Lydia Personal Data Protection Policy

The French version of this document is available here and prevails over the others.

Conscious of the importance of respecting your privacy and the security of your data,  Lydia Solutions reaffirms its commitment to be a trusted actor in the processing of your  personal data. 

In this Privacy Policy, "Lydia", "we" and "our" refer to "Lydia Solutions". 

Article 1 : Legal requirements

Lydia Solutions, a simplified joint stock company with a capital of 1,785,979 euros, registered in  the Paris Trade and Companies Register under the unique identification number 534 479 589, with registered address at 14 avenue de l'Opéra, 75001, Paris, France, 

Authorized and supervised by the Autorité de Contrôle Prudentiel et de Résolution ("ACPR", 4  place de Budapest CS 92459 75436 Paris Cedex 09, 01.49.95.40.00) as an electronic money  institution authorized to provide payment services, under the bank  code (CIB) 17598 and the REGAFI identifier 62677. 

Registered on the unique Register of intermediaries in insurance, banking and finance, held by  the ORIAS under the number 18007465, on a secondary basis as: non-exclusive agent in  banking operations and payment services (French MOBSP), agent of insurance intermediary (French MIA), tied agent of  investment service provider and agent of intermediary in banking operations and payment  services (French ALPSI). 

Lydia complies with all applicable French and European regulations relating to the protection of  personal data, in particular the European Regulation of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (known as the "GDPR") and the Law of 6 January 1978 relating to information technology, files  and freedoms (known as the "Information Technology and Freedoms Law"). 

Article 2 : Purpose

As the controller of your personal data (hereinafter referred to as "Personal Data"), Lydia wishes  to inform you through this Data Protection Policy about: 

- The categories of your personal data that we collect and process; 

- The objectives for which your data is processed (its purposes) and the data retention periods  associated with each processing operation; 

- The legal bases on which the processing is carried out; 

- Recipients and categories of recipients; 

- Transfers outside the European Economic Area; 

- Your rights regarding your personal data; 

- The security of your personal data. 

This Privacy Policy is directed at and applies to you as an individual customer and prospect of  Lydia. It also applies to you if you are: 

- A person who is interested in Lydia's products, services or content (newsletters, etc.), who  subscribes to Lydia's news alerts, who interacts directly or indirectly with Lydia (via its customer  service or social networks), or who consults the sites or participates in an event organized by Lydia; 

- A candidate interested in the job offers published by Lydia on its website. 

The Data Protection Policy is updated regularly to reflect changes in Lydia's practices and  potential changes in applicable data privacy regulations. Lydia encourages you to review it  regularly for any changes or updates.

Article 3 : Personal data collected and processed

Lydia may collect and process the following categories of personal data: 

- Civil status and identification data: surname, first name(s), gender, date and place of birth,  nationality, videos of both sides of one or several identity document(s), proof of identity, and authentication videos  (which may be subject to biometric processing); 

- Contact information: postal addresses, email addresses, telephone numbers;

- Data related to your personal situation: family situation, marital status;

- Data related to your professional situation: professional situation;

- Economic and financial information: income (amount, sources and supporting documents), tax  residences, financial and tax situation, accounting data, consumption habits and customs; 

- Financial and transactional data (nature of operations, date, card payments, wires, direct debits, amount, description of operations, bank details and other account data aggregated to your Lydia account, etc.);

- Connection data related to the use of our services: identification and authentication data, logs,  cookies and other tracers, navigation data on Lydia's websites and applications; 

- Data from correspondence and communications between you and us, carried out remotely:  interviews and telephone calls, postal and electronic mail, instant messaging, communications on  social networks, claims or complaints or any other type of communication; 

- Connection data, data from the device used to connect to the application and data associated with the use of the Lydia application (such as dates and times of access to the Lydia service, computer or telephone hardware data, data associated with the use of the device, unique identifiers, crash data or cookies).

- Data related to the products and services subscribed (type of product, method of payment,  maturity, amount); 

- Geolocation data (IP address or GPS data of the terminal used); 

- Data and information intended to be communicated to the public and shared with other customers within the Lydia application: profile and wallpaper photos, images, photos related to  operations performed (which may be subject to biometric processing), comments and other messages; 

- Data provided as part of additional services such as loyalty card information provided by the Customer or numbers and email addresses in the Customer's address book (only if the Customer chooses to link his contact directories to the Lydia application in order to know which of his contacts are using the Lydia application, and provided that this transmitted information is stored encrypted, by one-way public key) ;

- Any other information or documents necessary to trace the origin and destination of funds for  transactions made with your account.

