Transparency in the handling of personal data is a fundamental value for Powens

 

We attach great importance to respecting privacy, and in this regard, we comply with the provisions of the French Data Protection Act (law n°78-17 of January 6, 1978) in its current version and the Regulation (EU) n°2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

As part of your use of our services, we may collect and process some of your personal data. Therefore, we invite you to carefully read the following to understand our practices in this matter.

Furthermore, we are committed to making ongoing efforts and evolving this policy to enhance the security and management of your personal data. We encourage you to regularly check for any changes that may have been made.

 

Who are we?

Powens is a French payment institution authorized by the Autorité de Contrôle Prudentiel et de Résolution (ACPR). Our main activity is to provide banking and financial services, as well as document aggregation.

 

Categories of processed data

As part of your use of our services, we collect personal data.

These data may be collected directly from you or indirectly from account holders, with your express authorization.

When using our services, you acknowledge that Powens has the ability to act on your behalf to access and transmit your information from all financial and/or billing product and service providers holding data.

This information can include:

Processing	Data
Payment initiation Service	Connection data: Credentials (banking information/passwords), login history logs Beneficiary data: Name, IBAN Details of initiated transfer: Sender and recipient accounts, amount, description, execution date Details of payment requests: Amount, description, selection of recipient account
Account information, categorization, and data enrichment service	Connection data: Credentials (banking information/passwords), login history logs Balances and transactions of aggregated information made available through the API or on the website (in case of direct access) of the Service Provider authorized by the User Information available on the website of the data holder authorized by the User
Bank account identity verification service	Connection data: Credentials (banking information/passwords), login history logs Account label First name, last name, and/or corporate name of each account holder Role of the account holder IBAN or other account identification value
Other assets management service	Connection data: Credentials (banking information/passwords), login history logs Banking identifiers Information available on the website of the data holder authorized by the User.
Document management service	Credentials for accessing subscriptions/accounts generating invoices Invoices and associated metadata Information available on the website of the designated and authorized Supplier by the User.
Bank data analysis service	Connection data: Credentials (banking information/passwords), login history logs Balances and transactions of aggregated accounts Information available on the website of the account management Payment Service Provider.
Meet or regulatory obligations	Identity information Any personal information enabling us to comply with our regulatory obligations
Providing support	Email address Any personal information enabling us to process your request and ensure its legitimacy
Handling requests and complaints	Email address Any personal information enabling us to process your request and ensure its legitimacy
Creation of anonymized datasets	No personal data processed
Statistical data processing	No personal data processed

 

Use of your data

Your Personal Data is collected and further processed by Powens, in a manner that is adequate, relevant and limited to what is necessary for the purposes described below, on the basis of the following legal bases.

 

To enable the performance of the contract :

• Enable the provision of services and their maintenance;
• Provide user support (handling requests, complaints, or disputes)

 

To ensure compliance with Powens’ legal obligations, including:

• Anti-money laundering and counter-terrorism financing;
• Fraud prevention;
• Security of personal data.

 

To pursue Powens’ legitimate interests, for the purposes of:

• Ensuring the improvement and development of Powens’ services;
• Create anonymous datasets from collected historical and future data that can be shared with partners;
• Conduct statistical, economic, commercial, or usage data analyses of the Services using data that does not allow for your identification.

 

Your consent when necessary :

• Processing of sensitive personal data.

 

Sharing and retention of your data

 

→ Recipients

Your personal data may only be transmitted to individuals or legal entities who have a legitimate need to process them, namely:

• Authorized employees of Powens, within the scope of their functions and duties;
• The partner through which Powens’ services are provided to you;
• Payment service providers managing the receiving account for the transfer;
• Subcontractors of Powens for the purposes described below;
• Any entities and individuals designated by regulations, as well as anyone to whom you expressly authorize disclosure.

 

→ Data Retention

Your personal data is retained until the termination of the service.

Banking data undergoes intermediate archiving for a period of five (5) years from the end of the contractual relationship between Powens and you, in accordance with the regulations for the prevention of money laundering and the financing of terrorism (L.516-12 of the Monetary and Financial Code).

