Privacy policy
1. Data controller
Flockopay SAS, address to be completed. Data protection officer: [email protected].
2. Data collected
- Identity: first name, last name, email, password (hashed).
- KYC: via Stripe Identity and Stripe Connect (Flockopay does not store the documents themselves).
- Payment: via Basis Theory (PCI tokenisation) and Stripe — no card data is stored by Flockopay.
- Browsing: technical logs, session cookies.
3. Purposes
Service delivery, billing, AML/KYC compliance, product improvement, customer support.
4. Legal basis
Contract (art. 6.1.b GDPR), legal obligation (art. 6.1.c GDPR), legitimate interest (art. 6.1.f GDPR).
5. Retention
- Active accounts: duration of the contractual relationship
- KYC data: 5 years after closure (AML obligation)
- Technical logs: 12 months
- Billing data: 10 years (accounting obligation)
6. Sub-processors
- Stripe Payments Europe (Ireland) — payment processing, KYC
- Vercel (USA) — application hosting, with Standard Contractual Clauses
- Turso (USA) — database, with Standard Contractual Clauses
- Postmark (USA) — transactional emails, with Standard Contractual Clauses
- Basis Theory (USA) — PCI tokenisation, with Standard Contractual Clauses
7. Your rights
Access, rectification, erasure, portability, objection, restriction. Contact [email protected] or the CNIL (cnil.fr) in case of dispute.
8. Security
TLS 1.3 encryption in transit, AES-256 at rest. Passwords hashed (Argon2). No card data or ID document stored on our servers.
9. International transfers
Some sub-processors are located in the United States. Transfers are covered by Standard Contractual Clauses and additional safeguards where applicable.
10. Children
The service is not aimed at people under 18. Flockopay does not knowingly collect data from minors.
11. Cookies
See our dedicated cookies policy.
12. Changes
This policy may be updated. Significant changes are communicated by email at least 30 days before they take effect.
© 2026 Flockopay SAS. All rights reserved.