Introduction

Welcome to our FAQ on personal data protection and the GDPR. This page aims to answer your questions about how we collect, use and protect your personal data in accordance with the GDPR.

“LYRA” and “We” refer to LYRA NETWORK, LYRA COLLECT and all European subsidiaries.

1. What is the GDPR?

Regulation No. 2016/679, known as the General Data Protection Regulation (GDPR), applies to any organisation based within or outside the European Union (EU) that processes the data of individuals residing in the EU.

The GDPR is a European regulation that aims to strengthen the protection of personal data of European Union citizens. It gives individuals greater control over their personal data and imposes obligations on companies that process this data.

2. What are your responsibilities?

  • LYRA is responsible for the Personal Data it manages. Regulations require proof of proper data management and protection.

To this end, LYRA has appointed a DPO to monitor and manage data and act as the sole point of contact for its customers. The DPO has been registered with the CNIL (French Data Protection Authority). (No. DPD-166956 for LYRA NETWORK & No. DPD-166957 for LYRA COLLECT)

  • LYRA NETWORK, as a payment solutions provider, acts as a Processor within the meaning of the GDPR. This subcontracting is carried out within the framework of a contractual relationship with its customers, who are themselves data controllers within the meaning of the GDPR.
  • The LYRA COLLECT entity, as a payment institution, acts as a Subcontractor for the personal data of service users (purchasers from merchants) within the meaning of the GDPR. This subcontracting is carried out within the framework of a contractual relationship with our merchant customers, who are themselves data controllers within the meaning of the GDPR.
  • The subcontracting of personal data is carried out on the basis of contractual provisions between the merchant Data Controller and Lyra Collect, the Data Processor, in accordance with Article 28-3.
  • LYRA COLLECT is also jointly responsible for data processing in relation to the prevention of money laundering and terrorist financing (AML/CFT).

3. What personal data do you collect from your merchant customers as a Data Controller?

We only collect personal data that is necessary to provide our services or respond to your requests.

We may collect different categories of personal data from you, including:

  • information relating to your identity, that of your legal representative, beneficial owners and necessary to contact you (surname, first name, business email address, business telephone number, or signature in a contractual context);
  • identification and authentication data, particularly when using your Merchant Back Office (technical logs, computer traces, security information).

The personal data we use may be collected directly from you or obtained from the following sources for the purpose of verifying or enriching our databases:

  • publications/databases made available by official authorities;
  • our partners or service providers;
  • third parties such as commercial information and anti-fraud organisations, in accordance with data protection regulations.

4. What personal data do you collect from service users (purchasers) as a Processor?

We only collect personal data that is necessary to provide our services, perform technical analyses of payment transactions to ensure their proper functioning, or respond to requests from our merchant customers.

We may collect different categories of transaction-related data (surname, first name, email address, encrypted card number, card expiry date, basket, amount, IP address).

The personal data we use may be collected from the merchant’s website via payment forms specifically dedicated to these interactions.

5. How do you use the personal data of your merchant customers?

We use your personal data for the purpose of providing our services, informing you about our products and services, responding to your enquiries, sending you marketing communications (with your consent where applicable), and complying with legal obligations.

Thus,

LYRA NETWORK uses your personal data to:

  • Ensure the accurate execution and management of contracts entered into.
  • Process payments.
  • Manage support requests.
  • Handle complaints and disputes concerning payment transactions made by your customers.
  • Oversee debt collection.
  • Carry out operations related to prospecting and commercial solicitations.
  • Manage requests to exercise rights relating to the use of your data.

LYRA COLLECT uses your personal data to:

  • Ensure the accurate execution and management of contracts entered into.
  • Open and ensure the proper management of Payment Accounts on behalf of the Merchant.
  • Provide payment services.
  • Manage support requests.
  • Process complaints and disputes concerning payment transactions made by your customers.
  • Supervise debt collection.
  • Combat fraud, money laundering and terrorist financing.
  • Carry out operations related to prospecting and commercial solicitations.
  • Manage requests to exercise your rights regarding the use of your data.

6. How do you use the personal data of service users (purchasers)?

LYRA NETWORK uses your personal data for the following purposes:

  • to process payment transactions that you initiate on our merchant customers’ websites, to perform technical analyses of payment transactions to ensure their proper functioning or to respond to requests from our merchant customers, and to comply with legal obligations.
  • Manage support requests from our merchant customers.
  • Process complaints and disputes relating to payment transactions initiated by our merchant customers.
  • Manage requests to exercise rights relating to the use of your data.

