Privacy Policy

Last update date: December 14, 2022

The PLEDG company is very attached to the respect of the privacy of individuals and to the protection of the personal data it processes within the framework of its activities and the financing services it provides. As such, the company PLEDG commits itself to act in accordance with all the regulations in force applicable to the protection of personal data and in particular with the EU Regulation N°2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (RGPD) and the Law N° 78-17 of 6 January 1978 relating to data processing, files and freedoms (Loi Informatique et Libertés).

The purpose of this privacy policy is to inform, in a clear, concise and understandable way, about the conditions of implementation of the personal data processing carried out by the company PLEDG as data controller and to inform all the persons concerned about their rights regarding data processing and freedoms as well as about the way to exercise them. It is addressed in particular to the visitors of the website of the company PLEDG, to the users and beneficiaries of the financing solutions.

1. Definitions

Personal data: Personal data is any information relating to an identified or identifiable natural person.

Sensitive" personal data: "Sensitive" personal data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning health or data concerning the sex life or sexual orientation of a natural person, data relating to criminal convictions or offences.

Processing of personal data: is an operation, or set of operations, relating to personal data, whatever the process used (collection, recording, organization, conservation, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation).

Controller: The entity that, alone or jointly with others, determines the purposes and means of processing personal data.

Processor: This is the entity that processes personal data on behalf of the controller.

Recipient: This is the entity that receives communication of personal data.

Data subjects: these are the natural persons whose personal data are processed.

Transfer of personal data outside the EU: any communication, copy or movement of personal data that is intended to be processed in a country outside the European Union.

Data Protection Officer (DPO ): is the person in charge of ensuring the protection of personal data within the organization that has appointed him/her and monitoring compliance with the regulations in force.

Customer: any natural person placing an order for goods and/or services with a Merchant, whether on the Merchant's website, on a marketplace or in a physical sales outlet of the Merchant, and requesting a Deferred or instalment payment.

Merchant: any legal entity selling goods or services and offering to pay for goods and services via Deferred or instalment payment.

Deferred or instalment payment : any method of staggering the payment of goods and/or services purchased from a Merchant, granted to a Customer via the Solution.

Solution: the technological solution developed by PLEDG and made available to the Merchants in order to allow them to propose to their Customers to pay their purchases of goods and services in several times or in a deferred way.

2. Who is responsible for the processing of personal data?

The person in charge of the processing is the company PLEDG, whose head office is located at 2, pointe de Kervigorn, 29 830 - Saint-Pabu, registered at the RCS of BREST under the number 823 495 544 and represented by Mr. Nicolas Pelletier as President. The company PLEDG is registered as a broker in banking and payment services (COBSP) with the organization for the unique register of intermediaries in insurance, banking and finance (ORIAS), under the number : 21001402

You can contact the person in charge of the treatment by e-mail : contact@pledg.co or by post: PLEDG, 95 rue Saint-Lazare, 75009 Paris - FRANCE

3. What are the objectives (purposes) and the legal basis (legal basis) of the processing carried out?

In accordance with the applicable regulations, PLEDG ensures that all general principles applicable to the processing of personal data are respected.

In particular, PLEDG ensures that personal data are only collected for explicit, pre-determined purposes and undertakes not to process them further in a way that is incompatible with these purposes.

PLEDG also ensures that only personal data that are strictly necessary for the purpose of the processing are collected and ensures that for each processing it can validly invoke one of the legal bases authorizing the implementation of a processing of personal data. When the provision of personal data is compulsory and the conclusion of a contract depends on it, PLEDG ensures that the data subjects are informed in advance.

In order to be as transparent as possible regarding the processing of personal data, you will find below a table containing all the processing carried out by the company PLEDG as data controller, with the purposes of the processing as well as the legal bases used.

