The authority responsible for processing personal data under the General Regulation on the protection of individuals with regard to the processing of personal data ("RGPD", R. EU 2016/679):

Wari Pay,

91 boulevard National 92250 La Garenne-Colombes

support@wari-pay.com

Wari Pay has appointed a Data Protection Officer (DPO).

Contact : dpo@wari-pay.com

II. Confidentiality of data

Wari Pay is an entity approved by the Prudential Control and Resolution Authority attached to the Banque de France. As such, Wari Pay is subject to banking secrecy. Wari Pay further undertakes not to ask the user for authorization to disclose or transfer their personal data to third parties. Wari Pay may, however, provide access to or transfer this data for the purposes of subcontracting services to companies in the Wari Pay group or if the law, a regulatory, judicial or regulatory authority requires it to Wari Pay.

III. Data collected on Wari Pay websites

Consulting the websites generates cookies. Their use is governed by the Cookie Management Policy available on the Wari Pay website..

IV. Data collected for the provision of Services by Wari Pay

This personal data protection policy identifies the data collected for processing (1) and the purposes of their processing (2) ...

1. Identification of personal data

Personal data refers to all the information making it possible to identify a natural person, directly (name, telephone number, address, etc.), or indirectly (transaction reference, etc.). The personal data of the users that Wari Pay processes may include:

• identification data (name, address, telephone number, email address, etc.)
• personal characteristics (date of birth, place of birth)
• identifiers issued by public bodies (passport number, identity card, residence permit, etc.)
• asset information (income from work or assets, etc.)
• data from payment transactions initiated by the user
• information transmitted by IT devices (IP address, cookies, see Wari Pay cookie management policy, etc.)

2. Purposes of the processing of personal data by Wari Pay

The processing of the user's personal data is necessary for the provision of the Wari Pay Payment Services. The processing of this personal data is carried out in accordance with the provisions of the Data Protection Act n ° 78-17 of 6 January 1978 in its current version and the GDPR. The processing of personal data that Wari Pay operates under its responsibility are detailed below:

I. Payment services

Processing

Provision of payment services, in electronic money or by payment account

Recipient (s)

Operations (s)

Nature of operations

Association of users's personal data with payment transactions

Purpose of processings

Operation of Wari Pay Payment Services and User management

Categories of data subjects

Users

Legal basis

Processing necessary for the performance of the contract

II. Prospects and clients

Processing

Prospects and clients

Recipient (s)

Commerce and Marketing

Nature of operations

Newsletter, targeted marketing

Operation of Wari Pay Payment Services and User management

Wari Pay service proposals

Categories of data subjects

Users and individuals representing merchants

Legal basis

Processing necessary for the purposes of legitimate interest (GDPR, cons. 47)

III. Fight against money laundering

Processing

Fight against money laundering

Recipient (s)

Compliance and risk Nature of operations

Identification and verification of user identity

Operation of Wari Pay Payment Services and User management

Prevention of the fight against money laundering, the financing of terrorism and fraud

Categories of data subjects

End users and merchants

Legal basis

Processing necessary for compliance with a legal obligation

IV. Customer support

Processing

Customer support

Recipient (s)

Operations Nature of operations Communications with clients

Operation of Wari Pay Payment Services and User management

Assistance to end customers

Categories of data subjects

End users

Legal basis

Processing necessary for the purposes of legitimate interest (GDPR, cons. 47)

Transfer to countries outside the European Union

User right of objection

v. Security of information systems

Processing

Security of information systems

Recipient (s)

Security manager

Nature of operations

Systems monitoring

Operation of Wari Pay Payment Services and User management

Systems protection

Categories of data subjects

Users, website visitors

Legal basis

Processing necessary for the purposes of legitimate interest (GDPR, cons. 47)

VI. Identity verification procedure

A. Conduct of the identity verification procedure:

1. User credentials collected by Wari Pay are sent to the identity verification service provider.

2. In return, the user receives a request (email or SMS) inviting him to connect to verify his identity.

3. The user sends a scanned copy of an ID, an ID photo and a selfie photo to their device in real time (selfie). Depending on the method chosen by the user, the identity verification service provider may perform facial recognition processing for the purpose of identifying the holder of the identity document or manual processing.

B. The data is processed by the provider of identity verification services and accessible to Wari Pay in the context of the fight against money laundering and the financing of terrorism.

C. Data is sent and stored encrypted. The size of the keys corresponds to ANSSI requirements. The providers, listed as trusted service providers by ANSSI, are audited every year.

VII. Transfer of personal data outside the EEA

The personal data collected is processed and stored on servers in the territory of the European Union. Wari Pay may use service providers located outside the European Economic Area to delegate customer support functions of a technical or commercial nature for the benefit of users of its products. Where such a medium requires access to the personal data of users, it is considered to be processing carried out outside the EEA. These service providers are selected and are monitored by Wari Pay in order to verify that they comply with sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and guarantees the protection of the rights of users. By contract, Wari Pay prohibits these service providers from subcontracting their services. The user has, at any time, the right to object to the transfer of his personal data outside the EEA. The user must then inform Wari pay to support@wari-pay.com

VIII. User rights over their personal data

Wari Pay responds free of charge to requests for information from its users on the processing of their personal data. Personal data protection legislation also provides that the user can request the rectification or deletion of certain data. These requests will require verification of the identity of the User so that Wari Pay can ensure that the requesting person is the owner of the data. The user who has consented to the processing of his personal data has the right to revoke his consent at any time. The revocation of the consent has only effect for the future and may lead to the legal impossibility for Wari Pay to provide a payment service to the user. Requests for information, rectification, deletion or revocation should be addressed to Wari Pay customer service at contact@wari-pay.com or by post to the address indicated in the Legal Notice.

IX. Retention period of personal data

The personal data of users of Wari Pay services are, in principle, kept for the period necessary to achieve each purpose. However, this data can be kept longer.

1. When legal or regulatory requirements are applicable to the retention period of this data or
2. To establish, exercise or defend rights in legal proceedings, investigations or similar proceedings or
3. Again if the user wishes.

X. Wari Pay electronic newsletter

Anyone can request to receive the electronic newsletter from Wari Pay. In order to avoid any registration without his knowledge, the user will receive an email which he must confirm by clicking on a link in the email. Since no response means the user does not wish to subscribe, it is important to look carefully in the spam folder if the message is not visible in the inbox.

XI. Update of the data protection policy

The privacy and data protection policy is subject to change. In such a case, the changes will be notified to the user at the time of their entry into force.