LYRA COLLECT processes your personal data for the following purposes:

  • to execute payment transactions initiated by you,
  • To manage support requests from our merchant customers.
  • To process complaints and disputes relating to payment transactions initiated by our merchant customers.
  • To combat fraud, money laundering and terrorist financing.
  • Manage requests to exercise your rights relating to the use of your data.
  • Perform technical analyses of payment transactions to ensure they function properly
  • or respond to requests from our merchant customers and comply with legal obligations.

7. With whom is my personal data shared?

Your personal data may be shared within the LYRA Group, to which we belong, for the same purposes as those mentioned above.

It may be communicated to LYRA’s partners solely for purposes related to the performance and fulfilment of the contract. We ensure in advance that these partners comply with the regulations.

When we use a supplier, service provider or third-party agent, your data remains under our control and verification measures are put in place to ensure the adequate protection of your personal information.

It may also be shared with legally authorised administrative and judicial authorities, as well as regulated professions such as auditors.

8. How do third parties process my data?

Our partners and/or subcontractors within and outside the EU process your personal data on our behalf, in accordance with our instructions, in compliance with the GDPR and any appropriate security and confidentiality measures. We systematically sign specific contractual provisions with our service providers/subcontractors to whom we are required to transmit Personal Data.

9. How is my data protected when it is transferred outside the European Union?

In the event that we need to transfer your personal data outside the European Union, we ensure that we have safeguards in place, such as:

  • an adequacy decision by the European Commission concerning certain countries that provide an adequate level of protection;
  • standard contractual clauses (SCCs) from the European Commission.

10. How long do you keep my personal data?

The retention period for personal data is determined by our business requirements and legal constraints. We keep this information for as long as necessary for the purposes for which it was collected and for other authorised purposes.

For example:

  • Most of our merchant customers’ data is retained for the duration of the contractual relationship and for five years after the end of the contractual relationship.
  • The bank details of service users (purchasers) are retained for fifteen (15) months.

Once this data is no longer needed, we take one of two approaches:

  • Either we anonymise it irreversibly, thereby retaining the right to store and use it anonymously.
  • Or we destroy it securely.

11. How do you protect my personal data?

We take the security of your personal data very seriously. We implement technical and organisational security measures to protect your data against unauthorised access, loss, alteration or disclosure. These measures are implemented by LYRA NETWORK, which acts as a payment acceptance solution subcontractor for LYRA COLLECT.

LYRA NETWORK is PCI DSS certified and implements the following security measures, among others:

  • Information System security policy; ·
  • Buildings monitored and protected by access control;
  • Secure servers and backed-up data;
  • Regularly audited information system;
  • Highly secure hosting centres;
  • Highly secure firewalls;
  • Backup redundancy;
  • High-availability servers;
  • encryption of transferred data;
  • protection through authentication;
  • limited data access rights;
  • database backup procedures.

12. What are my rights as a LYRA merchant customer?

Within the limits of regulations and our legal obligations, and where applicable, the GDPR grants you the right to access, rectify, object to, restrict, erase and transfer your personal data.

These rights apply exclusively to the personal data of our customers and not to that of service users (purchasers), who are invited to contact their merchant.

13. What are my rights as a user of the LYRA service (Purchaser)?

As a user of the service, you have the same rights as those mentioned above (point 12). Please note that we act as a processor for the merchant, who is the data controller in accordance with the GDPR. Your data is stored and deleted in accordance with the merchant’s instructions. To exercise your rights, please contact the merchant directly, who is responsible for processing your data.

14. How can I exercise my data protection rights?

To exercise your data protection rights, including the right to access, rectify, delete, restrict and transfer data, please contact us at [email protected].

15. How are cookies used?

Cookies are used to improve your experience on our website by recording information about your preferences and interactions.

To manage your cookie preferences, please consult our Cookie Management Policy on our website.

17. How can I find out more about your privacy policy?

To find out more about our privacy policy and how we process your personal data, please consult our Personal Data Protection Policy on our website .

If you have any further questions or concerns about data protection or our compliance with the GDPR, please do not hesitate to contact us at:

By post:

LYRA
For the attention of the Data Protection Officer
109 rue de l’Innovation
31670 LABEGE

Or

By email: [email protected]

18. How can I lodge a complaint?

In accordance with the applicable regulations, you can lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés) in France.

Last update : 26/11/2025

For your press needs or to signify our partnership, you can download our logos here:

Introduction

When you interact with our solutions, we pay particular attention to cookie management. The purpose of this Cookie Management Policy is to inform you about how we use cookies. Below you will find detailed explanations for browsing the website, using the Back Office Client solutions, and the payment pages for service users.

