FINTECTURE Privacy Policy

March 20, 2023 version

INTRODUCTION

The protection of personal data is a major concern for FINTECTURE. We are therefore committed to handle the Personal Data we process with the utmost transparency and in accordance with the applicable French and European regulations (hereinafter the " Applicable Regulation ") and in particular the Regulation (EU) 2016/679 of 27 April 2016 (hereinafter the " RGPD ") and the Law n° 78-17 of January 6, 1978 as amended by the law of June 20, 2018 (hereinafter the " Data Protection Act ").

The terms " Personal Data "(hereinafter " Data "), " Processing ", " Processor ", " Subcontractor ", " Recipient "and " Data Subject used in this Privacy Policy (hereinafter the "Policy"). Policy ") refer to the terms defined inArticle 4 of the GDPR.

The Policy presents the way in which FINTECTURE SAS, a payment institution, authorized and supervised by the ACPR under number 17248, having its registered office at 5 avenue du général de gaulle 94160 Saint-Mandé, and registered with the Créteil Trade and Companies Register under number 834 500 548 (hereinafter " us "), processes your personal data in its capacity as data controller in accordance with the Applicable Regulations. The Policy will also enable you to understand how to exercise your rights under the Applicable Regulations.

To ensure that FINTECTURE processes your personal information in accordance with the Applicable Regulation and this Policy and to answer any questions you may have regarding FINTECTURE's Processing of your Data, we have appointed a Data Protection Officer (hereinafter "DPO") to assist us in the processing of your personal information. DPO ") who can be contacted by email at dpo@fintecture.com.

1. WHO IS AFFECTED BY THE DATA PROTECTION POLICY?

You are affected by the Policy if you are :

- A user of FINTECTURE services (hereinafter referred to as "User User A User of FINTECTURE services (hereinafter "User"), i.e. a natural person or the representative of a legal entity (company, public authority...) using the FINTECTURE solution to make a payment to a merchant or to benefit from a payment or refund from a merchant;

- A FINTECTURE customer (hereinafter referred to as "FINTECTURE Customer A FINTECTURE Customer (hereinafter "Customer"), i.e. a natural person or the representative of a legal entity who has entered into or is in the process of entering into a service contract with FINTECTURE to collect payments and/or make payments or refunds;

- A FINTECTURE prospect (hereinafter referred to as a " Prospect A FINTECTURE prospect (hereinafter "Prospect"), i.e. the representative of a legal entity likely to be interested in FINTECTURE's services;

- A visitor to the FINTECTURE website (hereinafter referred to as "the Visitor ").

2. WHAT DATA DO WE PROCESS?

In the context of the Processing that we carry out, we may process the following categories of Data

People involved	Categories of data processed
User	- Collected data transmitted by the merchant: last name, first name, email, postal address, phone number (optional), payment transaction amount, currency, payment transaction beneficiary, order reference (in case of refund) ; - Data collected from you or generated by FINTECTURE (e.g. when you provide it to us via the payment module): name of your bank, account number / IBAN, date of the payment transaction, payment transaction reference, internal User number, data related to your payment account when you authorize us to access it as part of our account information services, IP address, technical information related to the device/browser used when you use our services ; - Data transmitted by your bank: account number / IBAN, information about the status of the payment transaction initiated by FINTECTURE (in the context of a payment) ; - Where applicable, information about your correspondence with us, via our website or by email, telephone or post; - Information about your interactions with the conversational tool: browser location, tool navigation data, conversations with the tool.
Customer	- Contact information: last name, first name, email, telephone number and postal address of the company, information about your company; - Identity verification information, such as your identity documents and residence; - Information about how you use our services and how a specific service is used; - Information about your correspondence with us, via our website or by email, telephone or post; - Technical information about the device/browser used when you use our services; - Information about your interactions with the conversational tool: browser location, tool navigation data, conversations with the tool.
Brochure	Telephone or e-mail contact details of the Prospect, information about the legal entity.
Visitor	- Connection data and technical information about the device used when you visit our website; - Where applicable, information about your correspondence with us via our website or by email, telephone or post.

However, unless required by law, we do not process "sensitive" Data. sensitive We do not process "sensitive" Data, i.e. Data that reveal racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data for the purpose of uniquely identifying a natural person, personal data concerning health, or personal data concerning a natural person's sex life or sexual orientation.

