Cirkkle Personal Data Protection Policy

Cirkkle, a simplified joint-stock company with a capital of 17,335 euros, whose registered office is located at 249 rue Lecourbe, 75015 Paris, France, registered in the Paris trade and companies register under the number 918 626 193.

Aware of the importance of respecting the privacy and the fundamental freedoms and rights of its Users, Cirkkle is committed to being a trusted player in the processing of their personal data, outlining below its policy for the protection of personal data.

1. DEFINITIONS

Without prejudice to the specific definitions that may be contained in this data protection policy, the terms hereinafter have the following meanings:

Application: refers to the mobile application and website www.cirkkle.com allowing access to the Services.

Circle(s): has the meaning given to it in Article 4.3.2 of the Terms of Use.

Client Account: refers to the account and personal space that is reserved for the User after registration on the Application containing up-to-date information about the User, and allowing access to the Services.

General Terms of Use or GTU: refers to the general conditions of use for Users.

Data: refers to any information relating to an identified or identifiable natural person within the meaning of Article 4.1 of the GDPR.

Policy: refers to this data protection policy.

Regulation: refers to the set formed by Regulation (EU) No. 2016-679 of April 27, 2016 and the

Without prejudice to any specific definitions that may be included in this Personal Data Protection Policy, the terms below shall have the following meanings:

Application: refers to the mobile application and website www.cirkkle.com, which provide access to the Services.

Circle(s): has the meaning given to it in Article 4.3.2 of the Terms and Conditions of Use (TCU).

Customer Account: refers to the account and personal space reserved for the User after registration on the Application, containing up-to-date information about the User and providing access to the Services.

Terms and Conditions of Use or TCU: refers to the general terms and conditions of use for Users.

Data: refers to any information relating to an identified or identifiable natural person within the meaning of Article 4.1 of the GDPR.

Policy: refers to this Personal Data Protection Policy.

Regulations: refers to the set formed by EU Regulation No. 2016/679 of April 27, 2016, and the French "Informatique et Libertés" Law of January 6, 1978, in its latest version in force.

GDPR: refers to EU Regulation No. 2016/679 of April 27, 2016.

Service(s): refers to one or more services provided by Cirkkle, as defined in Article 3 of the TCU.

Website: refers to Cirkkle's website, accessible at the following address: www.cirkkle.com.

User(s): refers to individuals registered on the Application in accordance with the procedure set out in the TCU.

Without prejudice to the specific definitions that may be contained in this personal data protection policy, the terms below have the following meanings:

Application: refers to the mobile application and website www.cirkkle.com allowing access to the Services.

Circle(s): has the meaning given to it in Article 4.3.2 of the Terms of Use.

Client Account: refers to the account and personal space reserved for the User after their registration on the Application containing up-to-date information about the User, and allowing access to the Services.

General Terms of Use or GTU: refers to the general terms of use for Users.

Data(s): refers to any information relating to an identified or identifiable natural person as defined in Article 4.1 of the GDPR.

Policy: refers to this personal data protection policy.

Regulation: refers to the set formed by Regulation (EU) No. 2016-679 of April 27, 2016, and the "Data Protection Act" of January 6, 1978, in its latest version in force.

GDPR: refers to Regulation (EU) No. 2016-679 of April 27, 2016.

Service(s): refers to one or more services provided by Cirkkle as defined in Article 3 of the GTU.

Site: refers to the Cirkkle website, accessible at the following address: www.cirkkle.com.

User(s): refers to individuals registered on the Application according to the procedure provided for in the GTU.

Without prejudice to the specific definitions that may be contained in this data protection policy, the terms below have the following meanings:

Application: refers to the mobile application and website www.cirkkle.com providing access to the Services.

Circle(s): has the meaning given to it in article 4.3.2 of the TOS.

Client Account: refers to the account and personal space reserved for the User after their registration on the Application containing up-to-date information about the User, and allowing access to the Services.

General Terms of Use or TOS: refers to the general terms of use for Users.

Data: refers to any information relating to an identified or identifiable natural person within the meaning of article 4.1 of the GDPR.

Policy: refers to this personal data protection policy.

Regulation: refers to the set formed by the EU Regulation No. 2016-679 of April 27, 2016, and the "Informatics and Freedoms" Law of January 6, 1978, in its latest version in force.

GDPR: refers to the EU Regulation No. 2016-679 of April 27, 2016.

Service(s): refers to one or more services provided by Cirkkle as defined in article 3 of the TOS.

Site: refers to Cirkkle's website, accessible at the following address: www.cirkkle.com.

User(s): refers to the individuals registered on the Application according to the procedure laid out by the TOS.

2. OBJECT OF THIS PERSONAL DATA PROTECTION POLICY

The Policy applies to all Users, prospects of Cirkkle, and more generally to all consumers within the meaning of the preliminary article of the Consumer Code.

