Personal Data Protection Policy

This personal data protection policy, applicable from 29/10/2024, sets out how personal data (hereafter referred to as “the Personal Data”) of business prospects and customers, as well as customers acting in a personal capacity (hereafter jointly referred to as “the Users”), are collected and processed by Welcome Account:

for the provision of Welcome Account products and services through the contracts concluded with them;

when they visit the website https://welcomeaccount.com/ (hereafter referred to as “the Website”) and

when they log in to the Welcome Account Application (hereafter referred to as “the Application”).

The Personal Data collected are processed in accordance with European Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”), the Act No. 78-17 of 6 January 1978 on data processing, files and freedoms (the “Data Protection Act”), and this Personal Data Protection Policy (hereafter referred to as the “DPP”).-

Controller and purposes

The Personal Data, collected through different communication channels (the Website, the Application, by telephone or by e-mail), are collected by Welcome Account in its capacity as controller within the meaning of the GDPR.

The nature of the operations carried out on the Personal Data is collection, recording, consultation, matching, consolidation, retention and communication by transmission in order to ensure compliance with the legal and regulatory obligations applicable to Welcome Account, as a payment services agent.

Purposes	Legal basis
If you use the payment services offered by Welcome Account
Manage our business relationship with the Users for the provision of Welcome Account products and services in order to: subscribe to and open the payment account (including the provision of payment instruments) and other products and services (in particular payment services); manage the payment account and other products and services (in particular the processing of payment transactions and related pricing) directly or through third-party payment service providers, including related communications; make payment instruments available to you so that you can use them. ensure the proper execution of payment transactions (credit and debit). process changes in the customer’s situation having an impact on the management of the account and other products and services (including the closure of products and services), and related communications; handle incidents related to transactions on the payment account or electronic money	Performance of the contract between Welcome Account and the Users.
Allow you to access the Application (and authenticate yourself)	Our legitimate interest in being able to provide the Users with a functional Application.
To develop our offers: subscription to and sending of personalised commercial communications; management of the business relationship; offering personalised offers and services.	If you are a User and you use our products and services: our legitimate interest in offering you similar products and services. If you are a prospect: we will ask for your consent. In both cases, you can object to marketing by clicking on the dedicated link included in the e-mails we send you.
Record telephone and session calls for the purpose of improving service quality. Carry out satisfaction surveys and respond to other reviews of the products and services offered by Welcome Account. Carry out statistical studies. Develop, maintain and improve the Application.	Our legitimate interest in improving our products and services.
Process, monitor and/or resolve complaints, pre-litigation and litigation matters and recovery operations.	Our legitimate interest in ensuring your satisfaction, and where we have not succeeded, in protecting our interests.
Assess and manage the risk of default, ensure the security of property and people and prevent fraud.	Our legitimate interest in protecting our financial interests and yours and ensuring the security and integrity of our services.
Provide you with an automatic personal conversational agent, capable of assisting you in navigating the Application and carrying out your steps.	Performance of the contract between Welcome Account and the Users.
If you act on behalf of the Users’ sponsor
Manage our business relationship, send you invoices, keep our accounts and give you access to the application for tracking the use of our services.	Performance of the contract concluded between Welcome Account and the sponsor.
If you apply for a job
When you apply for a vacancy, process your application and conduct job interviews.	Performance of pre-contractual measures in most cases. Your consent when we wish to keep your CV in our candidate database.
When you browse the Website
Use cookies and other trackers on the Website for the following purposes: personalised content and advertising, enriching customer / prospect knowledge, sharing (social networks), audience measurement, and technical purposes.	Our legitimate interest in making the Website work, where a functional cookie is involved. Your consent, where required, in particular for advertising cookies.
In any event
Subscribe to and make our declarations to authorised third parties; Combat money laundering and terrorist financing and comply with asset-freezing measures and other international sanctions; Respond to and take the necessary measures following your requests to exercise rights under the GDPR.	Our legal and regulatory obligations.
Respond to your questions and complaints (relating to the operation of the Website or the Application and the products and services offered by Welcome Account).	Depending on the subject of your request, the legal basis is either: If your request is not linked to a product / service already purchased / subscribed to from Welcome Account: Welcome Account’s legitimate interest, more specifically its economic interest in offering a high-quality customer service / support. If your request is linked to a product / service already purchased / subscribed to from Welcome Account: performance of the contract between you and Welcome Account.
Carry out all types of capital transactions (including in particular acquisitions, disposals, mergers, demergers, contributions, partial contributions of assets, universal transfer of assets, restructuring or any other transfer of securities or corporate combination transactions), whether partial or total, at Welcome Account level.	Welcome Account’s legitimate interest, more specifically its interest (social and economic) in carrying out the proposed transaction.