Personal data processing carried out by the company PLEDG

Purposes of the processing

Applicable legal bases

Management of the subscriptions to the PLEDG newsletter

Art. 6.1a GDPR: the consent of the data subject

Management of the requests for assistance and demonstration of the PLEDG technological solution received via the collection forms accessible from the website

Art. 6.1f of the RGPD: The processing is necessary for the purposes of the legitimate interests pursued by the company PLEDG which are to respond to all requests for information, in particular on the services provided and to communicate with its customers

Management of commercial prospecting actions (B to B)
(Relations with merchants)

Art. 6.1f of the RGPD: The processing is necessary for the purposes of the legitimate interests pursued by the company PLEDG which are to develop its clientele by presenting and offering its services and financing solutions to prospective customers

Customer relationship management
(Merchant relationship)

Art. 6.1b GDPR: Processing is necessary for the performance of a contract

Carrying out customer satisfaction surveys
(Merchant relations)

Art. 6.1f of the RGPD: The processing is necessary for the purposes of the legitimate interests pursued by PLEDG which are to appreciate and measure the satisfaction of its merchant customers in order to make its practices evolve within the framework of an approach of continuous improvement of the quality of its services

Management of email invitation operations for first-time referrals/customer testimonials
(Merchant relations)

Art. 6.1f of the RGPD: The processing is necessary for the purposes of the legitimate interests pursued by PLEDG which are to ensure the promotion of its services by collecting recommendations or testimonials from its merchant customers in order to reassure its prospects by publicly sharing authenticated opinions of satisfied customers

Management and processing of information requests received via the contact form accessible on the PLEDG page of the Trustfolio website

Art. 6.1f of the GDPR: the processing is necessary for the purposes of the legitimate interests pursued by PLEDG which are to process all requests for information submitted by persons wishing to know more about the services provided

Integration and maintenance support for PLEDG financing solutions
(Merchant relationship)

Art. 6.1b of the GDPR: The processing is necessary for the performance of a contract (Relationship with merchants)

Management of the validation of the deferred or split financing offer by means of a reliability score that can lead to a fully automated rejection decision and that takes into account:

- The automated assessment of the creditworthiness of the financing offer applicant made by a partner
- The automated assessment of the applicant's reliability made by the online payment management provider

(Consumer Relations)

Art. 6.1b of the RGPD: The processing is necessary for the execution of pre-contractual measures

Art. 6.1a of the RGPD: the consent of the person for the collection and analysis of banking data called "open banking"

Development and training of the algorithm used for the validation of a financing offer

Art. 6.1f RGPD: The processing is necessary for the legitimate interests pursued by PLEDG, which are to improve the accuracy of the predictions of its algorithm and its success rate

Customer relationship management: Provision of the payment schedule, payment management, management of reminders before debits, management of refunds, management of complaints (Relations with consumers)

Art. 6.1b GDPR: Processing is necessary for the performance of a contract

Prevention and fight against fraud:

- Detection of acts carried out within the framework of the activities presenting an anomaly, an inconsistency or having been reported as being potentially related to fraud
- Management of alerts (which consists of carrying out verifications, requesting explanations or justifications)
- Constitution of a list of persons duly identified as perpetrators of acts qualified as fraud or attempted fraud

Art. 6.1f of the GDPR: The processing is necessary for the purposes of the legitimate interests pursued by PLEDG, which are to prevent, limit or stop any voluntary act that would make it possible to take unlawful advantage of a deferred or split financing contract

Management of unpaid invoices and collection:

- Identification of proven unpaid invoices
- Identification of unpaid persons for the purpose of exclusion from all future transactions (registration on a list with automated decision on D+4 of non-payment of a scheduled due date)
- Collection of debts
- Send automated calls and SMS to customers in a situation of late payment or unpaid invoices in order to put them in contact with Pledg agents

Art. 6.1b GDPR: The processing is necessary for the performance of a contract to which the person is party

Management of requests to exercise rights (RGPD)

Art. 6.1c of the RGPD: The processing is necessary to comply with a legal obligation to which the company PLEDG is subject

Management of obligations relating to identification and customer knowledge (KYC):

- Collecting, via video streaming sessions, proof of identity of users
- Verifying the integrity of identity documents provided
- Verifying that the person presenting the identity documents is indeed the person corresponding to the said documents

Art. 6.1c of the RGPD: The processing is necessary to comply with a legal obligation to which the company PLEDG is subject