This personal data is collected either directly from you by Lydia or, if necessary, indirectly: 

- From the National Directory of Identification of Natural Persons (Répertoire National d’Identification des Personnes Physiques);

- From the tax administration (Direction Générale des Finances Publiques);

- From any judicial or financial authorities, state agencies or public bodies, to the extent permitted by regulation;

- From the financial institution in whose books you have opened an account, which you may aggregate with your Lydia account, in connection with the provision of payment initiation and account information services;

- Through publications and databases made available by official authorities or authorized third  parties, or 

- Through websites and social networks that contain information you have chosen to make public. 

As part of our legal and regulatory obligations to monitor the business relationship, we may also  collect and process information from persons with whom we have no direct relationship: a  member of your family, a close friend, your employer, your legal representative, a personal  contact. The collection and processing of this information is necessary for the purposes of tracing  the origin and destination of funds from transactions made with your account. 

Certain categories of data or data collected by Lydia may be matched in order to better meet the  purposes described in Article 4. Such reconciliations are performed by Lydia in a manner that  ensures that only data that is strictly necessary for the purpose of the processing is used (in  compliance with the data minimization principle, as provided for by the GDPR). 

Article 4 : Purpose of processing and retention period of personal data

1. General provisions 

Lydia processes the categories of personal data referred to in Section 3 on a case-by-case basis  to meet different purposes or goals. Each of these categories is associated with a data retention  period after which the data is no longer used, archived and then anonymized and/or deleted. The  purposes that justify the processing of your personal data are the following: 

- Management of the business relationship, the Lydia account and/or the products and services  subscribed to, in particular for evidential purposes. Your personal data may be kept for a period  of five (5) years from the end of the business relationship or, if applicable, from the end of any legal or collection proceedings and/or the expiration of applicable statutes of limitation.

- The realization of opinion and satisfaction surveys and statistical studies. Your personal data may be kept for a period of three (3) years from the date of the study.  

- The fight against fraud (e.g.: establishment of ratings or scores, detection of atypical  transactions). Your personal data may be kept for a maximum period of five (5) years from the  closing of the file of proven fraud or the issuing of an alert in our systems. 

- Compliance with Lydia's legal and regulatory obligations, including Know Your Customer  obligations, operational risk management (including computer network security, customer  protection, supervision and internal control, transaction security, and security in the use of  international payment networks) financial security obligations (anti-money laundering and antiterrorist financing obligations and obligations relating to sanctions and embargoes), obligations  relating to the determination of your tax status and compliance with related tax regulations, ethics  and anti-corruption; data protection and any other obligations relating to the management and  monitoring of compliance risks. Your personal data will be kept for a period of five (5) years as  from the generating event provided for by the regulations in force (e.g.: as regards activation,  loading and use of electronic money, five years as from the execution of these operations). 

- Prevention and detection of criminal offences and/or taking legal action (e.g. for the  identification of seriously reprehensible behaviour or acts such as violence against Lydia staff).  Your personal data may be retained for a period of five (5) to twenty (20) years, depending on the  nature of the offence, from the date of its discovery. Where legal proceedings are initiated, the  data will be retained until the end of such proceedings and the expiration of any applicable statute  of limitations. 

- The management of dormant accounts and data related to the search for the persons  concerned. Your data may be kept for a maximum period of thirty (30) years depending on the  cases provided for by the regulations in force. 

- The recording of your conversations and communications with Lydia, regardless of the medium  (emails, letters, telephone conversations, etc.). Depending on applicable regulations, your  personal data may be retained for varying periods of time, but not longer than five (5) years from  the time of recording. The recording media or their reproduction will be kept for periods  proportionate to the purpose of the recording in question (from 6 months for staff training  purposes, to 5 years when the telephone recording is likely to be used as evidence). 

- Accounting processing: accounting data may be kept for a period of ten (10) years in  accordance with the legal provisions in force. 

- Cookies and other tracers. The life span of cookies is thirteen (13) months maximum.

- Research or analytical activity for process improvement and model development purposes. Your data may be used to improve our internal control procedures or to assist in risk and compliance management. Data is retained for a specified period of time for each of these sub-purposes.

- Commercial prospecting, the proposal of commercial offers adapted to your situation and your  consumption profile, the realization of promotional offers and games, commercial animations and  advertising campaigns. The data may be kept for a maximum of three (3) years from the end of  the commercial relationship or for prospects, from the last contact. This data may be anonymized  and aggregated in order to establish statistical reports. 

Your data collected and processed in accordance with the above-mentioned purposes may be  kept for an additional period of time if the defense of a right or interest so requires, or in order to  meet the requirements of French or European authorities such as the ACPR or the Autorité des  marchés financiers ("AMF"). In this case, your data will not be used for any other purpose, it will  be kept in intermediate storage and will only be accessible to authorized persons with a need to  know (e.g. legal department, compliance department, audit and inspection bodies). 

