Privacy poliy - GDPR

As an Electronic Money Institution authorized by the ACPR (authorization no. 17138), CENTRALPAY processes personal data in accordance with the General Data Protection Regulation (GDPR – EU 2016/679) and applicable French law.

This policy clearly and transparently outlines the processing of personal data carried out.

Last updated: May 6, 2026

Données collectées

CENTRALPAY collects only the data strictly necessary to provide its payment services and to comply with its legal and regulatory obligations.

Identification data

  • Last name, first name, title
  • Date and place of birth
  • Nationality
  • Status (executive, legal representative, UBO)

Identification data

  • Email address
  • Phone number (mobile or landline)
  • Business or personal mailing address (as applicable)

Payment data

  • Bank details: IBAN and BIC
  • Card details: card number (collected only in a PCI DSS-secured environment and immediately tokenized), expiration date, card type (Visa, Mastercard, etc.), issuing country, last 4 digits
  • Important: CENTRALPAY never exposes the full number or the security code to the merchant

Transaction data

  • Transaction ID, date and time
  • Amount, currency, payment status
  • Order reference (orderId)
  • Transaction history (one-time, recurring, split payments, refunds)

Security and anti-fraud data

  • Connection IP address
  • Technical fingerprint of the device (browser, language, screen resolution) during 3DS authentication
  • Internal anti-fraud results and scores
  • Any monitoring status (technical blacklist)

KYC/AML-CFT compliance data

  • Identification documents (ID card, passport, residence permit)
  • Proof of address (utility bill, rent receipt)
  • Company legal documents (Kbis, articles of incorporation, beneficial owner register)
  • Information on UBOs (names, ownership percentages)

Technical data (related to services)

  • Application and technical logs (API logs)
  • Processing events (webhooks sent to merchants)
  • Technical tracking identifiers (transactionId, customerId, etc.)

Data processing purposes

CENTRALPAY processes your personal data solely for specific, explicit, and legitimate purposes. Each processing operation is based on a legal basis that complies with the GDPR.

Payment processing and service management

  • Purpose: to process your payment transactions (SEPA, card, direct debit, wire transfer, recurring or split payments), handle billing, and manage financial flows
  • Data concerned: bank details (IBAN, BIC), card data (token, scheme, country, masked PAN), transaction identifiers, amounts, currencies, order references
  • Legal basis: performance of the contract (Art. 6.1.b GDPR)

Identity verification and regulatory obligations (KYC/AML-CFT)

  • Purpose: to comply with legal obligations regarding anti-money laundering and counter-terrorist financing (AML-CFT), and with the supervisory requirements of the ACPR
  • Data concerned: identification data (last name, first name, date of birth, nationality), identification documents, proof of address, company legal documents, information on UBOs
  • Legal basis: legal obligation (Art. 6.1.c GDPR, Monetary and Financial Code Art. L561-1 et seq.)

Fraud Prevention and Detection

  • Purpose: to secure transactions, prevent unauthorized or fraudulent payments, and enforce strong authentication rules (PSD2/3DS)
  • Data involved: IP address, browser/device fingerprint, card issuer scheme and country, results of anti-fraud checks, potential monitoring status
  • Legal basis: legal obligation (PSD2) and legitimate interest (payment security – Art. 6.1.f GDPR)

Customer relationship and support management

  • Purpose: to communicate with customers and users (transaction confirmations, sending payment links, notifications), respond to support requests, and follow up on complaints and disputes
  • Data concerned: email, phone number, customer credentials, associated transactional data
  • Legal basis: performance of the contract (Art. 6.1.b GDPR) and legitimate interest (customer relationship management)

Compliance with accounting, tax, and evidentiary obligations

  • Purpose: to retain certain data to meet legal retention obligations (Commercial Code, General Tax Code), and to produce accounting and evidentiary records
  • Data concerned: transactional data (amounts, currencies, dates, statuses, references), bank details related to transactions
  • Legal basis: legal obligation (Art. 6.1.c GDPR)

Improvement of our services and technical security

  • Purpose: to analyze the use of our services, optimize performance, ensure resilience and cybersecurity, in accordance with the DORA regulation
  • Data concerned: technical logs, events (webhooks), technical identifiers, anonymized usage statistics
  • Legal basis: legitimate interest (Art. 6.1.f GDPR)

Data processing legal basis

Each processing activity is based on a clearly defined legal basis:

  • Performance of a contract (Art. 6.1.b GDPR): processing of payments, account management, customer relations, support
  • Legal obligation (Art. 6.1.c GDPR): AML/CFT compliance (Art. L561 CMF), accounting and tax obligations (Commercial Code, CGI), regulatory obligations (PSD2, ACPR)
  • Legitimate interest (Art. 6.1.f GDPR): fraud prevention, system security, dispute management, service improvement
  • Consent (Art. 6.1.a GDPR): only for certain optional marketing communications or if required by law

Data recipient

The recipient of the data is CENTRALPAY and its French parent company, INNOVEST.

Your data may only be shared with:

  • CENTRALPAY internal departments (operations, compliance, support, security)
  • Payment partners and banking institutions (acquirers, SEPA settlement systems, card schemes)
  • Technical service providers (cloud hosting, KYC provider, SMS/email delivery), subject to contractual clauses compliant with the GDPR
  • Competent authorities (ACPR, TRACFIN, Banque de France, judicial authorities)

We never sell your data to third parties.

