Preamble
LégalPrivacy policy

Privacy policy

Last update: 04/14/2023

Preamble

This Privacy Policy is intended to inform Users about how their personal information may be collected and processed.

Respect for privacy and personal data is a priority for Swile, which is why we are committed to processing them in strict compliance with the applicable regulations on the protection of personal data (hereinafter the "Applicable Regulations"), in particular the French Data Protection Act of 6 January 1978 (hereinafter the "LIL") as amended and the General Data Protection Regulation (EU) of 27 April 2016 (hereinafter the "GDPR").


As such, Swile ensures:
- To respect privacy by default and by design of its applications;
- To process data lawfully, fairly and transparently for legitimate and specified purposes;
- To allow, at any time, the exercise of Users' rights.

In addition, Swile undertakes to :
- Under all circumstances, not to sell your personal data;
- Apply a demanding process for the selection of its processors and ensure that they have an adequate level of personal data protection through appropriate organisational and technical measures;
- Host data securely, in accordance with the recommendations of the protection authorities.

Article 1. Definitions

Affiliate : means the Swile merchant partner who can accept the use of the Swile Card as a means of payment in its point(s) of sale, website(s), online platform(s) and/or application(s), in accordance with the eligibility conditions defined by Swile.

Beneficiary : means the person benefiting from Swile's services, who is an employee of a company belonging to the Client's group.

Swile Card : means the nominative smart card offered by Swile to the Beneficiaries allowing them to pay at eligible merchants in accordance with the regulations applicable to the Services.

Client : refers to the company or the Social and Economic Committee (the "CSE") having subscribed to one of the offers proposed by Swile with a view to using the Services and making them available to the Beneficiaries.

"EME": Depending on the settings made by Swile and according to the Services, means :
(i)or the company Treezor SAS, an electronic money institution, approved by the Autorité de Contrôle Prudentiel et de Résolution, 4 Place de Budapest 75436 PARIS CEDEX 09, available at www.regafi.fr under number 16798.
(ii)or the company Swile Payment, an electronic money institution, approved by the Autorité de Contrôle Prudentiel et de Résolution, 561 rue Georges Melies 34000 Montpellier, which can be consulted on www.regafi.fr,under number 17508.

Beneficiaries' Space : means the configuration interface made available to the Beneficiary by Swile.

Customer Space : means the administration interface made available to the Customer by Swile.

Identifier : means both the e-mail address and the password chosen by the Beneficiary or the Client when registering on the Platform and which must be entered in order to connect to the Beneficiary's Space.

Platform : means the website accessible at www.swile.co and the mobile application "Swile", published by Swile, as well as all their graphic, sound, visual, software and textual components. The Platform is the exclusive property of Swile.

Third-party service platforms : refers to all intermediaries providing all types of Services and to which the Beneficiary may have recourse (meal delivery platform, etc.).

Services : means the services offered by Swile, in particular via the Platform. The Services are detailed in the applicable conditions.

Swile : refers to the company Swile, a simplified joint stock company with a capital of 61,233.30 euros, whose registered office is located at @7Center, Immeuble L'Altis, Bâtiment A, 561 rue Georges Meliès -34000 Montpellier, registered in the Montpellier Trade and Companies Register under the number 824 012 173, represented by Mr Loïc Soubeyrand.

Users : refers to all categories of users of the Platform. The following are thus considered as Users :
- The Beneficiaries ;
- The Clients ;
- The Affiliates.

"Wallet(s)": means an electronic money account opened by a Beneficiary in the EME's books for the purposes of the Wallet Service. It may be personal ("Personal Wallet") and/or associated with a pot ("Pot Wallet") for a particular corporate event.

Article 2. What personal data is processed by Swile ?

The required or optional personal data collected and the possible consequences of failure to reply are indicated at the time of collection on the associated forms.

You can consult the details of the personal data that we may process below.

💼 Customer identification data :

Details of personal data processed :
- Names, first names and email addresses of directors and/or officers;
- Data required for Customer authentication (KYB).

Persons concerned :
- Administrators within Clients (HR departments and ESCs).

Categories of processing concerned :
- 🎛Management and use of the Platform ;
- 🤝Accounting and commercial management of the relationship with the Clients ;

- 📬 Marketing operations.

