Personal Data Protection Charter

Knowledge base > General > Personal Data Protection Charter

LYRA NETWORK, as a provider of remote and local payment acceptance solutions ‘PAYZEN’, and LYRA COLLECT, as a Payment Institution, attach great importance to the protection of the personal data of their customers and users. This Personal Data Protection Charter (the ‘Charter’) describes how we collect, use, store and protect your personal data in accordance with applicable laws and regulations.

All operations involving your personal data are carried out in compliance with the regulations in force, in particular Law No. 78-17 ‘Informatique, Fichiers et Libertés’ (Data Protection Act) of 6 January 1978, as amended, and European Regulation No. 2016/679 on Data Protection.

Chapter 1 – LYRA NETWORK PERSONAL DATA PROTECTION CHARTER

« LYRA » or « We », refers to LYRA NETWORK and all of its European subsidiaries.

1. Persons Concerned and Associated Responsibilities

1.1. Persons concerned

The individuals affected by the collection of personal data are diverse and encompass a wide range of people. They fall into three distinct categories:

Prospects: This group includes individuals or companies that have expressed an interest in our services but have not yet established a formal business relationship with our company.
Customers: These individuals have already established a commercial relationship with our services. Typically, they are merchants.
Service users: This group includes anyone who interacts with our tools, products or platforms. In general, these are buyers who use the services provided by our merchant customers.

The collection of personal data from these different categories of individuals is an essential part of our commitment to them.

1.2. Roles and responsibilities

LYRA NETWORK has various roles in relation to the processing of personal data:

Data controller for personal data of prospects and customers: As data controller, LYRA NETWORK is responsible for collecting, using and protecting the personal data of prospects and customers. It is responsible for determining the purposes and means of processing this data.
Personal data processor for service users: For service users, LYRA NETWORK acts as a processor. This means that the merchant is the primary data controller for this data, and LYRA NETWORK acts as a service provider to process this data in accordance with the merchant’s instructions.

2. Collection of Personal Data

2.1. Sources of Collected Data

LYRA NETWORK collects Personal Data directly and indirectly, through various means such as contracts, legal obligations, consent of the individual, or legitimate interest of the company.

Prospects: Prospect data is collected through several channels, including incoming contacts such as contact forms on the Lyra.com website, emails, and telephone calls. In addition, this information comes from marketing activities such as newsletter subscriptions, participation in organised events, and interaction on social media.
Customers: Our customers’ data is acquired when the commercial relationship is initiated. This information comes from contact requests via contact or support forms or during conversations with our chatbot. In addition, this information also comes from marketing activities such as newsletter subscriptions and participation in organised events.
Service users: For service users, data is collected from the merchant’s e-commerce site via payment forms specifically dedicated to these interactions.

2.2. Data Collected

The term ‘Personal Data’ or ‘Data’ refers to any information relating to an identified or identifiable natural person, directly or indirectly, through a customer number or a set of elements specific to that person.

Here are the categories of personal data that you may be required to provide to us in different contexts:

As prospects:

Information such as your surname, first name, e-mail address, business telephone number and other details that you voluntarily provide in order to offer you a personalised service and respond effectively to your requests.

As a customer:

Data relating to your identity, technical, accounting and commercial contacts for communication purposes, including information such as your surname, first name, business email address, business telephone number or signature in a contractual context.
Identification and authentication information, particularly when using your private space (technical logs, computer traces, security-related information).

As an end user of our services:

Transaction data essential for the provision of the service and technical analysis of these operations, including details such as surname, first name, email address, encrypted card number, card expiry date, IBAN, amount, IP address.

2.3. Purposes of Collection

The processing of personal data of prospects, customers and users of our service is carried out for the following purposes:

For prospects:

To carry out operations related to prospecting and commercial solicitations.
To manage requests to exercise rights related to the use of your data.

For customers:

Ensure the accurate execution and management of contracts entered into.
Process payments.
Manage support requests.
Process complaints and disputes concerning payment transactions made by your customers.
Oversee debt collection.
Carry out operations related to prospecting and commercial solicitations.
Manage requests to exercise rights relating to the use of your data.

For service users:

Process payment transactions initiated by you on the merchant site.
Manage support requests from our merchant customers.
Handle complaints and disputes relating to payment transactions initiated by our merchant customers.
Manage requests to exercise rights relating to the use of your data.

3. Use and subcontracting of Personal Data

Your personal data is used in a lawful and transparent manner for the purposes set out above. We would like to point out that we do not sell, rent or share your personal data for marketing purposes with third parties without your explicit consent. All personal information collected by LYRA NETWORK is considered strictly confidential.

