This document describes the processing of personal data operated by Alma in the context of the provision of its payment solution in several installments.
The following definitions apply to the entire Privacy and Data Management Policy:
Unless otherwise required by the context, definitions in the singular include the plural, and vice versa.
Alma may be entrusted by the Seller with personal data of Customers that Seller has collected directly. In this context, Alma acts as a subcontractor of the Seller, in the sense of the Regulations, for the following data:
Alma may collect personal data directly from Visitors and Customers. In this context, Alma acts as a data controller, in the sense of the Regulations, for the following data:
Alma also collects the personal data of the Sellers' members who use the Solution. In this context, Alma acts as a data controller, in the sense of the Regulations, for the following data:
|No.||Processing Operation||Purposes||Legal basis|
|1.||Identification of Customer||to identify the Customer when they use the Solution||performance of the contract to allow the Customer to pay in instalments|
|2.||payment||to enable the execution of payment transactions authorised by the Customer||performance of the contract to allow the Customer to pay in instalments|
|3.||risk assessment||to evaluate the financial risk borne by Alma, particularly in the event of default by the Customer||performance of the contract to allow the Customer to pay in instalments|
|4.||fraud||to prevent fraud and any financial scams of Customers, including, but not limited to, the use of stolen bank cards||Alma's legitimate interest in preventing fraud in the use of the Solution|
|5.||recovery||to allow for possible financial recovery, especially in the event of default by the Customer||Alma's legitimate interest in recovering the owed sums|
|6.||service improvement||to continuously improve Alma's tools, notably through statistics||Alma's legitimate interest in using data to improve the Solution|
|7.||prospection and analysis of Visitors||to identify the Visitors of the Website, in particular for marketing purposes and to make available the most suitable content according to the activity of the Visitors||consent|
|8.||Identification of Seller||to identify the Seller when they use the Solution||performance of the contract to enable the Seller to offer the Solution to Customers|
|9.||interactions with the Seller||to allow the follow-up of the contractual relationship and its development||performance of the contract to allow the Customer to pay in instalments|
|10.||fight against fraud and money laundering||enable Alma to fight against fraud and money laundering by Sellers||compliance with a legal obligation|
The personal data of the Concerned Persons are processed by Alma in the following ways (depending on the processing operation):
In the context of fraud risk and recovery management, the personal data of the Customers are processed by Alma via profiling tools. Alma implements in particular decisions based exclusively on automated processing producing legal effects or significantly affecting the Customer within the meaning of the Regulations.
These decisions make it possible to identify the Customers and the orders for which a Transaction can be carried out, which makes them necessary for the preparation and performance of a contract. These decisions are based on the analysis of different variables related, in particular, to the type of products or services ordered, to the Customer's profile but also on the taking into consideration of data deduced or derived by Alma. It is specified that no sensitive data in the sense of the list of special categories of data provided for by Article 9 GDPR is taken into consideration in these decisions taken in an exclusively automated way.
If, in view of these variables, the risk of fraud and non-payment is considered too great, the Transaction cannot be carried out. Regarding decisions based exclusively on automated processing, the Customer has the right to obtain human intervention, to express their point of view to the resource designated to process their file and to contest the automatic decision that has been opposed, by writing to Alma at the following address: email@example.com.
The personal data of the Concerned Persons are processed for the pursuit of all the aforementioned purposes and are exclusively intended for Alma's internal management services as well as, if necessary, for its Subcontractors (these Subcontractors offering in particular data hosting and fraud prevention services). These Subcontractors are bound to respect strict confidentiality, to ensure the security of the data to which they have access, to use it exclusively within the context of the missions entrusted to them and to respect the Regulations.
The personal data of the Customers are processed by Alma from the moment they are collected directly from them or from the moment they are transmitted by the Seller. The Customers' personal data are used by Alma throughout the contractual relationship and are stored for a period of 5 years, starting from the last monthly payment of the last Transaction.
The personal data of the members of the Sellers are collected from the conclusion of the general terms of sale or of any contract for the provision of the Solution and are stored for the duration of the contractual relationship. Starting from the end of the relationship with the Seller, this personal data is stored for a period of 5 years.
The personal data of the Concerned Persons are stored for the purposes of (i) prevention of bank fraud and non-payment; (ii) statistics and improvement of Alma's tools; (iii) prevention of disputes; (iv) administrative management of files; and (iv) compliance with legal obligations imposed on Alma.
The Concerned Person has the rights provided for by the Regulations, in particular the right to request from Alma access to personal data, the rectification or deletion thereof, or a restriction of the processing relating to the Concerned Person or the right to object to the processing and the right to data portability. Where processing is based on consent, you have the possibility to withdraw your consent at any time, without prejudice to the lawfulness of the processing based on consent carried out prior to the withdrawal thereof. These rights can be exercised by writing to the following address: firstname.lastname@example.org.
The exercise of the rights offered is not unlimited and each of them is subject to conditions imposed by the Regulations. As such, the following elements are specified:
These requirements must be met, otherwise applications will not be processed.
Any Concerned Person may contact the Commission nationale de l'informatique et des libertés (CNIL) if they believe that Alma has not complied with the Regulations (information on how to contact the CNIL is provided directly on their site).
Alma limits as much as possible the choice of Subcontractors who process personal data in a country outside the European Union. Nonetheless, in the context of the fulfilment of the purposes detailed in this Privacy and Data Management Policy, Alma may need to transfer personal data to countries outside the European Union that do not offer adequate protection. In this case, Alma undertakes to implement all appropriate technical and organizational measures to ensure the security of the personal data of the Concerned Persons. Furthermore, Alma requires the Subcontractors to comply with the obligations set forth in the Regulations.
A "cookie" is a small computer file, a tracer, deposited and read, for example, when consulting an Internet site, reading an email, installing or using a software or a mobile application, regardless of the type of terminal used (computer, smartphone, digital reader, object connected to the Internet, etc).
In accordance with Article 82 of the French Data Protection Act, any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless they have been informed beforehand, by the data controller or their representative of: (i) the purpose of any action aimed at accessing, by way of electronic transmission, information already stored in their electronic communications terminal equipment or at entering information into this equipment; and (ii) the means available to them to oppose such action. Such access or storage may only take place if the subscriber or user, after having received this information, has expressed their consent. Alma uses third-party cookies for which consent is requested.
It is also provided that these rules do not apply if the access to or entering of information in the user's terminal equipment: (i) is solely for the purpose of enabling or facilitating communication by electronic means; or (ii) is strictly necessary for the provision of an online communication service at the express request of the user.
Alma's Data Protection Officer can be contacted at the following address: email@example.com.