Privacy policy and protection of personal data

CREACARD (hereinafter “we”) collects personal data and uses it in various automated processing operations. The implementation of automated processing of personal data is governed in particular by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as the “GDPR“, as well as by Law nᵒ 78-17 of January 6, 1978 relating to information technology, files and freedoms.

This is CREACARD’s Privacy Policy and is intended to inform you about how we protect your personal data. It applies uniformly to all products and services marketed by CREACARD.

CREACARD is a limited company with a capital of 6,532,960 euros, registered in the Paris Trade and Companies Register under number 520 833 302, with its registered office at TSA 11765, 75771 PARIS CEDEX 16, FRANCE

CREACARD is an electronic money distributor offering PCS MASTERCARD® reloadable payment solutions and cards, issued by EML Payments, an electronic money institution licensed by the UK Financial Conduct Authority (FCA).

CREACARD, as the party responsible for processing your data, hereby informs you of the personal data processed by CREACARD and the purposes for which it is used, as well as the manner in which it is collected and the rights you have in accordance with the applicable legislation, in particular the GDPR.


The person in charge of processing your personal data is the company CreaCard, whose head office is located at TSA 11765, 75771 PARIS CEDEX 16, FRANCE


We collect and use the personal data that are strictly necessary for our business to provide you with personalized and quality products and services.

We may collect various categories of personal data from you, including:

  • identification and contact information (surname, first name, gender, Kbis extract, city, department, country of birth and date of birth, photo, nationality, professional status and sector of activity, gender, age, signature, identity card and passport numbers, and more generally identity documents)
  • contact information (postal and e-mail address, telephone number, proof of address);
  • identification and authentication data, especially when using the online account services (technical logs, computer traces, information on the security and use of the terminal, IP address);
  • banking and financial information and transactional data (bank details, card number, etc.)
  • transactional data, including information about money transfers
  • data related to the use of the products and services subscribed to (banking, financial and transactional data including wealth level, monthly income bracket, bank account data, transaction information);

CREACARD may collect information about you even though you are not a customer. This information may include

  • Identification of the principal(s) or beneficiary(ies) of a transaction who are not CREACARD clients;
  • Identification of persons hosting CREACARD clients


When you subscribe to the payment services marketed by CREACARD, your personal data are processed for the following purposes:

a. To comply with our legal and regulatory obligations

Your personal data is processed for the purpose of fulfilling various legal and regulatory obligations, including

  • the fight against money laundering and the financing of terrorism, ;
  • compliance with applicable legislation on international sanctions, asset freezes and embargoes
  • the fight against money laundering, abuse of services and tax fraud;
  • responses to official requests from duly authorized public or judicial authorities, in the context of the prevention and/or detection of offences and crimes.

b. To perform a contract with you or provide you with pre-contractual information at your request

We use your personal data to enter into and perform our contracts, including to:

  • provide you with information about our products and services;
  • provide you with assistance in connection with our products and services, including banking transactions;
  • provide you with prepaid card services subject to our contractual obligations;
  • provide you with e-wallet services;
  • provide you with IBAN account services;
  • provide the foregoing services to you through a mobile application;
  • process your account information;
  • verify your identity;
  • assist you with requests;
  • manage the customer relationship, including the management and execution of the products and services we market;
  • improve the products and services we provide to you.

c. To pursue our legitimate interests

Finally, we use your personal data to implement and develop our products or services, including for the purposes of :

  • preservation of proof of transactions or operations ;
  • risk management;
  • updating customer knowledge, including prospecting, analysis of data for targeting or marketing purposes
  • monitoring transactions to identify those that appear unusual
  • development and improvement of our products and services.


By consenting to this Privacy Policy you are giving us permission to process your personal data for the purposes specifically identified above. Consent is required in order for CREACARD to process your personal data, but it must be given explicitly. When we ask you for sensitive information, we will always tell you how and why we use your information.

If you are giving consent on behalf of a minor under the age of 16, we remind you that children need specific protections regarding their personal data. They may be less well informed about the risks, consequences and security features involved, or their rights regarding the processing of their data in connection with our services. By consenting to this privacy notice on behalf of a minor, you authorize their data to be used for the purposes described above.

The above described uses are based on:

  • the performance of the contract you enter into with CREACARD,
  • legal and regulatory requirements (this is particularly the case for all processing related to customer knowledge, the fight against money laundering, the financing of terrorism, the fight against fraud, compliance with international sanctions, etc.),
  • our legitimate interest (e.g. risk prevention, development of CREACARD’s business (commercial prospecting operations),
  • in the case of more specific uses, on the basis of your consent.