“We” refers to LYRA NETWORK and LYRA COLLECT.

A cookie is a small text file containing information that is stored on the hard drive of your device (e.g. computer, tablet or mobile phone) when you visit a website using your browser.

It is transmitted by a website’s server to your browser.

The cookie file allows its issuer to identify the device on which it is stored, during the period of validity or storage of the cookie concerned.

Only the issuer of a cookie can read or modify the information contained therein.

2. Cookies on the lyra.com and payzen.eu websites (visitors)

2.1. Where cookies appear

When you browse our websites lyra.com and payzen.eu, data relating to your browsing may be stored in files called ‘cookies’. These are installed on your device (computer, tablet, smartphone, etc.), depending on the choices you make regarding the use of cookies, which you can adjust at any time.

2.2. Types of cookies used

Our websites use different types of cookies to improve your online experience, including Geo Redirection, which performs redirects based on IP address, security cookies (Captcha) used on certain pages to protect form entries from bots, and analytical cookies that help us track traffic and understand site usage. This combination ensures a personalised and secure experience on our online platforms.

2.3. Data retention period

Geo Redirection cookie data is retained for a period of 12 months, while security cookie data is retained for a period of 1 day. Information collected by analytical cookies is retained for a period of 14 months.

Choices on our Websites

When you first visit our websites, we ask you to accept the collection of your browsing data via an ‘Accept / Reject All / Manage my preferences’ button.

When you consent to the installation of cookies, a consent cookie is installed. Consent cookies must remain on your terminal equipment.

Please note that your preference is stored in a cookie. If you delete all cookies stored on your terminal (via your browser), we or our service providers will no longer know that you have chosen this option.

For all requests via one of our forms, you will be asked for your consent to the use of your personal data.

Configuring your browser

You can configure your browser software so that cookies are stored on your device or, conversely, are rejected either systematically or depending on their issuer. You can also configure your browser software so that you are asked to accept or refuse cookies on a case-by-case basis, before a cookie is likely to be stored on your device.

The configuration of each browser is different. It is described in your browser’s help menu.

However, please note that disabling cookies may affect your experience on our website and limit certain features.

3. Cookies on the docs.lyra.com and payzen.io websites (visitors)

3.1. Where cookies appear

When you browse our websites docs.lyra.com and payzen.io, data relating to your browsing may be stored in files called ‘cookies’. These are installed on your device (computer, tablet, smartphone, etc.), depending on your choices regarding the use of cookies, which you can adjust at any time.

3.2. Types of cookies used

Our websites use various types of cookies to improve your online experience. These cookies include analytical cookies, which are used to track traffic and analyse site usage, as well as cookies specifically dedicated to surveys (survey form).

3.3. Data retention period

Analytical cookie data is retained for a period of 14 months, while survey cookie data is retained for a period of 12 months.

Choices on our websites

When you first visit our websites, we ask you to accept the collection of your browsing data via an ‘Accept / Reject all / Manage my preferences’ button.

When you consent to the installation of cookies, a consent cookie is installed. Consent cookies must remain on your terminal equipment.

Please note that your preference is stored in a cookie. If you delete all cookies stored on your terminal (via your browser), we or our service providers will no longer know that you have chosen this option.

For all requests made via one of our forms, you will be asked for your consent to the use of your personal data.

Configuring your browser

You can configure your browser software so that cookies are stored on your device or, conversely, are rejected either systematically or depending on their issuer. You can also configure your browser software so that you are asked to accept or refuse cookies on a case-by-case basis, before a cookie is likely to be stored on your device.

The configuration of each browser is different. It is described in your browser’s help menu.

However, please note that disabling cookies may affect your experience on our website and limit certain features.

4. Cookies on the pos.status.lyra.com, payzen.status.lyra.com and status.lyra.com websites (visitors)

4.1. Where cookies appear

When you browse our websites pos.status.lyra.com, payzen.status.lyra.com and status.lyra.com, data relating to your browsing may be stored in files called ‘cookies’. These are installed on your device (computer, tablet, smartphone, etc.), depending on the choices you make regarding the use of cookies, which you can adjust at any time.

4.2. Types of cookies used

On these websites, a single type of cookie is used: analytical cookies, which are used to track traffic and analyse website usage.

4.3. Data retention period

Analytical cookie data is retained for a period of 14 months.

