Preamble
LégalPrivacy policy

Privacy policy

Last update: 01/13/2025

Preamble

This Privacy Policy is addressed to Users and aims to inform them about how their personal information may be collected and processed.

Respecting privacy and personal data is a priority for Swile, which is why we are committed to processing such data in full compliance with the applicable regulations on personal data protection (hereinafter referred to as the “Applicable Regulation”), particularly the French Data Protection Act of January 6, 1978 (hereinafter the “LIL”), as amended, and the General Data Protection Regulation (EU) of April 27, 2016 (hereinafter the “GDPR”).

In this regard, Swile ensures:

  • Respect for privacy protection by default and from the design stage of its applications;
  • Lawful, fair, and transparent data processing for legitimate and specific purposes;
  • Enabling Users to exercise their rights at any time.

Additionally, Swile commits to:

  • Never selling your personal data under any circumstances;
  • Applying a rigorous process for selecting its subcontractors and ensuring they have an adequate level of personal data protection through appropriate organizational and technical measures;
  • Hosting data securely, in accordance with the recommendations of data protection authorities.

Article 1. Definitions

Affiliate: Refers to the partner merchant of Swile who can accept the use of the Swile Card as a means of payment at its point(s) of sale, website(s), online platform(s), and/or application(s), in accordance with the eligibility conditions defined by Swile.

Entitled Persons: A natural person belonging to the tax household of a Beneficiary.

Beneficiary: Refers to the individual receiving Swile’s services, an employee within a company that is part of the Client's group.

Swile Card: Refers to the nominative chip card offered by Swile to Beneficiaries, allowing payments to eligible merchants in accordance with the regulations applicable to the Services.

Client: Refers to the company or the Social and Economic Committee (the "CSE") that has subscribed to one of the offers proposed by Swile for the use of the Services and the provision of the Services to Beneficiaries.

"EMI": Depending on the configuration made by Swile and according to the Services, refers to :

(i) either Treezor SAS, an electronic money institution authorized by the Autorité de Contrôle Prudentiel et de Résolution, 4 Place de Budapest 75436 PARIS CEDEX 09, listed on www.regafi.fr under the number 16798;

(ii) or Swile Payment, an electronic money institution authorized by the Autorité de Contrôle Prudentiel et de Résolution, 561 rue Georges Melies 34000 Montpellier, listed on www.regafi.fr under the number 17508.

Beneficiary Space: Refers to the configuration interface made available to the Beneficiary by Swile.

Client Space: Refers to the administration interface made available to the Client by Swile.

Identifier: Refers to the combination of the email address and password chosen by the Beneficiary or the Client during their registration on the Platform, which allows access to their Space.

Platform: Refers to the website accessible at www.swile.co and the mobile application “Swile,” published by Swile, as well as all its graphical, audio, visual, software, and textual components. The Platform is the exclusive property of Swile.

Third-Party Service Platforms: Refers to all intermediaries providing various types of Services accessible to the Beneficiary (meal delivery platforms, etc.).

Services: Refers to the services offered by Swile, particularly through the Platform. The Services are detailed in the applicable conditions.

Swile : Refers to Swile, a simplified joint-stock company, whose registered office is located at @7Center, Immeuble L’Altis, Bâtiment A, 561 rue Georges Meliès – 34000 Montpellier, registered with the Trade and Companies Register of Montpellier under number 824 012 173, represented by M. Loïc Soubeyrand.

Users: Refers to all categories of users of the Platform. The following are considered Users:

  • Beneficiaries;
  • Clients;
  • Affiliates.

"Wallet(s)": Refers to an electronic money account opened by a Beneficiary in the records of the EMI for the purposes of the Wallet Service.

Article 2. Why Swile Processes Your Personal Data (Description of Purposes, Data Subjects, Categories of Data Processed, Legal Basis, and Retention Period)

Depending on the level of determination by Swile regarding the purposes and means of data processing, Swile will alternatively act as either a data controller or a data processor on behalf of the Client or the EMI.

