  • 3, Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07

For more details on data processing methods and retention periods, please consult PayLead’s privacy policy: https://www.paylead.fr/fr/privacy-policy

Provisions applicable to services provided by the Bitpanda group

1. Object and scope

In the context of providing, via the Lydia Solutions application, services relating to crypto-assets, precious metals and, where applicable, certain financial instruments provided by the Bitpanda group, Lydia Solutions and the Bitpanda group operate in accordance with the GDPR and applicable sector regulations.

Access to these services involves the transmission by Lydia Solutions, depending on the service concerned, of the user’s personal data mentioned in article 5 to the entities legally responsible for the provision, collectively referred to as “Bitpanda”.

Bitpanda, as the Data Controller, processes all data necessary for opening a verified account, including name, address, verification data, and other Know Your Customer (KYC) information. This processing is based both on the performance of the contract and on compliance with legal obligations, particularly regarding identity verification.

Bitpanda, on the other hand, does not receive any data that is not necessary for the provision of its own services, and information exclusively required for the partner’s main service is not transmitted to it; these provisions apply only to Clients using Bitpanda services.

2. Distribution of roles

For the provision of Bitpanda services accessible via the Lydia Solutions application:

  • Lydia Solutions acts as a technology partner for the services provided by Bitpanda GmbH and Bitpanda Metals GmbH, which consists solely of providing the application interface and transmitting the strictly necessary data to the relevant entities.
  • Lydia Solutions acts as a tied agent (ORIAS No. 18 007 465) of Bitpanda Financial Services GmbH for services relating to financial instruments

Relevant entities of the Bitpanda group

The services offered in the Lydia Solutions application are provided by the following entities of the Bitpanda group:

Bitpanda GmbH

Austrian company located at Stella-Klein-Löw-Weg 17, 1020 Vienna (Austria), registered in the Commercial Register of the Vienna Commercial Court under number FN569240 v.

Bitpanda GmbH has an authorization as a Crypto-Asset Service Provider (CASP) issued by the FMA under the MiCA regulation and is registered with the Autorité des marchés financiers (AMF) (PSAN no. E2023-076).

It provides:

  • Services for the storage and purchase/sale of E-Tokens, which are digital representations of values or rights that can be transferred and stored electronically using distributed ledger technology or equivalent.

Bitpanda Metals GmbH

Austrian company located at Stella-Klein-Löw-Weg 17, 1020 Vienna (Austria) registered under number FN511923 d in the Vienna Commercial Register.

Bitpanda Metals GmbH is authorized to conduct precious metals trading activities in accordance with the provisions of the Trade Regulations of 1994.

It provides:

  • Services for buying and selling precious metals (silver, gold, platinum, palladium) in the form of M-Tokens, which digitally represent the corresponding physical bars.

Bitpanda Financial Services GmbH

Austrian company located at Stella-Klein-Löw-Weg 17, 1020 Vienna (Austria) registered in the Commercial Register of the Vienna Commercial Court under number FN551181 k.

Bitpanda Financial Services GmbH is authorized in Austria as an investment services provider and is supervised by the Austrian Financial Market Authority (FMA) in accordance with the provisions of the Wertpapieraufsichtsgesetz 2018 (WAG 2018).

It provides:

  • Services relating to A-Tokens, namely derivative financial contracts referenced on various underlying assets

Lydia Solutions’ role in data processing

Independent data controller

Lydia Solutions acts as the data controller for:

  • The collection of data necessary for opening and managing the Lydia Solutions account
  • The implementation of user onboarding for users requesting access to Bitpanda services
  • The transmission to Bitpanda entities of information strictly necessary for the provision of services
  • The processing required by its legal obligations as an electronic money institution

Processing carried out within the framework of the Bitpanda Technology Solution (BTS)

When using the Bitpanda Technology Solution (“BTS”), certain operations strictly necessary for verifying the identity of users wishing to access the services offered by Bitpanda GmbH are performed within the Lydia Solutions application. No joint processing takes place between Lydia Solutions and Bitpanda.

These operations are nevertheless carried out solely for the needs of Bitpanda GmbH, which alone determines the purposes of the processing, the applicable regulatory requirements, and the essential means implemented. As such, Bitpanda acts as the Data Controller for all processing required for access to its services.

In this context:

  • Lydia Solutions implements the operations required solely for the purpose of executing the BTS service, in accordance with the instructions, regulatory requirements and operational requirements defined by Bitpanda.
  • No joint responsibility within the meaning of Article 26 of the GDPR is established between Bitpanda and Lydia Solutions; the two parties act as independent data controllers.

Bitpanda receives and processes all personal data necessary for opening a verified account and fulfilling its legal obligations, particularly in terms of Know Your Customer (KYC), in accordance with the documentation applicable to the BTS solution.

3. Personal data processed by the Bitpanda group

Within the strictly defined framework above, Lydia Solutions may collect and transmit the following categories of information to Bitpanda:

KYC identification data

  • Civil status and contact information
  • Identity documents and supporting documents
  • Information necessary for onboarding and creating a customer file usable by Bitpanda entities

Tax identification data pursuant to Council Directive 2023/2226 of 17 October 2023 (“DAC 8”)

Furthermore, in order to comply with the European reporting obligations imposed on crypto-asset service providers by Council Directive 2023/2226 of 17 October 2023 (“DAC 8”), applicable from 1 January 2026, Lydia Solutions collects the following additional information via the Sumeria application and transmits it to Bitpanda GmbH:

  • The Tax Identification Number (TIN)
  • The tax residence(s) declared by the user
  • User consent
  • Self-certification (optional)

Subsequently, Bitpanda entities will be required to report annually to the relevant tax authorities user information and aggregated transaction data. This includes customer identification data, transaction volumes covered by the “DAC8” Directive, and details regarding the presence or absence of valid self-certifications.

4. Purposes and retention period

Lydia Solutions:

  • Only transmits data that is strictly necessary for the provision of services;
  • Any processing that goes beyond this scope is prohibited;
  • Does not intervene in defining the specific purposes of the entities within the Bitpanda group;
  • Does not share any data outside of the entities concerned.

Each entity within the Bitpanda group remains fully responsible for the processing carried out within the framework of its regulatory obligations.

For more details on data processing methods and retention periods, please consult the Bitpanda Group Privacy Policy: https://www.bitpanda.com/fr/legal/bitpanda-group-privacy-notice