However, Personal Data may be shared with subcontractors and third-party companies in the following cases:

To achieve objectives related to the performance of the contract.
When required by law, LYRA NETWORK may be required to transmit data to legal authorities in order to respond to claims made against it and to comply with administrative and judicial procedures, particularly in the context of the fight against money laundering and terrorist financing.
In order to comply with our legal obligations (e.g. to auditors).

We may be required to temporarily and securely transfer certain necessary personal data to third parties (subcontractors), in particular for the management of your customer file, the operation and maintenance of our services, or to carry out tasks essential to the performance of services, the fight against fraud, and more generally for any criminally punishable activity.

Our subcontractors within and outside the EU process your personal data on our behalf, in accordance with our instructions, our Personal Data Protection Charter, and all appropriate security and confidentiality measures. Contracts with our subcontractors systematically include clauses relating to the protection of personal data.

When we transfer your personal data outside the European Union, we ensure that we have framework mechanisms in place that comply with specific provisions:

An adequacy decision by the European Commission concerning certain countries that ensure an adequate level of protection.
The use of standard contractual clauses (SCCs) established by the European Commission.

4. Data Retention

The retention period for personal data is determined by our business requirements and legal constraints. We retain this information for as long as necessary for the purposes for which it was collected and for other authorised purposes. For example:

Transaction data is retained for fifteen (15) months.
Complaint data is retained for thirteen (13) months from the date of the transaction.
Prospect data is retained for a period of three (3) years from the date of the last contact with the prospect.

Once this data is no longer needed, we take one of two approaches:

Either we anonymise it irreversibly, thereby retaining the right to store and use it anonymously.
Or we destroy it securely.

In the event of a dispute, the personal data collected, as well as any information, documents and items containing personal data relevant to the subject matter of the dispute, may be retained for the duration of the proceedings, which may exceed the time limits mentioned above.

5. Data Security

We implement appropriate security measures to ensure that your personal data is protected against unauthorised access, alteration, loss or disclosure.

LYRA NETWORK is PCI DSS certified and implements a series of security measures, including:

An information system security policy.
Buildings under surveillance and protected by access controls.
Server security and data backup.
Regular information system audits.
Highly secure hosting centres.
Highly secure firewalls.
Redundant backups.
High-availability servers.
Data encryption during transfers.
Authentication protection.
Restricted data access rights.

6. Your Rights

In accordance with Directive (EU) 2016/679 of 27 April 2016 on data protection, you have the right to exercise rights relating to all your data for legitimate reasons.

As a prospect or customer, acting as data controller, you have the following rights:

Right of access: Access information about your personal data being processed.
Right of rectification: Update or correct your personal data.
Right to object: Object to processing, especially in relation to commercial prospecting, except where legally required.
Right to erasure: Request the deletion of your personal data held by LYRA NETWORK, in accordance with applicable laws.
Right to restriction: Request the suspension of the processing of your personal data in specific cases, such as when you contest its accuracy or its unlawful processing, or for your legal rights.
Right to portability: Retrieve your personal data to transfer it to another data controller in a machine-readable format if the processing is based on your consent or a contract and is carried out by automated means.

To exercise these rights, you must prove your identity by providing a copy of an identity document to ensure data confidentiality.

LYRA NETWORK will respond to your request within one month of receipt. If necessary, this period may be extended by two months depending on the complexity and number of requests. In the event of an extension, you will be informed of the reasons for this additional delay within one month of receipt of your request.

In the event of disagreement, you have the option of filing a complaint with the CNIL, whose website is accessible at the following address: http://www.cnil.fr. The head office is located at 3 Place de Fontenoy, 75007 Paris.

As a user of the service, you have the same rights. Please note that we act as a processor for the merchant, who is the controller in accordance with the General Data Protection Regulation. Your data is stored and deleted in accordance with the merchant’s instructions. To exercise your rights, please contact the merchant directly, who is responsible for processing your data.

7. Contact

If you have any questions or concerns regarding the protection of your personal data, you can contact us at the following address:

By post:

Lyra Network
For the attention of the Data Protection Officer
109 rue de l’Innovation
31670 LABEGE

By email: [email protected]

8. Changes to the Policy

We reserve the right to change this Personal Data Protection Policy at any time. Any changes will be published on our website https://www.lyra.com, and the date of the last update will be indicated at the top of the policy.