Personal Data processed

The Personal Data collected and processed by Welcome Account are:

Category of data	Data processed
Civil status, identification, identification data, image (surname, first name, nickname, date of birth, identification number, postal or e-mail address, image…)	Surname(s), forename(s), gender, date and place of birth, postal address, e-mail address, telephone number, nationality, proof of identity (identity cards, residence permits, passport, receipt for a residence permit application or asylum application, visa), video authentication recordings (video selfie), proof of address.
Personal life (lifestyle habits, family situation…)	Family situation, marital regime, lifestyle habits and consumption patterns (via financial data and data arising from correspondence and communications between Welcome Account, the User and any intermediary).
Professional life (CV, schooling, vocational training, distinctions…)	Profession, employer or any private or public legal entity (sponsor), including associations governed by the Act of 1 July 1901, sector of activity.
Economic and financial information (income, financial situation, tax situation…)	Financial situation (resources and income, supporting documents), tax situation (tax residence).
Banking and payment information	Bank details, bank account details, transactional data (amount and wording of payment transactions, sender and beneficiary, payment instruments, sources of payment, value date, supporting documents), login data, account synchronisation data and retrieval of history of aggregated accounts, and any other information or document necessary to determine the origin and destination of the funds involved in payment transactions carried out with your account.
Information arising from your use of the Website and the Application.	When you use the conversational agent, any information revealed by the questions you ask it. The information revealed in the reviews you leave about our services and, where applicable, in the video and telephone extracts we have recorded. The information arising from your complaints addressed to our customer service.
Login data (IP address, logs…)	Logs, cookies and other trackers (SDK etc.), IP address (city, country), merchant location data (payment transactions).
Data processed as part of a capital transaction	The nature of the data depends on the legal nature of the proposed transaction.

Retention period for Personal Data and storage

Processing activities	Retention period
Managing the business relationship with the customer for the provision of Welcome Account products and services and related communications	5 years from: – the payment transaction for data relating to that transaction, – the end of the contract for data relating to that contract. 10 years for accounting and tax documents, and associated supporting documents (account statements, invoices …) from the close of the relevant accounting year.
Access to the application	For the entire duration of the contract between Welcome Account and the Users.
The development of our offers	3 years from the end of the business relationship for the customer and from the last contact from the prospect, as regards data relating to business prospecting.
Improving our Application (telephone and session call recordings, satisfaction surveys, statistical studies)	The information arising from your feedback on our products is kept for 3 years from collection so that we have time to draw the necessary lessons from it. The recordings of telephone calls are kept for 6 months and the analysis documents for 1 year.
Risk assessment and management, security, fraud prevention	5 years from the closure of the file for proven fraud or the issuance of a relevant alert From the day of the offence and for the applicable statutory limitation periods.
Provision of the automatic conversational agent	The conversations you have with the conversational agent are kept for 12 months from the end of our contractual relationship.
Processing your applications	Your data are processed for the duration of the recruitment process. If your application is rejected, your data will be kept for 3 months, to allow us, where applicable, to explain the reasons for our refusal to you. Your data may be kept in archive for 6 years for evidential purposes.
Placing cookies and other trackers for audience measurement and advertising purposes.	13 months maximum for strictly necessary cookies (25 months for data collected through these cookies) and 6 months maximum for cookies that are not strictly necessary.
Compliance with legal and regulatory obligations	5 years from the closure of the account or the end of the contractual relationship. 5 years from the performance of the transaction.
Carrying out all types of capital transactions	Processing of data from the opening of legal audit phases (i.e., due diligence) until the proposed transaction is completed.
Responding to your questions and complaints	If your request is not linked to a product/service already purchased/subscribed to from Welcome Account, we will keep your personal data for 5 years after the request is closed (except for very basic requests for which your personal data will not be kept). If your request is linked to a product/service already purchased/subscribed to from Welcome Account, we will keep your personal data for 5 years from the end of the contractual relationship.