👨‍💼 A. Swile as Data Controller

🎛 Management and Use of the Platform

💳 Functioning of the Swile Card and Associated E-Wallets

✚ Additional Features Based on the Subscribed Offer

🤝Accounting and Commercial Management with Clients and Affiliates

📬Marketing Operations

👷‍♂️B. Swile as Data Processor 

1. Swile as a Processor for the Client

👉Common Purposes in the Provision of Meal Vouchers, Gift Vouchers, and Mobility Offer

🍔Purposes Specific to the Provision of Meal Vouchers

🎁Purposes Specific to the Provision of Gift Vouchers and Cultural Checks

🫂Purposes Specific to the Provision of the "Mon CSE" Offer

🚲 Purposes Specific to the Provision of the Mobility Offer

2. Swile as a Data Processor for the EMI

🏛️ Purposes Specific to Swile as a Data Processor for the Electronic Money Institution

You can find below the details of the personal data concerning you that we may process :

💼 Client Identification Data
Details of personal data processed:

  • Names, first names, and email addresses of administrators and/or executives;
  • Data necessary for client authentication (KYB).

🙋 Beneficiary Identification Data
Details of personal data processed:

  • Title;
  • Last name;
  • First name;
  • Phone number;
  • Email address (professional or personal, depending on the case);
  • Personal postal address, if applicable;
  • Internal identification code;
  • Date of birth.

    👋🏻 Personal Life Data of Beneficiaries
    Details of personal data processed:
  • Marital status;
  • Dependent children;
  • Identification data of entitled persons;
  • Official documents.

👔 Professional Life Data
Details of personal data processed:

  • Professional email address, if applicable;
  • Company where the Beneficiary works;
  • In the case of Client representatives, the position held within the Client's company.

📱 Technical Data Related to the Use of the Platform
Details of personal data processed:

  • IP address;
  • Mobile identifier;
  • Unique identifier generated by Swile;
  • Logs;
  • Cookies;
  • Connection data.

Optional Data:

  • Geolocation.

💰 Financial and Transactional Data
Details of personal data processed:

  • Bank account details (RIB);
  • Transaction history;
  • Donations to associations;
  • Payment methods;
  • Information related to a transaction;
  • Information regarding shared funds and reimbursements.

Article 3. How Personal Data is Collected?

As part of providing the Services, Swile collects personal data concerning Users either directly or indirectly for the purposes mentioned below.

Indirectly Collected Data :

  • Collected by the Client concerning the Beneficiary : When the Client subscribes to the Services, certain data of the Beneficiaries is directly imported by the Client to allow them access to the features of the Platform.

Directly Collected Data :

  • Collected from the Beneficiary : When the Beneficiary fills in or updates their personal information in their Space, when they browse the Platform, and when a transaction is carried out using the Swile Card.
  • Collected from the Client and the Affiliate : When they provide the necessary data for the execution of the contracts they enter into with Swile.

Article 4. Who Are the Recipients of the Data ?

Swile may transmit your data to its processors solely for the purpose of performing part of the Services.

Swile conducts prior audits and documents all organizational and technical measures implemented by its processors.

Swile systematically ensures the implementation of sufficient security measures to maintain an adequate level of protection throughout the data lifecycle.

As a result, Swile ensures that processed personal data is not readable in plain text and is systematically encrypted. Therefore, without the encryption key, the data remains inaccessible, even to a foreign judicial or administrative authority.

Swile also ensures the establishment of strong contractual guarantees by imposing a Data Processing Agreement (DPA) adapted to its sector of activity.

You may request access to documents ensuring appropriate contractual safeguards by contacting our Data Protection Officer (DPO) via email at dpo@swile.co, or by mail addressed to Swile – DPO Service, IMMEUBLE L'ALTIS BATIMENT A @ 7CENTER, 561 RUE GEORGES MELIES, 34000 MONTPELLIER, FRANCE.

Within the scope of their respective roles and for the specified purposes, the individuals who may have access to your data are as follows:

  • Authorized personnel from our research and development, marketing, sales, administrative, logistics, legal, and IT departments, responsible for improving our services, customer relations, prospecting, and quality control;
  • Authorized personnel from our processors.

    It is important to note that all these individuals are subject to an obligation of competence and confidentiality and face disciplinary, judicial, and/or administrative sanctions in the event of misuse of the data for purposes other than those specified above.
  • Additionally, we maintain strong contractual guarantees regarding the processing of personal data by our processors, and access to such data must be justified and pre-approved by Swile.

🌐 How Does Swile Secure Data Transfers to Countries Outside the European Union, Including the United States ?