3. WHY DO WE PROCESS YOUR DATA?

We process your Data for the following purposes and in accordance with the following legal bases:

Goals	Legal basis (Article 6.1 of the GDPR)
Creation and management of your FINTECTURE customer account (including the associated accounting).	Processing necessary for the performance of our contract with you
Provision of our payment services as a payment institution (payment initiation and account information services) to our Customers and Users.
Management of your possible requests to the customer service.
Facilitation of subsequent payments by our Users.	Processing carried out on the basis of your consent
Compliance with anti-money laundering and terrorist financing obligations, monitoring of politically exposed persons and sanctions lists to which we are subject. When, as a Customer, you choose to use our payment service provider partner to open a payment account in your name in the partner's books, we act as a non-exclusive intermediary in banking and payment services (IOBSP) mandated by the partner, by collecting and transmitting to the partner the information and documents you provide to us for the opening of the account and facilitate the subscription of the payment services offered by the partner. This information and documents requested by the partner are necessary to comply with the obligations of vigilance and reporting of suspicious transactions to the competent authorities applicable to the fight against money laundering and the financing of terrorism as defined in Articles L561-1 et seq. of the Monetary and Financial Code.	Processing necessary to meet our legal obligations
Compliance with other laws or regulations applicable to the financial sector, including the implementation of the internal control system.
Informing Users and Clients of the status of initiated payments.
Prevention, investigation and detection of payment fraud, in order to secure payments and limit the risk of unauthorised transactions.	Processing carried out in accordance with a legitimate interest of FINTECTURE
Provision of a conversational tool between Fintecture's support department and Clients to provide you with relevant, accurate and personalised information.
Understanding the use of our services in order to improve them.
Management of possible claims and disputes, in order to defend our rights.
Sending marketing communications to our Customers by email or other agreed form of communication, to ensure that you are always up to date with our services. We will respect your right to object and your stored marketing preferences.
Commercial prospecting to develop our business.

However, we do not process any Data that leads to an automated decision that has legal effect, concerns you or significantly affects you.

4. HOW LONG WILL YOUR DATA BE KEPT?

We keep your Data for the period of time necessary for the purpose of the Processing. In particular, the Data processed by FINTECTURE are kept for the following periods:

Data concerned	Shelf life
Data related to the management of your FINTECTURE customer account as well as those related to the processing of your possible requests to the customer service.	Duration of the contract with you.
Data concerning the contractual relationship between Fintecture and its Clients.	10 years from invoice payment (for payment and billing data) and at the end of the contract (for contract data).
Data related to a payment transaction (payment or refund).	Thirteen (13) months from the confirmation of the execution of the payment transaction
Data required to comply with our obligations to combat money laundering and terrorist financing and to monitor politically exposed persons and sanctions lists.	Documents and information relating to the business relationship are kept for five (5) years after the end of the business relationship. The data relating to a payment transaction is kept for five (5) years as from their execution.
Data used for payment fraud prevention.	Maximum twenty-four (24) months from the date of collection. In the event of a proven fraud, the data relating to the fraud is kept for a maximum of five (5) years
Data necessary for the management of a dispute or a claim.	Applicable statutory limitation/forclosure periods.
Data relating to the personalisation of our services and the use of our services.	Duration of the contract with you.
Data about your use of the conversational tool.	Duration of the contract with you.
Data relating to the sending of marketing communications to our Customers and Prospects.	Three (3) years maximum from the end of the commercial relationship with the Client or the last contact with the Prospect.

5. WHO HAS ACCESS TO YOUR DATA?

As a payment institution, we are bound by professional secrecy and may only share your Data under strict conditions or with your consent.

As such, only members of the staff FINTECTURE staff members duly authorized are likely to access the Data. These persons are subject to strict obligations of security and confidentiality.

In addition, we only share your Data with External Recipients to the following recipients:

- To entities involved in the payment transaction you initiated or for which you are the beneficiary. The Data necessary for the initiation of a payment or the reimbursement of a transaction by FINTECTURE are communicated in a secure manner to your bank. Within the framework of a request for payment or refund of a transaction carried out via the services of FINTECTURE, your IBAN is likely to be accessible by the merchant with whom you placed the order as well as by his bank. For operational reasons, your name and email address may be communicated in a secure manner to the merchant with whom you place the order. This allows for the reconciliation of your payment with your order and the more efficient processing of your purchase order.

- To our external service providers and suppliers acting on our behalf as Subcontractors, in accordance with our documented instructions and for the sole purpose of carrying out the Processing for which it was originally collected. These contractors are not permitted to sell or disclose your Data to third parties. Examples include the host of your Data (Google Cloud Platform) or the provider of email delivery in connection with the use of our services.

- To certain regulated professions such as lawyers, notaries or auditors.

- to law enforcement or any administrative or judicial control authority or authorized third party in order to comply with the legal and regulatory obligations to which we are subject (for example to report illegal activity) or in the context of litigation to protect us against any infringement of our rights.