Browser settings

You can configure your browser software so that cookies are stored on your device or, conversely, are rejected either systematically or depending on their issuer. You can also configure your browser software so that you are asked to accept or refuse cookies on a case-by-case basis before a cookie is likely to be stored on your device.

The configuration of each browser is different. It is described in your browser’s help menu.

However, please note that disabling cookies may affect your experience on our website and limit certain features.

5. Cookies on Back-office solutions (customers)

5.1. Where cookies appear

When using our customer Back-office solutions, information related to your browsing may also be recorded using ‘cookies’. These files are installed on your device, and your consent to their use can be adjusted according to your preferences at any time.

5.2. Types of cookies used

Back offices mainly use two types of cookies: cookies necessary for operation, which ensure that the payment context is stored and retrieved throughout the transaction, as well as the traceability of the payment initiation on a specific machine; and session authentication cookies, which ensure the security of the user session.

5.3.   Data retention period

For the first type of cookies, which ensure the preservation of the payment context and the traceability of the initiation, the data is retained for a period of 30 minutes. As for session authentication cookies, their retention period corresponds to the duration of the session, extended to one day.

Browser settings

You can configure your browser software so that cookies are stored on your device or, conversely, are rejected either systematically or depending on their issuer. You can also configure your browser software so that you are asked to accept or refuse cookies on a case-by-case basis before a cookie is likely to be stored on your device.

The configuration of each browser is different. It is described in your browser’s help menu.

However, please note that disabling cookies may affect your experience and limit certain features (with a high risk of failure).

6. Cookies on redirect payment pages (service users)

6.1. Where cookies appear

When using payment pages (with redirection), information relating to your browsing may be recorded using “cookies”.

6.2. Types of cookies used

When making payments via redirection, two types of cookies are used to ensure the transaction runs smoothly: cookies necessary for operation, which guarantee that the payment context is retained throughout the transaction, while allowing the machine that initiated the payment to be identified; and Captcha security cookies, technical cookies that identify users who have already used Captcha, thus ensuring that the customer’s session is tracked. This combination guarantees a personalised and secure experience on our online platforms.

6.3. Data retention period

The data from cookies necessary for operation, ensuring that the payment context is preserved, is retained for a period ranging from 30 minutes to 25 and a half hours. At the same time, information from security cookies is retained for a period of one year.

Browser settings

You can configure your browser software so that cookies are stored on your device or, conversely, are rejected either systematically or depending on their issuer. You can also configure your browser software so that you are asked to accept or refuse cookies on a case-by-case basis before a cookie is likely to be stored on your device.

Each browser’s settings are different. They are described in your browser’s help menu.

However, please note that disabling cookies may affect your experience and limit certain features (with a high risk of failure).

7. Privacy Policy

For a more in-depth understanding of how data is processed, we encourage you to review our full privacy policy.

8. Contact

If you have any questions or concerns about our use of cookies, you can contact us at the following address:

By post:

LYRA
For the attention of the Data Protection Officer
109 rue de l’innovation
31670 LABEGE

Or

By email: [email protected]

9. Changes to the Policy

We reserve the right to change this Cookie Management Policy at any time. Any changes will be published on our website, and the date of the last update will be indicated at the top of the policy.

Last update: 26/11/2025

LYRA NETWORK, as a provider of remote and local payment acceptance solutions ‘PAYZEN’, and LYRA COLLECT, as a Payment Institution, attach great importance to the protection of the personal data of their customers and users. This Personal Data Protection Charter (the ‘Charter’) describes how we collect, use, store and protect your personal data in accordance with applicable laws and regulations.

All operations involving your personal data are carried out in compliance with the regulations in force, in particular Law No. 78-17 ‘Informatique, Fichiers et Libertés’ (Data Protection Act) of 6 January 1978, as amended, and European Regulation No. 2016/679 on Data Protection.

Chapter 1 – LYRA NETWORK PERSONAL DATA PROTECTION CHARTER

 « LYRA » or « We », refers to LYRA NETWORK and all of its European subsidiaries.

1. Persons Concerned and Associated Responsibilities

1.1. Persons concerned

The individuals affected by the collection of personal data are diverse and encompass a wide range of people. They fall into three distinct categories:

  • Prospects: This group includes individuals or companies that have expressed an interest in our services but have not yet established a formal business relationship with our company.
  • Customers: These individuals have already established a commercial relationship with our services. Typically, they are merchants.
  • Service users: This group includes anyone who interacts with our tools, products or platforms. In general, these are buyers who use the services provided by our merchant customers.