Art. 6.1a of the RGPD: the consent of the person for the collection of the video of his face (Explicit consent in the presence of a biometric data)

Fight against money laundering and terrorist financing (LCB-FT)

Art. 6.1c of the RGPD: The processing is necessary to comply with a legal obligation to which the company PLEDG is subject

Management of staff recruitment:

- Receipt of applications sent to PLEDG
- Management of recruitment procedures and responses to candidates
- Creation of a CV-library

Art. 6.1b of the RGPD: The processing is necessary for the execution of pre-contractual measures

Art. 6.1a of the RGPD: The consent of the candidate for the constitution of a CV-library

Management of the electronic signature of documents via the PandaDoc solution

Art. 6.1b GDPR: processing is necessary for the performance of pre-contractual measures

4. Profiling and fully automated decision making

The company PLEDG, within the framework of the provision of its financing services, wishes to inform you that it carries out processing of personal data that may lead to the adoption of a fully automated decision with regard to the persons concerned and producing effects in their respect such as the loss of the benefit of obtaining a credit or the exclusion for any future transactions.

In principle and in accordance with the applicable regulations on the protection of personal data, every person has "the right not to be subject to a decision based exclusively on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar manner". Nevertheless, this rule does not apply when the decision is necessary for the conclusion or performance of a contract between the data subject and the PLEDG.

With regard to automated processing for the purpose of validating a financing offer :

When the PLEDG receives a new application for financing, a refusal decision based exclusively on automated processing using its algorithm may be adopted. This decision, which is necessary for the conclusion of a financing contract, has the consequence of depriving the person concerned of obtaining a financing service.

In accordance with the applicable regulations, the person concerned is informed of the adoption of a decision to refuse to grant a financing service taken against him/her and of the reasons justifying this decision. On this occasion, the PLEDG company reminds the data subject that he/she has the right to obtain human intervention, to express his/her point of view, to obtain explanations about the decision taken and to contest it, under the conditions provided for in point 9 of the present privacy policy.

Regarding the underlying logic of the algorithm used leading to a fully automated decision, PLEDG would like to inform you of the following:

In order to assess the reliability of a data subject and to decide whether or not to allocate a financing plan to him, PLEDG implements a machine learning trained algorithm developed from a gradient boosting algorithm. This algorithm has been trained on the historical basis of transactions financed by PLEDG by providing the input data and the fact that the financing plan has or has not resulted in default.

The use of the algorithm, based on the input data obtained from the merchant and our online payment management partner, allows us to assign a reliability score to the person concerned. The algorithm allows for the automated calculation of the rate of past non-payments according to different segmentations (in particular, the age of the customer, the content of the shopping cart, the bank issuing the payment card) and thus to evaluate in real time the risk of non-payment of new customers. Depending on the agreement with the merchant, financing is accepted from a certain threshold score. The establishment of this reliability score takes into account an evaluation of the solvency of the person concerned and of his credibility allowing PLEDG to reduce as much as possible the unpaid amounts due to insolvency and fraud.

For more information about the underlying logic of the algorithm used by PLEDG, you can contact our data protection officer, whose contact details can be found in point 10 of this privacy policy.

With regard to automated processing for the purpose of managing unpaid bills and, in particular, identifying persons in a situation of unpaid bills for the purpose of exclusion:

The company PLEDG wishes to inform you that the non-payment of a due date programmed by a financing plan automatically leads to the registration of the concerned person on a list dedicated to the identification of the persons in situation of unpaid. The inscription on this list has as consequence to exclude the concerned person for any future transaction, from the benefit of the financing services proposed by the company PLEDG.

The person concerned is informed about his inclusion in this list and the reasons for this decision. On this occasion, the PLEDG company reminds the data subject that he or she has the right to obtain human intervention, to express his or her point of view, to obtain explanations about the decision taken and to contest it, under the conditions provided for in point 9 of this Privacy Policy.

5. How long will your personal data be kept?

In accordance with the applicable regulations, PLEDG ensures that personal data are only kept for a period not exceeding that necessary for the purposes for which they are processed.