It is regularly updated to reflect changes in Cirkkle's practices as well as potential changes in Regulation. Cirkkle invites its Users to consult it regularly to be aware of any modifications or updates made.

3. KEY PRINCIPLES

By this Policy, Cirkkle, in its capacity as data controller, wishes to inform its Users about the categories of Data collected, the processes carried out and the reasons for which they are carried out, as well as their rights and the means of contact or recourse available to them.

Attaching great importance to the protection and respect of the privacy of its Users, Cirkkle also wishes to inform them about the implementation of appropriate organizational and technical measures and the conduct of continuous controls to ensure the confidentiality and security of the Data.

Cirkkle strives with the utmost vigilance to maintain a high standard of security and confidentiality of its Users' Data by educating its employees and business partners and training its staff on Data protection, by implementing tools and establishing practices aimed at obfuscation, anonymization, encryption, and the cryptography of data to ensure the protection of the Data.

4. DATA CONTROLLER

The entity that collects and processes the Data is Cirkkle, a simplified joint-stock company with a capital of 17,335 euros, registered with the Paris Trade and Companies Register under the number 918 626 193, whose registered office is located at 249 rue Lecourbe Paris 75015.

Cirkkle will collaborate, under mandate, with payment institutions and electronic money institutions accredited by the Prudential Control and Resolution Authority (ACPR), all jointly responsible for the processing of Users' personal data, within the meaning of Article 26 of the GDPR.

Thus, Cirkkle and these institutions jointly define the purposes and means of these processes. Users' Data are only shared with these co-responsible processors for the purpose of executing the contracts established between Users and Cirkkle.

The list of these service providers will be enumerated below as soon as the mandate contracts are completed:

  • CentralPay

Cirkkle and these entities are bound by mutual information obligations, particularly regarding the following events:

  • Any violation of Users' Data;

  • Any recourse to a new subcontractor performing processing of Users' Data outside the European Economic Area (EEA) and on behalf of Cirkkle

In the context of providing optional services, Cirkkle may also communicate Users' Data to its partners.

5. COLLECTION OF CONSENT

The Policy is brought to the Users' attention prior to their use of the Services, during their registration on the Application, any creation of a Client Account being subject to the acceptance by the User concerned of a form containing the following mention:

"I accept the T&Cs and the personal data protection policy"

6. TYPOLOGY OF INFORMATION COLLECTED BY CIRKKLE

As the data controller within the meaning of the GDPR, Cirkkle collects and processes various information.

These include:

  • Information provided directly by the User, particularly during registration for the Service and identity verification, when using the Services, and more generally the Application, or when contacting Cirkkle support;

  • Information collected indirectly during the User's use of the Service, particularly when making payment transactions, viewing certain content, and subscribing to certain additional services within the Application.

6.1 Information provided directly by the User

Creation of a Customer Account

As part of the creation of their Customer Account, the User is invited to provide the following information: last name, first name, title, email address, phone number, date and place of birth, country. They also choose their password and can associate a profile picture with their Customer Account.

Creation of Circles

As part of the creation of a Circle, the User can add a name to the Circle. This information will be disclosed to other Users participating in the Circle.

Identity Verification

In order to verify the User’s identity, as part of the Know Your Customer (KYC) procedure, and to comply with current regulations, Cirkkle may also collect the following information from the User: proof of identity, socio-professional category, country and city of birth, domicile address in France, IBAN and banking references.

6.2 Information collected indirectly while using the Services

Collection of Usage Information

Cirkkle collects information regarding the User's interactions with the Cirkkle application, such as content views, completed transactions, or more generally, their use of the application (for example, the date when the User linked their credit cards to the Application).

Connection and Device Data

Cirkkle automatically collects connection and device data when the User uses the Service. This information includes, among other things, their IP address, access dates and times to the Cirkkle Service, data about their computing or mobile device hardware, data associated with their device usage, unique identifiers, crash data, or cookies.

Transaction and Financial Data

Cirkkle collects the following information for each transaction made by card or bank transfer: date, amount, sender, recipient. Cirkkle collects the following information for each internal transfer made within the Application: type of transfer (from the User to the Circle or from the Circle to the User), date, and amount. As stated above, during the User's identity verification, they are required to provide their banking references and IBAN.

Contacts Using Cirkkle

The User can link their contact directories to the Application. To connect a contact present in the User's address book with a User who has just registered for the Application, Cirkkle needs to collect the numbers present in the User's address book. Cirkkle does not use this information for any other purpose and only needs a fingerprint of this Data. That is why this information is transmitted and stored encrypted, with a one-way public key. This feature can be disabled by the User from the application's Settings screen.

Communications with Cirkkle Support

Cirkkle retains the history of communications that the User may have had with Cirkkle support, such as email exchanges, phone conversations, or a summary of phone calls.

