HiPay Privacy Policy
Version dated 8 October 2025
Introduction
HiPay is a payment institution licensed by the ACPR.
In the course of its activities, HiPay attaches paramount importance to the protection of personal data and complies with all applicable laws and regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).
The purpose of this Privacy Policy is to describe all processing activities carried out by HiPay in relation to End Users as well as the following digital spaces (here in after the “Websites”):
I. Definitions
All definitions below include the singular and the plural.
These definitions apply to this entire policy.
End User: means any natural person who visits the Websites or who has made purchases from HiPay's Clients.
Client: means any merchant entity using HIPAY’s payment services.
The other capitalized terms used in this policy correspond to those defined in the GDPR.
II. What individual rights do you have ?
You may exercise your individual rights at any time and in particular request:
Access to your Personal Data in a clear and understandable format so that you can know the information processed about you,
- Rectification leading to the modification of any Personal Data that is incomplete or incorrectly processed by HiPay,
- Restriction of the processing of Personal Data under the conditions set by the applicable regulations,
- Erasure of Personal Data under the conditions set by the applicable regulations,
- Objection to the processing of Personal Data by stating the legitimate grounds on which it should be granted,
- Portability of Personal Data in a clear, machine-readable format, with the possibility of transmitting such Personal Data to another organization,
- Instructions setting out what should happen to your Personal Data in the event of death, by sending such directions to HiPay
All these rights may be exercised by email at [email protected] or by postal mail at:
HiPay – Data Protection Officer (DPO)
94 rue de Villiers, 92300 LEVALLOIS-PERRET, France.
III. What personal information does HiPay process ?
HiPay carries out all of its Personal Data Processing in compliance with the applicable rules, in particular:
- the General Data Protection Regulation No. 2016/679, effective as of 25 May 2018;
- the French Data Protection Act No. 78-17 of 6 January 1978 (“Loi Informatique et Libertés”) as amended.
- Management of HiPay’s Websites:
In managing the Websites, HiPay acts as Controller insofar as the company determines the purposes and means of the Processings.
The Personal Data Processings carried out for the operation of the Websites adheres to the principles of fairness, lawfulness and transparency. HiPay therefore undertakes to provide clear, complete and easily accessible information on how such Processings are carried out.
Below are the Personal Data Processing activities relating to the management of the Websites:
Purpose of Processing | Personal Data processed by HiPay | Legal Basis for Processing | Retention Period |
| Handling requests submitted via the contact form https://hipay.com/fr/#contact | Last name, First name, Email address, Telephone number, and any other data processed in the contact form message | Consent | Retention for 5 years from the last contact with the prospect or until withdrawal of consent |
| Handling recruitment applications at HIPAY | Last name, first name, email, address, telephone number, current position, level of experience, field of activity, interview notes and, more generally, all personal data contained in your CV, cover letter or any other document you give us access to as part of your application | HiPay's legitimate interests | If your application is unsuccessful, retention of your data for 2 years from the last contact, with your consent, renewable |
| Managing Client reviews and feedbacks published on the website https://hipay.com/fr/ | Email, Last name, First name, Telephone number, Profession | Client’s consent | Retention until the Client withdraws consent, then deletion |
| Managing commercial prospecting carried out by HiPay | Email, Last name, First name, phone number, Profession | Data subject’s consent or HiPay’s legitimate interests where the communication relates to the profession of the person approached | Retention for 5 years from the last contact with the data subject, or until the data subject objects |
| Handling support requests via the Zendesk form https://support.hipay.com/hc/fr/requests/new | Email address, Last name, First name, and any other data transmitted in the support form message | Execution of the contract between HiPay and the Client / Legitimate interests for any other requests from End Users | Retention for 5 years from the closure of the request |
| Handling requests via the online chat in the support area “Assistance” https://support.hipay.com/hc/fr/requests/new | Email address, Last name, First name, and any other data transmitted in the support form message | Performance of the contract between HiPay and the Client / Legitimate interests for any other requests from End Users | Retention for 5 years from the closure of the request |
| Managing the analysis of and responses to individual rights requests and “GDPR” requests | Last name, First name, End User’s Company, Email address, Postal address of the End User / of the company to which the End User belongs | HiPay’s legal obligation | Retention for 10 years from the closure of the individual rights request |
| Managing the activity and traffic of HiPay’s Websites | End User’s IP address, information relating to the End User’s connections | HiPay’s legitimate interests | Retention for a maximum period of 13 months from the End User’s connection |
In the event of a dispute, the data necessary to manage the litigation is retained until the case is finally resolved, then archived for the applicable statutory limitation period.
