Introduction

Welcome to our FAQ on personal data protection and the GDPR. This page aims to answer your questions about how we collect, use and protect your personal data in accordance with the GDPR.

“LYRA” and “We” refer to LYRA NETWORK, LYRA COLLECT and all European subsidiaries.

1. What is the GDPR?

Regulation No. 2016/679, known as the General Data Protection Regulation (GDPR), applies to any organisation based within or outside the European Union (EU) that processes the data of individuals residing in the EU.

The GDPR is a European regulation that aims to strengthen the protection of personal data of European Union citizens. It gives individuals greater control over their personal data and imposes obligations on companies that process this data.

2. What are your responsibilities?

  • LYRA is responsible for the Personal Data it manages. Regulations require proof of proper data management and protection.

To this end, LYRA has appointed a DPO to monitor and manage data and act as the sole point of contact for its customers. The DPO has been registered with the CNIL (French Data Protection Authority) under No. DPD-166956 for LYRA NETWORK and No. DPD-166957 for LYRA COLLECT.

  • LYRA NETWORK, as a payment solutions provider, acts as a Processor within the meaning of the GDPR. This subcontracting is carried out within the framework of a contractual relationship with its customers, who are themselves data controllers within the meaning of the GDPR.
  • The LYRA COLLECT entity, as a payment institution, acts as a Processor for the personal data of service users (purchasers from merchants) within the meaning of the GDPR. This subcontracting is carried out within the framework of a contractual relationship with our merchant customers, who are themselves data controllers within the meaning of the GDPR.
  • The subcontracting of personal data is carried out on the basis of contractual provisions between the merchant Data Controller and Lyra Collect, the Data Processor, in accordance with Article 28-3.
  • LYRA COLLECT is also jointly responsible for data processing in relation to the prevention of money laundering and terrorist financing (AML/CFT).

3. What personal data do you collect from your merchant customers as a Data Controller?

We only collect personal data that is necessary to provide our services or respond to your requests.

We may collect different categories of personal data from you, including:

  • information relating to your identity and that of your legal representative and beneficial owners, and information necessary to contact you (surname, first name, business email address, business telephone number, or signature in a contractual context);
  • identification and authentication data, particularly when using your Merchant Back Office (technical logs, computer traces, security information).

The personal data we use may be collected directly from you or obtained from the following sources for the purpose of verifying or enriching our databases:

  • publications/databases made available by official authorities;
  • our partners or service providers;
  • third parties such as commercial information and anti-fraud organisations, in accordance with data protection regulations.

4. What personal data do you collect from service users (purchasers) as a Processor?

We only collect personal data that is necessary to provide our services, perform technical analyses of payment transactions to ensure their proper functioning, or respond to requests from our merchant customers.

We may collect different categories of transaction-related data (surname, first name, email address, encrypted card number, card expiry date, basket, amount, IP address).

The personal data we use may be collected from the merchant’s website via payment forms specifically dedicated to these interactions.

5. How do you use the personal data of your merchant customers?

We use your personal data for the purpose of providing our services, informing you about our products and services, responding to your enquiries, sending you marketing communications (with your consent where applicable), and complying with legal obligations.

Thus,

LYRA NETWORK uses your personal data to:

  • Ensure the accurate execution and management of contracts entered into.
  • Process payments.
  • Manage support requests.
  • Handle complaints and disputes concerning payment transactions made by your customers.
  • Oversee debt collection.
  • Carry out operations related to prospecting and commercial solicitations.
  • Manage requests to exercise rights relating to the use of your data.

LYRA COLLECT uses your personal data to:

  • Ensure the accurate execution and management of contracts entered into.
  • Open and ensure the proper management of Payment Accounts on behalf of the Merchant.
  • Provide payment services.
  • Manage support requests.
  • Process complaints and disputes concerning payment transactions made by your customers.
  • Supervise debt collection.
  • Combat fraud, money laundering and terrorist financing.
  • Carry out operations related to prospecting and commercial solicitations.
  • Manage requests to exercise your rights regarding the use of your data.

6. How do you use the personal data of service users (purchasers)?

LYRA NETWORK uses your personal data for the following purposes:

  • Process payment transactions that you initiate on our merchant customers’ websites, perform technical analyses of payment transactions to ensure their proper functioning or respond to requests from our merchant customers, and comply with legal obligations.
  • Manage support requests from our merchant customers.
  • Process complaints and disputes relating to payment transactions initiated by our merchant customers.
  • Manage requests to exercise rights relating to the use of your data.

