DFNS is committed to the highest standards of data protection and to safeguarding the privacy of every individual whose personal data we process. This General Data Protection Regulation ("GDPR") Compliance Policy (the "Policy") explains how DFNS complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR"), the French Data Protection Act (Loi Informatique et Libertés n° 78-17 of 6 January 1978, as amended), and other applicable data protection laws.
This Policy supplements, and should be read together with, the DFNS Privacy Policy, the Terms and Conditions, and the Service Level Agreement. In the event of any conflict between this Policy and those documents in respect of the protection of personal data, this Policy prevails.
1. Scope and Application
This Policy applies to all processing of personal data carried out by DFNS where the GDPR applies, including:
- visitors to and users of the DFNS website (dfns.co) and related web properties;
- prospects, customers, and authorized representatives of customers who interact with DFNS in connection with our wallet-as-a-service platform and related services (the "Services");
- individuals who contact us, subscribe to communications, or attend our events; and
- any other natural person whose personal data DFNS processes in the course of its activities.
This Policy applies regardless of whether DFNS acts as a data controller or as a data processor. Where DFNS processes personal data on behalf of a customer in the course of providing the Services, DFNS acts as a data processor and the relevant data processing terms in the applicable DFNS agreement and Data Processing Agreement govern that processing.
2. Identity of the Data Controller
DFNS is a simplified joint-stock company (société par actions simplifiée) registered with the Trade and Companies Register of Paris under number 888 176 575, having its registered office at 142 rue de Rivoli, 75001 Paris, France ("DFNS", "we", "us", "our").
Where DFNS determines the purposes and means of the processing of personal data, DFNS is the data controller. Our data protection contact details are set out in Section 14.
3. Data Protection Principles
DFNS processes personal data in accordance with the principles set out in Article 5 of the GDPR. We ensure that personal data is:
- Lawful, fair, and transparent: processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- Purpose-limited: collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
- Data-minimized: adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
- Accurate: accurate and, where necessary, kept up to date, with reasonable steps taken to erase or rectify inaccurate data without delay;
- Storage-limited: kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of processing;
- Secure: processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
DFNS is accountable for, and able to demonstrate compliance with, each of these principles.
4. Lawful Bases for Processing
DFNS relies on one or more of the following lawful bases under Article 6(1) of the GDPR for each processing activity:
| Lawful basis | Typical processing activities |
|---|---|
| Consent (Art. 6(1)(a)) | Sending newsletters, marketing communications, and event invitations; the use of non-essential cookies and similar technologies. |
| Contract (Art. 6(1)(b)) | Creating and managing user accounts; providing and operating the Services; processing payments; managing the business relationship and support requests. |
| Legal obligation (Art. 6(1)(c)) | Compliance with accounting, tax, anti-money-laundering, know-your-customer, and other regulatory or statutory obligations to which DFNS is subject. |
| Legitimate interests (Art. 6(1)(f)) | Registration and prospection; fraud prevention and platform security; personalization of our offers; network and information security; the establishment, exercise, or defense of legal claims. |
Where DFNS relies on legitimate interests, we carry out a balancing assessment to ensure that our interests are not overridden by the interests or fundamental rights and freedoms of the data subject. You may request further information about any such assessment using the contact details in Section 14. Where we rely on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
5. Categories of Personal Data Processed
Depending on your interaction with DFNS, we may process the following categories of personal data:
- Contact data: email address, telephone number, and postal address.
- Identification data: first name, surname, country, job title, and company name.
- Account and relationship data: account credentials and authentication identifiers, subscription details, support and correspondence history, and contractual records.
- Connection and technical data: IP address, browser type and version, operating system and other software in your environment, mobile platform, technical identifier(s), error reports, and execution data.
- Usage and marketing data: preferences, communication and event-attendance history, and information derived from cookies and similar technologies.
DFNS does not seek to collect special categories of personal data (Article 9 GDPR) through its website or marketing activities. Where the provision of personal data is necessary to enter into or perform a contract, failure to provide it may prevent us from providing the Services.
6. Purposes of Processing
DFNS processes personal data for the following purposes:
- providing, operating, maintaining, and securing the Services and the website;
- creating and administering user accounts and authenticating users;
- managing the business and customer relationship, including support and billing;
- sending articles, newsletters, marketing materials, and event invitations, subject to applicable consent requirements;
- registration and prospection, and personalization of our offers;
- fraud prevention and ensuring the security and integrity of our systems;
- complying with legal, regulatory, and contractual obligations; and
- establishing, exercising, or defending legal claims.
7. Recipients of Personal Data
In accordance with the purposes set out in this Policy, DFNS may share personal data with:
- duly authorized DFNS employees and managers, who are subject to strict confidentiality obligations and access controls on a need-to-know basis;
- DFNS' affiliates and subsidiaries, where necessary to carry out the purpose for which the personal data was collected;
- service providers acting as processors on DFNS' behalf, including hosting, email, telephony, analytics, payment, and identity-verification providers; and
- administrative, judicial, or regulatory authorities and other authorized third parties, where required by applicable law or to protect our legal rights.