- Management of legal obligations applicable to financial institutions, in particular those arising from financial regulation and the obligations to fight money laundering and terrorist financing:
As a payment institution licensed by the ACPR, HiPay is subject to the provisions of the French Monetary and Financial Code, including obligations to fight money laundering and terrorist financing (AML). In this context, HiPay acts as a Data Controller and conducts specific checks aimed at preventing and detecting fraud, money laundering, and the financing of terrorism.
Purpose of Processing | Personal Data processed by HiPay | Legal Basis for Processing | Retention Period |
| Management of fraud, money laundering and terrorist financing | Bank card number and expiry date, amount, date and time of the transaction, IP address, type of device used. Depending on the merchant or platform: first name, last name, email address, contact details, telephone number and shopping cart details. | Legal obligation, in particular to comply with anti-money laundering and counter-terrorist financing obligations (AML/CFT). | Retention for 5 years from the date of the transaction. |
For the processing of transactions on behalf of Clients, HiPay acts as a Processor. You are invited to consult your merchant’s privacy policy to obtain further information on how your data is managed in connection with your purchases.
IV. Where is your personal data stored ?
HiPay may store your Personal Data (and thus transmit it to Processors) for the following purposes:
- Management of support requests via the Zendesk form (https://support.hipay.com/hc/fr/requests/new),
- Management of requests via the online chat in the support area “Assistance” (https://support.hipay.com/hc/fr/requests/new),
- Management of recruitment applications within HiPay,
- Management of requests submitted via HIPAY’s contact form (https://hipay.com/fr/#contact),
- Management of the analysis of and responses to individual rights requests and “GDPR” requests,
- Management of Client reviews and feedback published on HiPay’s website,
- Management of the activity and traffic of the Websites,
- Management of commercial prospecting carried out by HiPay,
- Management of legal obligations applicable to financial institutions, in particular those arising from financial regulation and the obligations to fight money laundering and terrorist financing.
In this context, HiPay undertakes to verify the Processors’ compliance with personal data protection rules and to put in place an appropriate contractual framework, as required by the aforesaid rules.
HiPay may also provide certain information to authorized persons and entities internally (employees, management) and externally, particularly to third parties authorized under legal, administrative or judicial prerogatives.
In all of the aforementioned situations, HiPay may transfer your Personal Data outside the European Union. In the event of a transfer of data outside the EU, HiPay will apply the necessary and appropriate regulatory framework for the situation of such Transfer, ensuring:
- Transmission of Personal Data to a country providing an adequate level of protection; or
- Signature of the European Commission’s Standard Contractual Clauses (SCCs); or
- Any other safeguard deemed appropriate within the meaning of Article 46 GDPR.
With respect to any transfers to providers located in the United States, an adequacy decision was adopted on 10 July 2023 ensuring a level of protection equivalent to that of the European Union. This adequacy decision is valid for transfers to organizations that have committed to the new framework and are listed by the U.S. Department of Commerce.
Thus, in the event of a transfer of data to the United States, HiPay will ensure that the organization appears on the list published by the U.S. Department of Commerce, or that the transfer is governed by the other mechanisms mentioned above.
V. How does HiPay ensure the security of your Personal Data ?
HiPay undertakes, on a best-efforts basis, to implement all actions required to ensure the security of your Personal Data.
To this end, HiPay applies all technical and organizational measures within the meaning of Article 32 GDPR, which ensure the confidentiality, integrity and availability of Personal Data, and thus an adequate level of protection.
HiPay’s team is also made aware of and trained in personal data protection, including the implementation of appropriate measures.
VI. Does HiPay use cookies ?
A cookie is a text file that is placed on the End User’s terminal equipment—particularly in the browser—when visiting a website.
When you browse the Websites, HiPay may use cookies for the following purposes:
- To enable functional browsing and the optimal use of all pages and modules provided on the Websites, thereby ensuring a satisfactory user experience during the End User’s visit;
- To monitor the performance of the Websites and implement actions to improve their operation, subject to the End User’s consent;
- To implement actions aimed at achieving commercial, marketing and advertising objectives, subject to the End User’s consent.
HiPay pays particular attention to the implementation of cookies and trackers that store the End User’s technical data and updates its Cookie Policy whenever necessary.
VII. Updating the Privacy Policy
This Privacy Policy is reviewed and updated as necessary to reflect any changes in the Personal Data Processing activities carried out by HiPay.
PDF version history :