2. Specific provisions for remote identity verification 

In order to verify your identity at a distance and to comply with its legal and regulatory obligations relating to identification, verification of identity and knowledge of its customers, Lydia is required to collect the following data directly from you:

- A color video of both sides of your official identity document (national identity card or European  passport or valid residence permit) and, 

- An authentication video, i.e. a video of your face called a "video selfie" taken in color with the front camera of your cell phone, of sufficient quality and brightness and without any digital alteration (presence of filters).

To do so, you must allow Lydia access to the microphone and the front and back cameras of your  cell phone, then film yourself for a few seconds and say a random phrase orally. The recorded  videos are viewed by one of our specially trained staff members for the purpose of authenticating  you. Once authenticated, the video is no longer accessible by our collaborator: it is automatically  stored in a semi-intermediate archive. 

Nota Bene: A specific technical processing of biometric data (as defined in Article 4.14 of the  GDPR), captured during the video of your face, is performed by Lydia for the purpose of verifying  your identity at a distance. This specific technical processing of facial images makes it possible to  confirm the unique identification of a customer based on his physical, physiological or behavioral  characteristics. It also allows the detection of the "living" character of the customer's face to verify  that it has not been physically or digitally altered. These biometric data are considered sensitive  in the sense of the GDPR. In order to use this processing in accordance with Article 9 of the GDPR, we justify a specific need to identify our customers to allow access to our services, under  the control of the Commission Nationale de l'Informatique et des Libertés (known as "CNIL"). 

You are always free to choose whether or not to make an authentication video. You can choose  to perform the alternative identity verification process offered by Lydia, without any additional  constraints, incentives or compensation.

3. Specific provisions for requests deemed sensitive 

Lydia may ask you to take an authentication video (a video selfie of your face) in order to allow you to make requests, deemed sensitive, relating to the modification of your security data and/or during the process of recovering access to your Lydia account (e.g., forgetting your password, changing your phone number, or blocking your account).

To do so, you must allow Lydia access to the microphone and the front and back cameras of your  cell phone, then film yourself for a few seconds and verbally state your request. The recorded  videos are viewed by one of our specially authorized staff members in order to authenticate you.  Once authenticated, the video is no longer accessible by our employee: it is automatically stored  in a semi-intermediate archive. No biometric processing of these images is performed by Lydia. 

You are always free to choose whether or not to make an authentication video. You can choose  to perform the alternative path for processing sensitive requests, proposed by Lydia, without any  additional constraint, incentive or special consideration. 

4. Specific provisions for profiling 

Lydia engages in profiling, which is the process of assessing certain aspects of its customers'  economic situation, personal preferences or interests, behavioral analysis, or location and  movements. 

These profiling processes have different purposes, mainly to secure your operations, to fight  against fraud, to personalize the relationship, for commercial prospecting or to better meet our  obligations relating to the management and monitoring of compliance risks. 

In the case of commercial prospecting, the processing consists in analyzing some of your data in  order to establish profiles that correspond to you. These profiles allow us to send you  personalized offers that are better adapted to your needs, expectations or situation. 

For each of these profiling processes, a thorough analysis is performed to determine whether the  processing should be based on your consent, Lydia's legitimate interest, or another legal basis  (performance of a contract, legal obligation). 

If profiling is based on your consent: we ensure that your consent is obtained, after having  informed you in an explicit and transparent manner about the use of your personal data. We also  allow you to withdraw your consent at any time. 

If the profiling is based on Lydia's legitimate interest: we will have conducted a prior analysis to  ensure, for each proposed processing, that your interests and fundamental rights are respected  and that you have a reasonable expectation that your data will be used in this context. We allow  you to object to such processing at any time, in accordance with the conditions set forth in the  regulations and in the manner described in Article 6. 

5. Specific provisions for fully automated decisions 

In cases where Lydia implements data processing involving fully automated decision-making,  including profiling, and producing legal effects you

We may also use your personal information to process data about you or that significantly affects  you on one of the following legal bases: your consent, the performance of a contract, Lydia's  legitimate interest or a legal obligation. Such processing is carried out in accordance with  applicable regulations and with appropriate safeguards. 

In the event that this profiling has legal consequences for you, you may request the  intervention of a human being, in particular in order to obtain a re-examination of your situation, to  express your own point of view, to obtain an explanation of the decision taken or to challenge the decision. 

6. Specific provisions for cookies and other tracers 

By cookies or other tracers, we mean tracers deposited and read, for example, when consulting a  website, reading an email, installing or using software or a mobile application, regardless of the  type of terminal used. 

You are informed that during your visits to our sites or when using one of our applications,  cookies and tracers may be installed on your terminal equipment. 

Where necessary, we obtain your consent prior to installing such cookies on your terminal  equipment and also when we access data stored on your equipment. 

