Privacy Policy

Last update: May 2024

See also:

Politique de Confidentialité 🇫🇷
Privacy Policy 🇬🇧
Privacybeleid 🇳🇱
Datenschutzerklärung 🇩🇪
Política de Confidencialidad 🇪🇸
Informativa sulla Privacy 🇮🇹

1. Who we are and how to contact us?

SlimPay, a limited company having its registered office at 12 rue Godot de Mauroy 75009 Paris, registered in the Trade and Companies Register of Paris under 518 991 336 (hereinafter “SlimPay”, “we”) is a payment services provider specialised in account-to-account payments. SlimPay is authorised and supervised by the Autorité de Contrôle Prudentiel et de Résolution (ACPR) as a payment institution. In the context of this Privacy Policy (hereinafter “the Policy”), SlimPay is the Data Controller.

You can contact our Data Protection Officer at any time at the following address: dpo@slimpay.com.

2. The purpose of the Privacy Policy

The protection of Personal Data is a priority for us, which is why we are committed to complying with the applicable regulations and in particular the General Data Protection Regulation (EU) 2016/679 and the French Data Protection Act (“Loi Informatique et Libertés”) of January 6, 1978 as amended (hereinafter the “Applicable Regulations”). This Policy thus aims to inform data subjects about the processing of Personal Data conducted by SlimPay.

3. Definitions

The terms used in this Policy have the following meaning: 

Affiliates: means any company which, directly or indirectly, controls SlimPay, is controlled by SlimPay or is under the same control as SlimPay, the concept of control being that defined in Article L. 233-3 of the French Commercial Code.

Beneficial Owner: means a legal representative of a SlimPay Merchant.

Data Controller: in accordance with the Regulation (EU) 2016/679 means the legal or natural person who determines the purposes and means of processing Personal Data.

Data Processor: in accordance with Regulation (EU) 2016/679 means the natural or legal person who processes data on behalf of another organisation (“the Data Controller”), as part of a service or provision.

Merchant: means a business customer of SlimPay.

Merchant or Partner Contact Person: means a person employed by the Merchant or the Partner.

Partner: means any company with which SlimPay has contracted (excluding Merchants) as part of a partnership or service provision.

Personal Data: means all personal data as defined by the General Data Protection Regulation (EU) 2016/679 (GDPR).

Prospect: means a business potentially interested in SlimPay’s services or a website visitor.

User: refers to the Merchant’s end customer who wishes to purchase goods or services offered by the Merchant. 

4. How do we process your Personal Data?

You are interacting with us if you are in one of the following categories:

  • a User
  • a Merchant or Partner Beneficial Owner 
  • a Merchant or Partner Contact Person
  • a Prospect 

If you are applying for a job at SlimPay, you will find our policy on job applicants when you submit your application.

You will find, below, details concerning the collection, purposes, legal bases and categories of Personal Data processed by SlimPay according to each category of data subject.

4.1 If you are a User of our services

This paragraph applies to you if you are a customer of a Merchant who uses SlimPay’s services.

How is data collected? Your Personal Data is transferred to us through the Merchant who provides you with the goods and services you require, through a SlimPay partner or through your bank’s API for our SlimCollect service.

Your Personal Data is processed as follows. Depending on the services to which your Merchant has subscribed with us, certain processing operations may not be applicable to you.