DFNS enters into written data processing agreements with all processors in accordance with Article 28 of the GDPR. DFNS does not sell personal data.
8. International Data Transfers
DFNS processes personal data primarily within the European Economic Area ("EEA"). Where personal data is transferred to a country outside the EEA, DFNS ensures that an appropriate safeguard under Chapter V of the GDPR is in place, which may include:
- a decision of the European Commission recognizing that the recipient country ensures an adequate level of protection (an "adequacy decision");
- Standard Contractual Clauses adopted by the European Commission;
- binding corporate rules; or
- another lawful transfer mechanism permitted under the GDPR.
You may request a copy of the relevant safeguards, or information about where you can obtain a copy, using the contact details in Section 14.
9. Data Retention
DFNS retains personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. The principal retention periods are:
| Purpose | Retention period |
|---|---|
| Management of prospect information | Three (3) years from the date of collection or from our last contact with the prospect. |
| Customer relationship and contractual data | For the duration of the contractual relationship and thereafter as required to comply with legal obligations and to defend legal claims. |
| Fraud prevention and legal claims | Only data necessary for pre-litigation or litigation purposes is archived until the applicable statute of limitations expires. The statute of limitations in civil and commercial matters is five (5) years. In the event of litigation, data is kept for the duration of the procedure and until the expiry of all ordinary and extraordinary remedies. |
| Management of cookies | The retention period for cookie data shall not exceed thirteen (13) months. |
At the end of the applicable retention period, personal data is securely deleted or anonymized.
10. Your Rights as a Data Subject
Subject to the conditions and exceptions set out in the GDPR, you have the following rights in relation to your personal data:
- Right of access: to obtain confirmation of whether we process your personal data and, if so, to obtain a copy of that data and information about the processing;
- Right to rectification: to have inaccurate personal data corrected and incomplete data completed;
- Right to erasure: to request the deletion of your personal data in certain circumstances (legal or regulatory provisions or legitimate grounds may require us to retain it);
- Right to restriction of processing: to request that we restrict the processing of your personal data in certain circumstances;
- Right to object: to object to processing based on our legitimate interests, and to object at any time to processing for direct-marketing purposes;
- Right to data portability: to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible;
- Right to withdraw consent: to withdraw any consent you have given at any time, without affecting the lawfulness of prior processing; and
- Rights relating to automated decision-making: not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, except as permitted by law.
DFNS does not carry out automated decision-making that produces legal or similarly significant effects on data subjects.
11. Exercising Your Rights
You may exercise your rights, and contact our data protection function, by email at legal@dfns.co or by post to: Data Privacy — 142 rue de Rivoli, 75001 Paris.
To protect your personal data, we may ask you to provide an official identity document to verify that you are the person concerned by the request. DFNS will respond to any request without undue delay and in any event within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests; in that case, we will inform you of the extension and the reasons for it within one (1) month of receipt of your request.
If you consider that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), at www.cnil.fr.
12. Data Security
DFNS implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are designed to protect the confidentiality, integrity, and availability of personal data and include, where appropriate:
- encryption of personal data in transit and at rest, and pseudonymization or anonymization where suitable;
- strict access controls and authentication, granting access on a need-to-know basis;
- network and information security controls, monitoring, and logging;
- regular testing, assessment, and evaluation of the effectiveness of our security measures, including audits and penetration testing; and
- contractual confidentiality and security obligations imposed on employees and partners.
DFNS applies privacy-by-design and privacy-by-default principles when developing new products, services, and processing activities.
13. Personal Data Breach Notification
DFNS maintains procedures to detect, investigate, and respond to personal data breaches. In the event of a personal data breach, DFNS will, where the GDPR so requires:
- notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- communicate the breach to affected data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms; and
- document the facts relating to the breach, its effects, and the remedial action taken.
Where DFNS acts as a data processor, it will notify the relevant data controller without undue delay after becoming aware of a personal data breach.
14. Data Protection Contact
For any question regarding this Policy or the processing of your personal data, or to exercise your rights, please contact DFNS' data protection function:
- By email: legal@dfns.co
- By post: Data Privacy — 142 rue de Rivoli, 75001 Paris
15. Cookies and Similar Technologies
DFNS uses cookies and similar technologies on its website. Strictly necessary cookies are used on the basis of our legitimate interest in operating the website securely. Non-essential cookies, including analytics and marketing cookies, are placed only with your consent, which you may withdraw at any time through the cookie settings on our website. Cookie data is retained for no longer than thirteen (13) months.
16. Children's Data
The DFNS website and Services are intended for businesses and professional users and are not directed at children. DFNS does not knowingly collect personal data from children. If you believe that we have inadvertently collected personal data from a child, please contact us using the details in Section 14 and we will take appropriate steps to delete it.
17. Changes to this Policy
DFNS may update this Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. Any changes will be posted on this page with a revised "Last updated" date. Where required by law, we will provide additional notice of, or seek your consent to, material changes. We encourage you to review this Policy regularly.