For more information, you may review Lydia's Tracking and Cookie Usage Policy at any time. 

7. Specific provisions for access to your phone book and phone records 

Telephone conversations between you and our customer service departments (customer service,  compliance, anti-fraud, etc.) may be recorded for the purposes of staff training, evaluating or  improving the quality of our products and services, for evidence in the fight against fraud, money  laundering and the financing of terrorism, and for the purposes of verifying your identity in  connection with the exercise of your rights to your personal data. Before any recording, we inform  you and you have the right to object to it. 

Lydia allows you to link your cell phone's contact list to the Lydia application to find out which of your contacts use our services as you do. To do this, we need to collect the numbers and email addresses in your address book. We do not further process this data (only a fingerprint and not a collection of raw data is done). This information is transmitted and stored encrypted, using a one-way public key. You can disable this feature at any time in the Lydia application.

Article 5 : Legal basis for carrying out data processing

The processing carried out by Lydia is based on one of the following legal bases: 

- Fulfillment of the contract concluded with you (for example: the management of an electronic money or payment account, the delivery of means of payment, the subscription to an insurance in case of loss or theft of payment means, information on transactions made via Lydia).

● This legal basis is the basis for the processing of the following data: personal data, identification data, contact details, data relating to your personal and professional situation and  economic and financial information, financial and transactional data, data relating to the  products and services subscribed to and data from correspondence and communications  between you and us. 

● The purposes of such processing are: the management of the business relationship, the Lydia account and/or the products and services subscribed to, the management as well as the setting up of associated insurance, the provision of information concerning Lydia services (updating of contracts / terms of use of the services or information relating to the execution of Lydia services).

- Compliance with the legal and regulatory obligations incumbent on Lydia as an electronic money institution authorized to provide payment services.

● This legal basis is the basis for the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation,  economic and financial information, financial and transactional data, data relating to the products and services subscribed to, data from correspondence and communications between  you and us and any other information or document necessary for the research of the origin  and destination of the funds of the operations carried out with your account. 

● The purposes of this processing are: customer knowledge, operational risk management,  constant vigilance over the business relationship, the fight against money laundering and the  financing of terrorism, the application of sanctions and embargoes, obligations linked to the  determination of your tax status and compliance with associated tax regulations, ethics and the  fight against corruption, the management of dormant accounts and data linked to the search  for the persons concerned, data protection and all other obligations relating to the  management and monitoring of compliance risks. 

- Pursuit of Lydia's legitimate interests (e.g., commercial prospection, surveys and personalized  communications, fraud prevention, analysis of customer usage of Lydia's services and  application, or building datasets to test the effectiveness of Lydia's compliance tools). 

● This legal basis is the basis for the processing of the following data: civil status data,  identification data, contact details, data related to your personal and professional situation,  economic and financial information, financial and transactional data, data related to the  products and services subscribed to, connection data related to the use of our services,  cookies, data resulting from correspondence and communications between you and us and  geolocation data. 

● The purposes of this processing are: prevention of fraud, prevention of non-payment, collection and management of litigation (amicable, overindebtedness and legal disputes), management of claims, management of estates, fight against financial crime, prevention and management of incivilities towards our employees, security of our networks, surveillance of our premises, in particular by means of a video surveillance system, analysis of our risk in terms of entering into business relations, research and development activities, the management of statistical studies and satisfaction surveys for the purpose of improving customer knowledge, commercial prospecting, profiling and marketing segmentation and our communication activities.

● The choice of this legal basis is made after a careful balancing of the interests pursued by  Lydia with your interests, if you are concerned by the processing, and the assessment of  reasonable expectations in this respect. We put in place safeguards to protect your interests,  rights and fundamental freedoms (e.g., rights to information, right to object and right to limit processing). 

- Consent for specific processing operations.

● This legal basis is the basis for the processing of the following data: personal data, identification data, contact information, data related to your personal and professional situation, economic and financial information, financial and transactional data, data related to the products and services you have subscribed to, connection data related to the use of our services, data resulting from correspondence and communications between you and us, geolocation data, data and other information intended to be communicated to the public and shared with other customers within the Lydia application.

● The purposes of this processing are: commercial prospecting by postal mail or email, by text message, by telephone call, the deposit and reading of advertising cookies, the management of promotional offers and games and the hosting of public communication areas within the Lydia application.

- The legitimate interest of the customer (e.g., the constitution of data sets to test the  effectiveness of compliance tools implemented by Lydia, the recording of a portion of customer  calls in order to evaluate the quality level of our services, the fight against fraud, the management  of rewards programs and in particular "cashback" (discount/refund)) 

● This legal basis is the basis for the processing of the following data: personal data, identification data, contact data, data related to your personal and professional situation, recordings of part of the customer calls.