🙋 Identification data of the Beneficiaries :

Details of personal data processed:
- Civility ;
- Name ;
- First name ;
- Telephone number ;
- Email address (business or personal as appropriate) ;
- Personal postal address if applicable ;
- Internal identification code ;
- Date of birthday.

Persons concerned :
- Beneficiaries

Categories of processing concerned :
- 🎛Management and use of the Platform ;
- 💳Operation of the Swile Card and associated e-wallets ;
- ✚Additional features depending on the offer subscribed to.

👔 Data on working life :

Details of personal data processed :
- Professional email address if applicable ;
- Company in which the Beneficiary works ;
- In the case of the Client's representatives, the position held within the Client's company.

Persons concerned :
- Users ;
- Prospects.

Categories of processing concerned :
- 🎛Management and use of the Platform ;
- 💳Operation of the Swile card and associated e-wallets ;
- ✚Additional features depending on the package subscribed to;
- 📬Marketing operations.

📱Technical data relating to the use of the Platform :

Details of personal data processed:
- IP address ;
- Mobile ID ;
- Unique identifier generated by Swile ;
- Logs ;
- Cookies ;
- Connection data.

Optional data :
- Geolocation.

Persons concerned :
- Users

Categories of processing concerned :
- 🎛Management and use of the Platform ;
- 💳Operation of the Swile card and associated e-wallets ;
- ✚Additional features depending on the offer subscribed to.

💰Financial and transactional data :

Details of personal data processed :
- Bank details ;
- Transaction history ;
- Donations to associations ;
- Terms of payment ;
- Information related to a transaction ;
- Information on shared pools and refunds.

Persons concerned :
- Users.

Categories of processing concerned :
- 🎛Management and use of the Platform;
- 💳Operation of the Swile card and associated e-wallets;
- 🤝Management of the accounting and commercial relationship with Clients and Affiliates.

Article 3. How is personal data collected ?

In the course of providing the Services, Swile directly or indirectly collects personal data about Users for the purposes mentioned below.

Data collected indirectly :

- By the Client concerning the Beneficiary : when the Client subscribes to the Services, certain Beneficiary data are directly imported by the Client to enable them to access the Platform's functionalities.

Data collected directly :

- From the Beneficiary : when the Beneficiary fills in or completes his/her personal information in his/her Space, when he/she navigates on the Platform as well as during a transaction made with the Swile Card ;
- From the Customer and the Affiliate : when they transmit the data necessary for the execution of the contracts they conclude with Swile ;

Article 4. For what purposes is the data collected ?

Depending on the degree of determination of Swile in the purposes and means of data processing, Swile will alternatively have the status of data controller or data processor of the Client or the EME.

A.Swile as data controller

🎛 Management and use of the Platform :
- General administration of the Platform, including the implementation of security measures;
- Carrying out statistics on the use of the Platform;
- Support and management of User requests;
- Subject to the Beneficiary's consent, geolocation allowing him/her to obtain the list of Affiliates around him/her;
- Fight against money laundering, fraud and terrorism, in accordance with its legal obligations;
- Deposit of cookies on the Platform, in accordance with the choices made by the User where applicable.

💳 Operation of the Swile Card and its associated e-wallets :
- Carrying out debit and/or credit transactions when using the Swile Card, both at Affiliates and on the Platform;
- Activation and management of the Beneficiary's meal vouchers and/or gift vouchers and/or personal Wallet;
- Management of Swile Card opposition requests ;
- Suspension or blocking of the use of the Swile Card and associated transactions in case of suspicious use ;
- Compliance with legal and regulatory obligations, including the fight against fraud (e.g. AML/CFT, PSD2);

✚Additional features depending on the package subscribed to :

1.Purpose of the top-up
- Association of the Swile Card with the Beneficiary's bank card in order to provide the top-up functionality.

2.Specific purpose of the provision of meal vouchers
- Management of donations of meal vouchers to associations by Beneficiaries.

3.Purpose specific to the e-commerce Platform
- Management of purchases on the e-commerce platform (including the delivery of purchased goods and/or services).

4.Purpose specific to the connect offer
- Provision of team life features (pots, celebrations, event creation etc.).

🤝Accounting and commercial management with Clients and Affiliates :
- Payment of Services and follow-up of invoicing ;
- Management of unpaid bills and disputes ;
- Maintenance of accounting records and legal documents ;
- Management of commercial follow-up.