The retention periods for Personal Data are necessarily extended for the duration of the statutory limitation period or limitation period for evidential purposes in the event of a dispute. In the latter case, the retention period for Personal Data is extended for the entire duration of the dispute.

After the periods set out above, the Personal Data are either deleted or kept after being anonymised, in particular for statistical purposes. It is reminded that deletion or anonymisation are irreversible operations and that Welcome Account is no longer able to restore them thereafter.

Storage and transfer of Personal Data outside the EU

Welcome Account stores the Personal Data on the servers of Microsoft Ireland Operations Limited located in Ireland.

The Personal Data of the Users (excluding data collected as part of legal and regulatory obligations, in particular for the purposes of combating money laundering and terrorist financing) may be transferred outside the European Economic Area to third countries. If this is the case, Welcome Account puts in place a precise and demanding framework, in line with the applicable European regulations, in particular by relying on an adequacy decision of the European Commission or by signing dedicated contractual clauses (European Commission standard contractual clauses) and security commitments offering the level of guarantee required by the GDPR.

Data transfers may be made to the following countries:

United States.

You may obtain a copy of these safeguards at any time by contacting Welcome Account using the contact details and in accordance with the terms set out in Article 11 of this DPP.

Recipient of Personal Data

Recipients means the natural or legal persons who receive communication of Personal Data (hereafter referred to as the “Recipients”).

Welcome Account ensures that the Personal Data are accessible only to authorised internal and external Recipients, including in particular:

the staff of the relevant departments of Welcome Account authorised to manage the relationship with customers and prospects; in this context, Welcome Account decides which Recipients may have access to which Personal Data according to an appropriate authorisation policy and ensures that they are subject to a duty of confidentiality;

Welcome Account’s service providers, who process Personal Data on behalf of Welcome Account and according to its instructions, without being able to use such data for purposes other than carrying out the outsourced operations;

Welcome Account’s partners, who process Personal Data on behalf of joint customers and in accordance with the terms of the contracts concluded directly with them;

the national or regional subsidiaries of the Crédit Agricole Group that need to know them, in particular Okali, as an electronic money institution, the principal of Welcome Account;

the authorities legally authorised to know them; in this context, Welcome Account is not responsible for the conditions in which the staff of these authorities access and use the Data. These transmissions are carried out in compliance with – among other things – the “Collection of Procedures – Authorised Third Parties” published by the French Data Protection Authority (the “CNIL”) ;

in the context of carrying out with this third party all types of capital transactions (including in particular acquisitions, disposals, mergers, demergers, contributions, partial contributions of assets, universal transfer of assets, restructuring or any other transfer of securities or corporate combination transactions), whether partial or total, at Welcome Account level.

profiling and fully automated decisions

Where Welcome Account implements data processing involving fully automated decision-making (including profiling) and producing legal effects concerning or significantly affecting the Users, such processing is then based on the Users’ explicit consent, the performance of a contract or specific legal provisions. Such processing is carried out in accordance with the applicable regulations and accompanied by appropriate safeguards.

Where such profiling has legal consequences for the Users, they may request human intervention, in particular in order to obtain a review of their situation, express their own point of view, obtain an explanation or contest the decision made.

remote identity verification

The remote identity verification service aims to validate, on the one hand, that the identity documents presented by the Users are genuine and, on the other hand, that the Users are the legitimate holders of those documents. The verdict is determined on the basis of personal identification data, acquired and verified by Share ID as a remote identity verification provider, certified by the National Cybersecurity Agency for Information Systems (ANSSI). The verdict, as well as the identity attributes and the identity document, are then communicated to Welcome Account.

The following identity attributes are deemed to characterise the uniqueness of an individual’s identity and are therefore collected by Share ID and transmitted to Welcome Account: birth surname, usual name (if any), forename(s), date of birth, place of birth, nationality, gender. Welcome Account invites Users wishing to verify their identity on the identity verification service web page. Users are then invited to capture their identity document and their face on video; Users are guided during this stage. Once the identification data have been captured, Welcome Account’s compliance team and/or its agents (in particular Okali) carry out the verification of this data asynchronously.