● The purpose of this processing is to evaluate the quality of Lydia's services, to improve the user experience, to prevent fraud, to communicate with Lydia's support and anti-fraud teams.

● The choice of this legal basis is made after a careful balancing of the interests pursued by  Lydia with your interests, if you are concerned by the processing, and the assessment of  reasonable expectations in this respect. We put in place safeguards to protect your interests,  rights and fundamental freedoms (e.g., rights to information, right to object and right to limit  processing). 

Article 6 : Recipients

Your personal data may be communicated according to the purposes pursued: 

- To Lydia's partners, principals, agents, intermediaries and insurers, subcontractors and service  providers (Floa, PayLead, Treezor, Bitpanda, Braze, Google Cloud Platform). This  communication only takes place in the context of a processing operation that pursues one of the  purposes described in article 2;

- In compliance with applicable regulations, to third parties in France or abroad for the purpose  of establishing, safeguarding or defending a right in court, in the context of administrative or  criminal investigations by one or more regulators, to ensure compliance with commitments made  to them or in the context of legal proceedings of any kind. 

- To certain regulated professions such as auditors, lawyers, in order to provide regulatory  reports or to act in defense of our rights. 

- To payment originators and account information service providers, only with your consent or at  your request (examples: Budget Insight, Tink).

Under article L. 511-34 of the French Monetary and Financial Code, the personal information collected may be transmitted by our partners to other entities belonging to the same group of companies (branches and subsidiaries).

Article 7 : Your rights

Under the conditions and within the limits authorized by the applicable regulations you have the  following rights: 

- Access your personal data, 

- To have your personal data rectified, updated and deleted, it being specified that deletion can  only occur when: 

  • Personal data is no longer required for the purposes for which it was collected or otherwise  processed, 
  • You have withdrawn your consent on which the processing was based and there is no  other legal basis for it, 
  • You have objected to the processing of your data for reasons relating to your particular  situation and there is no compelling legitimate reason to continue, 
  • Personal data have been processed unlawfully, 
  • Personal data must be deleted in order to comply with a legal obligation under EU law or  under French law to which Lydia is subject, 

- Object to the processing of your personal data for reasons relating to your particular situation, where there is no compelling legitimate reason to continue,

- Oppose the processing of your personal data for commercial prospecting purposes, including  profiling related to this prospecting (see Article 8); 

- Receive the personal data about you that you have provided to us, for automated processing  based on your consent or the performance of a contract, and request the portability of such data  to a third party, 

- Request a restriction on the processing of your personal data by us when: 

  • You challenge the accuracy of the personal data for a period of time that allows the data  controller to verify the accuracy of the personal data, 
  • You object to the deletion of your data when the processing is unlawful,
  • We no longer need the data but they are still necessary for the establishment, exercise or  defense of legal claims, 
  • You have objected to the processing of your data, during the verification of whether Lydia's  legitimate reasons override yours. 

- Where processing is based on your consent, withdrawal of that consent at any time, and there is no other legal basis for it. 

In addition, you have the option of providing us with instructions regarding the retention, deletion  and disclosure of your data after your death, which instructions may also be registered with a  "certified digital trusted third party." These instructions may designate a person to carry out the  instructions. These rights cannot, however, have the effect of infringing on the rights of heirs or  allowing the communication of information to which only the latter may legitimately have access. 

You can exercise your rights and contact Lydia's Data Protection Officer as follows: 

- By mail sent to the following address: Lydia Solutions, Data Protection Officer, 14 avenue de l'Opéra, 75001 Paris, France.

- By email sent to the following address: dpo@lydia-app.com. 

Finally, you have the right to lodge a complaint with the CNIL (3, place de Fontenoy - TSA 80715  - 75334 PARIS CEDEX 07 - www.cnil.fr), the supervisory authority in charge of compliance with  personal data obligations in France. 

Article 8 : Commercial prospecting

1. Commercial prospecting by email and automatic call machine 

If you are a natural person not acting for professional purposes, we may prospect you by email,  automatic call machine or SMS/MMS when you have given your consent at the time of the  collection of your email address or your personal details, or when you are already a customer  and the prospecting concerns products or services similar to those already subscribed. Each  commercial prospecting email contains a link allowing you to unsubscribe. 

If you are a natural person acting in a professional capacity, your email address may be used to  send you commercial prospecting by email for purposes related to your profession. You may at  any time exercise your right to object to commercial prospecting. 

Generic business addresses assigned to a legal entity (company) are not subject to the principles  of consent, prior information and the right to object. 

Messages and notifications related to the administrative management of a product or service  previously subscribed to (alerts, changes in contractual and pricing documentation, etc.) are not  considered commercial prospecting. 

The settings of the messages and notifications that you may receive from us can be made within  the framework of the subscribed service, it being understood that some of these notifications may  come under regulatory obligations and present an imperative character.

