Personal Data Protection Policy – CentralPay

Last update: 15/09/2025

At CentralPay, the protection of personal data is at the heart of our commitments. As an Electronic Money Institution authorised by the ACPR (authorisation no. 17138), we process personal data in accordance with the General Data Protection Regulation (GDPR – EU 2016/679) and applicable French legislation.

This policy clearly and transparently outlines how we process personal data.

1. Who is responsible for processing?

The data controller is:
CentralPay – 19 rue Edouard VAILLANT – 37000 TOURS
DPO contact: dpo@centralpay.com

2. What data do we collect?

CentralPay only collects data that is strictly necessary for the provision of its payment services and to comply with its legal and regulatory obligations.

Identification details
  • Surname, first name, title
  • Date and place of birth
  • Nationality
  • Function (director, legal representative, UBO)
Contact details
  • E-mail
  • Telephone number (mobile or landline)
  • Business or personal postal address (as applicable)
Payment data
  • Bank details: IBAN and BIC
  • Card details: card number (collected only in a PCI DSS secure environment and immediately tokenised), expiry date, scheme (Visa, Mastercard, etc.), issuing country, last 4 digits
  • Important: CentralPay never discloses the full card number or security code to the merchant.
Transactional data
  • Transaction ID, date and time
  • Amount, currency, payment status
  • Order reference (orderId)
  • Transaction history (one-off, recurring, split payments, refunds)
Security and anti-fraud data
  • Connection IP address
  • Technical fingerprint of the terminal (browser, language, screen resolution) during 3DS authentication
  • Internal anti-fraud results and scores
  • Possible monitoring status (technical blacklist)
KYC/AML-CFT compliance data
  • Identity documents (national identity card, passport, residence permit)
  • Proof of address (utility bill, receipt)
  • Company legal documents (Kbis, articles of association, register of beneficial owners)
  • Information on UBOs (names, ownership percentages)
Technical data (related to services)
  • Application and technical logs (API logs)
  • Processing events (webhooks sent to merchants)
  • Technical tracking identifiers (transactionId, customerId, etc.)

3. For what purposes do we use your data?

CentralPay processes your personal data solely for specific, explicit and legitimate purposes. Each processing operation is based on a legal basis that complies with the GDPR.
a) Payment execution and service management
  • Purpose: to execute your payment transactions (SEPA, card, direct debit, transfer, recurring or split payments), to ensure invoicing and to manage financial flows
  • Data concerned: bank details (IBAN, BIC), card data (token, scheme, country, masked PAN), transaction identifiers, amounts, currencies, order references.
  • Legal basis: performance of the contract (Art. 6.1.b GDPR)

b) Identity verification and regulatory obligations (KYC/AML-CFT)
  • Purpose: to comply with legal obligations to combat money laundering and terrorist financing (AML-CFT) and with the supervisory requirements of the ACPR
  • Data concerned: identification data (surname, first name, date of birth, nationality), identity documents, proof of address, legal documents relating to the company, information on UBOs
  • Legal basis: legal obligation (Art. 6.1.c GDPR, Monetary and Financial Code Art. L561-1 et seq.)

c) Fraud prevention and detection
  • Purpose: to secure transactions, prevent unauthorised or fraudulent payments, apply enhanced authentication rules (PSD2/3DS)
  • Data concerned: IP address, browser/device technical fingerprint, card issuer and country, anti-fraud check results, possible monitoring status
  • Legal basis: legal obligation (PSD2) and legitimate interest (payment security – Art. 6.1.f GDPR)

d) Customer relationship management and support
  • Purpose: to communicate with customers and users (confirmation of transactions, sending payment links, notifications), respond to support requests, follow up on complaints and disputes
  • Data concerned: email, telephone number, customer identifiers, associated transactional data
  • Legal basis: performance of a contract (Art. 6.1.b GDPR) and legitimate interest (customer relationship management)

e) Compliance with accounting, tax and evidentiary obligations
  • Purpose: to retain certain data in order to comply with legal retention obligations (Commercial Code, General Tax Code), and to produce accounting and evidentiary documents.
  • Data concerned: transactional data (amounts, currencies, dates, statuses, references), bank details related to transactions.
  • Legal basis: legal obligation (Art. 6.1.c GDPR)

f) Improvement of our services and technical security
  • Purpose: analysing the use of our services, optimising performance, ensuring resilience and cybersecurity, in accordance with the DORA regulation
  • Data concerned: technical logs, events (webhooks), technical identifiers, anonymised usage statistics
  • Legal basis: legitimate interest (Art. 6.1.f GDPR)

4. What is the legal basis for this processing?

Each processing operation has a clearly defined legal basis:

  • Performance of a contract (Art. 6.1.b GDPR): payment processing, account management, customer relations, support
  • Legal obligation (Art. 6.1.c GDPR): AML/CFT compliance (Art. L561 CMF), accounting and tax obligations (Commercial Code, CGI), regulatory obligations (PSD2, ACPR)
  • Legitimate interest (Art. 6.1.f GDPR): fraud prevention, system security, dispute management, service improvement
  • Consent (Art. 6.1.a GDPR): only for certain optional marketing communications or if required by law

5. How long do we keep your data?

CentralPay applies a strict retention schedule in accordance with the requirements of the GDPR, the Monetary and Financial Code and the Commercial Code.

