Privacy and Data Management Policy

This document describes the processing of personal data operated by Alma in the context of the provision of its payment solution in several instalments.

1. Definitions and Vocabulary Used

The following definitions apply to the entire Privacy and Data Management Policy:

  • "Alma": means the simplified joint stock company registered in the Nanterre Trade and Companies Register under number 839 100 575, whose registered office is located at 176 avenue Charles de Gaulle in Neuilly-sur-Seine (92200).

  • "Customer": means any natural person making a purchase on the Internet site or store of a Seller.

  • "Concerned Person": means a Customer, a member of a Seller or a Visitor.

  • "Regulations": means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") as well as Law No. 78-17 of 6 January 1978 relating to information technology, data files and civil liberties in its latest version in force.

  • "Website": means Alma's website accessible using the address https://getalma.eu.

  • "Solution": means the digital solution developed by Alma and provided to Sellers who offer it to Customers in order for them to benefit from payment services.

  • "Subcontractor": means the company or partner whose services are used by Alma in the context of the implementation of the various personal data processing operations described below.

  • "Transaction": means any purchase made by a Customer from a Seller using the Solution.

  • "Seller": means any legal person selling goods or services that makes the Solution available to its Customers.

  • "Visitor": means any person consulting or browsing the Website.

Unless otherwise required by the context, definitions in the singular include the plural, and vice versa.

2. Personal Data Collected and Alma's Role

2.1 Personal Data of Customers (collected by the Seller)

Alma may be entrusted by the Seller with personal data of Customers that Seller has collected directly. In this context, Alma acts as a subcontractor of the Seller, in the sense of the Regulations, for the following data:

  • First and last name.

  • E-mail address.

  • Delivery and billing addresses.

  • Means of delivery (carrier used).

  • Customer's bank details.

  • Customer's telephone number.

  • Date and place of birth of the Customer.

  • Contents of the Customer's shopping cart.

  • History of the Customer's purchases from the Seller.

2.2 Personal Data of Visitors and Customers (collected by Alma)

Alma may collect personal data directly from Visitors and Customers. In this context, Alma acts as a data controller, in the sense of the Regulations, for the following data:

  • The data identifying the Visitor (last name, first name, email address, telephone) and the company in which he works (company name, Internet site, e-commerce platform used).

  • Cookie identifying the Visitor of the Website in order to propose more adapted content and for statistical purposes.

  • The Customer's connection data (IP address, connection data, unique number associated with a unique cookie, language used, browser user agent, telecom operator or IAP, browsing history and data etc.).

  • Customer's telephone number.

  • Identity document after explicit acceptance by the Customer.

  • Bank data (transaction history) after explicit acceptance by the Customer.

2.3 Personal Data of the Sellers' Members

Alma also collects the personal data of the Sellers' members who use the Solution. In this context, Alma acts as a data controller, in the sense of the Regulations, for the following data:

  • The data identifying the contact points at the Seller (last name, first name, telephone number, email, role within the company, connection data).

  • The data allowing the KYC of the Seller (in particular data and identity documents of the legal representative of the Seller and of its beneficial owners, Kbis extract).

3. Processing Operations, their Purposes and their Legal Bases

1) Identification of Customer

  • Purposes: to identify the Customer when they use the Solution.

  • Legal basis: performance of the contract to allow the Customer to pay in instalments.

2) Payment

  • Purposes: to enable the execution of payment transactions authorised by the Customer.

  • Legal basis: performance of the contract to allow the Customer to pay in instalments.

3) Risk assessment

  • Purposes: to evaluate the financial risk borne by Alma, particularly in the event of default by the Customer.

  • Legal basis: performance of the contract to allow the Customer to pay in instalments.

4) Fraud

  • Purposes: to prevent fraud and any financial scams of Customers, including, but not limited to, the use of stolen bank cards.

  • Legal basis: Alma's legitimate interest in preventing fraud in the use of the Solution.

5) Recovery

  • Purposes: to allow for possible financial recovery, especially in the event of default by the Customer.

  • Legal basis: Alma's legitimate interest in recovering the owed sums.

6) Service improvement

  • Purposes: to continuously improve Alma's tools, notably through statistics.

  • Legal basis: Alma's legitimate interest in using data to improve the Solution.

7) Prospection and analysis of Visitors

  • Purposes: to identify the Visitors of the Website, in particular for marketing purposes and to make available the most suitable content according to the activity of the Visitors.

  • Legal basis: consent.

8) Identification of Seller

  • Purposes: to identify the Seller when they use the Solution.

  • Legal basis: performance of the contract to enable the Seller to offer the Solution to Customers.

9) Interactions with the Seller

  • Purposes: to allow the follow-up of the contractual relationship and its development.

  • Legal basis: performance of the contract to allow the Customer to pay in instalments.

10) Fight against fraud and money laundering

  • Purposes: enable Alma to fight against fraud and money laundering by Sellers.

  • Legal basis: compliance with a legal obligation.

4. Operational Procedures for Each Processing Operation

The personal data of the Concerned Persons are processed by Alma in the following ways (depending on the processing operation):

  • Data collection: Processes 1 to 10.

  • Secure storage of data on Alma's authorised servers or the authorised servers of its suppliers (especially hosting solutions): Processes 1 to 10.

  • Automated processing of banking data, by Alma's Subcontractors, in order to carry out the payment authorised by the Customer: Process 2.

  • Automated data processing and profiling, through algorithms to combat bank fraud and algorithms to assess fraud risk and credit risk: Processes 3, 4 and 6.

