Mis à jour le June 20, 2026

Privacy Policy

Personal Data Protection — GDPR Compliant

Introduction

YaniPay SAS ("YaniPay", "we", "us" or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store and protect your personal information when you use our services.

Our Commitment

We process your data in compliance with the General Data Protection Regulation (GDPR — EU 2016/679) and the French Data Protection Act (Loi Informatique et Libertés). Your trust is our priority.

This policy applies to all our services: website, mobile application, payment services, loyalty program and any other service offered by YaniPay.

French version available

La version française de cette politique est disponible à : /politique-confidentialite

Data Controller

The data controller for your personal data is:

Company name: YaniPay SAS
SIRET: 927 884 759 00014
Registered address: 5 Chemin Bras Pétard, 97412 Bras-Panon, La Réunion, France
Publication Director: Johan LEPINAY
Hosting: Vercel Inc., 340 Pine Street, Suite 900, San Francisco, CA 94104, USA
Privacy email: privacy@yanipay.com

Data Protection Officer (DPO)

Johan LEPINAY acts as interim DPO. You can contact our DPO for any question relating to your personal data:

dpo@yanipay.com

Data We Collect

We collect different categories of personal data depending on the services you use:

Identity data

• Full name, date of birth
• Nationality, place of birth
• Postal address, email, phone number
• Photograph (identity document, KYC selfie)
• Identity document number and copy

Financial data

• IBAN, card numbers (tokenised)
• Transaction history
• Account balance and movements
• Proof of income (where applicable)
• Occupation and financial situation

Technical data

• IP address, browser type and device
• Connection logs and activity logs
• Device identifiers (for security)
• Geolocation data (with consent)
• Cookies and trackers (see our Cookie Policy)

Sub-processors

Our key sub-processors include: Swan (BaaS — payment services), Onfido (KYC/identity verification), Resend (transactional email), Vercel (hosting, USA), Anthropic (AI assistant Y.A.N.I.). All sub-processors are bound by Data Processing Agreements (DPA) ensuring equivalent data protection.

Legal Basis and Purposes

We process your personal data for the following purposes, relying on different legal bases:

Contract performance

Art. 6.1.b GDPR

• Account creation and management
• Payment transaction execution
• UNIK card issuance and management
• Loyalty programme management
• Customer service and support

Legal obligations

Art. 6.1.c GDPR

• Identity verification (KYC/AML)
• Anti-money laundering and counter-terrorism financing
• Tax and regulatory reporting
• Response to judicial requests

Legitimate interests

Art. 6.1.f GDPR

• Fraud prevention
• System and data security
• Service improvement
• Anonymous statistical analysis

Consent

Art. 6.1.a GDPR

• Personalised marketing communications
• Analytical and advertising cookies
• Geolocation (optional)
• Sharing with partners (offers)

Data Retention

We keep your personal data only for as long as necessary for the purposes for which it was collected:

Data category	Retention period	Legal basis
Customer account data	Duration of relationship + 5 years	French Monetary Code
Financial transactions	10 years	French Commercial Code
KYC documents	5 years after account closure	AML/CTF Regulation
Connection logs	1 year	LCEN (French e-commerce law)
Consents	5 years	Compliance evidence
Analytics cookies	13 months	CNIL recommendation

Data Recipients

Your personal data may be shared with the following categories of recipients:

YaniPay internal teams

Authorised staff (customer service, compliance, IT) access your data strictly to the extent necessary for their duties.

Banking and payment partners

Authorised payment institutions, card networks (Visa, Mastercard), transaction processing providers — in particular Swan for BaaS services.

Technical service providers

Cloud hosting (Vercel — USA, with DPA and Standard Contractual Clauses), identity verification (Onfido), email delivery (Resend), AI services (Anthropic — Y.A.N.I.), error monitoring.

Competent authorities

ACPR, Tracfin, judicial authorities, tax administration — upon legal request or court order.

International transfers

Transfers to the USA (Vercel, Anthropic) are covered by Standard Contractual Clauses (SCCs) approved by the European Commission or the EU–US Data Privacy Framework. All sub-processors are bound by Data Processing Agreements.

Data Security

We implement appropriate technical and organisational measures to protect your personal data:

Encryption

• TLS 1.3 in transit
• AES-256 at rest
• Card data tokenisation

Authentication

• Strong authentication (2FA)
• Biometrics (fingerprint, Face ID)
• Suspicious device detection

Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15)

Obtain a copy of all personal data we hold about you.

Right to rectification (Art. 16)

Have inaccurate or incomplete personal data corrected.

Right to erasure (Art. 17)

Request deletion of your data in certain circumstances (subject to legal retention obligations).

Right to restriction (Art. 18)

Request restriction of processing while a request is being verified.

Right to portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to object (Art. 21)

Object to processing for legitimate reasons or for direct marketing.

How to exercise your rights

Send your request to dpo@yanipay.com with a copy of your identity document. We will respond within one month. You may also lodge a complaint with the CNIL (French data protection authority) at www.cnil.fr/fr/plaintes.

Children

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from minors.

Reporting

If you believe a minor is using our services or that we have collected data about a child, please contact us immediately at dpo@yanipay.com.

Right to Complain

If you believe that the processing of your personal data violates GDPR, you have the right to lodge a complaint with the competent supervisory authority:

CNIL — Commission Nationale de l'Informatique et des Libertés

3 Place de Fontenoy — TSA 80715

75334 Paris Cedex 07, France

Tel: +33 1 53 73 22 22

www.cnil.fr/fr/plaintes

Policy Updates

We may update this Privacy Policy at any time to reflect changes in our practices or applicable law.