The collection of personal data from these different categories of individuals is an essential part of our commitment to them.

1.2.  Roles and responsibilities

LYRA NETWORK has various roles in relation to the processing of personal data:

  • Data controller for personal data of prospects and customers: As data controller, LYRA NETWORK is responsible for collecting, using and protecting the personal data of prospects and customers. It is responsible for determining the purposes and means of processing this data.
  • Personal data processor for service users: For service users, LYRA NETWORK acts as a processor. This means that the merchant is the primary data controller for this data, and LYRA NETWORK acts as a service provider to process this data in accordance with the merchant’s instructions.

2. Collection of Personal Data

2.1.  Sources of Collected Data

LYRA NETWORK collects Personal Data directly and indirectly, through various means such as contracts, legal obligations, consent of the individual, or legitimate interest of the company.

  • Prospects: Prospect data is collected through several channels, including incoming contacts such as contact forms on the Lyra.com website, emails, and telephone calls. In addition, this information comes from marketing activities such as newsletter subscriptions, participation in organised events, and interaction on social media.
  • Customers: Our customers’ data is acquired when the commercial relationship is initiated. This information comes from contact requests via contact or support forms or during conversations with our chatbot. In addition, this information also comes from marketing activities such as newsletter subscriptions and participation in organised events.
  • Service users: For service users, data is collected from the merchant’s e-commerce site via payment forms specifically dedicated to these interactions.

2.2. Data Collected

The term ‘Personal Data’ or ‘Data’ refers to any information relating to an identified or identifiable natural person, directly or indirectly, through a customer number or a set of elements specific to that person.

Here are the categories of personal data that you may be required to provide to us in different contexts:

As prospects:

  • Information such as your surname, first name, e-mail address, business telephone number and other details that you voluntarily provide in order to offer you a personalised service and respond effectively to your requests.

As a customer:

  • Data relating to your identity, technical, accounting and commercial contacts for communication purposes, including information such as your surname, first name, business email address, business telephone number or signature in a contractual context.
  • Identification and authentication information, particularly when using your private space (technical logs, computer traces, security-related information).

As an end user of our services:

  • Transaction data essential for the provision of the service and technical analysis of these operations, including details such as surname, first name, email address, encrypted card number, card expiry date, IBAN, amount, IP address.

2.3.   Purposes of Collection

The processing of personal data of prospects, customers and users of our service is carried out for the following purposes:

For prospects:

  • To carry out operations related to prospecting and commercial solicitations.
  • To manage requests to exercise rights related to the use of your data.

For customers:

  • Ensure the accurate execution and management of contracts entered into.
  • Process payments.
  • Manage support requests.
  • Process complaints and disputes concerning payment transactions made by your customers.
  • Oversee debt collection.
  • Carry out operations related to prospecting and commercial solicitations.
  • Manage requests to exercise rights relating to the use of your data.

For service users:

  • Process payment transactions initiated by you on the merchant site.
  • Manage support requests from our merchant customers.
  • Handle complaints and disputes relating to payment transactions initiated by our merchant customers.
  • Manage requests to exercise rights relating to the use of your data.

3. Use and subcontracting of Personal Data

Your personal data is used in a lawful and transparent manner for the purposes set out above. We would like to point out that we do not sell, rent or share your personal data for marketing purposes with third parties without your explicit consent. All personal information collected by LYRA NETWORK is considered strictly confidential.

However, Personal Data may be shared with subcontractors and third-party companies in the following cases:

  • To achieve objectives related to the performance of the contract.
  • When required by law, LYRA NETWORK may be required to transmit data to legal authorities in order to respond to claims made against it and to comply with administrative and judicial procedures, particularly in the context of the fight against money laundering and terrorist financing.
  • In order to comply with our legal obligations (e.g. to auditors).

We may be required to temporarily and securely transfer certain necessary personal data to third parties (subcontractors), in particular for the management of your customer file, the operation and maintenance of our services, or to carry out tasks essential to the performance of services, the fight against fraud, and more generally for any criminally punishable activity.

Our subcontractors within and outside the EU process your personal data on our behalf, in accordance with our instructions, our Personal Data Protection Charter, and all appropriate security and confidentiality measures. Contracts with our subcontractors systematically include clauses relating to the protection of personal data.

When we transfer your personal data outside the European Union, we ensure that we have framework mechanisms in place that comply with specific provisions:

  • An adequacy decision by the European Commission concerning certain countries that ensure an adequate level of protection.
  • The use of standard contractual clauses (SCCs) established by the European Commission.