Tracking Actions Taken by Cirkkle Employees

Cirkkle employees may be required to intervene in the management of Customer Accounts. In this case, the actions taken are also kept in the form of comments (for example, a Customer Account may be temporarily blocked if fraud is suspected).

7. PURPOSES OF THE INFORMATION COLLECTED BY CIRKKLE AND RETENTION PERIOD

The legal basis allowing Cirkkle to process the Data depends on the purpose for which it is collected. Cirkkle may be required to process User Data in order to:

Cirkkle may be required to process User Data in order to:

When the collection is carried out on the basis of a contract:

  • Allow them to create and/or manage their Customer Account;

  • Verify their identity in the context of creating a Customer Account;

  • Keep them informed about their ongoing, completed, and upcoming transactions and about the Services;

  • Provide them with the Services;

  • Allow them to communicate with Cirkkle Support in order to get answers to their questions or requests;

  • Inform them that some of their contacts are using the Cirkkle application.

In this context, the Data may be retained for a period of 5 years from the end of the business relationship or, where applicable, following any recovery and/or judicial procedure, or upon the expiration of applicable limitation periods.

When the collection is carried out on the basis of the User's consent:

  • Manage reward programs, lotteries, contests, or other promotional activities or events supported or managed by Cirkkle or its business partners;

  • Calculate levels of progress and reward entitlements based on payment transactions made with Cirkkle Services.

In this context, the Data may be retained for a period of 5 years from the end of the business relationship, except in the case of commercial prospecting, where the Data may be retained for a period of 3 years from the end of the business relationship, or for prospects, from the last contact.

When the collection is carried out on the basis of Cirkkle's legitimate interests:

  • Make any necessary changes to the Terms of Service and the Policy;

  • Resolve any disputes that Cirkkle may have with its users and enforce contracts established with third parties;

  • Manage the reliability and security of transactions;

  • Assess the effectiveness of messages sent by Cirkkle and adapt them to users;

  • Identify Users to allow them to access the services they have subscribed to (for example, in case they forget their password) and authenticate their identity information (for example, by comparing the photo of their identity document with another photo taken by the User using their mobile phone);

  • Understand and analyze how Users use the services and the Cirkkle application in order to offer and/or develop new offers in line with their needs.

In this context, the Data may be retained for a period of 5 years from the end of the business relationship or, where applicable, following any recovery and/or judicial procedure, or upon the expiration of applicable limitation periods.

When the collection is carried out on the basis of legal obligations:

  • Respond to any request from a competent authority (governmental, regulatory, administrative, or judicial);

  • Detect and prevent criminal offenses, fraud, abuse, security incidents, and other activities unauthorized by Cirkkle (for example, gambling, the sale of means of payment);

  • Ensure the protection of the Data and respect for Users' rights over the Data;

  • Enable Cirkkle to ensure compliance with the law and regulations, particularly its obligations regarding customer knowledge (Know Your Customer) or financial security (anti-money laundering and counter-terrorism financing).

In this context, the Data may be retained for a period ranging from 5 to 20 years from the event generating the obligation as provided by the applicable regulation.

8. RECIPIENTS OF THE DATA
8.1 Initial recipient

The recipient of the Data is, first and foremost, Cirkkle in its capacity as data controller.

The Data is not subject to any transfer and/or disclosure to third parties except for those designated below.

8.2 Internal and affiliated recipients

The data may be processed by the internal collaborators of Cirkkle, its employees, and legal representatives.

8.3 Partners, operational service providers, subcontractors, and suppliers of Cirkkle

Some data may be transmitted and/or disclosed by Cirkkle to its partners, operational service providers, subcontractors, and suppliers, provided that these recipient third parties:

  • Are subject to regulations ensuring a sufficient level of protection, particularly in the context of combating money laundering and the financing of terrorism, and comply with the requirements of the Regulation;

  • Implement all necessary technical and organizational measures continuously to retain the data and ensure a sufficient level of protection, particularly in the context of combating money laundering and the financing of terrorism.

In any case, these recipient third parties only have access to the data that is strictly necessary for the execution of the contracts established with Cirkkle.

As of today, Cirkkle's partners and service providers are as follows:

  • CentralPay,

  • Onfido,

  • Prelude,

  • Brevo,

  • Amazon Web Services.

8.4 Legal or regulatory disclosure

Cirkkle may transmit and/or disclose information related to its Users, including their Data, to competent authorities (governmental, regulatory, administrative, or judicial), if the law requires or permits it, or if such disclosure is reasonably deemed necessary:

  • In the context of Cirkkle's compliance with its legal and regulatory obligations;

  • In order to respond to any request, claim, action, or complaint made against Cirkkle;

  • For the purposes of executing and administering Cirkkle's General Terms of Use;

  • To protect the rights, property, or personal safety of Cirkkle, its employees, its users, or the public.