We distinguish between:

a) Financial transactions (accounting and probative entries)
  • Retained for 10 years in accordance with accounting and probative obligations (Art. L123-22 of the Commercial Code)
  • Data concerned: transaction identifiers (transactionId), date, amount, currency, status, order reference (orderId)
  • This information is necessary for contractual proof and accounting purposes and is not anonymised.
b) Personal data associated with transactions
  • Kept for a maximum of 24 months and then irreversibly anonymised.
  • Data concerned:
    • Payer details (email, telephone number)
    • IP address, browser/device fingerprint (3DS)
    • Card details (token, masked PAN, expiry date, scheme, issuing country)
    • Anti-fraud results (score, blacklist status)
  • This information is no longer retained beyond 24 months as it is no longer necessary either legally or contractually.
c) Payment card data
  • Stored for up to 24 months after the card expiry date, then deleted/anonymised
  • CentralPay never exposes the full PAN or CVC outside its PCI DSS zone
d) Data relating to bank accounts (IBAN/BIC) and SEPA mandates
  • Retained for the duration of the mandate + 10 years (contractual evidence), then deleted/anonymised
e) KYC/AML-CFT data
  • Kept for 5 years after the end of the business relationship (Art. L561-12 CMF), then deleted/anonymised
  • Data concerned: identity documents, proof of address, legal documents relating to the company, information on UBOs
f) Subscriptions and instalment payments
  • Kept for the duration of the subscription + 5 years (evidential requirements), then anonymised.
  • Data concerned: subscription ID, payment schedule, link to payment method.
g) Technical logs and webhooks
  • Kept for a maximum of 24 months, then anonymised.
  • Data concerned: API logs, processing events, technical identifiers (customerId, eventId), statuses, timestamps.

You can exercise the rights described in section 8 below by sending an email to dpo@centralpay.eu or by post to the following address: CentralPay – 19 rue Edouard Vaillant – 37000 Tours.

You may also, at any time and free of charge, without having to justify your request, object to your data being used for commercial prospecting purposes.

If, for any reason whatsoever, you consider that our response is not satisfactory, you may lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL); website: cnil.fr.

6. Who are the recipients of your data?

Your data may only be transmitted to:

  • CentralPay internal departments (operations, compliance, support, security)
  • Payment partners and banking institutions (acquirers, SEPA payment systems, card schemes)
  • Technical service providers (cloud hosting, KYC provider, SMS/email delivery), subject to contractual clauses compliant with the GDPR
  • Competent authorities (ACPR, TRACFIN, Banque de France, judicial authorities)

We never resell your data to third parties.

7. Where is your data processed?

  • The data is hosted in the European Union, mainly in France.
  • In the event of transfer outside the EU (e.g. SMS or email service providers), standard contractual clauses (SCCs) and additional measures are put in place to ensure an equivalent level of protection.

8. What are your rights?

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

  • Right of access, rectification, erasure
  • Right to restriction, objection, portability
  • Right to withdraw consent (where applicable)
  • Right to lodge a complaint with the CNIL

You may exercise your rights by writing to: dpo@centralpay.com (response within 30 days).

9. Security

CentralPay implements a security policy aligned with PCI DSS, ISO 27001/27005 standards and the European DORA (Digital Operational Resilience Act) regulation. Our measures cover the entire lifecycle of data and payment services to ensure their confidentiality, integrity and availability.

Security is primarily ensured through clear governance and proactive risk management. We have a risk management framework approved by senior management, which includes a risk appetite policy, a risk mapping aligned with ISO and DORA standards, and risk indicators that are monitored regularly. This framework is implemented through a three-lines-of-defence organisation and steered by a security and compliance committee.

Data protection is based on systematic encryption, both in transit (TLS 1.2/1.3) and at rest (AES-256), with centralised key management. Payment data is processed exclusively in a PCI DSS Level 1 certified environment and undergoes irreversible tokenisation, which prevents the exposure of full card numbers or cryptograms. In addition, we apply strict policies for the automatic purging and anonymisation of personal data at the end of the retention periods specified by the GDPR.

Access to systems is strictly controlled through centralised identity management based on the principle of least privilege. Each employee is subject to strong two-factor authentication (MFA), and authorisations are reviewed regularly to ensure they remain relevant.

Our infrastructure is monitored continuously. Sensitive operations are logged comprehensively and time-stamped, and a real-time monitoring system, coupled with a SIEM, enables security incidents to be detected quickly.

Operational resilience is ensured by a continuity plan aligned with DORA. CentralPay has implemented an Emergency and Business Continuity Plan (PUPA), including business continuity (BCP) and IT recovery (PRI) components, which are regularly tested. Penetration tests and crisis management exercises are organised each year, while a strict ICT outsourcing policy ensures the continuous assessment of critical service providers and the maintenance of a regulatory information register.

Incident management follows a formalised procedure for detection, classification and handling. In the event of a major incident, we comply with the regulatory notification deadlines set by the ACPR and the CNIL, and systematic feedback is organised in order to continuously improve the security system.

Finally, CentralPay is committed to continuous improvement. Internal and external audits, including independent PCI DSS and cybersecurity audits, are conducted regularly. Our ongoing monitoring and periodic audit procedures are reviewed annually to ensure their effectiveness and compliance with international standards and regulatory requirements.

10. Policy update

This policy may be amended to reflect changes in processing and legal obligations. Any updates will be published on our website and, where necessary, communicated to affected customers.