4. Data Retention

The retention period for personal data is determined by our business requirements and legal constraints. We retain this information for as long as necessary for the purposes for which it was collected and for other authorised purposes. For example:

  • Transaction data is retained for fifteen (15) months.
  • Complaint data is retained for thirteen (13) months from the date of the transaction.
  • Prospect data is retained for a period of three (3) years from the date of the last contact with the prospect.

Once this data is no longer needed, we take one of two approaches:

  • Either we anonymise it irreversibly, thereby retaining the right to store and use it anonymously.
  • Or we destroy it securely.

In the event of a dispute, the personal data collected, as well as any information, documents and items containing personal data relevant to the subject matter of the dispute, may be retained for the duration of the proceedings, which may exceed the time limits mentioned above.

5. Data Security

We implement appropriate security measures to ensure that your personal data is protected against unauthorised access, alteration, loss or disclosure.

LYRA NETWORK is PCI DSS certified and implements a series of security measures, including:

  • An information system security policy.
  • Buildings under surveillance and protected by access controls.
  • Server security and data backup.
  • Regular information system audits.
  • Highly secure hosting centres.
  • Highly secure firewalls.
  • Redundant backups.
  • High-availability servers.
  • Data encryption during transfers.
  • Authentication protection.
  • Restricted data access rights.

6. Your Rights

In accordance with Directive (EU) 2016/679 of 27 April 2016 on data protection, you have the right to exercise rights relating to all your data for legitimate reasons.

As a prospect or customer, acting as data controller, you have the following rights:

  • Right of access: Access information about your personal data being processed.
  • Right of rectification: Update or correct your personal data.
  • Right to object: Object to processing, especially in relation to commercial prospecting, except where legally required.
  • Right to erasure: Request the deletion of your personal data held by LYRA NETWORK, in accordance with applicable laws.
  • Right to restriction: Request the suspension of the processing of your personal data in specific cases, such as when you contest its accuracy or its unlawful processing, or for your legal rights.
  • Right to portability: Retrieve your personal data to transfer it to another data controller in a machine-readable format if the processing is based on your consent or a contract and is carried out by automated means.

To exercise these rights, you must prove your identity by providing a copy of an identity document to ensure data confidentiality.

LYRA NETWORK will respond to your request within one month of receipt. If necessary, this period may be extended by two months depending on the complexity and number of requests. In the event of an extension, you will be informed of the reasons for this additional delay within one month of receipt of your request.

In the event of disagreement, you have the option of filing a complaint with the CNIL, whose website is accessible at the following address: http://www.cnil.fr. The head office is located at 3 Place de Fontenoy, 75007 Paris.

As a user of the service, you have the same rights. Please note that we act as a processor for the merchant, who is the controller in accordance with the General Data Protection Regulation. Your data is stored and deleted in accordance with the merchant’s instructions. To exercise your rights, please contact the merchant directly, who is responsible for processing your data.

7. Contact

If you have any questions or concerns regarding the protection of your personal data, you can contact us at the following address:

By post:

Lyra Network
For the attention of the Data Protection Officer
109 rue de l’Innovation
31670 LABEGE

Or

By email: [email protected]

8. Changes to the Policy

We reserve the right to change this Personal Data Protection Policy at any time. Any changes will be published on our website https://www.lyra.com, and the date of the last update will be indicated at the top of the policy.

These amendments are binding on you as soon as they are posted online. You should therefore consult this Policy regularly to familiarise yourself with the latest version.

Last update: 26/11/2025

CHAPTER 2 – LYRA COLLECT PERSONAL DATA PROTECTION POLICY

“We” refers to LYRA COLLECT.

1. Data Subjects and Associated Responsibilities

1.1. Data Subjects

The data subjects affected by the collection of personal data are diverse and encompass a wide range of individuals. They fall into three distinct categories:

  • Prospects: This group includes individuals or companies that have expressed an interest in our services but have not yet established a formal business relationship with our company.
  • Customers: These individuals have already established a commercial relationship with our services. Typically, they are merchants.
  • Service users: This group includes anyone who interacts with our tools, products or platforms. In general, these are buyers who use the services provided by our merchant customers.

The collection of personal data from these different categories of individuals is an essential part of our commitment to them.