  • Manual processing of data, by operators specialised in the fight against bank fraud who may manually analyse a Transaction, in order to finalise a decision impacting the Customer: Processes 3, 4 and 10.

  • Anonymisation followed by manual processing of data, by specialised engineers, with the sole aim of improving internal tools for combating bank fraud, assessing the risk of default and analysing cases of recovery: Process 6.

  • Automatic data processing, using algorithms to optimise Alma's collection actions: Process 5.

  • Manual processing of data, by Subcontractors specialised in debt collection, with the sole aim of analysing a Customer's file and possibly contacting them: Process 5.

  • Automatic and statistical processing in order to understand the profile of the Website Visitors and to adapt the content to their preferences: Process 7.

5. Automated Decision Making

In the context of fraud risk and recovery management, the personal data of the Customers are processed by Alma via profiling tools. Alma implements in particular decisions based exclusively on automated processing producing legal effects or significantly affecting the Customer within the meaning of the Regulations.

These decisions make it possible to identify the Customers and the orders for which a Transaction can be carried out, which makes them necessary for the preparation and performance of a contract. These decisions are based on the analysis of different variables related, in particular, to the type of products or services ordered, to the Customer's profile but also on the taking into consideration of data deduced or derived by Alma. It is specified that no sensitive data in the sense of the list of special categories of data provided for by Article 9 GDPR is taken into consideration in these decisions taken in an exclusively automated way.

If, in view of these variables, the risk of fraud and non-payment is considered too great, the Transaction cannot be carried out. Regarding decisions based exclusively on automated processing, the Customer has the right to obtain human intervention, to express their point of view to the resource designated to process their file and to contest the automatic decision that has been opposed, by writing to Alma at the following address: dpo@getalma.eu.

6. Recipient of Personal Data

The personal data of the Concerned Persons are processed for the pursuit of all the aforementioned purposes and are exclusively intended for Alma's internal management services as well as, if necessary, for its Subcontractors (these Subcontractors offering in particular data hosting and fraud prevention services). These Subcontractors are bound to respect strict confidentiality, to ensure the security of the data to which they have access, to use it exclusively within the context of the missions entrusted to them and to respect the Regulations.

7. Duration of Storage of Personal Data

The personal data of the Customers are processed by Alma from the moment they are collected directly from them or from the moment they are transmitted by the Seller. The Customers' personal data are used by Alma throughout the contractual relationship and are stored for a period of 5 years, starting from the last monthly payment of the last Transaction.

The personal data of the members of the Sellers are collected from the conclusion of the general terms of sale or of any contract for the provision of the Solution and are stored for the duration of the contractual relationship. Starting from the end of the relationship with the Seller, this personal data is stored for a period of 5 years.

The personal data of the Concerned Persons are stored for the purposes of (i) prevention of bank fraud and non-payment; (ii) statistics and improvement of Alma's tools; (iii) prevention of disputes; (iv) administrative management of files; and (v) compliance with legal obligations imposed on Alma.

8. Rights of the Concerned Persons

The Concerned Person has the rights provided for by the Regulations, in particular the right to request from Alma access to personal data, the rectification or deletion thereof, or a restriction of the processing relating to the Concerned Person or the right to object to the processing and the right to data portability. Where processing is based on consent, you have the possibility to withdraw your consent at any time, without prejudice to the lawfulness of the processing based on consent carried out prior to the withdrawal thereof. These rights can be exercised by writing to the following address: dpo@getalma.eu.

The exercise of the rights offered is not unlimited and each of them is subject to conditions imposed by the Regulations. As such, the following elements are specified:

  • Identity: it is necessary for the Concerned Person to prove their identity and indicate the address at which they wish to be contacted.

  • Response time: requests are processed by Alma within a reasonable period of time, taking into account the complexity, the number of requests made and the Regulations.

  • Free of charge: the exercise of rights is in principle free of charge. In cases where a request would involve significant costs, the Concerned Person may be required to pay a fee.

These requirements must be met, otherwise applications will not be processed.

Any Concerned Person may contact the Commission nationale de l'informatique et des libertés (CNIL) if they believe that Alma has not complied with the Regulations (information on how to contact the CNIL is provided directly on their site).

9. Data Transfers

Alma limits as much as possible the choice of Subcontractors who process personal data in a country outside the European Union. Nonetheless, in the context of the fulfilment of the purposes detailed in this Privacy and Data Management Policy, Alma may need to transfer personal data to countries outside the European Union that do not offer adequate protection. In this case, Alma undertakes to implement all appropriate technical and organizational measures to ensure the security of the personal data of the Concerned Persons. Furthermore, Alma requires the Subcontractors to comply with the obligations set forth in the Regulations.

10. Cookies

A "cookie" is a small computer file, a tracer, deposited and read, for example, when consulting an Internet site, reading an email, installing or using a software or a mobile application, regardless of the type of terminal used (computer, smartphone, digital reader, object connected to the Internet, etc.).

In accordance with Article 82 of the French Data Protection Act, any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless they have been informed beforehand, by the data controller or their representative of: (i) the purpose of any action aimed at accessing, by way of electronic transmission, information already stored in their electronic communications terminal equipment or at entering information into this equipment; and (ii) the means available to them to oppose such action. Such access or storage may only take place if the subscriber or user, after having received this information, has expressed their consent. Alma uses third-party cookies for which consent is requested.

It is also provided that these rules do not apply if the access to or entering of information in the user's terminal equipment: (i) is solely for the purpose of enabling or facilitating communication by electronic means; or (ii) is strictly necessary for the provision of an online communication service at the express request of the user.

11. Data Protection Officer

Alma's Data Protection Officer can be contacted at the following address: dpo@getalma.eu.