4.1.1 Service provision

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| Provision of signature service of SEPA mandate and/or document (including management via SlimPay dashboard)* | Legitimate interest in providing our services to Merchants | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Financial data (BIC, IBAN) |
| Provision of the SEPA mandate preparation service to the Merchant’s bank (including management via the SlimPay dashboard)* | Legitimate interest in providing our services to Merchants | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Financial data (BIC, IBAN) |
| Provision of the SEPA direct debit acquiring service (including management via the SlimPay dashboard)* | Legitimate interest in providing our services to Merchants | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Financial data (BIC, IBAN); Transactional data (Merchant name, date, transaction description and amount, transaction reference) |
| Provision of the account information service (SlimCollect Verify) (including management via the SlimPay dashboard)* | Performance of a contract with the User | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Financial data (name of your bank, BIC, IBAN); Transactional data (Merchant name, date, transaction description and amount, transaction reference) |
| Provision of payment initiation service (SlimCollect Pay) (including management via SlimPay dashboard) | Performance of a contract with the User | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Financial data (name of your bank, BIC, IBAN); Transactional data (Merchant name, date, transaction description and amount, transaction reference) |
| Sharing information with SlimPay Affiliates. SlimPay may transfer your data to its Affiliates in order to improve our products and services. | Legitimate interest in improving our products and services | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Financial data (name of your bank, BIC, IBAN); Transactional data (Merchant name, date, transaction description and amount, transaction reference) |

* For any use of the account information service followed by the service of signature, preparation of SEPA mandates and then SEPA direct debit acquiring service after 30 April 2024 via the SlimPay platform, SlimPay will collect and process your data as a joint Data Controller with the company Trustly Group AB. More information about this joint controllership can be found in article 5.4 below. 

4.1.2. Transaction analysis

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| Mandate analysis before import | Legitimate interest in ensuring that mandates comply with EPC rulebooks and are consistent with KYC | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Financial data (BIC, IBAN) |
| Monitoring and analysis of atypical payment transactions (Transaction Monitoring) | Legal obligation: Article L561-6 of the French Monetary and Financial Code | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Financial data (BIC, IBAN); Transactional data (Merchant name, date, transaction description and amount, transaction reference) |
| Analysis of your transactions for anti-fraud purposes | Legitimate interest in preventing fraud | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Financial data (BIC, IBAN); Transactional data (name of the Merchant you are paying, date, description and amount of the transaction, transaction reference) |

4.2 If you are a Beneficial Owner of one of our Merchants or Partners 

This paragraph applies to you if you are a Beneficial Owner of a SlimPay direct Merchant or Partner or if you sign deeds on behalf of a Beneficial Owner. As a French payment institution approved by the Autorité de Contrôle Prudentiel et de Résolution (ACPR), we are subject to regulatory obligations, in particular as part of the fight against money laundering and combating the financing of terrorism (AML-CFT). We are therefore required to collect and analyse the necessary information to know our customers before starting a business relationship and throughout its duration.

How is data collected? We collect your Personal Data directly by filling in a form or indirectly through our control tools (see article 5.3) or through SlimPay’s Affiliates.

Your personal data is processed as follows:

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| “Know Your Business” (KYB) procedure. In accordance with our regulatory obligations, we verify your identity, including identifying Politically Exposed Persons (“PEP”) and ensuring that your name does not appear on any sanctions or asset freeze lists. | Legal obligation: Articles L561-5 et seq. and article R561-12 of the French Monetary and Financial Code. As the information constitutes sensitive data, the legal basis is that processing is necessary for public interest reasons (Article 9(2)(g) of the GDPR). | Identification data (surname, first name, date of birth, identity document, postal address, business email address, business telephone number); Details of professional life (name of the company you work for and your job title); Sensitive data (when applicable, information on political opinions and/or religious beliefs contained in PEP lists and data relating to criminal convictions or offences if you appear on a sanctions list) |
| Sharing KYB information with SlimPay’s Affiliates. In the event that the Merchant wishes to subscribe to the services of a company within the Trustly group to which SlimPay belongs, SlimPay will share your KYB information with that company. | Legitimate interest of SlimPay’s Affiliates in obtaining KYB information to carry out their own mandatory KYB due diligence. As the information constitutes sensitive data, the legal basis is that processing is necessary for public interest reasons (Article 9(2)(g) of the GDPR). | Identification data (surname, first name, date of birth, identity document, postal address, business email address, business telephone number); Details of professional life (name of the company you work for and your job title); Sensitive data (when applicable, information on political opinions and/or religious beliefs contained in PEP lists and data relating to criminal convictions or offences if you appear on a sanctions list) |

4.3 If you are a Contact Person of one of our Merchants or Partners

This paragraph applies to you if you are an employee of a SlimPay direct Merchant or Partner, with whom we interact in the context of the business relationship, between SlimPay and the Merchant or the Partner.