Furthermore, CREACARD will only keep your data for as long as is necessary for each of these purposes and/or in accordance with the relevant legal requirements.


Your data is primarily intended for CREACARD and for the purposes set out in this policy.

Your personal data may also be transmitted to the following third parties for the following purposes:

  • Issuer of PCS cards (the electronic money institution EML Payments) ;
  • legally authorized administrative and judicial authorities, for the performance of their duties, upon request and within the limits permitted by the regulations;
  • subcontractors, partners or service providers involved in the provision of products and services offered by CREACARD for the sole purpose of these activities;
  • certain regulated professions such as lawyers, notaries, bailiffs or auditors in the performance of their duties.


Personal data may, in the course of certain operations, be communicated to partners or subcontractors established in a foreign country.

When these transfers are made to countries that are members of the European Economic Area (EEA), the level of data protection is considered to be high, as is the case when the recipient country is the subject of a decision of adequacy to the EEA legislation issued by the European Commission.

In the case of transfers to other countries (outside the EU and EEA), data transfers are governed by standard contracts in accordance with the models developed by the European Commission.

In any event, we require that your personal information is protected in accordance with data protection standards and we ensure that adequate security safeguards are in place when we transfer or process your data outside the EEA.


Personal data is kept for the period of time necessary to provide the products and services offered by CREACARD, to comply with regulatory obligations and to preserve evidence in contractual matters until the rights of the parties have expired.

Type of processing Retention period Starting point of the retention
Supply of products and services, execution of the contract5 yearsFrom the end of the commercial relationship
Supply of products and services, execution of the contract5 yearsFrom the end of the commercial relationship
Product and service improvement3 yearsFrom the time of data collection
Accounting elements and supporting documents10 yearsAs of the end of the accounting period in question
Mobile apps5 yearsFrom the end of the commercial relationship
Commercial prospecting for an existing client5 yearsFrom the end of the commercial relationship
Commercial prospecting for a prospect3 yearsFrom the time of collection or last incoming contact of the data subject
Prevention and detection of offences and crimes and more generally treatment in relation to our legal and regulatory obligations6 yearsFrom the time the offence is established. In the event of legal proceedings, the data is kept until the end of the proceedings and then for the legal period of limitation applicable.
Recording of telephone conversations1 monthFrom the moment the conversation is recorded
Analysis of certain data for targeting purposesDuration of the contractual relationshipFrom the time of data collection
Cookies, trackers13 monthsFrom the time of data collection
Data collected through cookies25 monthsFrom the time of data collection
Marketing Duration of the contractual relationship / 3 years for non-customer individualsFrom the time of collection or the last contact from the prospect (e.g. request for information or documentation).

The above periods may be extended to meet our legal and/or regulatory obligations.

Once the retention period has expired, your personal data will be destroyed or anonymized.


You have the following rights as a data subject at any time we possess or process your personal data:

  • right of access – you have the right to request a copy of the information we hold about you;
  • right of rectification – you have the right to correct any data we hold about you that is inaccurate or incomplete;  
  • right to erasure – you may request that the personal data we hold about you be deleted from our records in certain situations; your financial transaction, account and card data may not be erased in accordance with national law regarding the prevention of fraud, money laundering, terrorist financing or the abuse of services for criminal purposes
  • right to withdraw your consent – you may, at any time, inform us of your wish to withdraw your consent to the processing of your data by CreaCard.
  • right to restrict processing – where certain conditions apply, you are entitled to restrict processing
  • right to object – you have the right to object to certain types of processing such as direct marketing and automatic processing, including profiling
  • right to give instructions on what to do with your data after your death.

Please note that the exercise of some of these rights may result in CREACARD being unable to provide the product or service on a case-by-case basis. You can contact us at for further information.

You may also, at any time and at no cost, without having to justify your request, object to your data being used for commercial prospecting purposes.

All of the above requests will also be transferred to third parties who may be involved in the processing of your personal data.


You may exercise your rights at any time by contacting CREACARD and enclosing a copy of your identity card with your request by post to the Data Protection Officer:


Délégué à la protection des données

TSA 11765

75771 PARIS CEDEX 16


Or by email at this address :

You also have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL), the supervisory authority in charge of compliance with obligations regarding personal data:


This privacy policy may change from time to time. It is your responsibility to read the latest version of this document on our website. Any substantial modification of the present policy will be brought to your attention