Swile prioritizes the selection of processors located within the European Union, who are by default subject to the obligations of the GDPR. In certain cases, processors may be located and/or process some data outside the European Union.

Swile ensures that all contracts with service providers processing personal data outside the European Union include appropriate safeguards in accordance with Article 46 of the GDPR and attach the most recent version of the European Commission’s Standard Contractual Clauses (SCCs).

These providers are systematically required to notify Swile if they receive any judicial or administrative request for access to the data they hold. In such circumstances, Swile has implemented internal measures to safeguard the rights and freedoms of the Users.

Your personal data is neither disclosed, exchanged, sold, nor rented without your prior explicit consent, in accordance with applicable legal and regulatory provisions.

🔋 Main Service Providers

To provide the Swile Card and the Platform, Swile relies on subcontractors. As part of its compliance process, each subcontractor is audited beforehand to assess the quality of the technical and organizational measures implemented, as well as their security level. Each relationship with a subcontractor is governed by a specific Data Processing Agreement (DPA) and, when necessary, by Standard Contractual Clauses as specified above.

The main service providers are as follows:

  • Amazon Web Services (AWS): For data hosting in France.
  • Treezor or Swile Payment: The EMI (Electronic Money Institution) for providing a payment solution.
  • Zendesk: For handling support requests.
  • Salesforce: For processing Client and prospect identification data.
  • Braze: For sending emails (transactional and commercial) to Users.

Article 5. How Does Swile Protect the Security of Your Data ?

Swile is committed to preserving the security of its information systems and the personal data it processes. Swile implements all necessary technical and organizational measures to ensure the security of personal data processing and the confidentiality of the data it collects. This includes the implementation of the measures detailed below :

🧑‍💻 Technical Measures

  • Systematic encryption of data on hosting servers during data transmission (between the application and servers) and data storage;
  • Strong password policy for Beneficiary account creation, along with a captcha system to limit attack attempts;
  • Establishment of a dedicated Security Operations Center (SOC) team for incident management, security control monitoring, and continuous verification of the effectiveness of security measures;
  • Beneficiary access to the Platform is monitored and protected by a detection and prevention system against:
  • - Brute-force attacks;
  • - Access from multiple IP addresses;
  • - Multiple access attempts from a single IP address.

🕵️‍♂️ Organizational Measures

  • Physical protection of premises and entry control;
  • Logging and traceability of connections;
  • Authorization management policy for personnel with access to data;
  • Authentication procedures for personnel accessing data, with secure personal access using confidential credentials and passwords.

Article 6. What Is the Lifecycle of Personal Data at Swile ?

♻️ Data Lifecycle at Swile for a Beneficiary

Onboarding: Account Creation and Administration

The employer provides Swile with the personal data of its employee Beneficiaries necessary for account creation.

Swile processes this data for the entire duration of the Beneficiary's account life, until its closure.

  1. Use of Services:
  2. Data is collected and processed by Swile to ensure the proper functioning of the Services.
  3. These data are kept in the active database for the duration of the Services’ use.
  4. Off-boarding:
    Account Closure:     A Beneficiary account can be closed if:
  5. A Beneficiary requests it and is no longer employed by the Client using Swile's services.
  6. A Beneficiary is inactive (e.g., death, no account activity for a certain period).
  7. A Client requests Swile to close a Beneficiary account.

⏳Data Retention

- When Swile acts as Data Controller :

From the account closure date, data necessary for the prevention of external fraud, money laundering, and terrorist financing (AML/CFT) is archived for 5 years after account closure.

Archived data is accessible only to the legal, compliance, and IT departments to conduct investigations into fraudulent use of the Services.

Final Data Deletion: All data stored in intermediate archives is permanently deleted 5 years after account closure.

- When Swile acts as Data Processor :

Data processed in this capacity is retained according to the Client’s instructions and no later than the end of the contractual relationship with the Client.

Upon contract termination, Swile deletes and, when feasible and relevant, returns the data processed as a data processor to the Client.

Article 7. Who to Contact for GDPR-Related Requests ?

Swile has appointed a Data Protection Officer (hereinafter referred to as the “DPO”) who can respond to all your requests, including the exercise of your rights concerning your personal data.

You can contact the DPO :

📧 By email: at the following address: dpo@sociétéA.com
💌 By mail: Swile – DPO Service, IMMEUBLE L'ALTIS BATIMENT A @ 7CENTER, 561 RUE GEORGES MELIES, 34000 MONTPELLIER, FRANCE

Article 8. What Are Your Rights ?