How is data collected? We may collect your Personal Data directly from you.

Your personal data is processed as follows:

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| Business relationship management (contract follow-up, complaints) | Contract execution | Identification data (surname, first name, professional email address, professional telephone number); Details of professional life (name of the company you work for and your job title) |
| Conducting surveys and polls on our products and services and assessing customer satisfaction | Legitimate interest in improving our products and services | Identification data (surname, first name, professional email address, professional telephone number); Details of professional life (name of the company you work for and your job title) |
| B2B marketing campaigns | Legitimate interest in commercial prospecting | Identification data (surname, first name, professional email address, professional telephone number); Details of professional life (name of the company you work for and your job title) |
| Sharing information with SlimPay’s Affiliates | Legitimate interest in sharing your data with SlimPay’s Affiliates for commercial prospection purposes | Identification data (surname, first name, professional email address, professional telephone number); Details of professional life (name of the company you work for and your job title) |

4.4 If you are a Prospect 

This paragraph applies to you if you are a potential future SlimPay customer or a visitor to our website.

How is data collected? SlimPay has collected your data using the forms on our website, through a legally obtained business contact list, directly online through an email address verification service, from your company’s email address domain name or through SlimPay’s Affiliates.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| Propose content on our services (guides, white papers, webinars…) | Legitimate interest in providing you with requested content and sending you B2B marketing campaigns | Identification data (surname, first name, professional email address, professional telephone number); Details of professional life (name of the company you work for and your job title) |
| Send B2B marketing campaigns | Legitimate interest in commercial prospecting. In order to comply with regulations on B2B commercial prospecting, we undertake to contact only professional email addresses with solicitations related to the profession of the person contacted, and to inform people of the processing conducted and the possibility of objecting. | Identification data (surname, first name, professional email address, professional telephone number); Details of professional life (name of the company you work for and your job title) |
| Get connected with our teams | Legitimate interest in putting you in contact with our teams and sending you B2B marketing campaigns | Identification data (surname, first name, professional email address, professional telephone number); Details of professional life (name of the company you work for and your job title) |
| Sharing information with SlimPay’s Affiliates | Legitimate interest in sharing your data with SlimPay’s Affiliates for commercial prospection purposes | Identification data (surname, first name, professional email address, professional telephone number); Details of professional life (name of the company you work for and your job title) |
| Cookies and other tracking data. To know more about cookies, please consult our dedicated policy | Consent (through the cookies module at the bottom left of the screen) | Connection data (IP address, logs, device type, operating system and browser information) |

If you no longer wish to be contacted by SlimPay, you can unsubscribe at any time by clicking on the “Unsubscribe” link at the bottom of our emails.

4.5 Other Personal Data Processing 

Depending on the circumstances, such processing may potentially concern all categories of people of whom SlimPay processes Personal Data.

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| Responding to your requests to exercise your rights. In this context, and in consideration of the nature of the data we process, we may be required, in certain cases, to verify your identity in order to ensure that we do not disclose Personal Data to the wrong person. | Legal obligation | Identification data (surname, first name, professional email address, professional telephone number, copy of identity document if necessary) |
| Defending SlimPay’s interests | Legitimate interest in defending SlimPay’s interests | Identification data (surname, first name, email address, telephone number, postal address, customer reference); Details of professional life (name of the company you work for and your job title); Financial data (BIC, IBAN); Transaction data (name of the Merchant you are paying, transaction details and amount, transaction reference) |

5. Recipients of Personal Data

For the purposes of the processing identified above, SlimPay transfers your Personal Data to the following recipients:

5.1 SlimPay teams

Your personal data is only available internally at SlimPay to specifically authorised teams. SlimPay also ensures that all people involved in the processing of Personal Data at SlimPay are bound by an appropriate obligation of confidentiality and have received appropriate training in the processing and protection of Personal Data.

