From the Xpollens.com website, Xpollens in its capacity as Data Controller may collect and process information identifying you (for example, your name and IP address). This information notice explains how Xpollens collects and processes personal data.

We are required to collect personal data in order to comply with our legal and regulatory obligations as an Electronic Money Institution.   In this information notice and in accordance with the GDPR, “personal data” is information relating to an identified natural person or a person who can be identified directly or indirectly from that data, and “processing” means any operation(s) on personal data, regardless of the process used.


We collect and process personal data as part of the services offered by the Partner Area.  In this capacity, we act as Data Controller. We are not alone in providing these services. We are part of a larger group of companies, Groupe BPCE, and we partner with other companies.

All of these companies can be involved in the services provided to you, and they are committed to the same principles. To this end, they may have access to your personal data for the specific purposes related to the products and services subscribed to.

2.    HOW DO WE OBTAIN YOUR PERSONAL DATA?

The personal data are collected when you sign up for this service in the Partner Area.

The following personal data are retained:

  • Identification data (first and last name, email)
  • Connection data (IP address)

EXCLUSION OF SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data revealing racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data for the purpose of uniquely identifying a natural person, personal health data, or personal data concerning the sex life or sexual orientation of a natural person shall not be processed under any circumstances in the context of this Service.

Unless required by law, Xpollens does not collect personal data in these special categories.

In any case, if we need to process these special categories of personal data, provided that it is not prohibited by applicable law or regulation, your consent will be obtained beforehand.

3.    WHO HAS ACCESS TO YOUR DATA?

As an electronic money institution, we are bound by confidentiality laws and can only share your data under strict conditions or with your consent.

This same principle of secrecy and confidentiality applies to all those involved, whether they are our employees, our service providers, our partners or our partners’ employees.

Your data may be transmitted to or accessed by:

  • Subsidiaries and branches of the BPCE Group in France and abroad, of which Xpollens is a member;  
  • Our service providers for the sole purpose of carrying out the processing for which the data were initially collected. In this context, our service providers are personal data processors within the meaning of the regulations, acting on our instructions and on our behalf. They are not allowed to sell or disclose them to other third parties;
  • Commercial and banking partners;
  • Certain regulated professions such as lawyers, notaries or auditors;
  • Any public, administrative or judicial authority or authorised third party mandated to comply with the legal, regulatory, statutory or contractual obligations to which we are subject.

4.   WHY DO WE PROCESS YOUR PERSONAL DATA?

As part of our relationship, we use your personal data for the purposes described below and on the following basis:

  • To execute the contract for the service subscribed by your company;
  • To meet our legal and regulatory obligations, including those related to money laundering, terrorist financing and tax evasion, international sanctions and embargoes;
  • To meet our legitimate interests in order to implement and develop our services, optimise risk management or defend our interests in court;
  • To carry out certain processing with your consent and for formally identified purposes.

The processing of personal data carried out as part of this service does not lead to any automated decision-making that has legal effects, concerns you or significantly affects you.

If we process your data for purposes other than those described in section 3, we will inform you and, if necessary, seek your consent.

5.   HOW LONG WILL YOUR DATA BE RETAINED?

The data are retained for the time necessary for your use of the service and until the expiry of the applicable legal retention periods.

  • the common law retention period in civil and commercial matters is 5 years. For example, data relating to the subscription to the service will be kept for a period of 5 years after the closure of your account or the termination of our relationship;
  • the retention period under specific laws, such as anti-money laundering and anti-terrorist financing, is five years;
  • the period necessary for the purpose, as, for example, in the fight against fraud, which is five years;

These periods may be longer in certain specific situations where required by law. They may also be longer in the event of legal action. In this case, the data are kept until the end of the legal proceedings and then archived according to the applicable legal retention periods.

In any event, where personal data is collected for more than one purpose, it shall be retained for the longest retention or archiving period.

Once the purposes of data processing have been achieved, and taking into account any legal or regulatory obligations to retain certain data, we will delete or anonymise your data.

6.   HOW DO WE ENSURE THE SECURITY AND CONFIDENTIALITY OF YOUR DATA?

It is our priority to respect your privacy and comply with banking secrecy, and to keep personal data provided by our customers secure and confidential.

In view of the nature of the personal data and the risks presented by the processing, we take all technical and organisational measures necessary to preserve the security of your data and, in particular, to prevent it from being altered, damaged, accessed by unauthorised third parties or used improperly.