2. Telephone prospecting 

We may also have to prospect you by telephone. In accordance with Article L.223-2 of the Consumer Code, you are informed that you can register on Bloctel, the list of opposition to telephone canvassing. However, despite this registration, we may contact you by telephone if there is an ongoing contractual relationship, unless you have previously objected or if you object at the time of the call.

Article 9 : Transfers outside the European Economic Area (EEA)

The processing of your personal data by Lydia in accordance with the agreed purposes (see  Article 5) may involve transfers to countries outside the European Economic Area (EEA), whose  personal data protection laws differ from those of the European Union. 

In particular, your personal data may, to the extent permitted by applicable regulations, be  communicated to official bodies and authorized administrative and judicial authorities of non-EEA  countries, in particular in the context of regulations on the fight against money laundering and the  financing of terrorism, international sanctions and embargoes, the fight against fraud and the  determination of your tax status. 

When personal data is transferred to countries outside the EEA, a precise and demanding legal  framework governs this transfer, in accordance with the applicable European regulations, in  particular by the signing of standard contractual clauses approved by the European Commission.  In addition, appropriate security measures are put in place to ensure the protection of personal  data transferred outside the EEA. 

The standard contractual clauses are available on the CNIL website (www.cnil.fr). 

For more information regarding these international transfers of personal data, you may contact  Lydia's Data Protection Officer as described in Section 7 hereof.

Article 10 : Security

Lydia takes all necessary physical, technical and organizational measures to protect the  confidentiality, integrity and availability of your personal data, including against loss, accidental  destruction, alteration and unauthorized access. 

Lydia also takes great care to maintain a high standard of security and confidentiality of your personal data by educating our employees and business partners and training our employees on data protection, by implementing content controls, and by implementing tools and practices aimed at obfuscation, anonymization, encryption and data wiping to ensure the protection of your personal data from internal and external data leakage risks.

In case of violation of your personal data, presenting a risk for your rights and freedoms, we will  notify the CNIL within the regulatory deadline. In the event that this violation presents a high risk  to your rights and freedoms, we will promptly inform you of the nature of the violation and the steps taken to remedy it. 

Article 11 : Lydia's status as host

Lydia hosts public communication areas that allow you to participate in discussion forums, instant messaging systems or post content. These public communication areas are places over which Lydia has no control and over which only you and other customers have control and can publish. Therefore, Lydia cannot be considered as a content publisher but exclusively as a host whose mission is to provide its customers with technical means to directly and permanently store information intended to be communicated to the public. In this respect, Lydia complies with the definition of article 6.I.2 of the law n° 2004-575 of June 21, 2004 for confidence in the digital economy ("LCEN").

Paragraph 5 of I of Article 6 of the LCEN states that: 

"Knowledge of the disputed facts is presumed to have been acquired by the persons designated in 2 (of article 6 I 2 of the LCEN, i.e. the hosts) when they are notified of the following elements: the date of the notification; if the notifier is a natural person: his surname, first names, profession, domicile, nationality, date and place of birth; if the applicant is a legal person: its form, name, registered office and the body that legally represents it; the name and domicile of the addressee or, if it is a legal person, its name and registered office; the description of the disputed facts and their precise location; the reasons for which the content must be removed, including the legal provisions and justifications of the facts; a copy of the correspondence addressed to the author or publisher of the litigious information or activities requesting their interruption, removal or modification, or the justification that the author or publisher could not be contacted."

Once Lydia has been notified of the allegedly illegal or indelicate nature of a content under the  conditions provided for in paragraph 5 of I of Article 6 of the LCEN indicated above, we will  promptly implement the necessary measures to ensure that the content is no longer accessible.  These measures may range from deletion of the content to temporary or permanent banning of  the content hosting service in view of the seriousness and repetition of the infringements found.  

Lydia also does not carry out general monitoring of content beyond assisting in the repression of, among other things, crimes against humanity, incitement to racial hatred and child pornography, incitement to violence, including incitement to violence against women, and offenses against  human dignity in accordance with the provisions of paragraph 7 of Article 6 of the LCEN. 

In addition, Lydia is not responsible for the content it hosts and will not be liable or responsible for any activity or information stored at your request if it did not have actual knowledge of the unlawfulness of the content or of facts and circumstances indicating that it was unlawful or if, upon becoming aware of such unlawfulness, it acted expeditiously to remove or disable access to the content. In this regard, Lydia reserves the right to remove or suspend access to any content upon receipt of a notification or if it has actual knowledge of the manifestly unlawful nature of the content. Lydia shall not be liable for such removal. In any event, Lydia will not be liable in any way for any content you share.