In accordance with the Applicable Regulation, you have the following rights (learn more):

  • Right of access (Article 15 GDPR), rectification (Article 16 GDPR), updating, and completion of your data.
  • Right to erasure (or "right to be forgotten") of your personal data (Article 17 GDPR) when the data is inaccurate, incomplete, ambiguous, outdated, or when its collection, use, communication, or retention is prohibited. The exercise of this right may be limited by a legal obligation to retain data for fraud prevention and/or anti-money laundering purposes.
  • Right to withdraw your consent at any time (Article 7 GDPR).
  • Right to restrict processing of your data (Article 18 GDPR) in cases of dispute.
  • Right to object to the processing of your data (Article 21 GDPR), which is automatic for direct marketing purposes and requires justification of compelling legitimate reasons in other cases. To learn more about unsubscribing from Swile communications, see Article 11 of our Privacy Policy.
  • Right to data portability for the data you have provided to us, when the data is subject to automated processing based on your consent or a contractual agreement (Article 20 GDPR).

You can exercise your rights, provided you verify your identity, by contacting our DPO.

If you wish to close your Swile account while still employed by a company that has subscribed to Swile’s services, we recommend reaching out to your employer to stop receiving services from Swile.

Finally, you also have the right to lodge a complaint with the supervisory authorities, including the CNIL (French Data Protection Authority) or any other competent authority.

Article 9. How to Unsubscribe from Swile Communications ?

At Swile, we may send you various types of communications.

1. Marketing/Commercial Communications

We may send you marketing and commercial communications, particularly in the context of :

  • Marketing campaigns (Swile news, updates, etc.)
  • Commercial prospecting campaigns
  • Contest and promotional events

You can opt out of receiving these types of communications at any time by clicking the unsubscribe link (see below) included in each of our messages.

2. Customer satisfaction surveys

When you have interacted with our services, a satisfaction survey may be sent to you by email. Your feedback helps us continuously improve our services.

An unsubscribe link is also included in these emails, allowing you to opt out of receiving future surveys.

3. Communications strictly related to our services

We may also send you communications strictly related to your transactions (e.g., payment failure, new credit of your meal vouchers) and the operation of our services (e.g., feature updates, maintenance notifications).

You cannot unsubscribe from these communications, as they provide essential information about the services you use. 

If You Continue to Receive Emails from Swile After Unsubscribing

As mentioned above, if you unsubscribe from marketing communications or satisfaction surveys, we will still use the contact details you provided to send you service-related communications only, as these are essential for the proper use of our services.

Please note that once your Swile account is closed, you will no longer receive the communications mentioned above from Swile. For more information about account closure, please refer to Articles 9 and 10 of our Privacy Policy.

Article 10. Why Does Swile Retain Certain Data for Fraud Prevention and Anti-Money Laundering Purposes After Your Account Is Closed ?

Swile is subject to legal and regulatory obligations aimed at preventing:

  • External fraud – as a data controller.
  • Money laundering and terrorist financing (AML/CFT) – as required by Article L561-12 of the French Monetary and Financial Code.

As part of these obligations, Swile retains the following personal data, when applicable:

  • Personal data you have provided, such as your identification data, professional status (e.g., current or former employee of a Swile client company), and economic or banking information.
  • Data collected during the subscription and use of your accounts and subscribed products, such as transaction and banking operation data, product types, and payment methods.
  • Data collected during your navigation on our websites or applications.
  • Data from correspondence and communications.

Therefore, some of your data cannot be permanently deleted after the closure of your account and will be archived for 5 years from the date of account closure, in compliance with legal obligations.

Article 11. Connection Data and Cookies

For the proper functioning of the Platform and Services, we use connection data (date, time, IP address, protocol of the visitor's computer, pages viewed) and cookies (small files stored on your device) that help identify you, remember your visits, and provide audience measurement and statistical analysis, particularly concerning the pages you have viewed.

Some cookies, referred to as "non-essential", help us improve the quality of our Service and offer solutions tailored to your needs and habits.

For these non-essential cookies, Swile obtains your prior consent through a dedicated banner displayed during your first visit to the Platform.

For more information, you can consult our Cookie Management Policy.