Privacy and data protection policy

1. IN GENERAL

1.1 Your Personal data are processed by:

Rise Financials BV/SRL

Registered office: Avenue du Roi 107, 1190 Brussels (Belgium)

Company number: 0741.614.389

Representative: Morgan Wirtz, CEO

‍

1.2 By providing our Services to you, RISE shall be considered as responsible regarding the processing of your Personal data (i.e. Data Controller) except for Payment Services as specified in Article 2 of this Privacy Policy. With respect to the Payment Services, Treezor will act as a Data Controller and we act as Treezor’s Processor. However, some of your Personal Data is collected both by RISE in its capacity as Treezor’s Processor and in its capacity as a Data Controller. For some of this data, RISE and TREEZOR will therefore be considered both as Controllers.

‍

1.3 All the data/information collected by us are related to the provision of our Services. Generally, we collect (1) the data it needs to enable you to use our Services and (2) the data we may use to provide you with enhanced and/or additional features. We will also inform you about our new products and services.

‍

1.4 This Privacy Policy may be amended, supplemented or updated, in particular to comply with any legal, regulatory, case law or technical developments that may arise. However, your Personal data will always be processed in accordance with the policy in force at the time of the data collection, unless a compulsory legal prescription determines otherwise and must be enforced retroactively. Amendments to the Privacy Policy will only become applicable after a period of 30 business days from the date of the amendment. We will revise the date of the last update at the top of the Privacy Policy for this purpose. It is your responsibility to inform yourself as to the content of the Privacy Policy, and only the updated version available online is considered current. We encourage you to check this page frequently for changes.

2. TREEZOR

2.1 RISE operates as a (payment service provider) agent of the french company Treezor SAS. Treezor SAS is an electronic money institution, within the meaning of Article L.525-1 of the French Monetary and Financial Code, approved and registered by the Autorité de Contrôle Prudentiel et de Résolution (ACPR). In this capacity, we market the "Payment Services" provided by Treezor (as defined in our General Conditions or in the Framework Agreement with Treezor).

‍

2.2 With respect to the "Payment Services", Treezor will act as a Data Controller, in accordance with Article 20 of the Framework Agreement as well as Treezor's privacy policy (https://www.treezor.com/en/privacy-policy/). Treezor limits the processing of your personal data to the purposes necessary to provide the Payment Services. In the context of these Payment Services, we collect your Personal data for the sole purpose of performing these Payment Services by Treezor. In this respect, we act as a Treezor’s Processor in the sense of article 4 of the GDPR.

‍

2.3 For the processing of your Personal data in the context of the Payment Services, the Data Controller is therefore:

TREEZOR SAS

Registered office: avenue de Wagram 33, 75017 Paris

Company number: 807 465 059

Representative: Eric Lassus, General Director

(hereinafter referred to as “Treezor”)

‍

2.4 Therefore, WE URGE YOU TO CAREFULLY READ Article 20 of the Framework Agreement you have entered into with Treezor and their privacy policy : https://www.treezor.com/en/privacy-policy/. In our opinion, the main points of these processing operations are the following:

2.4.1 Involved Personal data:

In the course of providing the Payment Services, the following Personal data is collected for Treezor:

• Identification and authentication data (surname, first name, date of birth, identity card and passport number, postal and e-mail address, telephone number, tax residence and legal status);
• Data relating to you professional situation;
• Data related to your patrimonial situation;
• Data related to the operations and transactions carried out using the Payment Services (payments, transfers)
• Bank Data (IBAN, card number, balance)
• Identification and authentication data related to use
• Identification data or digital authentication linked to use (connection and usage logs, IP address etc.).

‍

2.4.2 Legal basis and purposes:

1. The Processing of your Personal data by Treezor, by virtue of a legal obligation, has the following purposes:

• The knowledge of the the user of the Payment Services and the updating of his/her Personal data;
• The maintenance and management of the payment account(s);
• Risk management, control and monitoring related to Treezor’s internal control;
• Security and prevention of unpaid bills and fraud, collection, litigation;
• Compliance with legal and regulatory obligations and, in particular, the identification of inactive accounts, the fight against money laundering and terrorist financing, the automatic exchange of information relating to accounts in tax matters;
• Segmentation for regulatory purposes;
• Carrying out statistical studies and making data more reliable for computer security purposes; and
• Follow-up of your requests and the exercise of your rights.

Those processings of your Personal data by Treezor is mandatory. Your refusal to communicate all or part of these Personal data may lead to the rejection of the application to open a payment account by Treezor.