Note: A specific technical processing of the biometric data captured during the face video is carried out by the above-mentioned provider for the purpose of verifying Users’ identity. This specific technical processing of facial images makes it possible to confirm the unique identification of an individual from their physical, physiological or behavioural characteristics. It also allows the detection of the “liveness” of the individual’s face to check that it has not been physically or digitally altered. These biometric data are considered sensitive within the meaning of the GDPR. In order to use this processing in accordance with the GDPR, Welcome Account justifies a specific need to identify Users in order to allow access to its products and services, under the supervision of the CNIL.

Alternative to remote identity verification: Users who do not wish or are unable to use the identity verification service under the conditions offered may request an alternative identity verification method from Welcome Account’s compliance team and/or its agents, without any additional constraint, inducement or particular consideration. To benefit from this, Users are invited to contact Welcome Account customer service at the following e-mail address: support@welcomeaccount.com .

Share ID’s certification by the ANSSI and this provider’s remote identity verification policy may be consulted at any time at the following addresses:

https://www.shareid.ai/privacy
https://www.ssi.gouv.fr/entreprise/produits-certifies/prestataires-de-verification-didentite-a-distance-pvid/. https://www.ssi.gouv.fr/entreprise/produits-certifies/prestataires-de-verification-didentite-a-distance-pvid/.

Personal Data security

Welcome Account reaffirms its commitment to ensuring that the security of Users’ Personal Data is at the heart of all its actions. The solutions used by Welcome Account to store or process its Users’ Personal Data are subject to our rigorous validation and certification procedures.

Failure to provide Personal Data

Users are not required to answer all the questions asked of them in the various collection media and contact forms offered by Welcome Account: fields marked with an asterisk are mandatory, others are optional.

However, failure to provide this Data may result in Welcome Account being unable to process the User’s request, or prevent them from being able to benefit from certain Welcome Account products and services.

rights over Personal Data

Users have rights over the Personal Data concerning them, collected and processed by Welcome Account in connection with the provision and promotion of its products and services.

Their rights are as follows:

a right of access to, rectification and erasure of Personal Data (inaccurate, incomplete, ambiguous or out-of-date):

Welcome Account guarantees Users access to their Personal Data collected or processed in the context of the business relationship;

a right to object to the processing of Personal Data at any time in the context of business prospecting:

Welcome Account allows Users to object to commercial prospecting processing without justification.

a right to restrict the processing of Personal Data under the conditions provided for by applicable regulations:

if Users wish certain of their Personal Data no longer to be processed, they have the option of restricting their use under the conditions provided for by the applicable regulations.

a right to the portability of Personal Data:

Welcome Account will return the Users’ Personal Data at their request, in an electronic, commonly used format so that they may, where applicable, transmit it to the organisation of their choice.

a right to withdraw their consent at any time:

Users may accept or refuse at any time for Welcome Account to process some of their Personal Data. However, this may result in the registration process or access to the Website being stopped.

a right to lodge a complaint with a supervisory authority:

Users have the right to lodge a complaint at any time with the CNIL as the French supervisory authority for personal data protection regulations.

a right to communicate to Welcome Account as controller their instructions concerning their Personal Data in the event of death:

Users may communicate their instructions on what should be done with their data after their death.

Users may exercise their rights with Welcome Account’s DPO by writing to the e-mail address data@welcomeaccount.com or by post at the postal address: DPO Welcome Place – Station F

44 rue Eugène Freyssinet

75013 Paris

France

Welcome Account undertakes to respond to any request within a maximum of one month from receipt of the request. This period may be extended by two (2) months if the request is particularly complex.

In that case, Users will be informed of such extension and of its reasons within a maximum period of one (1) month from receipt of the request.

In the event of a dispute, Users may lodge a complaint with the CNIL whose website is accessible at the following address https://www.cnil.frand whose registered office is located at 3 Place de Fontenoy, 75007 Paris.

Modification of the DPP

The DPP may be modified or amended at any time in the event of changes in law, case law, decisions and recommendations of the CNIL, usage or changes in the practices and Personal Data processing activities carried out by Welcome Account.

Any new version of the DPP will be brought to the Users’ attention by any means Welcome Account deems appropriate and relevant, including electronic means and publication on the Website.