Nevertheless, the company PLEDG wishes to inform you that a longer retention of personal data is possible in certain cases and under the following conditions

  • That there is a legal obligation on the part of PLEDG to keep personal data for a fixed period;
  • That there is an administrative interest, in particular in case of litigation, justifying that PLEDG can keep the personal data, the time of the applicable rules of prescription, in particular in commercial, civil, penal and fiscal matters;
  • That the processing of personal data is carried out for statistical purposes.

In order to be as transparent as possible with regard to the retention periods applied to your personal data, you will find below a table containing all the retention periods according to the purposes of the processing carried out.

Purposes of the processing

Retention periods for personal data

Management of the subscriptions to the PLEDG newsletter

PLEDG retains the email address as long as the data subject does not unsubscribe (via the unsubscribe link embedded in the communications).

Management of the requests for assistance and demonstration of the PLEDG technological solution received via the collection forms accessible from the website

3 years from the last contact from the non-customer
3 years from the end of the commercial relationship for a customer

Management of commercial prospecting actions (B to B)
(Relations with merchants)

3 years from the last contact of the non-customer prospect

Customer relationship management
(Merchant relationship)

The data necessary for the management of a contract are in principle kept for the duration of the contractual relationship

Carrying out customer satisfaction surveys
(Merchant relations)

Duration necessary to achieve the purpose of the satisfaction survey or until the right to object is exercised

Management and processing of information requests received via the contact form accessible on the PLEDG page of the Trustfolio website

3 years from the last contact from the person concerned

Duration necessary for the management of the operations of invitation by email of the customers to provide an initial recommendation or until the exercise of the right of opposition

Duration necessary for the management of the operations of invitation by email of the customers to provide an initial recommendation or until the exercise of the right of opposition

Integration and maintenance support for PLEDG financing solutions
(Merchant relationship)

The data necessary for the management of a contract are in principle kept for the duration of the contractual relationship

Management of the validation of the deferred or split financing offer by means of a reliability score that can lead to a fully automated rejection decision and that takes into account:

- The automated assessment of the creditworthiness of the financing offer applicant made by a partner
- The automated assessment of the applicant's reliability made by the online payment management provider

(Consumer Relations)

The time required to make a decision on whether or not to grant the desired financing offer

Development and training of the algorithm used for the validation of a financing offer

The age of the data used to re-train the algorithm is less than 1 year

Customer relationship management: Provision of the payment schedule, payment management, management of reminders before debits, management of refunds, management of complaints

(Consumer relations)

The data necessary for the management of a deferred or fractional payment contract are in principle kept for the entire duration of the contractual relationship and up to 1 year from the complete payment of the instalments

Prevention and fight against fraud:

- Detection of acts carried out within the framework of the activities presenting an anomaly, an inconsistency or having been reported as being potentially related to fraud
- Management of alerts (which consists of carrying out verifications, requesting explanations or justifications)
- Constitution of a list of persons duly identified as perpetrators of acts qualified as fraud or attempted fraud

Any alert qualified as irrelevant is deleted without delay

5 years from the closing of the fraud file for relevant alerts.

In the event of legal proceedings, they are kept until the end of the proceedings

Management of unpaid invoices and collection:

- Identification of proven unpaid invoices
- Identification of unpaid persons for the purpose of exclusion from all future transactions (registration on a list with automated decision on D+4 of non-payment of a scheduled due date)
- Collection of debts
- Send automated calls and SMS to customers in a situation of late payment or unpaid invoices in order to put them in contact with Pledg agents

- In the event of regularization of the unpaid amount, the information relating to the person concerned is deleted from the file listing the persons in a situation of unpaid amount at the latest within 48 hours from the moment when the unpaid amount has effectively been settled

- In the event of non-regularization, the information is kept in the file listing the persons in an unpaid situation and thus excluding them from the benefit of a service for 3 years from the occurrence of the unpaid

- The personal data processed by the partner SPACINOV, allowing to send automated calls and SMS in the direction of the clients in a situation of late payment or unpaid in order to put them in contact with the PLEDG agents are kept for 12 months