‍

2. The Processing of your Personal data by Treezor, based on its legitimate interests, has the following purposes:

• Keeping and management of payment accounts ;
• Prevention of the risks of fraud and abuse (including the control of abnormal transactions);
• IT management to ensure the availability, integrity and confidentiality of Personal data;
• Keeping the register relating to the management of requests from Data Subjects (in particular requests relating to the rights of individuals) ; and
• The segmentation of customers for regulatory purposes.

‍

2.4.3 Storage duration of your Personal data

Treezor undertakes to keep your Personal data for a period of five (5) years following the closure of your payment account.

‍

2.4.4 The Recipients of your Personal data with respect to the Payment Services provided by Treezor:

• Treezor’s employees:
• Treezor’s subcontractors (the host of the site, CRM tool, audience measurement and analysis service provider, e-mail provider, secure payment service provider, newsletter service provider, after-sales service provider, KYC service provider, expense categorisation service provider, card processor and manufacturer, mobile payment processor, SEPA banking network member, transfer and direct debit processor);
• us (RISE); and
• third parties for the purpose of complying with a legal or regulatory obligation or responding to a request from the supervisory authority, in particular the Autorité de contrôle prudentiel et de résolution (ACPR), the CNIL, judicial bodies, the tax authorities, TRACFIN etc.

3. COLLECTION AND SOURCE OF PERSONAL DATA

3.1 We process the Personal data of the following persons:

• You, in your capacity as a user/client/visitor of the Site/App/Services; and
• Any other person about whom you provide information to us through a communication channel indicated on the Site/App, including through social networks. The Personal data of such other persons is transmitted to us under your responsibility and you undertake to transmit it to us in accordance with the applicable legal provisions. We will only use this Personal data if it is necessary for the performance of our duties.

‍

3.2 We know how important it is for you to protect your children's data. We will only process data about your children if you have appointed them as the user of our Services.

‍

3.3 We may collect your Personal data directly (in particular via the collection forms available on our Site/App) or indirectly (in particular via our service providers). We will only use this Personal data if it is necessary for the performance of our duties.

‍

3.4 We undertake to obtain your consent and/or to allow you to object to the use of your Personal data for certain purposes whenever necessary/appropriate.

4. TYPES OF PERSONAL DATA COLLECTED AND USED BY US AS DATA CONTROLLER

We may specifically collect and process the following types of Personal data:

• Your identification and authentication data (surname, first name, type (parent/child), nationality, date/place of birth, gender, postal address, e-mail address, face and/or print ID, telephone number, family relationship, avatar, user name, password/PIN);
• Your socio-demographic data (marital status and family situation);
• Information about third parties such as Personal data relating to your family members where you provide this information directly to us;
• Your banking and financial data, data relating to transactions made by using our Services;
• Information you provide when filling in forms on the Site/App (e.g. for subscription purposes, to participate in surveys/contests, for marketing purposes); generally the content of your communication with us or when you actively provide information to us (e.g. when entering a contest, posting videos/photos/comments etc.)
• Data about your online behaviour and preferences; information about your interests;
• Information you provide when using the App such as screens visited, interaction patterns, device details, geographical location;
• Your geolocation data; and
• Your browsing data.

5. PERSONAL DATA THAT WE AUTOMATICALLY COLLECT AS DATA CONTROLLER

We collect some information automatically when you visit the Site/App in order to personalize and enhance your experience. We collect this information using various methods such as:

a. Cookies

A “cookie” is a small information file sent to your browser when you visit our Site/App and stored on your device. This file contains information such as the domain name, the internet access provider and the operating system as well as the date and time of access by the user. Cookies cannot damage your device in any way.

Cookies are not used to determine the identity of an individual who visits our Site/App. Cookies allow us to identify, in particular, your display language in order to improve your online browsing experience. They also enable us to process information about your visit to our Site/App, such as the pages viewed and the research conducted, in order to improve our Site/App content, to follow your areas of interest and offer you more suitable content.

If you do not want to receive cookies from our Site/App, you can adjust your browser settings accordingly. To manage your choices, each browser has a different configuration. These configurations are described in your browser’s help menu, which will explain how to change the settings to your desired cookies configuration. Note that for some cookies you can indicate your choice directly in the Cookie Settings.

We recommend, however, that you do not deactivate our cookies. Keep in mind that  some of our cookies are necessary for the proper functioning of our App/Site and if you block, turn off or reject these necessary cookies, some pages of our Site/App may not display properly or you may not be able to use some of the services we offer. In this case, we cannot be held liable for any consequences related to the reduced functionality of our Services arising from our inability to store or consult the cookies required for its functioning and which you have declined or deactivated.