LYRA COLLECT processes your personal data for the following purposes:

  • Execute payment transactions initiated by you.
  • Manage support requests from our merchant customers.
  • Process complaints and disputes relating to payment transactions initiated by our merchant customers.
  • Combat fraud, money laundering and terrorist financing.
  • Manage requests to exercise your rights relating to the use of your data.
  • Perform technical analyses of payment transactions to ensure they function properly or respond to requests from our merchant customers, and comply with legal obligations.

7. With whom is my personal data shared?

Your personal data may be shared within the LYRA Group, to which we belong, for the same purposes as those mentioned above.

It may be communicated to LYRA’s partners solely for purposes related to the performance and fulfilment of the contract. We ensure in advance that these partners comply with the regulations.

When we use a supplier, service provider or third-party agent, your data remains under our control and verification measures are put in place to ensure the adequate protection of your personal information.

It may also be shared with legally authorised administrative and judicial authorities, as well as regulated professions such as auditors.

8. How do third parties process my data?

Our partners and/or subcontractors within and outside the EU process your personal data on our behalf, in accordance with our instructions, in compliance with the GDPR and any appropriate security and confidentiality measures. We systematically sign specific contractual provisions with our service providers/subcontractors to whom we are required to transmit Personal Data.

9. How is my data protected when it is transferred outside the European Union?

In the event that we need to transfer your personal data outside the European Union, we ensure that we have safeguards in place, such as:

  • an adequacy decision by the European Commission concerning certain countries that provide an adequate level of protection;
  • standard contractual clauses (SCCs) from the European Commission.

10. How long do you keep my personal data?

The retention period for personal data is determined by our business requirements and legal constraints. We keep this information for as long as necessary for the purposes for which it was collected and for other authorised purposes.

For example:

  • Most of our merchant customers’ data is retained for the duration of the contractual relationship and for five years after the end of the contractual relationship.
  • The bank details of service users (purchasers) are retained for fifteen (15) months.

Once this data is no longer needed, we take one of two approaches:

  • Either we anonymise it irreversibly, thereby retaining the right to store and use it anonymously.
  • Or we destroy it securely.

11. How do you protect my personal data?

We take the security of your personal data very seriously. We implement technical and organisational security measures to protect your data against unauthorised access, loss, alteration or disclosure. These measures are implemented by LYRA NETWORK, which acts as a payment acceptance solution subcontractor for LYRA COLLECT.

LYRA NETWORK is PCI DSS certified and implements the following security measures, among others:

  • Information System security policy;
  • Buildings monitored and protected by access control;
  • Secure servers and backed-up data;
  • Regularly audited information system;
  • Highly secure hosting centres;
  • Highly secure firewalls;
  • Backup redundancy;
  • High-availability servers;
  • Encryption of transferred data;
  • Protection through authentication;
  • Limited data access rights;
  • Database backup procedures.

12. What are my rights as a LYRA merchant customer?

Within the limits of regulations and our legal obligations, and where applicable, the GDPR grants you the right to access, rectify, object to, restrict, erase and transfer your personal data.

These rights apply exclusively to the personal data of our customers and not to that of service users (purchasers), who are invited to contact their merchant.

13. What are my rights as a user of the LYRA service (Purchaser)?

As a user of the service, you have the same rights as those mentioned above (point 12). Please note that we act as a processor for the merchant, who is the data controller in accordance with the GDPR. Your data is stored and deleted in accordance with the merchant’s instructions. To exercise your rights, please contact the merchant directly, who is responsible for processing your data.

14. How can I exercise my data protection rights?

To exercise your data protection rights, including the right to access, rectify, delete, restrict and transfer data, please contact us at [email protected].

15. How are cookies used?

Cookies are used to improve your experience on our website by recording information about your preferences and interactions.

To manage your cookie preferences, please consult our Cookie Management Policy on our website.

17. How can I find out more about your privacy policy?

To find out more about our privacy policy and how we process your personal data, please consult our Personal Data Protection Policy on our website.

If you have any further questions or concerns about data protection or our compliance with the GDPR, please do not hesitate to contact us at:

By post:

LYRA
For the attention of the Data Protection Officer
109 rue de l’Innovation
31670 LABEGE

Or

By email: [email protected]

18. How can I lodge a complaint?

In accordance with the applicable regulations, you can lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés) in France.

Last update: 26/11/2025