5.2 SlimPay’s Affiliates

SlimPay may share your data with its Affiliates to improve our products and services if you are a User (see article 4.1.1 above), for KYB purposes if you are a Beneficial Owner (see article 4.2 above) or for commercial prospection purposes if you are a Contact Person or Prospect (see articles 4.3 and 4.4 above).

5.3 SlimPay Data Processors

SlimPay also uses Data Processors for the purposes detailed in article 4 above. SlimPay warrants that it has selected its Data Processors, in particular, on the basis of the sufficient guarantees they offer in terms of security and data protection. SlimPay undertakes to enter into a processor contract with each of its Data Processors and to ensure that each Data Processor fulfils all the obligations imposed by the GDPR. For a list of SlimPay’s Data Processors, click here.

5.4 Joint Data Controllers

For any use of the account information service followed by the service of signature, preparation of SEPA mandates and then SEPA direct debit acquiring service after 30 April 2024 via the SlimPay platform, SlimPay will collect and process your Personal Data as a joint Data Controller with the company Trustly Group AB (a limited liability company with registered office at Rådmansgatan 40, 113 57 Stockholm, Sweden, registered number 556754-8655). 

SlimPay and Trustly Group AB are obliged under the GDPR to determine and allocate our respective responsibilities for compliance with the obligations under the GDPR. We are also obliged to make the essence of this arrangement available to you. Please see below for such information.

SlimPay is responsible under the GDPR to provide you with information on how your personal data is processed for the purpose of the service referred to in this article. SlimPay is also the primary recipient of requests related to your rights under the GDPR (see article 9 below), such as your right to get access to what Personal Data SlimPay and/or Trustly Group AB process about you. However, you are free to exercise your rights towards Trustly Group AB if you wish.

You can find more information on how Trustly Group AB processes your personal data, such as the legal basis that Trustly Group AB relies on and the ways to exercise data subject rights against Trustly Group AB, here.

5.5 Separate Data Controllers

SlimPay may transmit your personal data to the Merchant as part of the provision of services.

In providing our payment services, SlimPay also provides your Personal Data to another partner, BNP Paribas, which is a direct participant in the European interbank exchange systems and acts as a separate Data Controller. To obtain further information about the processing of your Personal Data by BNP Paribas, please consult this notice.

5.6 The competent public authorities

In specific situations, your Personal Data may be communicated to the competent public authorities, upon judicial request, and to organisations involved in the fight against money laundering and the financing of terrorism pursuant to legal or regulatory provisions.

6. Location of Personal Data

SlimPay’s servers are located entirely within the European Union by our hosting provider Amazon Web Services.

As stated in article 5.3 of this Policy, SlimPay will transfer your personal data to its Data Processors in the course of providing its services. 

Some Data Processors are located in countries outside the European Union. SlimPay undertakes to ensure that such transfers outside the EU are covered:

– By an adequacy decision by the European Commission recognising the third country as having an adequate level of protection of Personal Data, in accordance with Article 45 of the GDPR; or

– By appropriate safeguards, in accordance with Article 46 of the GDPR, such as the Standard Contractual Clauses (SCC) adopted by the European Commission.

7. Retention of personal data

SlimPay retains your personal data for as long as necessary to provide our payment services or for the duration of the business relationship. SlimPay may also need to retain your personal data for longer periods in order to comply with legal and statutory requirements, such as anti-money laundering and financing of terrorism requirements, and to comply with retention periods for evidential or accounting purposes. The retention periods applicable to SlimPay are detailed below. Once these retention periods have expired, SlimPay will delete or anonymise your personal data.