Lastly, by clicking on the dedicated icons of social networks such as Instagram, Facebook, Linkedin, Tiktok etc., if these are displayed on our Site/App, and if you have agreed that cookies may be downloaded while you are browsing our Site/App, the social networks in question may also download cookies to your devices (computer, tablet or mobile phone). You can, however, at any time revoke your consent to these social networks downloading these types of cookies.

For more information, notably concerning the duration of storage and the type of cookies used, please consult our Cookie Policy.

‍

b. IP addresses

An IP address is a unique identifier that some electronic devices use to identify themselves and communicate with each other over the Internet. When you visit the Site/App, we may use the IP address of the device you are using to connect to it. We use this information to determine the general physical location of the device and to understand what geographic region visitors to the Site/App are from.

‍

c. Statistics

The Site/App uses Google Analytics to generate statistical reports. These reports tell us, for example, how many users have visited the Site/App, which pages have been visited, and from which geographical area the users of the Site/App come. Information collected through the use of statistics may include, for example, your IP address, the website from which you arrived at our Site/App and the type of device you are using. Your IP address is masked on our systems and will only be used as necessary to troubleshoot technical problems, to administer the Site/App and to understand the preferences of its visitors. Information about traffic on the Site/App is available only to authorized personnel. We do not use any of this information to identify visitors and we do not share it with third parties.

6. SOCIAL NETWORKS

You have the option to click on the dedicated icons of social networks such as  Instagram, Facebook, Linkedin etc. that appear on our Site/App.

Social networks create a friendlier atmosphere on the website and assist in promoting the Site/App via sharing. Video sharing services enrich the video content of our Site/App and increase its visibility.

When you click on these buttons, we may have access to the personal information that you have made public and accessible via your profiles on the social networks in question. We neither create nor use any separate databases from these social networks based on the personal information that you have published there and we do not process any data relating to your private life through these means.

If you do not want us to have access to your personal information published in the public spaces of your profile or your social accounts, then you should use the procedures provided by the social networks in question to limit access to this information.

7. PURPOSES, LEGAL BASIS AND STORAGE DURATION

7.1 As Data Controller, we use your Personal data specifically for the following purposes:

(*i) for marketing purposes, i.e. to provide you with our targeted communications, promotions, offerings and other advertisements of RISE. Unless you are an existing customer and who we wish to target with our own marketing material, we will only send you communications, promotions, offerings, newsletters and other advertisements via e-mail or other person-to-person electronic communication channels if you explicitly consented to receiving such communications, promotions, offerings, newsletters and other advertisements. You understand that an essential aspect of our marketing efforts pertains to making our marketing materials more relevant to you. This means that we may use your Personal data to provide you with communications, promotions, offerings, newsletters and other advertisements about products and services that may interest you. If you are registered to receive communications, promotions, offerings, newsletter and other advertisements via e-mail or other person-to-person electronic communication channels, you can change your preferences for receiving such communications, promotions, offerings, newsletter and other advertisements by following the opt-out link provided in such communications.

(*ii) particularly in the context of the prevention of money laundering and terrorist financing.

(*iii) Your Personal data may be transferred upon our own initiative to the police or the judicial authorities as evidence or if there are justified suspicions of an unlawful act or crime committed by you through your use of or registration with our Site, App, our Services, our social media channels or other communication with us.

(*iv) If your use of registration with our Site/App, social media channels or other communication channels can be considered (a) a violation of any applicable terms of use of our Site/App or the intellectual property rights or any other right of a third party, (b) a danger or threat to the security or integrity of our Site/App, social media channels or other communication channels or our or any of our affiliates’ subcontractors’ underlying IT systems due to viruses, Trojan horses, spyware, malware or any other form of malicious code, or (c) in any way hateful, obscene, discriminating, racist, slanderous, spiteful, hurtful or in some other way inappropriate or illegal.

‍

7.2 PLEASE NOTE: If you are under thirteen (13) years of age, you must give your consent together with your parent. Otherwise, we invite the involved parents to inform us so that we can immediately stop processing the involved Personal data.

8. STORAGE PERIOD OF YOUR PERSONAL DATA

8.1 We will retain your Personal data for no longer than is necessary for the purposes for which it is collected and processed, extended, where appropriate, by the periods of applicable legal or regulatory requirements.

In general, we apply the following principles/ storage periods:

• Up to ten (10) years after the end of the contractual relationship (which is equivalent to the time-limitation period under Belgian law in accordance with Article 2262 bis of the Civil Code);
• Where the processing is based on legal obligations to which we are bound, your Personal data is retained for as long as is necessary to comply with those legal obligations (e.g. the law regarding the prevention of money laundering and terrorist financing provides for a retention period of 10 years after the end of the relationship);
• Where processing is based on our legitimate interest, we process your Personal data for as long as necessary for the proper organisation and performance of our Services;
• With respect to processing carried out on the basis of your consent, you may at any time ask us to stop processing your Personal data for those purposes, without affecting the lawfulness of processing based on your consent prior to its withdrawal; and
• With respect to your participation in a contest, your Personal data will only be processed for the time necessary for the implementation of that contest and in accordance with the rules of the contest in question.