Article 12 : Cashback service

12.1. General provisions

Lydia collaborates, under mandate, with payment and electronic money institutions and account information service providers approved by the ACPR, all of which are jointly responsible for processing the personal data of Customers, in accordance with Article 26 of the GDPR. 

Thus, Lydia and these institutions jointly define the purposes and means of such processing. Customers' personal data are only shared with these joint controllers for the purpose of performing the contracts established with Lydia.

The list of these service providers is set out below:

  • Powens enables Lydia to provide its bank account aggregation and linked account information services to Customers. Powens' Privacy Policy is available here.
  • Tink AB also allows Lydia to provide bank account aggregation services and information on linked accounts of Lydia Customers. Tink AB’s Privacy Policy can be found here.
  • Treezor is an issuer of Lydia IBANs. Treezor's Privacy Policy can be found here.

Lydia and these entities are bound by mutual disclosure obligations, including with respect to the following events: 

  • Any breach of Customer personal data;
  • Any use of a new sub-contractor processing Customer personal data outside the European Economic Area (EEA) and on behalf of Lydia.

In the course of providing additional optional services, Lydia may also disclose your personal data to partners (such as BitPanda, PayLead and Floa). Please note that PayLead analyses your bank transaction data to provide you with personalised offers based on your transaction history and spending habits.

Lydia may also communicate the personal data of its Customers to one of its suppliers or partners, provided that these data have been anonymised beforehand. This anonymisation consists in removing the following elements: first and last name, email address, telephone number, postal address and any other element that would allow the Customer to be identified or contacted directly.

All personal data of Lydia's Customers are covered by professional secrecy under the conditions of Article L.511-33 of the Monetary and Financial Code.

These partners only have access to data that is strictly necessary for the performance of the contracts established with Lydia.

12.2. Provisions specific to the cashback service

To provide the Cashback Service, Lydia and its partner PayLead act as joint processors. 

PAYLEAD is a société par actions simplifiée (simplified joint stock company) whose registered office is located at 9 rue de Condé, 33064 Bordeaux (France), registered with the Registre du Commerce et des Sociétés (RCS) of Bordeaux under number B 821 725 579. 

PayLead and Lydia have jointly determined how the Cashback Service operates and how your personal data is used to provide that service.

PayLead also acts as an independent data controller for the further processing set forth in Section 1.

1. Purposes of Processing

The purposes for which we use your personal data and the legal basis for doing so are detailed in the table below. The operations carried out on the basis of the performance of the contract are essential for the provision of the Cashback Service.

| GENERAL PURPOSE | PROCESSING | RESPONSIBLE PARTY | LEGAL BASIS |
|---|---|---|---|
| Implementation of the Cashback Service | Sending bank transactions to PayLead | Lydia | Contract performance |
| | Data analysis for establishing user profile and corresponding deals | PayLead | Contract performance |
| | Data analysis for Cashback generation and management based on transaction history | PayLead | Contract performance |
| | Transaction data analysis for geographical coherence of deals displayed to the user | PayLead | Contract performance |
| | Analysis of personalised user experience data based on user purchasing preferences | PayLead | Consent |
| | Sending Cashback to the user | Lydia | Contract performance |
| | Technical support for user claims | PayLead | Contract performance |
| | Creation of statistics on the performance of deals and of Cashback Service | PayLead | Contract performance |
| Regulatory compliance | Managing user requests regarding GDPR | Lydia and PayLead | Legal obligation |

The Cashback Service is based on the analysis of your bank transactions: based on the displayed offer catalog, PayLead identifies the transactions that are eligible for a cashback payment.

PayLead also analyzes your bank transaction data to provide you with personalized offers based on your transaction history and spending habits. The eligibility criteria for the offers are defined by the retail partners and Lydia. 

The essence of the Cashback Service is thus to allow you to use your banking data to benefit from personalized and relevant offers from the partner companies.

Further processing (in accordance with Article 13.3 of the GDPR)

PayLead uses your personal data for the further processing described below. These further processing operations are carried out by PayLead on its own initiative and under its sole responsibility.

| GENERAL PURPOSE | PROCESSING | LEGAL BASIS |
|---|---|---|
| Regulatory compliance | Archiving data that enabled the cashback - for administrative control and potential litigation | Legal obligation |
| Commercial use | Creating reports and statistics for partner companies on the monitoring of deals and their performance | Legitimate interests |
| | Creating aggregated and non-nominative statistics for commercial use purposes | |
| Security and services performance | Operation, security and updating of Paylead's technical platforms | Legitimate interests |
| Monitoring and improvement of services | Creating aggregated and non-nominative statistics for monitoring the use and quality of Paylead services | Legitimate interests |

As required by applicable regulations, we have verified that the pursuit of our legitimate interests does not infringe on the rights and freedoms of users:

  • A user can reasonably anticipate that PayLead is required to report to the partner companies on the performance and monitoring of offers.
  • The studies conducted by PayLead do not focus on an individual person, but on a set of aggregated and non-nominative data.
  • PayLead's studies are based on pseudonymized data.