| Category of Concerned Person | Categories of Personal Data | Data retention period | Conservation justification |
| --- | --- | --- | --- |
| Users | Identification data; Financial data; Transaction data | Five (5) years from the execution of the transaction | Fighting against money laundering/ payment fraud/ financing of terrorism (Article L.561-12 of the French Monetary and Financial Code) |
| Users | Data contained in SEPA mandates (identification data; financial data) | Five (5) years from the end of the mandate: either from its revocation by the debtor, or from the expiry of the mandate (where no SEPA Direct Debit order has been submitted for a period of 36 months) | Preservation for probationary purposes (Article 2224 of the French Civil Code) |
| Users | Data contained in SEPA mandates (identification data; financial data) | Ten (10) years from the creation of the trust file | Retention of trust files as part of an additional archiving service at the request of the Merchant (Article L.123-22 of the French Commercial Code; General Requirements ETSI 319 411-1) |
| Merchant’s or Partner’s Beneficial Owners | Identification data; Data relating to professional life; Sensitive data | Five (5) years from the end of the business relationship | Fighting against money laundering/ payment fraud/ financing of terrorism (Article L.561-12 of the French Monetary and Financial Code; Article L110-4 of the French Commercial Code) |
| Merchant’s or Partner’s Contact Persons | Identification data; Data relating to professional life | Three (3) years from the end of the business relationship | Business relationship management (CNIL recommendations) |
| Prospects | Identification data; Data relating to professional life | Three (3) years from the last active contact of the prospect | Commercial prospecting (CNIL recommendations) |

8. Security and confidentiality

While your personal data is being stored, SlimPay takes all necessary measures to ensure its confidentiality and security in order to prevent it from being damaged, deleted or accessed by unauthorised parties.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk for the rights and freedoms of natural persons, each Party undertakes to implement appropriate technical and organisational measures to ensure the confidentiality and security of Personal Data in accordance with Article 32 of the GDPR.

These safety measures notably include the following:

  • Authentication measures and access management: Any person accessing the data is assigned a unique (non-generic) identifier and a password generated by a password generator, enabling all actions performed on the system to be associated with that person with certainty. The password must be renewed every 90 days. All personnel movements require a reassessment of access rights.
  • Connection logging and traceability: All actions on the SlimPay services hosting platform are traced and reported to our log centralization tools and aggregated on our monitoring/dashboarding tools.
  • Equipment security: All user equipment is equipped with automatically updated protection against malware (antivirus, firewall). VPN-type technology must be used to secure and authenticate user access via external connections.
  • Network compartmentalisation: Development/operations, validation, pre-production/production networks are logically disjointed.
  • Cryptographic measures and data backup: All backed-up data is encrypted using a standard AES-256 encryption algorithm. A full data backup is performed daily, with backup date and time criteria.
  • Controlling physical access to business premises: All business premises are closed to the public thanks to a badge-based access security system, supervised by cameras which store recordings in compliance with current regulations.

9. Exercising of rights

In accordance with the provisions of the Applicable Regulations (and in particular Chapter III of GDPR), you may exercise the following rights:

  • The right of access: you can obtain a copy of your Personal Data processed by SlimPay and other information on processing.
  • The right to request rectification: you can request the modification of your Personal Data if it is incorrect or incomplete, in order to limit the use or distribution of false information.
  • The right to erasure: you can request that SlimPay delete your Personal Data if one of the grounds of Article 17 of the GDPR is applicable.
  • The right to restriction of processing: you can request that the processing of your data be blocked for a certain period of time when one of the elements of Article 18 of the GDPR is applicable.
  • The right to data portability: you have the right to recover your Personal Data in a machine-readable format for your own use or to provide it to another organization.
  • The right to object: you can object at any time to the processing of your data on the basis of legitimate interests. You may also object at any time to the processing of your data for prospecting purposes.
  • The right to withdraw your consent: you may withdraw your consent at any time for processing operations based on this legal basis.
  • The right to digital death: you have the right to define directives concerning the conservation, deletion and communication of your Personal Data after your death.

To exercise these rights and for any request relating to personal data, you can contact our Data Protection Officer at the following address: dpo@slimpay.com.

We also remind you that in accordance with Article 77 of the GDPR you can lodge a complaint with a control authority.

10. Modification of the Privacy Policy

SlimPay may modify this Privacy Policy at any time, especially in case of new recommendations from the CNIL, changes in the processing of Personal Data or changes in the applicable law. 

SlimPay will publish its Privacy Policy on its website in the latest available version and will provide you with the date of the last update.