📬Marketing operations :
- Carrying out BtoB prospecting campaigns (email, telephone, mail);
- Sending promotional emails (on a continuous basis or on specific operations);
- Participation in competitions;
- Compilation of statistics ;
- Conducting satisfaction surveys;
- Conducting surveys on a theme related to Swile's offers.

B.Swile as a processor

1.Swile as processor of the Client

👉Common features in the provision of meal vouchers, gift vouchers, the mobility offer and the connect offer:

- Setting up the Client's corporate environment, including :

Management of the list of Beneficiaries ;
Support in setting up Beneficiaries' user accounts.
- Managing requests to exercise Beneficiaries' rights for subcontracted processing operations.

🍔 Specific purposes for the provision of meal vouchers :
- Management of the request to issue meal vouchers ;
- Management of meal voucher reimbursement operations at the request of the Client, in the event of a Beneficiary leaving the company.

🎁 Purposes specific to the provision of gift vouchers :
- Provision of the communication tools (email, blog, etc.);
- Provision of statistical reports for the Client;
- Management of the request for the issuance of gift certificates ;
- Management of the financing by the Client of services/products determined by the latter for the Beneficiaries;

🚲 Purposes specific to the provision of the mobility offer :
- Management of the request to load the mobility account ;
- Provision of supporting documents (invoice, receipt etc.) to the Customer;
- Management of mobility claims, including :
Credential management ;

Verification of eligibility for the mobility solution.

👂Purposes specific to the provision of the listen service (alone or as part of the ultimate offer) :
- Provision of survey tools and employee surveys ;
- Provision of a personal messaging device ;
- Post-moderation of content published on the Platform.

2.Swile as processor of the EME

- Management of payment transactions within the framework of the various User accounts;
- Authentication of the Beneficiary through a "Know Your Customer" (KYC) process ;
- Authentication of the Client and/or Affiliate through a "Know Your Business" (KYB) process.

Article 5. What are the legal bases for the processing ?

As data controller, Swile processes data for the above purposes on the following legal bases:


- Execution of contractual and pre-contractual measures : operating in a B to B to C environment, Swile is contractually bound with Clients and Affiliates to provide, in particular, a service to the Beneficiary. Thus, the obligations arising from the provision of the various services are detailed in the contracts concluded between Swile and the Client, and the conditions applicable to each Service.

- Legal obligations : Swile is subject to specific legal obligations due to its specific regulated commercial activity, such as the fight against money laundering, the financing of terrorism and the fight against fraud, but also its accounting obligations.

- Legitimate interest : Beneficiaries' personal data may be processed in order to improve the service provided, in particular by the customer service. Clients' personal data may be processed in order to offer additional services and for commercial prospecting purposes.

- Consent : in certain cases, Swile may process Users' personal data subject to their prior express consent, in particular for the deposit of certain cookies, the reception of promotional offers or the activation of geolocation.

Article 6. Who are the recipients of the data ?

Swile may transmit your data to its processors for the exclusive purpose of performing part of the Services.

Swile audits and documents all organisational and technical measures implemented by its processors.

Swile systematically verifies that sufficient security measures are in place to maintain an adequate level of security throughout the data life cycle.

Consequently, Swile ensures that the personal data processed are not readable in clear text and are systematically encrypted. Therefore, in the absence of the encryption key, the data is inaccessible, even by a foreign judicial or administrative authority.

Swile also ensures that robust contractual safeguards are in place by imposing a Data Processing Agreement (DPA) tailored to its industry.

You may request access to documents ensuring appropriate contractual safeguards by making a request to our Data Protection Officer by email to dpo@swile.co, or by post to Swile -Service DPO, IMMEUBLE L'ALTIS BATIMENT A @ 7CENTER, 561 RUE GEORGES MELIES, 34000 MONTPELLIER.

Within the limits of their respective responsibilities and for the purposes for which they are responsible, the persons who may have access to your data are the following :

- Authorised personnel from our research and development, marketing, sales, administrative, logistics, legal and IT departments, responsible for improving our services, customer relations and prospecting and quality control;

- Authorised personnel from our processors.