The data will be deleted once the specified period has elapsed.

 

→ Subcontracting and Data transfer

To provide our services, we may work with other companies.

Subcontractor	Country	Service
OVH	France	Data Hosting (Backups)
SEWAN	France	Data Hosting (Production)
AWS	France	Data Hosting (Production)
GEMALTO	France	Encryption of credentials
UNNAX	Spain	Data categorization

We ensure that, when choosing our partners, they provide guarantees in terms of quality, security, reliability, and resources to implement technical and organizational measures, including data security.

We have a Data Processing Agreement in place with all our subcontractors. When necessary, we sign Standard Contractual Clauses (SCCs) and ensure that additional measures have been implemented.

Lastly, in response to a request from competent public authorities, we may be required to disclose your personal data to comply with our legal obligations.

 

Security

We are committed to taking all necessary measures to ensure the security and confidentiality of personal data, including preventing them from being damaged, deleted, or accessed by unauthorized third parties.

In the event of a security incident affecting your personal data (such as destruction, loss, alteration, or disclosure), we undertake to take all necessary steps to address the situation.

If such an incident occurs, we will inform you and report the incident to the relevant data protection authorities, such as the National Commission for Data Protection and Liberties (CNIL), in accordance with applicable laws and regulations.

We implement various security measures, including technical and organizational measures, to protect personal data against unauthorized access, loss, or alteration. These measures include secure data storage, encryption, access controls, regular system monitoring, and employee training on data protection.

Please be aware that no method of data transmission or storage is completely secure. However, we strive to maintain a high level of security and continuously review and update our security practices to protect your personal data to the best of our abilities.

 

Your Rights

You have the following rights:

• Right of access: You have the right to obtain confirmation as to whether or not we process your personal data and, if so, to request access to the personal data we hold about you.
• Right of rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request the correction or updating of such data.
• Right to erasure: You have the right to request the deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or if you withdraw your consent and there is no other legal basis for processing.
• Right to object: You have the right to object to the processing of your personal data, except when we have legitimate grounds for processing that override your interests, rights, and freedoms, or when the processing is necessary for the establishment, exercise, or defense of legal claims.
• Right to data portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit those data to another controller, where the processing is based on consent or the performance of a contract.
• Right to restriction of processing: You have the right to request the restriction of the processing of your personal data under certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful, but you oppose erasure.
• Right to give instructions regarding the processing of your data after your death: You have the right to provide instructions on the storage, erasure, and disclosure of your personal data after your death.

Any request you make must be clear, specific, justified, and accompanied by a copy of an identification document, in accordance with applicable legal requirements.

You also have the right to lodge a complaint with the relevant data protection authority, which in France is the Commission Nationale de l’Informatique et des Libertés (CNIL).

3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07

Tél : 01 53 73 22 22 / Fax : 01 53 73 22 00

You can visit their website at www.cnil.fr for more information on how to submit a complaint.

Please note that we encourage you to contact us first to address any concerns or issues regarding the processing of your personal data, as we are committed to resolving any privacy-related matters in a timely and satisfactory manner.

You are also informed that if you oppose the processing of your personal data or provide inaccurate or fictitious data, the services related to the collection of data may not be provided, and Powens cannot be held liable in any way for this.

Furthermore, the collection of certain data may be required for regulatory or contractual reasons. Therefore, you are obligated to provide the requested personal data.

It is important to provide accurate and up-to-date information to ensure the proper provision of services and compliance with legal obligations. Failure to provide the necessary data may result in the inability to access certain services or comply with legal requirements.

 

Contact us

Please send any questions, comments, or requests regarding this privacy policy to dpo@powens.com. We will make every effort to address your inquiries and respond to your concerns in a timely manner.

Your satisfaction and the protection of your personal data are of great importance to us, and we are here to assist you as needed. Feel free to reach out to us if you have any further questions or concerns regarding our privacy policy.