1.2. Roles and responsibilities

LYRA COLLECT has different roles in the processing of personal data:

  • Data controller for the personal data of prospects and customers: As data controller, LYRA COLLECT is responsible for the collection, use and protection of the personal data of prospects and customers. It is responsible for determining the purposes and means of processing this data.
  • Processor of personal data for service users: For service users, LYRA COLLECT acts as a processor. This means that the merchant is the main data controller for this data, and LYRA COLLECT acts as a service provider to process this data in accordance with the merchant’s instructions.
  • Joint controller for data related to LCBFT: As joint controller for data related to the fight against money laundering and terrorist financing (LCBFT), LYRA COLLECT shares responsibility for this data with other entities or organisations to ensure compliance with regulations on combating these illegal activities.

2. Collection of Personal Data

2.1.   Sources of Collected Data

LYRA COLLECT collects Personal Data directly and indirectly, through various means such as contracts, legal obligations, consent of the individual, or legitimate interest of the company.

  • Prospects: Prospect data is collected through several channels, including incoming contacts such as contact forms on the Lyra.com website, emails, and telephone calls. In addition, this information comes from marketing activities such as newsletter subscriptions, participation in organised events, and interaction on social media.
  • Customers: Our customers’ data is acquired when the commercial relationship is initiated. This includes the transmission of KYC and AML/CFT documents and analysis tools. In addition, this information comes from contact requests via contact forms, support forms, or conversations with our chatbot. Furthermore, this information also comes from marketing actions such as newsletter subscriptions and participation in organised events.
  • Service users: For service users, data is collected from the merchant’s e-commerce site via payment forms specifically dedicated to these interactions.

2.2. Data Collected

The term ‘Personal Data’ or ‘Data’ refers to any information relating to an identified or identifiable natural person, directly or indirectly, through a customer number or a set of elements specific to that person.

Here are the categories of personal data that you may be required to provide to us in different contexts:

As a prospects:

  • Information such as surname, first name, email address, business telephone number and other details that you voluntarily provide in order to offer you a personalised service and respond effectively to your requests.

As a customer:

  • Information related to the identity of the legal representative and beneficial owners for know your customer (KYC) purposes, including details such as surname, first name, postal address, date of birth, business email address, business telephone number or signature in a contractual context.
  • Data relating to your identity, technical, accounting and commercial contacts for communication purposes, including information such as surname, first name, business email address, business telephone number or signature in the contractual context.
  • Identification and authentication information, particularly when using your private space (technical logs, computer traces, security-related information).

As an end user of our services:

  • Transaction data, essential for the provision of the service and the technical analysis of these operations, including details such as surname, first name, email address, encrypted card number, card expiry date, IBAN, amount, IP address.

2.3.  Purposes of Collection

The processing of personal data of prospects, customers and users of our service is carried out for the following purposes:

For prospects:

  • To carry out operations related to prospecting and commercial solicitations.
  • Ensure verification in the context of fraud prevention, money laundering and the fight against terrorist financing.
  • Manage requests to exercise rights related to the use of your data.

For customers :

  • Ensure the accurate execution and management of contracts entered into.
  • Open and ensure the proper management of payment accounts on behalf of the Merchant.
  • Provide payment services.
  • Manage support requests.
  • Process complaints and disputes concerning payment transactions made by your customers.
  • Supervise debt collection.
  • Combat fraud, money laundering and terrorist financing.
  • Carry out operations related to commercial solicitations.
  • Manage requests to exercise rights relating to the use of your data.

For users of the service:

  • Execute payment transactions initiated by you on the merchant site.
  • Manage support requests from our merchant customers.
  • Process complaints and disputes relating to payment transactions initiated by you.
  • Combat fraud, money laundering and terrorist financing.
  • Manage requests to exercise your rights regarding the use of your data.
  • Perform technical analyses of payment transactions to ensure they function properly
  • or respond to requests from our merchant customers and comply with legal obligations.

3. Use and subcontracting of Personal Data

Your personal data is used in a lawful and transparent manner for the purposes set out above. We would like to point out that we do not sell, rent or share your personal data for marketing purposes with third parties without your explicit consent. All personal information collected by LYRA COLLECT is considered strictly confidential.

However, Personal Data may be shared with subcontractors and third-party companies in the following cases:

  • To achieve objectives related to the performance of the contract.
  • When required by law, LYRA COLLECT may be required to transmit data to legal authorities in order to respond to claims made against it and to comply with administrative and judicial procedures, particularly in the context of the fight against money laundering and terrorist financing.
  • In order to comply with our legal obligations (e.g. to auditors).

We may be required to temporarily and securely transfer certain necessary personal data to third parties (subcontractors), in particular for the management of your customer file, the operation and maintenance of our services, or to carry out tasks essential to the performance of services, the fight against fraud, and more generally for any criminally punishable activity.