2. Personal data processed 

The following personal data are provided to PayLead by Lydia: 

  • Name of your bank
  • Bank transactions: transaction name, date, place, amount, merchant, truncated PAN number (last 4 digits)
  • Unique user ID (token)

PayLead identifies you only through a unique user ID, called a "token", consisting of a series of numbers and letters. This is called pseudonymization.

Through the analysis of your banking data, PayLead also processes your consumption habits (your favorite brands, your favorite stores, the usual geographical areas of your purchases, your average basket), your average salary, your exceptional income or life events that can be deduced from your purchases (such as marriage, birth, etc.).

As part of the support process, we process additional personal data of any kind that you may provide to us. Please limit the information shared to what is necessary, including what is required by us to respond to your request.

3. Retention Periods

Your personal data is used for a specific period of time, strictly limited to the purposes for which it was collected:

  • Your bank transaction data is deleted after 2 years (from the transaction date) if it has not generated the payment of a cashback;
  • Your transaction data is deleted after 5 years (from the transaction date) if it has generated the payment of a cashback.

When you decide to unsubscribe from the Cashback Service, PayLead will delete all of your personal data, except for data related to the payment of a Cashback, which will be retained for the 5-year period mentioned above.

4. Communication to third parties

Your personal data is only accessible to PayLead personnel who need to know it in order to perform their duties and provide the Cashback Service.

Certain third parties may have access to your pseudonymized (or anonymized where applicable) personal data:

  • PayLead's possible subcontractors and service providers acting for technical and logistical reasons related to the proper performance of the Cashback Service (such as a payment service provider, external security auditors, etc);
  • Partner Companies to whom PayLead communicates a record of transactions that have generated a cashback (amount, time stamp, truncated PAN if applicable).

5. Storage of personal data

Your personal data is hosted and processed by PAYLEAD exclusively in the European Union. However, PayLead reserves the right to use certain service providers outside the European Economic Area (EEA). In this event, PayLead will inform you of such transfers outside the EU and ensure that your personal data is properly protected in accordance with the requirements of the GDPR. Upon request, PayLead will provide you with a copy of the applicable safeguards.

6. Security Measures

PayLead uses technical and organizational measures that comply with legal and regulatory requirements to keep your personal data secure and confidential, including:

  • pseudonymization of data: PayLead does not know your identity directly
  • implementation of a policy for managing access rights to our tools and databases
  • implementation of a logs policy
  • data encryption
  • anti-virus
  • carrying out intrusion tests
  • anonymization of data when possible
  • training of PayLead employees in data security and privacy

Under written agreements, PayLead requires its service providers and subcontractors to implement strong security measures to protect the personal data they process on behalf of PayLead.

7. Exercising your rights

Current regulations allow you to maintain control over your personal data. As such, you have the following rights:

  • Right of access: you have the right to obtain a copy of all personal data we hold about you.
  • Right of rectification: you may request that your personal data be updated if it is incorrect.
  • Right to object: you have the right to object, in certain cases, to the use of your personal data. Only processing based on the legal basis "legitimate interests" can be objected to by you. You must justify the legitimate reasons why you wish to object to the use of your personal data by PayLead.
  • Right to withdraw your consent: If you have given your consent to a specific processing, you may withdraw that consent at any time, without justification. Withdrawal of consent is only valid for the future.
  • Right to limit processing: you have the right to request, in certain cases, to suspend or limit all or part of the processing carried out on your personal data.
  • Right to be forgotten: you can ask, in certain cases, for the deletion of all your personal data.
  • Right to portability: you can ask to have your personal data returned to you in an understandable and readable format.
  • Right to object to profiling and automated individual decision: you have the right to object at any time to the profiling processing carried out on your personal data for direct marketing purposes.

Please note that the exercise of certain rights may result in your unsubscribing from the  Cashback Service insofar as certain processing is essential for the provision of the service.

In order to respond to your request, we may ask you to provide us with proof of your identity and/or additional supporting information.

We will make every effort to respond to your request as soon as possible.

You may exercise your rights by contacting Lydia at the address mentioned in Article 7 and/or PayLead at:

PAYLEAD

To the DPO

58 bis rue de la Chaussée d'Antin, 75009 PARIS

dpo@paylead.fr

You may contact Lydia and/or PayLead, who will jointly respond to your request. Please note, however, that since PayLead does not have direct knowledge of your identity, it is recommended that you address your initial inquiry to Lydia.

Finally, you may file a complaint with the CNIL, the French National Data Protection Authority (Commission Nationale Informatique et Libertés), located at 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 (more information at www.cnil.fr).