6. WHERE IS YOUR DATA STORED?

We store and process your Data in data centers located in the European Economic Area (EEA). In addition, Data related to payment transactions is not transferred outside the EEA or a country covered by Article 45 of the GDPR.

When you use the conversational tool provided to you, the Data related to the use of this tool is transferred to the United States by our provider on the basis of the European Commission's standard contractual clauses.

FINTECTURE may extend its activities outside the EEA and offer services or address customers in countries outside the EEA. If you are concerned by the services or become a Customer and you reside in a country outside the EEA, FINTECTURE will ensure that the transfer of your Data to your country of residence is subject to adequate safeguards or one of the exceptions provided for by the Applicable Regulation and in particular the principles set out in Chapter V of the GDPR.

7. HOW DO WE ENSURE THE SECURITY OF YOUR DATA?

Respect for privacy, banking secrecy and the security and confidentiality of your Data is our priority. In this respect, we implement, with regard to the nature of the Data and the risks presented by the Processing, all appropriate technical and organisational measures to protect our information systems as well as the Data concerning you against any unauthorised access, modification, disclosure or destruction of the Data under our responsibility. In particular, we implement and use encryption mechanisms for this purpose, especially for the transmission of Data.

In accordance with our commitments, we choose our subcontractors and service providers with care and make every effort to use only subcontractors with sufficient guarantees to ensure the protection of your Data. We undertake to enter into contracts with our subcontractors, in accordance with legal and regulatory obligations, which precisely define the terms and conditions of the processing of personal data, as well as our obligations and rights as data controller.

As the security and confidentiality of the Data depends on the good practices of each individual, we remind you that you are responsible for the security of your account access identifiers. Do not share it with anyone. WE NEVER ASK FOR YOUR CREDIT CARD DETAILS OR PASSWORDS TO ACCESS YOUR BANK ACCOUNT.

Please always verify that the site on which you are asked for financial or payment information in connection with our services is operated by either FINTECTURE or your bank. If you receive a suspicious request, do not provide your information and report it by contacting our customer service.

8. WHAT ARE YOUR RIGHTS TO YOUR DATA?

As a Data Subject, you may at any time, within the limits provided for by the Applicable Regulations, request to exercise the following rights in relation to your Data processed by FINTECTURE:

- Right of access Right of access: you can ask FINTECTURE to confirm whether or not your Data are processed and, if so, you can ask to receive a copy of all your Data;

- Right of rectification Right of rectification: You may ask FINTECTURE to rectify or update incorrect or incomplete Data about you. In this case, we may ask you to verify the new Data provided;

- Right to erasure in certain cases provided for inArticle 17 of the RGPDyou may request FINTECTURE to delete your Data. The Applicable Regulation provides for exceptions to the exercise of this right, in particular when processing is necessary to comply with a legal obligation that requires the Processing of your Data, such as the fight against money laundering and terrorist financing.

- Right to object In accordance with Article 21 of the GDPR, you may object at any time on grounds relating to your particular situation to the Processing of your Data based on our legitimate interest, including for profiling purposes, unless compelling legitimate grounds prevail or for the establishment, exercise or defence of legal claims. Where your Data is processed for the purpose of canvassing, you have the right to object at any time to such Processing, including to profiling related to such canvassing;

- Right to limitation in certain cases provided for inArticle 18 of the GDPRyou can ask FINTECTURE to limit the processing of your Data to certain purposes and under several conditions;

- Right to portability Right to portability: Where Data is required for the performance of a contract with you or is processed on the basis of your consent, you may request FINTECTURE to provide you with your Data in a structured, commonly used and machine-readable format. Where technically possible, you also have the right to have your Data transmitted directly to a third party;

- Withdrawal of your consent When your Data is processed on the basis of your consent, you can withdraw this consent at any time, in particular to unsubscribe from our newsletter or to stop receiving marketing communications;

- Right to make post-mortem directives under the conditions provided for in articles 84 to 86 of the Data Protection ActYou can define and transmit to us directives relating to the conservation, the erasure and the communication of your Data after your death. These directives are general or particular.

You can exercise your rights by sending an email to our Data Protection Officer at the following address contact@fintecture.com .. A means of identification may be requested in case of doubt concerning your identity and we may ask you for additional information or documents depending on the rights exercised.

If you believe, after having contacted us that your rights have not been respected, you have the right to file a complaint with a supervisory authority, in particular with the Commission Nationale de l'Informatique et des Libertés (CNIL).

9. COOKIE MANAGEMENT

When you use our products and services, we may use the standard practice of placing tiny data files called cookies or other tracers and tracking tools on your computer or other devices that you use when you interact with us ( Cookies ").

The conditions of use of these cookies are detailed in our Cookie Management Policy.

Transfer solutions

For your business