1. Introduction
The main purpose of this document is to provide concise, transparent, understandable, and easily accessible information about the data processing carried out by A3BC Group (hereinafter “A3BC Group” or “we”) to enable you to understand the conditions under which your data is processed when using the TrustMe mobile application.
2. Fair and transparent collection of your data
In order to ensure fair and transparent data collection, we take care to provide information about each processing operation we carry out.
Data is collected fairly. No data is collected without the knowledge or information of the data subjects.
3. Legitimate and proportionate use of your data
When we process data, we do so for specific purposes: each data processing operation is carried out for a legitimate, specific, and explicit purpose.
For each processing operation carried out, we undertake to collect and use only data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
We ensure that data is kept up to date and implement procedures to enable the erasure or rectification of inaccurate data.
4. The personal data we process
In the context with the processing of personal data for the purposes set out below, A3BC Group collects and processes the following categories of data concerning you:
- your login details, such as your password associated with your TrustMe account, your fingerprints, and your telephone number;
- your identification details, such as your gender, first and last name, date and place of birth, email address, postal address, and identity photo;
- your technical data such as the date and time of creation, modification, or deletion of your credentials and your identification and authentication information.
- your banking data such as your IBAN, RIB, and other banking details.
5. What are the legal bases and purposes of our processing?
The processing carried out by A3BC Group has the following purposes and legal basis:
| No. | Purpose | Sub-purpose | Legal basis |
| 1. | Management of user digital identity creation | TrustMe account management (creation, recovery, and deletion) | Performance of contracts and performance of pre-contractual measures taken at the request of the persons concerned |
| Management of credentials required for the user's digital identity (creation, update, and deletion) | Performance of the contract and performance of pre-contractual measures taken at the request of the persons concerned | ||
| 2. | Management of the use of digital identities created by users | Management of documents and other additional items (creation, update, and deletion) | Performance of contracts and performance of pre-contractual measures taken at the request of the persons concerned |
| Management of the proof of age | Performance of a contract and taking steps at the request of the data subject prior to entering into a contract | ||
| Management of data sharing with third parties | Consent (from Article 6 of the GDPR) | ||
| 3. | Computing of fingerprint template | Consent (from Article 6 of the GDPR) | |
| 4. | Technical data management | Performance of contracts and performance of pre-contractual measures taken at the request of the persons concerned | |
| 5. | Support and user contact | Collection and verification of phone number or email address | Performance of contracts and performance of pre-contractual measures taken at the request of the persons concerned |
| 6. | Responses to court orders and other requests from competent authorities | Legal obligations |
6. Recipients of your data
The recipients of your data are:
- authorized members of the A3BC Group;
- service providers and subcontractors of the A3BC Group for the processing operations that concern them;
- third parties in the context of identification and authentication to share your data.
We ensure that, among these recipients, only authorized people have access to this data. A3BC Group applies a strict authorization policy that ensures that the data it processes is only transmitted to people authorized to access it.
7. Transfers of your data
We may transfer personal data outside the European Union in connection with the technical tools we use for our activities.
These transfers can only be made after A3BC Group has taken measures to secure them, for example by ensuring that the standard contractual clauses defined by the European Commission are in place to regulate the resulting cross-border flows.
8. Retention periods of your data
We ensure that data is only stored in a form that allows the identification of data subjects for as long as is necessary for the purposes for which it is processed.
The retention periods we apply for your personal data are proportionate to the purposes for which it was collected.
More specifically, we organize our data retention policy as follows:
| No. | Category of data | Data details | Active storage period | Intermediate archiving |
| 1. | General personal data | Account data | Until the TrustMe account is deleted | None |
| Identification data (other than postal address) |
The shortest period between: - until the TrustMe account is deleted - 5 years from the validation of the digital identity |
The shortest period between: - 1 year from the deletion of the TrustMe account - the end of the 5-year period from the validation of the digital identity |
||
| Postal address | 3 months from the date of issue of the proof of address | 1 year from the end of the 3-month active period | ||
| Bank details |
The shortest period between: - Until the TrustMe account is deleted - 10 years |
1 year from the end of the 10-year period in active service. | ||
| 2. | Documents stored in the digital safe box | Any type of data | Until the TrustMe account is deleted | None |
| 3. | Special categories of personal data | Fingerprint templates | Until the TrustMe account is deleted | None |
| 4. | Technical data | Account activity history | Until the TrustMe account is deleted | 1 year from the deletion of the TrustMe account |
9. Security of personal data
We attach particular importance to the security of personal data.