Management of requests to exercise rights (RGPD)

5 years
Any identity documents transmitted are:

- Immediately deleted when the request did not require the transmission of an identity document

- Deleted following the completion of the identity check

Management of obligations relating to identification and customer knowledge (KYC):

- Collecting, via video streaming sessions, proof of identity of users
- Verifying the integrity of identity documents provided
- Verifying that the person presenting the identity documents is indeed the person corresponding to the said documents

6 months

96h for biometric data

6 months for connection and navigation data

Fight against money laundering and terrorist financing (LCB-FT)

The time necessary to implement the obligations of vigilance and up to 5 years from the termination of the customer relationship

Management of staff recruitment:

- Receipt of applications sent to PLEDG
- Management of recruitment procedures and responses to candidates
- Creation of a CV-library

- For successful candidates
:Personal data are kept for the duration of the recruitment procedure and may be reused for personnel management purposes

- For unsuccessful candidates :
Personal data are kept in principle for the duration of the recruitment procedure. However, subject to the acceptance of the unsuccessful candidate, the data may be kept for 2 years from the last contact in order to contact the candidate again in the event of a new opportunity

In all cases, and in order to protect against possible litigation, certain data necessary for evidentiary purposes may be kept in an intermediary database for up to 6 years from the date of the hiring decision

Management of the electronic signature of documents via the PandaDoc solution

In principle, PandaDoc keeps the personal data for the duration of the contract with PLEDG.

Nevertheless, provided that there is no longer any interest for PLEDG to keep them, some data can be deleted before the end of the contract.

6. Who are the recipients of the personal data?

In order to be able to provide its services and within the strict framework of each purpose of the treatments implemented by the company PLEDG, the following categories of recipient are likely to receive communication of the personal data:

  • The internal staff of PLEDG is subject to an obligation of confidentiality and is specially authorized to process personal data with regard to their functions.
  • The various suppliers, business partners and technical service providers of PLEDG, specially authorized to process personal data on its behalf and in accordance with the requirements of the applicable regulations.
  • The legally authorized authorities within the framework of their missions or the exercise of a right of communication.

7. Is personal data transferred to a country outside the European Union?

As a matter of principle, PLEDG takes care to minimize the situations in which personal data could be transferred to a country outside the European Union. Nevertheless, it may happen that the use of the services provided by a third party provider or application may involve, in the sense of the regulations, a transfer of data to a country outside the European Union. In these situations, PLEDG will ensure that processing involving a transfer of data outside the European Union can only take place on condition that a sufficient and appropriate level of protection of your personal data is ensured. In this respect, PLEDG, with the support of its data protection officer, will use one of the mechanisms provided for by the regulation allowing to frame these transfers unless it is possible to benefit from a derogation in particular situations and under specific conditions.

Nevertheless, following the recent evolutions of the European jurisprudence and in particular the invalidation of the "Privacy Shield" (an agreement that allowed the transfer of data between the European Union and American operators adhering to its data protection principles without any further formality), PLEDG will also ensure, in accordance with the recommendations of the European Data Protection Committee regarding measures that complement transfer mechanisms designed to ensure compliance with the EU's level of personal data protection, to assess the practical effectiveness of the chosen transfer mechanism with respect to the legislation of the third country. If this analysis shows that the chosen transfer mechanism does not provide a level of protection substantially equivalent to that of the EU, PLEDG will ensure, to the extent possible, that additional measures (technical, organizational or contractual) are put in place and regularly evaluated.

In order to be as transparent as possible, you will find below a table containing the processing operations carried out involving a transfer of data outside the EU, the transfer mechanism used and the means of accessing the relevant documentation.