For more details, we also refer you to the indications in the table in article 7.1.

‍

8.2 We undertake to delete or anonymise your Personal data at the end of the storage period described above, plus a period of a few days or weeks, in proportion to the period indicated above, if this is necessary to ensure the deletion or anonymisation of the Personal data concerned in practice, unless there is a compelling reason to do otherwise.

‍

8.3 At the end of this period, strictly relevant Personal data may be stored (i) for evidential purposes (in the event of litigation or in the event of an inspection by authorised bodies) and/or (ii) to comply with a contractual obligation with our customers.

9. DISCLOSURE OF PERSONAL DATA

9.1 We restrict access to your Personal data only to members of our staff who need to have this information in order to process your request or to provide the requested service.

‍

9.2 We do not disclose your Personal data to any unauthorized third parties. We may, however, share your Personal data with entities within the RISE group and with authorized service providers/subcontractors (i.e. processors) whom we may call upon for the purpose of providing our services.

These service providers/subcontractors include (this may change):

• IT service providers responsible for hosting and maintaining the Site/App and for providing cloud computing services;
• Service providers responsible for your authentication;
• Service provider responsible for producing the RISE payment card;
• Service providers who process your RISE subscription payments;
• Service providers who supply our IT tools including our CRM and email tools;
• Marketing and cookie service providers;
• Providers of audience measurement and analysis;
• Service providers who monitor the quality of services (call centres); and
• Our legal, financial and accounting advisors.
• ‍

9.3 We do not authorize our service providers to use or disclose your Personal data, except to the extent necessary to deliver the services on our behalf or to comply with legal obligations. Furthermore, we may share Personal data concerning you (i) if the law or a legal procedure requires us to do so, (ii) in response to a request by public authorities or other officials or (iii) if we are of the opinion that transferring this Personal data is necessary or appropriate to prevent any physical harm or financial loss or in respect of an investigation concerning a suspected or proven unlawful activity.

‍

9.4 In accordance with article 2 of the Privacy Policy, we share data with Treezor in our capacity as a processor of Treezor.

10. TRANSFER OF PERSONAL DATA

10.1 We process your Personal data within the European Economic Area (EEA). However, in order to process your Personal data for the purposes outlined in article 7 above, we may also transfer your Personal data to other entities of the RISE Group or to third parties which process on our behalf outside the EEA. Each entity outside the EEA that processes your Personal data will be bound to observe adequate safeguards with regard to the processing of your Personal data. Such safeguards will be the consequence of the recipient country having legislation in place which may be considered equivalent to the protection offered within the EEA; or a contractual arrangement between us and that entity.

‍

10.2 We may transfer anonymized and/or aggregated data to organizations outside the EEA. If such transfer takes place, we will ensure that there are safeguards in place to ensure the safety and integrity of your data and all rights with respect to your Personal data that you enjoy under applicable mandatory law.

11. SECURITY

11.1 You are responsible for ensuring that any Personal data you provide us with is secure.

‍

11.2 We implement all possible technical and organizational security measures to ensure security and confidentiality in processing your Personal data. To this end, we take all necessary precautions given the nature of the Personal data and the risks related to its processing, in order to maintain data security and in particular to prevent distortion, damage or unauthorized third-party access (physical protection of the premises, authentication procedures with personal, secured access via identifiers and confidential passwords, a connection log, encryption of certain data etc.).

12. YOUR RIGHTS

12.1 Sodexo is committed to ensure protection of your rights under applicable laws. You will find below a table summarizing your different rights:

12.2 If your administrative data changes, you must notify us as soon as possible and in any event within one month of the change.

‍

12.3 In order to exercise these rights, you may:

• access your profile by logging in to the Site/App to modify your Personal data;
• make a written request via the online form or by email: dpo@risecard.eu.

‍

12.4 In order to exercise your rights in relation to the Processing carried out in the context of the provision of the Payment Services, you may also contact Treezor directly by email at dpo@treezor.com or in writing at Treezor SAS, Avenue de Wagram 33, 75017 Paris.

‍

13. UNSUBSCRIBING

If you have subscribed to certain services via our Site/App and you no longer want to receive emails, please consult the “unsubscribe” page corresponding to the service you are subscribed to.

14. HOW TO CONTACT US

If you have any questions or comments with regard to this Privacy Policy, please do not hesitate to contact us at the following address: dpo@risecard.eu.