Cauri Money Privacy Policy

Version applicable from 06/07/2022

Purpose and scope of this Policy 3
1. Purpose of this Policy 3
2. Scope of this Policy 3
Data collection 3
Use of collected data 4
Third parties 5
Security of storage and transmission to third parties 5
Legal rights 6

Purpose and scope of this Policy
1. Purpose of this Policy
  
  “CAURI MONEY” is the trading name of the company CAURI SAS.
  
  CAURI’s approach is represented by security, confidentiality and continuous protection of personal data (the “Data”) of the users of its services, in accordance with current French and European regulations, specifically the French Data Protection Law [Loi Informatique et Libertés] of 6 January 1978, as amended (LIL) and the General Data Protection Regulation of 27 April 2016 (GDPR).
  
  The purpose of this policy is to inform you of the rules that we apply with regard to Data protection. More specifically, it describes how we collect and process your personal data and how you can exercise your rights regarding this data.
  
  We apply a strict policy to ensure the protection of your Data; thus:
  - We do not sell your Data to third parties
  - We ensure that your Data is always safe and secure
2. Scope of this Policy
  
  This Policy covers the use of:
  - our cauri.money website
  - our iOS and Android mobile applications
Data collection

Data customers provide us with:
- Information submitted directly on our website or mobile applications to subscribe to our services or those of our partners (specifically, Aza Finance for international money transfers)
- Information collected over conversations with our customer support team over the phone, via email, or through social networks communication channels
  
  The category of data we process are as follows:
  - Identification and biometric data: first name, last name, place, date of birth, nationality, photo, ID document number, passport number or residence permit number, postal address, e-mail address, mobile phone number, gender, age, signature.
  - Authentication and identification: username, password, PIN code.
  - Geolocation, network, and device data (cookies, crash analytics, IP addresses)
  - Professional and tax data: employment status, working industry, working country and state, country of tax liability, and corresponding tax ID.
  - Banking and financial data: income, source of income, account usage, bank details, IBAN
  - Contacts (opt-in): mobile numbers and email addresses in the customer's address book
  - Communications: messages, emails, calls, interactions through our website, mobile apps, and social networks communication channels
  - Transaction data: date, transaction time, amount, counterparty, transaction wording, country, MCC (Merchant Category Code), notes.
Use of collected data

We only process personal data for specific, explicit, and legitimate purposes. The purposes pursued are as follows:
- For the management of bank accounts and payment instruments
- To secure account access and payment instruments
- To prevent, investigate and detect fraud, money laundering, and financing of terrorism schemes
- To deal with customer complaints
- To improve the quality of service and keep customers informed about the changes in the service, including new features or partnerships
- To have a better understanding of customer behavior through analytics
- To improve the user experience (UX) on our website and mobile applications and tailor content
- To manage loyalty programs, referrals, giveaways, or other promotional activities
Third parties

All of the Customers' data held are protected and kept confidential. CAURI SAS may share customers' personal data with its subcontractors to provide certain services and process transactions under the condition that these third parties guarantee a sufficient level of protection of the data shared in compliance with GDPR rules.

These partners only have access to the data that is strictly necessary for executing the contracts established with CAURI SAS.

The categories of recipients of the collected Data are as follows:
- Web hosting providers
- Communication Services
- Compliance
- Banking and financial services providers and payment solutions
- Customer service support systems
- Business intelligence solutions
- Auditors, lawyers, external legal advisers
- Anti-fraud and money laundering support systems
- Supervisory authorities, regulators, and public authorities
Security of storage and transmission to third parties
1. Data storage
  
  We have outsourced data storage activity to a market-leading service provider, Amazon Web Services (AWS). AWS provides data storage with high durability and availability.
  
  AWS offers storage choices for backup, archiving, and disaster recovery, as well as block and object storage.
2. Data storage period
  
  Customer Data is stored as long is necessary for the purposes for which it was collected.
  
  In accordance with the laws and regulations that fight against money laundering and the financing of terrorism, transaction data will be stored for a period of five years following the the end of contractual relationship.
3. Data security
  
  Data transmission is secured over HTTPS (SHA-256/RSA Encryption). Access to accounts is secured with a 2-factor authentication process (username and password and 4-digit passcode)
Legal rights

Under GDRP, customers have rights regarding the processing of their data (as detailed in Table 1: Legal rights). Under the law, CAURI MONEY commits to responding to any data-related requests within a reasonable timeframe.

Legal rights	Description
Right of access	Customers may request confirmation from CAURI MONEY whether their data are being processed or not and, if so, to obtain information on how these are being processed.
Right to portability	Customers may request a copy of their data in a structured, commonly used, machine-readable format. When technically feasible, customers may ask CAURI MONEY to transfer their data directly to another controller.
Right to rectification	Customers may ask CAURI MONEY to correct, modify, delete, or complete any incomplete or inaccurate data
Right to be forgotten	Under specific circumstances (as detailed in Article 17 of the GDPR), customers may request the deletion of their data, except for data necessary to comply with our legal obligations (e.g., money laundering reporting).
Right to object or request the restriction	Customers may ask CAURI MONEY to restrict the processing of their personal data. Customers can also object to CAURI MONEY using their data for specific automated processing, including direct marketing.
Right to withdraw consent	Customers have the right to withdraw their consent to processing their data at any time, which shall not render unlawful any prior processing based on such consent.

Right to lodge a complaint

Customers have the right to make a complaint at any time to the relevant supervisory authority (e.g., Commission Nationale de l'Informatique et des Libertés in France) or to obtain legal compensation if they consider that CAURI MONEY has not respected their rights.

Table 1: Legal rights

All questions, comments, requests, or complaints regarding data confidentiality shall be directed to the Data Protection Officer:

Email: dpo@cauri.money
Address : CAURI MONEY SAS, Délégué à la Protection des Données [Data Protection Officer], 62 avenue de Paris, 92320, Chatillon