Privacy Policy

1. Introduction

SAS BEHINDER ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Sepabill website and services (the "Services").

This policy complies with the General Data Protection Regulation (EU) 2016/679 (GDPR) and French Law No. 78-17 of January 6, 1978 (Loi Informatique et Libertés), as amended.

2. Data Controller

The data controller responsible for your personal data is:

3. Important Notice – Financial Services

Financial services accessible through Sepabill are provided by SWAN, a licensed payment institution. When you use financial services, SWAN acts as an independent data controller for your financial data. Please refer to SWAN's privacy policy for information about how they process your data.

SAS BEHINDER acts as a SWAN reseller/distributor and processes your data only for the purpose of providing our software services and facilitating access to SWAN's services.

4. Personal Data We Collect

5. Legal Bases for Processing

We process your personal data based on the following legal grounds:

• Contract performance (Article 6(1)(b) GDPR): To provide our Services to you
• Legal obligation (Article 6(1)(c) GDPR): To comply with legal and regulatory requirements
• Legitimate interests (Article 6(1)(f) GDPR): For security, fraud prevention, and service improvement
• Consent (Article 6(1)(a) GDPR): For marketing communications and non-essential cookies

6. Purposes of Processing

We use your personal data for the following purposes:

• Providing, maintaining, and improving our Services
• Creating and managing your account
• Processing transactions and facilitating access to payment services
• Communicating with you about your account and our Services
• Providing customer support
• Sending marketing communications (with your consent)
• Analyzing usage patterns to improve our Website and Services
• Preventing fraud and ensuring security
• Complying with legal obligations

7. Data Sharing and Recipients

We may share your personal data with:

• SWAN: Our payment services partner, for the provision of financial services
• Service providers: Hosting providers, analytics services, customer support tools
• Legal authorities: When required by law or to protect our rights
• Professional advisors: Lawyers, auditors, accountants

We do not sell your personal data to third parties.

8. International Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Other legally recognized transfer mechanisms

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: Duration of your account plus 3 years
• Transaction records: 10 years (legal obligation under French commercial law)
• Marketing data: Until consent is withdrawn or 3 years of inactivity
• Support communications: 5 years
• Log data: 12 months

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• SSL/TLS encryption for data in transit
• Encryption of sensitive data at rest
• Access controls and authentication mechanisms
• Regular security assessments and audits
• Employee training on data protection
• Incident response procedures

All employees and contractors with access to personal data are bound by confidentiality obligations.

11. Your Rights

Under the GDPR and French data protection law, you have the following rights:

• Right of access (Article 15): Request a copy of your personal data
• Right to rectification (Article 16): Request correction of inaccurate data
• Right to erasure (Article 17): Request deletion of your data ("right to be forgotten")
• Right to restriction (Article 18): Request limitation of processing
• Right to data portability (Article 20): Receive your data in a structured format
• Right to object (Article 21): Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent at any time for consent-based processing
• Right to lodge a complaint: File a complaint with the CNIL

To exercise your rights, please contact us at privacy@sepabill.com. We will respond within one month.

12. Automated Decision-Making

We may use automated systems for fraud detection and risk assessment. You have the right not to be subject to decisions based solely on automated processing that significantly affect you, except where necessary for a contract or authorized by law.

13. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

14. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our Website and, where appropriate, by email. We encourage you to review this policy periodically.

15. Contact Us

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us:

You also have the right to lodge a complaint with the French data protection authority: