Privacy Policy
Last update: May 2024
See also:
→ Politique de Confidentialité 🇫🇷
→ Privacy Policy 🇬🇧
→ Privacybeleid 🇳🇱
→ Datenschutzerklärung 🇩🇪
→ Política de Confidencialidad 🇪🇸
→ Informativa sulla Privacy 🇮🇹
1. Who we are and how to contact us?
SlimPay, a limited company having its registered office at 12 rue Godot de Mauroy 75009 Paris, registered in the Trade and Companies Register of Paris under 518 991 336 (hereinafter “SlimPay”, “we”) is a payment services provider specialised in account-to-account payments. SlimPay is authorised and supervised by the Autorité de Contrôle Prudentiel et de Résolution (ACPR) as a payment institution. In the context of this Privacy Policy (hereinafter “the Policy”), SlimPay is the Data Controller.
You can contact our Data Protection Officer at any time at the following address: dpo@slimpay.com.
2. The purpose of the Privacy Policy
The protection of Personal Data is a priority for us, which is why we are committed to complying with the applicable regulations and in particular the General Data Protection Regulation (EU) 2016/679 and the French Data Protection Act (“Loi Informatique et Libertés”) of January 6, 1978 as amended (hereinafter the “Applicable Regulations”). This Policy thus aims to inform data subjects about the processing of Personal Data conducted by SlimPay.
3. Definitions
The terms used in this Policy have the following meaning:
Affiliates: means any company which, directly or indirectly, controls SlimPay, is controlled by SlimPay or is under the same control as SlimPay, the concept of control being that defined in Article L. 233-3 of the French Commercial Code.
Beneficial Owner: means a legal representative of a SlimPay Merchant.
Data Controller: in accordance with the Regulation (EU) 2016/679 means the legal or natural person who determines the purposes and means of processing Personal Data.
Data Processor: in accordance with Regulation (EU) 2016/679 means the natural or legal person who processes data on behalf of another organisation (“the Data Controller”), as part of a service or provision.
Merchant: means a business customer of SlimPay.
Merchant or Partner Contact Person: means a person employed by the Merchant or the Partner.
Partner: means any company with which SlimPay has contracted (excluding Merchants) as part of a partnership or service provision.
Personal Data: means all personal data as defined by the General Data Protection Regulation (EU) 2016/679 (GDPR).
Prospect: means a business potentially interested in SlimPay’s services or a website visitor.
User: refers to the Merchant’s end customer who wishes to purchase goods or services offered by the Merchant.
4. How do we process your Personal Data?
You are interacting with us if you are in one of the following categories:
- a User
- a Merchant or Partner Beneficial Owner
- a Merchant or Partner Contact Person
- a Prospect
If you are applying for a job at SlimPay, you will find our policy on job applicants when you submit your application.
You will find, below, details concerning the collection, purposes, legal bases and categories of Personal Data processed by SlimPay according to each category of data subject.
4.1 If you are a User of our services
This paragraph applies to you if you are a customer of a Merchant who uses SlimPay’s services.
How is data collected? Your Personal Data is transferred to us through the Merchant who provides you with the goods and services you require, through a SlimPay partner or through your bank’s API for our SlimCollect service.
Your Personal Data is processed as follows. Depending on the services to which your Merchant has subscribed with us, certain processing operations may not be applicable to you.
4.1.1 Service provision
Purpose of the processing | Legal base | Personal data processed |
Provision of signature service of SEPA mandate and/or document (including management via SlimPay dashboard)* | Legitimate interest in providing our services to Merchants | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Financial data (BIC, IBAN) |
Provision of the SEPA mandate preparation service to the Merchant’s bank (including management via the SlimPay dashboard)* | Legitimate interest in providing our services to Merchants | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Financial data (BIC, IBAN) |
Provision of the SEPA direct debit acquiring service (including management via the SlimPay dashboard)* | Legitimate interest in providing our services to Merchants | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Financial data (BIC, IBAN) Transactional data (Merchant name, date, transaction description and amount, transaction reference) |
Provision of the account information service (SlimCollect Verify) (including management via the SlimPay dashboard)* | Performance of a contract with the User | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Financial data (name of your bank, BIC, IBAN) Transactional data (Merchant name, date, transaction description and amount, transaction reference) |
Provision of payment initiation service (SlimCollect Pay) (including management via SlimPay dashboard) | Performance of a contract with the User | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Financial data (name of your bank, BIC, IBAN) Transactional data (Merchant name, date, transaction description and amount, transaction reference) |
Sharing information with SlimPay Affiliates SlimPay may transfer your data to its Affiliates in order to improve our products and services. | Legitimate interest in improving our products and services | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Financial data (name of your bank, BIC, IBAN) Transactional data (Merchant name, date, transaction description and amount, transaction reference) |
* For any use of the account information service followed by the service of signature, preparation of SEPA mandates and then SEPA direct debit acquiring service after 30 April 2024 via the SlimPay platform, SlimPay will collect and process your data as a joint Data Controller with the company Trustly Group AB. More information about this joint controllership can be found in article 5.4 below.
4.1.2. Transaction analysis
Purpose of the processing | Legal base | Personal data processed |
Mandate analysis before import | Legitimate interest in ensuring that mandates comply with EPC rulebooks and are consistent with KYC | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Financial data (BIC, IBAN) |
Monitoring and analysis of atypical payment transactions (Transaction Monitoring) | Legal obligation Article L561-6 of the French Monetary and Financial Code | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Financial data (BIC, IBAN) Transactional data (Merchant name, date, transaction description and amount, transaction reference) |
Analysis of your transactions for anti-fraud purposes | Legitimate interest in preventing fraud | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Financial data (BIC, IBAN) Transactional data (name of the Merchant you are paying, date, description and amount of the transaction, transaction reference) |
4.2 If you are a Beneficial Owner of one of our Merchants or Partners
This paragraph applies to you if you are a Beneficial Owner of a SlimPay direct Merchant or Partner or if you sign deeds on behalf of a Beneficial Owner. As a French payment institution approved by the Autorité de Contrôle Prudentiel et de Résolution (ACPR), we are subject to regulatory obligations, in particular as part of the fight against money laundering and combating the financing of terrorism (AML-CFT). We are therefore required to collect and analyse the necessary information to know our customers before starting a business relationship and throughout its duration.
How is data collected? We collect your Personal Data directly by filling in a form or indirectly through our control tools (see article 5.3) or through SlimPay’s Affiliates.
Your personal data is processed as follows:
Purpose of the processing | Legal base | Personal data processed |
“Know Your Business” (KYB) procedure In accordance with our regulatory obligations, we verify your identity, including identifying Politically Exposed Persons (“PEP”) and ensuring that your name does not appear on any sanctions or asset freeze lists. | Legal obligation Articles L561-5 et seq. and article R561-12 of the French Monetary and Financial Code As the information constitutes sensitive data, the legal basis is that processing is necessary for public interest reasons (Article 9(2)(g) of the GDPR). | Identification data (surname, first name, date of birth, identity document, postal address, business email address, business telephone number) Details of professional life (name of the company you work for and your job title) Sensitive data (when applicable, information on political opinions and/or religious beliefs contained in PEP lists and data relating to criminal convictions or offences if you appear on a sanctions list) |
Sharing KYB information with SlimPay’s Affiliates In the event that the Merchant wishes to subscribe to the services of a company within the Trustly group to which SlimPay belongs, SlimPay will share your KYB information with that company. | Legitimate interest of SlimPay’s Affiliates in obtaining KYB information to carry out their own mandatory KYB due diligence As the information constitutes sensitive data, the legal basis is that processing is necessary for public interest reasons (Article 9(2)(g) of the GDPR). | Identification data (surname, first name, date of birth, identity document, postal address, business email address, business telephone number) Details of professional life (name of the company you work for and your job title) Sensitive data (when applicable, information on political opinions and/or religious beliefs contained in PEP lists and data relating to criminal convictions or offences if you appear on a sanctions list) |
4.3 If you are a Contact Person of one of our Merchants or Partners
This paragraph applies to you if you are an employee of a SlimPay direct Merchant or Partner, with whom we interact in the context of the business relationship, between SlimPay and the Merchant or the Partner.
How is data collected? We may collect your Personal Data directly from you.
Your personal data is processed as follows:
Purpose of the processing | Legal base | Personal data processed |
Business relationship management (contract follow-up, complaints) | Contract execution | Identification data (surname, first name, professional email address, professional telephone number) Details of professional life (name of the company you work for and your job title) |
Conducting surveys and polls on our products and services and assessing customer satisfaction | Legitimate interest in improving our products and services | Identification data (surname, first name, professional email address, professional telephone number) Details of professional life (name of the company you work for and your job title) |
B2B marketing campaigns | Legitimate interest in commercial prospecting | Identification data (surname, first name, professional email address, professional telephone number) Details of professional life (name of the company you work for and your job title) |
Sharing information with SlimPay’s Affiliates | Legitimate interest in sharing your data with SlimPay’s Affiliates for commercial prospection purposes | Identification data (surname, first name, professional email address, professional telephone number) Details of professional life (name of the company you work for and your job title) |
4.4 If you are a Prospect
This paragraph applies to you if you are a potential future SlimPay customer or a visitor to our website.
How is data collected? SlimPay has collected your data using the forms on our website, through a legally obtained business contact list, directly online through an email address verification service, from your company’s email address domain name or through SlimPay’s Affiliates.
Purpose of the processing | Legal base | Personal data processed |
Propose content on our services (guides, white papers, webinars…) | Legitimate interest in providing you with requested content and sending you B2B marketing campaigns | Identification data (surname, first name, professional email address, professional telephone number) Details of professional life (name of the company you work for and your job title) |
Send B2B marketing campaigns | Legitimate interest in commercial prospecting In order to comply with regulations on B2B commercial prospecting, we undertake to contact only professional email addresses with solicitations related to the profession of the person contacted, and to inform people of the processing conducted and the possibility of objecting. | Identification data (surname, first name, professional email address, professional telephone number) Details of professional life (name of the company you work for and your job title) |
Get connected with our teams | Legitimate interest in putting you in contact with our teams and sending you B2B marketing campaigns | Identification data (surname, first name, professional email address, professional telephone number) Details of professional life (name of the company you work for and your job title) |
Sharing information with SlimPay’s Affiliates | Legitimate interest in sharing your data with SlimPay’s Affiliates for commercial prospection purposes | Identification data (surname, first name, professional email address, professional telephone number) Details of professional life (name of the company you work for and your job title) |
Cookies and other tracking data To know more about cookies, please consult our dedicated policy | Consent (through the cookies module at the bottom left of the screen) | Connection data (IP address, logs, device type, operating system and browser information) |
If you no longer wish to be contacted by SlimPay, you can unsubscribe at any time by clicking on the “Unsubscribe” link at the bottom of our emails.
4.5 Other Personal Data Processing
Depending on the circumstances, such processing may potentially concern all categories of people of whom SlimPay processes Personal Data.
Purpose of the processing | Legal base | Personal data processed |
Responding to your requests to exercise your rights In this context, and in consideration of the nature of the data we process, we may be required, in certain cases, to verify your identity in order to ensure that we do not disclose Personal Data to the wrong person. | Legal obligation | Identification data (surname, first name, professional email address, professional telephone number, copy of identity document if necessary) |
Defending SlimPay’s interests | Legitimate interest in defending SlimPay’s interests | Identification data (surname, first name, email address, telephone number, postal address, customer reference) Details of professional life (name of the company you work for and your job title) Financial data (BIC, IBAN) Transaction data (name of the Merchant you are paying, transaction details and amount, transaction reference) |
5. Recipients of Personal Data
For the purposes of the processing identified above, SlimPay transfers your Personal Data to the following recipients:
5.1 SlimPay teams
Your personal data is only available internally at SlimPay to specifically authorised teams. SlimPay also ensures that all people involved in the processing of Personal Data at SlimPay are bound by an appropriate obligation of confidentiality and have received appropriate training in the processing and protection of Personal Data.
5.2 SlimPay’s Affiliates
SlimPay may share your data with its Affiliates to improve our products and services if you are a User (see article 4.1.1 above), for KYB purposes if you are a Beneficial Owner (see article 4.2 above) or for commercial prospection purposes if you are a Contact Person or Prospect (see articles 4.3 and 4.4 above).
5.3 SlimPay Data Processors
SlimPay also uses Data Processors for the purposes detailed in article 4 above. SlimPay warrants that it has selected its Data Processors, in particular, on the basis of the sufficient guarantees they offer in terms of security and data protection. SlimPay undertakes to enter into a processor contract with each of its Data Processors and to ensure that each Data Processor fulfils all the obligations imposed by the GDPR. For a list of SlimPay’s Data Processors, click here.
5.4 Joint Data Controllers
For any use of the account information service followed by the service of signature, preparation of SEPA mandates and then SEPA direct debit acquiring service after 30 April 2024 via the SlimPay platform, SlimPay will collect and process your Personal Data as a joint Data Controller with the company Trustly Group AB (a limited liability company with registered office at Rådmansgatan 40, 113 57 Stockholm, Sweden, registered number 556754-8655).
SlimPay and Trustly Group AB are obliged under the GDPR to determine and allocate our respective responsibilities for compliance with the obligations under the GDPR. We are also obliged to make the essence of this arrangement available to you. Please see below for such information.
SlimPay is responsible under the GDPR to provide you with information on how your personal data is processed for the purpose of the service referred to in this article. SlimPay is also the primary recipient of requests related to your rights under the GDPR (see article 9 below), such as your right to get access to what Personal Data SlimPay and/or Trustly Group AB process about you. However, you are free to exercise your rights towards Trustly Group AB if you wish.
You can find more information on how Trustly Group AB processes your personal data, such as the legal basis that Trustly Group AB relies on and the ways to exercise data subject rights against Trustly Group AB, here.
5.5 Separate Data Controllers
SlimPay may transmit your personal data to the Merchant as part of the provision of services.
In providing our payment services, SlimPay also provides your Personal Data to another partner, BNP Paribas, which is a direct participant in the European interbank exchange systems and acts as a separate Data Controller. To obtain further information about the processing of your Personal Data by BNP Paribas, please consult this notice.
5.6 The competent public authorities
In specific situations, your Personal Data may be communicated to the competent public authorities, upon judicial request, and to organisations involved in the fight against money laundering and the financing of terrorism pursuant to legal or regulatory provisions.
5.7 Mergers and Acquisitions
We may need to share your personal data and information in connection with planned and/or finalized company acquisitions or restructuring of SlimPay. If SlimPay is to be restructured, e.g. is divided into several different operations, or if an outside party wishes to acquire SlimPay, we will disclose your and other customers’ personal data to the acquiring company. This may entail any personal data which you have provided to us or that we have collected in connection with our Services.
This processing is carried out on the basis of our legitimate interest in enabling an acquisition or restructuring process. If SlimPay ceases to exist, e.g. through a merger, liquidation or bankruptcy, we will transfer or delete your personal data as long as we do not need to save them to meet legal requirements. If SlimPay is acquired by an acquiring company or split up in connection with a restructuring, we will continue to save and use your personal data according to the terms herein, unless you receive other information in connection with the transfer/such acquisition.
6. Location of Personal Data
SlimPay’s servers are located entirely within the European Union by our hosting provider Amazon Web Services.
As stated in article 5.3 of this Policy, SlimPay will transfer your personal data to its Data Processors in the course of providing its services.
Some Data Processors are located in countries outside the European Union. SlimPay undertakes to ensure that such transfers outside the EU are covered:
– By an adequacy decision by the European Commission recognising the third country as having an adequate level of protection of Personal Data, in accordance with Article 45 of the GDPR; or
– By appropriate safeguards, in accordance with Article 46 of the GDPR, such as the Standard Contractual Clauses (SCC) adopted by the European Commission.
7. Retention of personal data
SlimPay retains your personal data for as long as necessary to provide our payment services or for the duration of the business relationship. SlimPay may also need to retain your personal data for longer periods in order to comply with legal and statutory requirements, such as anti-money laundering and financing of terrorism requirements, and to comply with retention periods for evidential or accounting purposes. The retention periods applicable to SlimPay are detailed below. Once these retention periods have expired, SlimPay will delete or anonymise your personal data.
Category of Concerned Person | Categories of Personal Data | Data retention period | Conservation justification |
Users | Identification data Financial data Transaction data | Five (5) years from the execution of the transaction | Fighting against money laundering/ payment fraud/ financing of terrorism (Article L.561-12 of the French Monetary and Financial Code) |
Users | Data contained in SEPA mandates (identification data; financial data) | Five (5) years from the end of the mandate: – either from its revocation by the debtor; – or from the expiry of the mandate (where no SEPA Direct Debit order has been submitted for a period of 36 months) | Preservation for probationary purposes (Article 2224 of the French Civil Code) |
Users | Data contained in SEPA mandates (identification data; financial data) | Ten (10) years from the creation of the trust file | Retention of trust files as part of an additional archiving service at the request of the Merchant (Article L.123-22 of the French Commercial Code; General Requirements ETSI 319 411-1) |
Merchant’s or Partner’s Beneficial Owners | Identification data Data relating to professional life Sensitive data | Five (5) years from the end of the business relationship | Fighting against money laundering/ payment fraud/ financing of terrorism (Article L.561-12 of the French Monetary and Financial Code; Article L110-4 of the French Commercial Code) |
Merchant’s or Partner’s Contact Persons | Identification data Data relating to professional life | Three (3) years from the end of the business relationship | Business relationship management (CNIL recommendations) |
Prospects | Identification data Data relating to professional life | Three (3) years from the last active contact of the prospect | Commercial prospecting (CNIL recommendations) |
8. Security and confidentiality
While your personal data is being stored, SlimPay takes all necessary measures to ensure its confidentiality and security in order to prevent it from being damaged, deleted or accessed by unauthorised parties.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk for the rights and freedoms of natural persons, each Party undertakes to implement appropriate technical and organisational measures to ensure the confidentiality and security of Personal Data in accordance with Article 32 of the GDPR.
These safety measures notably include the following:
- Authentication measures and access management: Any person accessing the data is assigned a unique (non-generic) identifier and a password generated by a password generator, enabling all actions performed on the system to be associated with that person with certainty. The password must be renewed every 90 days. All personnel movements require a reassessment of access rights.
- Connection logging and traceability: All actions on the SlimPay services hosting platform are traced and reported to our log centralization tools and aggregated on our monitoring/dashboarding tools.
- Equipment security: All user equipment is equipped with automatically updated protection against malware (antivirus, firewall). VPN-type technology must be used to secure and authenticate user access via external connections.
- Network compartmentalisation: Development/operations, validation, pre-production/production networks are logically disjointed.
- Cryptographic measures and data backup: All backed-up data is encrypted using a standard AES-256 encryption algorithm. A full data backup is performed daily, with backup date and time criteria.
- Controlling physical access to business premises: All business premises are closed to the public thanks to a badge-based access security system, supervised by cameras which store recordings in compliance with current regulations.
9. Exercising of rights
In accordance with the provisions of the Applicable Regulations (and in particular Chapter III of GDPR), you may exercise the following rights:
- The right of access: you can obtain a copy of your Personal Data processed by SlimPay and other information on processing.
- The right to request the rectification: you can request the modification of your Personal Data if it is incorrect or incomplete, in order to limit the use or distribution of false information.
- The right to erasure: you can request that SlimPay delete your Personal Data if one of the grounds of Article 17 of the GDPR is applicable.
- The right to restriction of processing: you can request that the processing of your data be blocked for a certain period of time when one of the elements of Article 18 of the GDPR is applicable.
- The right to data portability: you have the right to recover your Personal Data in a machine-readable format for your own use or to provide it to another organization.
- The right to object: you can object at any time to the processing of your data on the basis of legitimate interests. You may also object at any time to the processing of your data for prospecting purposes.
- The right to withdraw your consent: you may withdraw your consent at any time for processing operations based on this legal basis.
- The right to digital death: you have the right to define directives concerning the conservation, deletion and communication of your Personal Data after your death.
To exercise these rights and for any request relating to personal data, you can contact our Data Protection Officer at the following address: dpo@slimpay.com.
We also remind you that in accordance with Article 77 of the GDPR you can lodge a complaint with a control authority.
10. Modification of the Privacy Policy
SlimPay may modify this Privacy Policy at any time, especially in case of new recommendations from the CNIL, changes in the processing of Personal Data or changes in the applicable law.
SlimPay will publish its Privacy Policy on its website in the latest available version and will provide you with the date of the last update.