8.5. Applicable principles for Data Transfers

Cirkkle stores User Data in the European Union. However, it is possible that the Data may be transferred and/or disclosed to other countries, including outside the European Union or the European Economic Area (EEA).

In such cases, Cirkkle ensures that the processing is carried out in accordance with the Policy and framed by a contractual arrangement that guarantees a level of protection similar to that ensured by the Regulation.

9. COMMERCIAL PROSPECTING

In accordance with applicable legislation and with the User's consent where required, Cirkkle may use the personal data of its Users for marketing purposes (for example, to send them newsletters, invitations to events, or any other communication that may interest them and display targeted advertisements on social media platforms or third-party sites).

Regarding the newsletter communicated by email, the User can withdraw their consent to receive it at any time by adjusting their preferences in the Application, by clicking on the unsubscribe link provided in each of Cirkkle's communications, or by contacting Cirkkle support via email at: contact@cirkkle.com.

Regarding targeted advertising on social networking platforms (for example, Facebook, Instagram, X), the User can object to this processing at any time by configuring the advertising settings of their account on those platforms.

10. USERS' RIGHTS

In accordance with the Regulation, Users have the following rights regarding the collection and processing of their Data:

  • Right of access: the right to obtain from Cirkkle confirmation as to whether or not the Data is being processed and, where applicable, to obtain information about such processing; the right to request a copy of the Data being processed;

  • Right of rectification: the right to request the update of the Data when it is incorrect or incomplete;

  • Right to erasure (right to be forgotten): the right to request, in certain cases, the deletion of the Data;

  • Right to restriction of processing and to object: the right to object to the processing or to request, in certain cases, to restrict all or part of the processing;

  • Right to data portability: the right to obtain the Data in a structured, commonly used, and machine-readable format;

  • Right to withdraw consent when the processing is based on it.

The exercise of these rights is carried out according to the procedures established in Article 12 of the Policy.

11. LINKS TO OTHER WEBSITES AND SOCIAL NETWORKS

Cirkkle communications may occasionally contain links to the websites of its partners or third-party companies (social networks).

These websites have their own privacy policies, and Cirkkle disclaims any responsibility for the use made by these sites of the information collected when the User clicks on or follows these links to external content.

12. CONTACT

For any questions regarding this personal data privacy policy or for any requests regarding personal data, the User can contact the Data Protection Officer of Cirkkle:

  • By email at the address contact@cirkkle.com;

  • By mail at the following address: Cirkkle, 249 rue Lecourbe, 75015 Paris.

Cirkkle, a simplified joint-stock company with a capital of 17,335 euros, whose registered office is located at 249 rue Lecourbe, 75015 Paris, France, registered in the Nanterre trade and companies register under number 918 626 193, is registered with ORIAS as a crowdfunding intermediary (IFP) under number 23004412. Cirkkle is a payment service provider (#736637) of CentralPay, an authorized electronic money institution (CIB 17138) in France and regulated by the ACPR (Prudential Control and Resolution Authority, 4 place de Budapest – CS 92459 – 75436 PARIS Cedex 09).

Cirkkle, a simplified joint-stock company with a capital of 17,335 euros, whose registered office is located at 249 rue Lecourbe, 75015 Paris, France, registered in the Nanterre trade and companies register under number 918 626 193, is registered with ORIAS as a crowdfunding intermediary (IFP) under number 23004412. Cirkkle is a payment service provider (#736637) of CentralPay, an authorized electronic money institution (CIB 17138) in France and regulated by the ACPR (Prudential Control and Resolution Authority, 4 place de Budapest – CS 92459 – 75436 PARIS Cedex 09).

Cirkkle, a simplified joint-stock company with a capital of 17,335 euros, whose registered office is located at 249 rue Lecourbe, 75015 Paris, France, registered in the Nanterre trade and companies register under number 918 626 193, is registered with ORIAS as a crowdfunding intermediary (IFP) under number 23004412. Cirkkle is a payment service provider (#736637) of CentralPay, an authorized electronic money institution (CIB 17138) in France and regulated by the ACPR (Prudential Control and Resolution Authority, 4 place de Budapest – CS 92459 – 75436 PARIS Cedex 09).

Cirkkle, a simplified joint-stock company with a capital of 17,335 euros, whose registered office is located at 249 rue Lecourbe, 75015 Paris, France, registered in the Nanterre trade and companies register under number 918 626 193, is registered with ORIAS as a crowdfunding intermediary (IFP) under number 23004412. Cirkkle is a payment service provider (#736637) of CentralPay, an authorized electronic money institution (CIB 17138) in France and regulated by the ACPR (Prudential Control and Resolution Authority, 4 place de Budapest – CS 92459 – 75436 PARIS Cedex 09).