It should be noted that all these persons are subject to an obligation of competence and confidentiality and may be subject to disciplinary, judicial and/or administrative sanctions if they use the said data for purposes contrary to those set out above.

In addition, we have strong contractual safeguards regarding the processing of personal data by our processors and that access must be justified and authorised in advance by Swile.

🌐How does Swile secure data transfers to non-EU states, including the US ?


Swile favours the selection of processors located within the European Union and automatically subject to the obligations of the GDPR. In some cases, processors may be located and/or process certain data outside the European Union.

Swile ensures that all contracts with service providers processing personal data outside the European Union are concluded with adequate safeguards, in accordance with Article 46 of the GDPR, and that the European Commission's Standard Contractual Clauses in their most recent version are attached.

The latter systematically undertake to inform Swile in the event of receiving a judicial or administrative request for access to the data it holds. In these circumstances, Swile provides for internal measures to preserve the rights and freedoms of Users.

For any additional information on our processors, you can send a request for additional information to our Data Protection Officer (Article 9. Who to contact for all RGPD-related requests?).
- Financial organisations (banks, etc.) and supervisory bodies;
- Where appropriate, the relevant courts, mediators, accountants, auditors, lawyers, bailiffs, debt collection agencies;

- Third parties who may place cookies on your terminals (computers, tablets, mobile phones, etc.) when you give your consent (for more details, see our Cookie Management Charter);
- The Client employer of the Beneficiary and the Affiliates present on the Platform;
- Partner associations.

Your personal data will not be disclosed, exchanged, sold or rented without your prior express consent in accordance with the applicable legal and regulatory provisions.

👉 Main providers

In order to provide the Swile Card and the Platform, Swile uses processors. As part of its compliance, each of the processors is audited beforehand in order to determine the quality of the technical and organisational measures put in place as well as its level of security. Each relationship with a processor is governed by a specific data protection agreement and, if necessary, by Standard Contractual Clauses as specified above.

The main providers are :
- Amazon Web Service : for data hosting within the European Union (Datacenters are located in the Paris region, Ireland and Germany);
- Stripe : for the provision of the top-up functionality;
- Treezor : the EME, for the provision of a means of payment;
- Zendesk : for the processing of requests by the support service;
- Salesforce : for the processing of Customer and prospect identification data;
- Braze and Mailchimp : for sending emails (transactional and commercial) to Users.

Article 7. How does Swile keep your data safe ?

Swile takes to heart the preservation of the security of its information systems and the personal data it processes. Swile implements all technical and organisational measures necessary to ensure the security of our personal data processing and the confidentiality of the data we collect. This includes the implementation of the measures detailed below.

💻 Technical measures :

- Systematic encryption of data on the hosting servers during data transit (between the
application and the servers) and during storage.
- Strong password policy when creating the Beneficiary account and implementation of a captcha to limit attack attempts.

- Establishment of a dedicated SOC team for incident management, monitoring of security controls and continuous verification of the effectiveness of security measures
- Access to the Platform by Beneficiaries monitored and protected by a detection and prevention system :

- brute force attacks;
- access from multiple IP addresses;
- multiple accesses from a single IP address.

🕵 Organisational measures :

- Physical protection of premises and entry control ;
- Logging and traceability of connections ;
- Policy for the management of the authorisations of each staff member who may have access to the data;
- Authentication procedures for persons accessing the data with personal and secure access via confidential identifiers and passwords.

Article 8. For how long are the data kept ?

♻️ Data life cycle at Swile for a Beneficiary :

1) Onboarding : creation and administration of the Beneficiary account: data is processed and collected for the life of the account, until it is closed. 

2) Use of the Services : the data are collected and processed to ensure the performance of the Services kept, at least, for the duration of the use of the Services.

3) Off-boarding : Closing of the Beneficiary's account: archiving in an intermediate database until the limitation period in terms of the fight against fraud and/or money laundering has expired (5 years from the closing of the account).

4) Final data purge : Swile's internal purge mechanism for deletion from all databases.

The archived data are only accessible by the legal, compliance and IT departments in order to investigate fraudulent use of the Services.

🕔 Details of retention periods by category of data

Article 9. Who to contact for all requests related to RGPD ?