Notification of changes

In the event of a material change, you will be notified by email and/or in-app notification at least 30 days before the change takes effect.

Contact

For any questions about this Privacy Policy or your personal data:

Data Protection Officer

dpo@yanipay.com

General Privacy queries

privacy@yanipay.com

Postal address

YaniPay SAS — Data Protection
5 Chemin Bras Pétard
97412 Bras-Panon
La Réunion, France

See also our Legal Notice, Terms of Service and Cookie Policy. French version: Politique de Confidentialité.

Mis à jour le June 20, 2026

Privacy Policy

Personal Data Protection — GDPR Compliant

Introduction

Our Commitment

We process your data in compliance with the General Data Protection Regulation (GDPR — EU 2016/679) and the French Data Protection Act (Loi Informatique et Libertés). Your trust is our priority.

This policy applies to all our services: website, mobile application, payment services, loyalty program and any other service offered by YaniPay.

French version available

La version française de cette politique est disponible à : /politique-confidentialite

Data Controller

The data controller for your personal data is:

Company name: YaniPay SAS
SIRET: 927 884 759 00014
Registered address: 5 Chemin Bras Pétard, 97412 Bras-Panon, La Réunion, France
Publication Director: Johan LEPINAY
Hosting: Vercel Inc., 340 Pine Street, Suite 900, San Francisco, CA 94104, USA
Privacy email: privacy@yanipay.com

Data Protection Officer (DPO)

Johan LEPINAY acts as interim DPO. You can contact our DPO for any question relating to your personal data:

dpo@yanipay.com

Data We Collect

We collect different categories of personal data depending on the services you use:

Identity data

• Full name, date of birth
• Nationality, place of birth
• Postal address, email, phone number
• Photograph (identity document, KYC selfie)
• Identity document number and copy

Financial data

• IBAN, card numbers (tokenised)
• Transaction history
• Account balance and movements
• Proof of income (where applicable)
• Occupation and financial situation

Technical data

• IP address, browser type and device
• Connection logs and activity logs
• Device identifiers (for security)
• Geolocation data (with consent)
• Cookies and trackers (see our Cookie Policy)

Sub-processors

Legal Basis and Purposes

We process your personal data for the following purposes, relying on different legal bases:

Contract performance

Art. 6.1.b GDPR

• Account creation and management
• Payment transaction execution
• UNIK card issuance and management
• Loyalty programme management
• Customer service and support

Legal obligations

Art. 6.1.c GDPR

• Identity verification (KYC/AML)
• Anti-money laundering and counter-terrorism financing
• Tax and regulatory reporting
• Response to judicial requests

Legitimate interests

Art. 6.1.f GDPR

• Fraud prevention
• System and data security
• Service improvement
• Anonymous statistical analysis

Consent

Art. 6.1.a GDPR

• Personalised marketing communications
• Analytical and advertising cookies
• Geolocation (optional)
• Sharing with partners (offers)

Data Retention

We keep your personal data only for as long as necessary for the purposes for which it was collected:

Data category	Retention period	Legal basis
Customer account data	Duration of relationship + 5 years	French Monetary Code
Financial transactions	10 years	French Commercial Code
KYC documents	5 years after account closure	AML/CTF Regulation
Connection logs	1 year	LCEN (French e-commerce law)
Consents	5 years	Compliance evidence
Analytics cookies	13 months	CNIL recommendation

Data Recipients

Your personal data may be shared with the following categories of recipients:

YaniPay internal teams

Authorised staff (customer service, compliance, IT) access your data strictly to the extent necessary for their duties.

Banking and payment partners

Authorised payment institutions, card networks (Visa, Mastercard), transaction processing providers — in particular Swan for BaaS services.

Technical service providers

Cloud hosting (Vercel — USA, with DPA and Standard Contractual Clauses), identity verification (Onfido), email delivery (Resend), AI services (Anthropic — Y.A.N.I.), error monitoring.

Competent authorities

ACPR, Tracfin, judicial authorities, tax administration — upon legal request or court order.

International transfers

Data Security

We implement appropriate technical and organisational measures to protect your personal data:

Encryption

• TLS 1.3 in transit
• AES-256 at rest
• Card data tokenisation

Authentication

• Strong authentication (2FA)
• Biometrics (fingerprint, Face ID)
• Suspicious device detection

Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15)

Obtain a copy of all personal data we hold about you.

Right to rectification (Art. 16)

Have inaccurate or incomplete personal data corrected.

Right to erasure (Art. 17)

Request deletion of your data in certain circumstances (subject to legal retention obligations).

Right to restriction (Art. 18)

Request restriction of processing while a request is being verified.

Right to portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to object (Art. 21)

Object to processing for legitimate reasons or for direct marketing.

How to exercise your rights

Children

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from minors.

Reporting

If you believe a minor is using our services or that we have collected data about a child, please contact us immediately at dpo@yanipay.com.

Right to Complain

If you believe that the processing of your personal data violates GDPR, you have the right to lodge a complaint with the competent supervisory authority:

CNIL — Commission Nationale de l'Informatique et des Libertés

3 Place de Fontenoy — TSA 80715

75334 Paris Cedex 07, France

Tel: +33 1 53 73 22 22

www.cnil.fr/fr/plaintes