Service provider (Processing)

Transfer mechanism used
(If applicable, additional measures adopted)

Provision of relevant documentation

STRIPE (Subcontractor)
stripe.com
Management of online transactions by credit card

European Commission's standard contractual clauses (SCC)
+
Additional contractual measures

Signed subcontract
Signed standard contractual clauses

ZENDESK (Subcontractor)
zendesk.fr
Customer care software

Standard contractual clauses of the European Commission (STC)
+
ZENDESK Binding Corporate Rules (BCR)

Subcontract signed

PANDADOC (Subcontractor)
pandadoc.com
Electronic signature tool for documents

Standard contractual clauses of the European Commission (STC)

Subcontract signed

8. How do we protect personal data?

PLEDG is committed to implementing all necessary security measures, both technical and organizational, to ensure the confidentiality, integrity and availability of personal data. These measures ensure that personal data is protected against unauthorized access, modification, alteration, disclosure, loss or destruction.

If we use a service provider acting on our behalf as a subcontractor, we ensure beforehand, with the support of our DPO, that the latter presents sufficient guarantees as to the implementation of appropriate security measures and guarantees the protection of the rights of the persons concerned.

9. What are the rights that data subjects can exercise over their personal data and in what way?

In accordance with Regulation (EU) 2016/679 on the protection of personal data (RGPD) and Law No. 78-17 of January 6, 1978 on data processing, files and freedoms, data subjects have, depending on the legal basis of the processing:

  • The right to ask PLEDG for access to your personal data. The right of access is your right to ask the company PLEDG whether we process personal data about them and to obtain a copy of this information;
  • The right of rectification, which allows you to obtain the modification of inaccurate or incomplete data;
  • The right to object at any time to the processing of personal data for commercial prospecting and when the processing is necessary for the legitimate interests pursued by the company PLEDG;
  • The right to erasure, also known as the "right to be forgotten", which allows to obtain, under certain conditions, the erasure of personal data;
  • The right to limit the processing of personal data and to obtain the suspension of the processing in certain cases provided for by the regulations;
  • The right to the portability of personal data, which allows the recovery of personal data provided or to request a direct transfer of such data to a new controller;
  • The right to withdraw their consent to the processing of personal data at any time, where consent is the legal basis for the processing;
  • The right to define directives relating to the conservation, deletion and communication of personal data after their death under the conditions provided for in Chapter V of Title II of Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms " Provisions governing the processing of personal data relating to deceased persons" ;
  • The right to present its observations, when it is informed of its inscription on a list of persons duly identified as authors of acts qualified as fraud or attempted fraud;
  • The right not to be subject to a decision based solely on automated processing (including profiling) with legal effects. With regard to this right, the company PLEDG takes this constraint into account automatically and therefore does not require any request for the exercise of the right from the person.

Nevertheless, the PLEDG wishes to point out that this right shall not apply if the fully automated decision is required for entering into, or the performance of, a financing contract between the data subject and the PLEDG.

However, in these situations, data subjects, informed of the adoption of a fully automated decision against them, have the right to obtain human intervention, to express their point of view, to obtain explanations about the decision and to contest it.

For more information on rights: https: //www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles

The persons concerned can exercise their rights by contacting us by post or by electronic means by proving their identity "by any means", at the following addresses

  • By mail : dpo@pledg.co
  • By mail : PLEDG - 95 rue de Saint-Lazare, 75009 Paris - FRANCE

Finally, if you feel, after having contacted us, that your "Data Processing and Liberties" rights are not being respected, you can file a complaint with the National Commission for Data Processing and Liberties (CNIL), https://www.cnil.fr/fr/adresser-une-plainte.

10. How to contact our Data Protection Officer (DPO)?

PLEDG has officially appointed a Data Protection Officer (DPO) in order to ensure compliance with all applicable regulations on the protection of personal data.

For any questions regarding the processing of your personal data, this policy and the exercise of your rights, you can contact our Data Protection Officer (DPO), using the following contact details

  • By mail, to the following address PLEDG - To the attention of the DPO - 95 rue Saint-Lazare, 75009 Paris - FRANCE
  • By mail : dpo@pledg.co

11. How do I obtain information about the use of cookies and similar tracking technologies?

We use cookies on our website https://pledg.co. To learn more about this, please see our cookie policy.

12. Is this Privacy Policy subject to change?

We may modify this privacy policy to incorporate changes in regulations and case law.

In case of minor changes, we will change the "last update" date to the date the changes were made.

In the event of a substantial change, we will inform you directly, through a specifically dedicated communication.