Data retention period

CENTRALPAY follows a strict retention schedule that complies with the requirements of the GDPR, the Monetary and Financial Code, and the Commercial Code.
We distinguish between:

Financial transactions (accounting and evidentiary records)

  • Retained for ten (10) years in accordance with accounting and evidentiary obligations (Art. L123-22 of the Commercial Code)
  • Data concerned: transaction identifiers (transactionId), date, amount, currency, status, order reference (orderId)
  • This information is necessary for contractual proof and accounting purposes and is not anonymized

Personal data associated with transactions

  • Retained for a maximum of twenty-four (24) months, then irreversibly anonymized
  • Data concerned:
    • Payer contact information (email, phone)
    • IP address, browser/device fingerprint (3DS)
    • Card data (token, masked PAN, expiration date, scheme, issuing country)
    • Anti-fraud results (score, blacklist status)

  • This information is no longer retained beyond twenty-four (24) months as it is no longer required either legally or contractually

Payment card data

  • Retained for up to twenty-four (24) months after the card’s expiration date, then deleted/anonymized
  • CentralPay never discloses the full PAN or CVC outside its PCI DSS environment

Bank account data (IBAN/BIC) and SEPA mandates

  • Retained for the duration of the mandate + ten (10) years (contractual evidence), then deleted/anonymized

KYC / AML-CFT data

  • Retained for five (5) years after the end of the business relationship (Art. L561-12 CMF), then deleted/anonymized
  • Data concerned: identity documents, proof of address, company legal documents, information on UBOs

Subscriptions and installment payments

  • Retained for the duration of the subscription + five (5) years (evidentiary requirements), then anonymized
  • Data concerned: subscription ID, payment schedule, link to payment method

Technical logs and webhooks

  • Retained for a maximum of twenty-four (24) months, then anonymized
  • Data concerned: API logs, processing events, technical identifiers (customerId, eventId), statuses, timestamps

Data storage and processing

Data is hosted within the European Union, primarily in France.
In the event of a transfer outside the EU (e.g., SMS or email service providers), standard contractual clauses (SCCs) and additional measures are implemented to ensure an equivalent level of protection

Rights of data subjects

In accordance with Articles 15 through 22 of the GDPR, you have the following rights:

  • Right of access, rectification, and erasure
  • Right to restriction, objection, and data portability
  • Right to withdraw consent (if applicable)
  • Right to lodge a complaint with the CNIL

You may exercise these rights by sending an email to dp*@********ay.eu or by mail to the following address: CentralPay – 19 rue Edouard Vaillant – 37000 Tours.
You may also, at any time and free of charge, without having to provide a reason for your request, object to the use of your data for commercial marketing purposes.
If, for any reason, you consider our response to be unsatisfactory, you may file a complaint with the French Data Protection Authority (CNIL); website: cnil.fr.

Security

CENTRALPAY implements a security policy aligned with PCI DSS, ISO 27001/27005 standards, and the European DORA (Digital Operational Resilience Act) regulation. Our measures cover the entire lifecycle of data and payment services to ensure their confidentiality, integrity, and availability.

Security is primarily ensured through clear governance and proactive risk management. We have a risk management framework approved by senior management, which includes a risk appetite policy, a risk map aligned with ISO and DORA standards, and risk indicators that are monitored regularly. This framework is implemented through a three-line-of-defense structure and overseen by a security and compliance committee.

Data protection relies on systematic encryption, both in transit (TLS 1.2/1.3) and at rest (AES-256), with centralized key management. Payment data is processed exclusively in a PCI DSS Level 1 certified environment and undergoes irreversible tokenization, which prevents any exposure of full card numbers or security codes. Additionally, we enforce strict policies for the automatic deletion and anonymization of personal data at the end of the retention periods specified by the GDPR.

Access to systems is strictly controlled through centralized identity management based on the principle of least privilege. Every employee is required to undergo strong two-factor authentication (MFA), and access permissions are reviewed regularly to ensure they remain appropriate.

Our infrastructure is monitored around the clock. Sensitive operations are comprehensively logged and time-stamped, and a real-time monitoring system, coupled with a SIEM, enables rapid detection of security incidents.

Operational resilience is ensured by a continuity plan aligned with DORA. CENTRALPAY has implemented a Business Continuity and Emergency Plan (BCEP) that includes regularly tested business continuity and disaster recovery components. Penetration tests and crisis management exercises are conducted annually, while a strict ICT outsourcing policy ensures the continuous evaluation of critical service providers and the maintenance of a regulatory information register.

Incident management follows a formalized procedure for detection, classification, and handling. In the event of a major incident, we comply with regulatory notification deadlines to the ACPR and the CNIL, and a systematic review of lessons learned is conducted to continuously improve the security framework.

Finally, CENTRALPAY is committed to continuous improvement. Internal and external audits, including independent PCI DSS and cybersecurity audits, are conducted on a regular basis. Our ongoing monitoring and periodic audit procedures are reviewed annually to ensure their effectiveness and compliance with international standards and regulatory requirements.

Contact

If you have any question, please contact our Data Protection Officer (DPO) at the following address: dp*@********ay.eu.