Our subcontractors within and outside the EU process your personal data on our behalf, in accordance with our instructions, in compliance with our Personal Data Protection Charter, and with all appropriate security and confidentiality measures. Contracts with our subcontractors systematically include clauses relating to the protection of personal data.

When we transfer your personal data outside the European Union, we ensure that we have framework mechanisms in place that comply with specific provisions:

  • An adequacy decision by the European Commission concerning certain countries that ensure an adequate level of protection.
  • The use of standard contractual clauses (SCCs) established by the European Commission.

4. Data Retention

The retention period for personal data is determined by our business requirements and legal constraints. We retain this information for as long as necessary for the purposes for which it was collected and for other authorised purposes. For example:

  • Transaction data is retained for fifteen (15) months.
  • Data relating to complaints is retained for thirteen (13) months from the date of the transaction.
  • Prospect data is retained for a period of three (3) years from the date of the last contact with the prospect.

Once this data is no longer needed, we take one of two approaches:

  • Either we irreversibly anonymise it, thereby retaining the right to store and use it anonymously.
  • Or we destroy it in a secure manner.

It is important to note that payment data, collected by an organisation subject to anti-money laundering requirements in order to provide a remote payment solution, may be retained until the account is closed. Thereafter, in accordance with legal obligations, it may be archived. (Reference: Article 4.3 of CNIL Deliberation No. 2018-303 dated 6 September 2018).

In the event of a dispute, the personal data collected, as well as any information, documents and items containing personal data relevant to the subject matter of the dispute, may be retained for the duration of the proceedings, which may exceed the time limits mentioned above.

5. Data Security

We implement appropriate security measures to ensure that your personal data is protected against unauthorised access, alteration, loss or disclosure. These measures are implemented by LYRA NETWORK, which acts as a payment acceptance solution subcontractor for LYRA COLLECT.

LYRA NETWORK is PCI DSS certified and implements a series of security measures, including:

  • A security policy for the Information System.
  • Buildings under surveillance and protected by access controls.
  • Server security and data backup.
  • Regular audits of the information system.
  • Highly secure hosting centres.
  • Highly secure firewalls.
  • Redundant backups.
  • High-availability servers.
  • Data encryption during transfers.
  • Authentication protection.
  • Restricted data access rights.

6. Your Rights

In accordance with Directive (EU) 2016/679 of 27 April 2016 on data protection, you have the right to exercise rights relating to all your data for legitimate reasons.

As a prospective customer or customer, acting as data controller, you have the following rights:

  • Right of access: Access information about your personal data being processed.
  • Right of rectification: Update or correct your personal data.
  • Right to object: Object to processing, especially in the case of commercial prospecting, except in cases of legal obligation.
  • Right to erasure: Request the deletion of your personal data held by LYRA COLLECT, in accordance with applicable laws.
  • Right to restriction: Request the suspension of the processing of your personal data in specific cases, such as when you contest its accuracy or its unlawful processing, or for your legal rights.
  • Right to portability: Retrieve your personal data to transfer it to another data controller in a machine-readable format if the processing is based on your consent or a contract and is carried out by automated means.

To exercise these rights, you must prove your identity by providing a copy of an identity document to ensure data confidentiality.

LYRA COLLECT will respond to your request within one month of receipt. If necessary, this period may be extended by two months depending on the complexity and number of requests. In the event of an extension, you will be informed of the reasons for the additional delay within one month of receipt of your request.

In the event of disagreement, you have the option of lodging a complaint with the CNIL, whose website is accessible at the following address: http://www.cnil.fr. The head office is located at 3 Place de Fontenoy, 75007 Paris.

As a user of the service, you have the same rights. Please note that we act as a processor for the merchant, who is the controller in accordance with the General Data Protection Regulation. Your data is stored and deleted in accordance with the merchant’s instructions. To exercise your rights, please contact the merchant directly, who is responsible for processing your data.

7. Contact

If you have any questions or concerns regarding the protection of your personal data, you can contact us at the following address:

By post:

Lyra Collect
For the attention of the Data Protection Officer
109 rue de l’Innovation
31670 LABEGE

Or

By email: [email protected]

8. Changes to the Policy

We reserve the right to change this Personal Data Protection Policy at any time. Any changes will be published on our website https://www.lyra.com, and the date of the last update will be indicated at the top of the policy.

These amendments are binding on you as soon as they are posted online. You should therefore consult this Policy regularly to familiarise yourself with the latest version.

Last update: 26/11/2025