These amendments are binding on you as soon as they are posted online. You should therefore consult this Policy regularly to familiarise yourself with the latest version.

Last update: 26/11/2025

CHAPTER 2 – LYRA COLLECT PERSONAL DATA PROTECTION POLICY

“We” refers to LYRA COLLECT.

1. Data Subjects and Associated Responsibilities

1.1. Data Subjects

The data subjects affected by the collection of personal data are diverse and encompass a wide range of individuals. They fall into three distinct categories:

Prospects: This group includes individuals or companies that have expressed an interest in our services but have not yet established a formal business relationship with our company.
Customers: These individuals have already established a commercial relationship with our services. Typically, they are merchants.
Service users: This group includes anyone who interacts with our tools, products or platforms. In general, these are buyers who use the services provided by our merchant customers.

The collection of personal data from these different categories of individuals is an essential part of our commitment to them.

1.2. Roles and responsibilities

LYRA COLLECT has different roles in the processing of personal data:

Data controller for the personal data of prospects and customers: As data controller, LYRA COLLECT is responsible for the collection, use and protection of the personal data of prospects and customers. It is responsible for determining the purposes and means of processing this data.
Processor of personal data for service users: For service users, LYRA COLLECT acts as a processor. This means that the merchant is the main data controller for this data, and LYRA COLLECT acts as a service provider to process this data in accordance with the merchant’s instructions.
Joint controller for data related to LCBFT: As joint controller for data related to the fight against money laundering and terrorist financing (LCBFT), LYRA COLLECT shares responsibility for this data with other entities or organisations to ensure compliance with regulations on combating these illegal activities.

2. Collection of Personal Data

2.1. Sources of Collected Data

LYRA COLLECT collects Personal Data directly and indirectly, through various means such as contracts, legal obligations, consent of the individual, or legitimate interest of the company.

Prospects: Prospect data is collected through several channels, including incoming contacts such as contact forms on the Lyra.com website, emails, and telephone calls. In addition, this information comes from marketing activities such as newsletter subscriptions, participation in organised events, and interaction on social media.
Customers: Our customers’ data is acquired when the commercial relationship is initiated. This includes the transmission of KYC and AML/CFT documents and analysis tools. In addition, this information comes from contact requests via contact forms, support forms, or conversations with our chatbot. Furthermore, this information also comes from marketing actions such as newsletter subscriptions and participation in organised events.
Service users: For service users, data is collected from the merchant’s e-commerce site via payment forms specifically dedicated to these interactions.

2.2. Data Collected

Here are the categories of personal data that you may be required to provide to us in different contexts:

As a prospects:

Information such as surname, first name, email address, business telephone number and other details that you voluntarily provide in order to offer you a personalised service and respond effectively to your requests.

As a customer:

Information related to the identity of the legal representative and beneficial owners for know your customer (KYC) purposes, including details such as surname, first name, postal address, date of birth, business email address, business telephone number or signature in a contractual context.
Data relating to your identity, technical, accounting and commercial contacts for communication purposes, including information such as surname, first name, business email address, business telephone number or signature in the contractual context.
Identification and authentication information, particularly when using your private space (technical logs, computer traces, security-related information).

As an end user of our services:

Transaction data, essential for the provision of the service and the technical analysis of these operations, including details such as surname, first name, email address, encrypted card number, card expiry date, IBAN, amount, IP address.

2.3. Purposes of Collection

The processing of personal data of prospects, customers and users of our service is carried out for the following purposes:

For prospects:

To carry out operations related to prospecting and commercial solicitations.
Ensure verification in the context of fraud prevention, money laundering and the fight against terrorist financing.
Manage requests to exercise rights related to the use of your data.

For customers :

Ensure the accurate execution and management of contracts entered into.
Open and ensure the proper management of payment accounts on behalf of the Merchant.
Provide payment services.
Manage support requests.
Process complaints and disputes concerning payment transactions made by your customers.
Supervise debt collection.
Combat fraud, money laundering and terrorist financing.
Carry out operations related to commercial solicitations.
Manage requests to exercise rights relating to the use of your data.

For users of the service:

Execute payment transactions initiated by you on the merchant site.
Manage support requests from our merchant customers.
Process complaints and disputes relating to payment transactions initiated by you.
Combat fraud, money laundering and terrorist financing.
Manage requests to exercise your rights regarding the use of your data.
Perform technical analyses of payment transactions to ensure they function properly
or respond to requests from our merchant customers and comply with legal obligations.