Swile has appointed a Data Protection Officer who will be able to respond to all your requests, including the exercise of your rights, relating to your personal data.
You can reach him at :
- 📧 By email to the following address: dpo@swile.co ;
- 💌 By post: Swile -Service DPO, IMMEUBLE L'ALTIS BATIMENT A @ 7CENTER, 561 RUE GEORGES MELIES, 34000 MONTPELLIER.

Article 10. What are your rights ?

In accordance with the Applicable Regulations, you have the following rights (read more):

- right of access(article 15 RGPD), rectification (article 16 RGPD), update, completeness of your data;
- right to erasure(or "right to b e forgotten") of your personal data (Article 17 GDPR), where it is inaccurate, incomplete, equivocal, out of date, or where its collection, use, disclosure or retention is prohibited. The exercise of this right may be limited by a legal obligation to retain data for the purposes of combating fraud and/or money laundering;
- right to withdraw your consent at any time (Article 7 GDPR);
- right to restrict the processing of your data (Article 18 GDPR) in case of dispute;
- right to object to the processing of your data (Article 21 RGPD) systematically in the case of canvassing and subject to the justification of compelling legitimate reasons in other cases. To find out more about how to unsubscribe from Swile communications, see article 11 of our privacy policy ;
- right to portability of the data you have provided to us, where your data is subject to automated processing based on your consent or on a contractual commitment (Article 20 GDPR).

You can exercise your rights, provided you can prove your identity, by contacting our Protection Officer at the above addresses.

If you wish to close your Swile account and you are still an employee of the company that subscribed to a Swile offer, we invite you to contact your employer so that you can no longer benefit from the services subscribed to with Swile.

Finally, you may also lodge a complaint with the supervisory authorities, in particular the CNIL or any other competent authority.

Article 11. How to unsubscribe from Swile communications?

Swile may send you various communications.

1. Marketing/commercial communications

We may send you marketing/commercial communications in the context of :

- marketing campaigns (Swile news, etc.)

- sales prospecting campaigns

- competitions

You can opt out of receiving this type of communication at any time by clicking on the unsubscribe link (see below) included in each of our communications.

2. Customer satisfaction surveys

Once you have been in contact with our customer services, a satisfaction survey may be sent to you by email. Your feedback will enable us to continually improve.

An unsubscribe link is also included in these emails so that you do not receive them in the future.

3. Communications strictly related to our services

We may also send you communications relating to your transactions (payment failure, new credit on your meal vouchers, etc.) and to the operation of our services (development of a feature, maintenance operations, etc.).

You cannot unsubscribe from this type of communication, as it enables us to provide you with essential information about the services you use.

If you continue to receive e-mails from Swile after unsubscribing

As mentioned above, if you unsubscribe from marketing communications or satisfaction surveys, we will continue to use the contact information you have provided to send you communications strictly related to our services.

Please note that once you close your Swile account, you will no longer receive the above communications from Swile. To learn more about closing your account, please see sections 9 and 10 of our privacy policy.

Article 12. Why does Swile keep certain data for anti-fraud and/or anti-money laundering purposes after your account has been closed ?

Swile has legal and regulatory obligations to prevent :
- Tax fraud (required by Article 1649 AC of the General Tax Code);
- Money laundering and terrorist financing (LCB-FT) (required by Article L561-12 of the Monetary and Financial Code).

Thus, some of your data cannot be permanently deleted after the closure of your account and will be archived for a period of 5 years after the closure of your account.

As part of these obligations, Swile retains the following personal data, where applicable:
- Personal data that you have communicated to us, such as your identification data, your professional situation (status of employee or ex-employee of a Swile client company), your economic or banking information;
- The data collected in the context of the subscription and use of your accounts and products subscribed to, such as banking operations and transaction data, type of product subscribed to, method of payment, etc;
- The data collected when browsing our sites or applications;
- Data from correspondence and communications.

Article 13. Connection data, cookies

For the proper functioning of the Platform and Services, we use connection data (date, time, Internet address, visitor's computer protocol, page consulted) and cookies (small files saved on your computer) to identify you, to remember your visits, and to benefit from audience measurements and statistics, particularly relating to the pages consulted.

Some cookies are "unnecessary" and allow us to improve the quality of our Service and to offer you solutions in line with your needs and habits.

For the latter, Swile obtains your consent prior to their deposit through a dedicated banner when you first connect to the Platform.
For more information you can consult our Cookie Management Policy.