We are committed to taking the necessary physical, technical and organisational security measures to:

  • safeguard the security of our customers’ personal data against destruction, loss, alteration, unauthorised disclosure of, or access to the personal data we hold,
  • protect our business.

We conduct regular internal and external audits to ensure the security of personal data and to safeguard against unauthorised access to our systems.

Nevertheless, the security and confidentiality of personal data depend on the best practices of each individual, so we encourage you to be vigilant.

In accordance with our commitments, we choose our subcontractors and service providers carefully and require them to:

  • provide a level of personal data protection equivalent to ours,
  • access and use personal data or information only as strictly necessary for the services they provide,
  • strictly comply with applicable laws and regulations regarding confidentiality, banking secrecy and personal data,
  • implement all appropriate measures to ensure the protection of the personal data that they process,
  • implement the technical and organisational measures necessary to ensure data security.

We undertake to enter into contracts with our subcontractors, in accordance with legal and regulatory obligations, which precisely define the terms and conditions for the processing of personal data.

7.    WHERE ARE YOUR DATA STORED?

Your personal data are stored in our information systems or those of our subcontractors or service providers.

We undertake to select subcontractors and service providers who meet the criteria of quality and security, and who offer sufficient guarantees, particularly in terms of specialist knowledge, reliability and resources, for the implementation of technical and organisational measures, including those relating to the security of processing.

As such, we require our subcontractors and service providers to maintain privacy standards at least equivalent to our own.

ARE YOUR DATA COMMUNICATED OR ACCESSIBLE FROM OUTSIDE THE EUROPEAN UNION?

Your personal data transmitted in accordance with the agreed purposes may, in the course of various operations, be transferred only to European Union countries.

Your personal data may be communicated to official bodies and administrative or judicial authorities or to third parties, at their request.

In all cases, we take the necessary and appropriate measures to ensure banking secrecy and the security of personal data.

8.   COOKIES AND OTHER TRACKERS

Cookies and other trackers are small text files installed on your device and read when you visit a website, read an e-mail, install or use a software or a mobile application.

You are informed that when you visit one of our websites, cookies and trackers may be installed on your computer or device. Where necessary, we obtain your consent prior to installing trackers on your computer or device and also when we access data stored on your computer or device.

The lifespan of the trackers is a maximum of 13 months from when they are first installed on your computer or device with your consent.

9.   YOUR RIGHTS

Within the limits and conditions laid down by the current legislation, you can:

Obtain access to all of your personal data,

Rectify, update and delete your personal data, it being specified that deletion can only take place when:

– the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,

– you have withdrawn your consent on which the processing was based,

– you have objected to the processing of your data and there are no compelling legitimate grounds for further processing,

– the personal data were processed unlawfully,

– the personal data must be deleted to comply with a legal obligation under EU or French law to which Xpollens is subject,

Receive your personal data that you have provided to us, for automated processing that requires your consent or the performance of a contract,

Request the restriction of processing of your personal data by us when:

– you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data,

– the processing is unlawful and you oppose the erasure of the personal data,

– we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims,

Lodge a complaint with a supervisory authority. In France, the supervisory authority is:

CNIL – 3 place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07

In addition, you have the option to provide us with instructions regarding the retention, deletion and disclosure of your data after your death. Your instructions may also be registered with “a certified digital trusted third party” and you may designate a person to carry out the instructions. These rights may not, however, infringe the rights of heirs or allow the communication of data to which only the heirs legitimately have access.

10.  HOW DO YOU EXERCISE YOUR RIGHTS?

If you wish to know more about this information notice, or to contact our Data Protection Officer, you can write to us at the following address:

Groupe BPCE Data Protection Officer

BP 4 – 75060 Paris Cedex 02 France 9

You can exercise your rights by contacting the BPCE Data Protection Officer.

You must prove your identity by providing your full name and the address to which you wish the reply to be sent, sign your request and attach a photocopy of an identity document bearing your signature.

There is no cost involved in exercising your rights of access, rectification, opposition, erasure, or your right to restrict processing and data portability.

If you exercise your right of access, we will provide you with a copy of the personal data being processed. In the event of requests that are manifestly unfounded or excessive, particularly because of their repetitive nature, we may require payment of a reasonable fee to cover the administrative costs incurred in providing the information, making the communications or taking the measures requested, or we may refuse to respond to your request.