3. Use and subcontracting of Personal Data

However, Personal Data may be shared with subcontractors and third-party companies in the following cases:

To achieve objectives related to the performance of the contract.
When required by law, LYRA COLLECT may be required to transmit data to legal authorities in order to respond to claims made against it and to comply with administrative and judicial procedures, particularly in the context of the fight against money laundering and terrorist financing.
In order to comply with our legal obligations (e.g. to auditors).

Our subcontractors within and outside the EU process your personal data on our behalf, in accordance with our instructions, in compliance with our Personal Data Protection Charter, and with all appropriate security and confidentiality measures. Contracts with our subcontractors systematically include clauses relating to the protection of personal data.

When we transfer your personal data outside the European Union, we ensure that we have framework mechanisms in place that comply with specific provisions:

An adequacy decision by the European Commission concerning certain countries that ensure an adequate level of protection.
The use of standard contractual clauses (SCCs) established by the European Commission.

4. Data Retention

Transaction data is retained for fifteen (15) months.
Data relating to complaints is retained for thirteen (13) months from the date of the transaction.
Prospect data is retained for a period of three (3) years from the date of the last contact with the prospect.

Once this data is no longer needed, we take one of two approaches:

Either we irreversibly anonymise it, thereby retaining the right to store and use it anonymously.
Or we destroy it in a secure manner.

It is important to note that payment data, collected by an organisation subject to anti-money laundering requirements in order to provide a remote payment solution, may be retained until the account is closed. Thereafter, in accordance with legal obligations, it may be archived. (Reference: Article 4.3 of CNIL Deliberation No. 2018-303 dated 6 September 2018).

5. Data Security

We implement appropriate security measures to ensure that your personal data is protected against unauthorised access, alteration, loss or disclosure. These measures are implemented by LYRA NETWORK, which acts as a payment acceptance solution subcontractor for LYRA COLLECT.

LYRA NETWORK is PCI DSS certified and implements a series of security measures, including:

A security policy for the Information System.
Buildings under surveillance and protected by access controls.
Server security and data backup.
Regular audits of the information system.
Highly secure hosting centres.
Highly secure firewalls.
Redundant backups.
High-availability servers.
Data encryption during transfers.
Authentication protection.
Restricted data access rights.

6. Your Rights

In accordance with Directive (EU) 2016/679 of 27 April 2016 on data protection, you have the right to exercise rights relating to all your data for legitimate reasons.

As a prospective customer or customer, acting as data controller, you have the following rights:

Right of access: Access information about your personal data being processed.
Right of rectification: Update or correct your personal data.
Right to object: Object to processing, especially in the case of commercial prospecting, except in cases of legal obligation.
Right to erasure: Request the deletion of your personal data held by LYRA COLLECT, in accordance with applicable laws.
Right to restriction: Request the suspension of the processing of your personal data in specific cases, such as when you contest its accuracy or its unlawful processing, or for your legal rights.
Right to portability: Retrieve your personal data to transfer it to another data controller in a machine-readable format if the processing is based on your consent or a contract and is carried out by automated means.

To exercise these rights, you must prove your identity by providing a copy of an identity document to ensure data confidentiality.

LYRA COLLECT will respond to your request within one month of receipt. If necessary, this period may be extended by two months depending on the complexity and number of requests. In the event of an extension, you will be informed of the reasons for the additional delay within one month of receipt of your request.

In the event of disagreement, you have the option of lodging a complaint with the CNIL, whose website is accessible at the following address: http://www.cnil.fr. The head office is located at 3 Place de Fontenoy, 75007 Paris.

As a user of the service, you have the same rights. Please note that we act as a processor for the merchant, who is the controller in accordance with the General Data Protection Regulation. Your data is stored and deleted in accordance with the merchant’s instructions. To exercise your rights, please contact the merchant directly, who is responsible for processing your data.

7. Contact

If you have any questions or concerns regarding the protection of your personal data, you can contact us at the following address:

By post:

Lyra Collect
For the attention of the Data Protection Officer
109 rue de l’Innovation
31670 LABEGE

By email: [email protected]

8. Changes to the Policy

These amendments are binding on you as soon as they are posted online. You should therefore consult this Policy regularly to familiarise yourself with the latest version.

Last update: 26/11/2025

Pricing

Payment: how to approach the French e-commerce market?

Personal Data Protection Charter

Chapter 1 – LYRA NETWORK PERSONAL DATA PROTECTION CHARTER

CHAPTER 2 – LYRA COLLECT PERSONAL DATA PROTECTION POLICY

Start
with an expert

Certifications

Our payment solutions

Developers

About us