We have implemented technical and organizational measures appropriate to the sensitivity of the personal data, to ensure the integrity and confidentiality of the data and protecting it against malicious intrusion, loss, alteration, or disclosure to unauthorized third parties.
10. Sub-processoors
Where we use a service provider, we will only disclose personal data to them after obtaining a commitment and guarantee from them that they will be able to meet security and confidentiality requirements.
In compliance with our legal and regulatory obligations, the contracts concluded with our processors set out precisely the terms and conditions of the processing of personal data by them in accordance with personal data protection laws.
11. Cookies
Cookies are subject to a cookie policy.
12. Your rights
A3BC Group is particularly concerned with respecting your rights in relation to the data processing it carries out, in order to guarantee fair and transparent processing, taking into account the specific circumstances and context in which your personal data is processed.
12.1 Your right to access your data
In this regard, you have the right to confirm whether or not your personal data is being processed and, if so, you have the right to request a copy of your data and information concerning:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients and, where applicable, if such communication is to be made, the international organizations to which the personal data have been or will be disclosed, in particular recipients established in third countries;
- where possible, the envisaged period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller, the rectification or erasure of your personal data, the right to request restriction of processing of your personal data, the right to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- information about the source of the data when it is not collected directly from the data subjects;
- the existence of automated decision, including profiling, and in the latter case, useful information concerning the underlying logic, as well as the significance and expected consequences of this processing for the data subjects.
12.2 Your right to rectify your data
You have the right to ask us, as the case may be, to rectify or complete your personal data that are inaccurate, incomplete, ambiguous or expired.
12.3 Your right to erase your data
You have the right to ask us to erase your personal data in the cases provided for by laws and regulations.
Please note, however, that the right to erasure is not a general right and can only be exercised if one of the reasons provided for in the applicable laws is met.
12.4 Your right to restrict the processing of your data
You have the right to request restriction of processing of your personal data in the cases provided for by laws and regulations.
12.5 Your right to object to the processing of your data
You have the right to object, on grounds relating to your particular situation, at any time to process of your personal data which is based on the legitimate interest pursued by the controller (see clause above on the legal bases for processing).
If you exercise your right to object, we will no longer process your personal data for the processing concerned unless we demonstrate compelling legitimate grounds for the processing which must override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
12.6 Your right to data portability
You have the right to portability of your personal data. Please note, however, that the right to data portability is not a general right.
Not all data from all processing operations are portable; the right to data portability only concerns processing carried out by automated means to the exclusion of manual or paper processing. This right is limited to processing based on your consent, on the performance of a contract or on the taking of steps prior to entering into a contract.
This right does not include derived or inferred data, which are personal data created by A3BC Group.
12.7 Your right to withdraw your consent
Where the processing of personal data we carry out is based on your consent, you have the right to withdraw your consent at any time.
We will then stop processing your personal data, but this will not affect the operations based on consent before its withdrawal.
12.8 Your right to lodge a complaint
You have the right to lodge a complaint with the CNIL (3 place de Fontenoy 75007 Paris) on the French territory without prejudice to any administrative or judicial remedy.
12.9 Your right to give post-mortem instructions
You have the right to give special instructions on how your personal data should be stored, erased and shared after your death. These special instructions only concern, and will be limited to, the processing carried out by us.
You also have the right, when that person will be designated by the executive branch, to give general instructions for the same purpose.
12.10 12.10 Exercising your rights
You may exercise the rights listed above by sending a request by email to contact.trustme@a3bc.io or by post to: A3BC Group located at 1 contour de la Motte 35000 Rennes France, by proving your identity by any means.
13. Change to this document
We invite you to consult this policy on our website regularly. It may be updated at any time.
