01 Data Controller
The data controller responsible for personal data processed through the Shatale platform is:
623 Rue du Devois, 34160 Saint-Drézéry, France
privacy@shatale.com
This Privacy Policy applies to personal data we collect in connection with the Shatale platform, including shatale.com, our API, and related services.
02 Scope
This Policy covers:
- Visitors to shatale.com
- Publisher accounts: individuals who register and operate a Publisher account
- End users: individuals whose data is processed as part of payment authorization flows handled through our API
For end user data processed on behalf of Publishers, Shatale acts as a data processor under Article 28 GDPR. The applicable terms are set out in our Data Processing Agreement (DPA) with the Publisher.
03 Legal Basis (GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the Service (account management, API access) | Art. 6(1)(b) — Performance of a contract |
| KYB/AML verification | Art. 6(1)(c) — Compliance with legal obligation |
| Fraud prevention and security | Art. 6(1)(f) — Legitimate interests |
| Marketing communications | Art. 6(1)(a) — Consent |
| Improving the Service | Art. 6(1)(f) — Legitimate interests |
| Regulatory compliance | Art. 6(1)(c) — Compliance with legal obligation |
04 Data We Collect
4.1 Publisher Account Data
Legal entity name, registration number, registered address; authorized representative name, title, email; identity documents for KYB purposes; beneficial ownership information.
4.2 API Usage Data
API request logs (endpoint, timestamp, response code, latency); authorization events (agent ID, merchant, amount, currency, policy applied, outcome); webhook delivery logs; API credentials and usage statistics.
4.3 Payment Authorization Data (as Data Processor)
Payment card tokens (we do not store full card numbers — PCI DSS compliant); merchant name, MCC, amount, currency; transaction timestamp and outcome; policy trace and evaluation result; human approval records where applicable.
4.4 Website Data
IP address (anonymized after processing); browser type, OS, device type; pages visited, time on page, referrer; form submissions (early access applications).
4.5 Communications
Email content and metadata; support ticket history.
05 How We Use Your Data
| Data category | Purpose |
|---|---|
| Account data | Account creation, authentication, KYB verification, invoicing |
| API usage data | Service delivery, debugging, capacity planning, billing |
| Authorization data | Processing payment decisions, audit trail, compliance |
| Website data | Analytics, fraud detection, improving user experience |
| Communications | Customer support, product updates |
We do not sell personal data to third parties. We do not use personal data for automated decision-making with legal or similarly significant effects on individuals, except as part of payment authorization processing (which is the core function of the Service and disclosed to Publishers).
06 Cookies
| Category | Purpose | Opt-out? |
|---|---|---|
| Strictly necessary | Session management, security | No |
| Analytics | Understanding usage patterns (anonymized) | Yes |
| Marketing | Measuring campaign effectiveness | Yes |
You can manage cookie preferences via our cookie consent tool or your browser settings.
07 Sharing Personal Data
7.1 Service Providers (Processors)
We use third-party processors for cloud hosting, email delivery, analytics, fraud screening, and KYB verification. All processors are bound by data processing agreements and provide appropriate guarantees under GDPR.
7.2 Card Networks
Authorization requests are submitted to Visa/Mastercard networks as part of payment processing. These networks have their own data processing terms.
7.3 Legal and Regulatory Requirements
We may disclose data to regulatory authorities (ACPR, Banque de France), law enforcement, or courts when required by applicable law, including AML reporting obligations.
7.4 Business Transfers
If Youngtimers Payments SAS is involved in a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction. We will notify affected parties in advance.
08 International Transfers
We are an EU-based company and primarily process data within the EEA. Where we transfer data outside the EEA, we rely on European Commission adequacy decisions or Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR. You may request a copy of applicable transfer safeguards by contacting privacy@shatale.com.
09 Data Retention
| Data type | Retention period |
|---|---|
| Publisher account data | Duration of contract + 5 years (legal obligation) |
| KYB/AML documents | 5 years after end of business relationship (AML directive) |
| Authorization logs | 5 years (PSD2 record-keeping requirement) |
| API logs | 12 months rolling |
| Website analytics | 13 months (CNIL recommendation) |
| Marketing opt-ins | Until withdrawal of consent + 3 years |
| Support communications | 3 years |
After the applicable retention period, data is deleted or anonymized.
10 Your Rights Under GDPR
- Access (Art. 15): Request a copy of personal data we hold about you
- Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Erasure (Art. 17): Request deletion where no longer necessary or lawfully required
- Restriction (Art. 18): Request restriction of processing in certain circumstances
- Portability (Art. 20): Receive your data in a structured, machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interests
To exercise any right, contact privacy@shatale.com. We will respond within 30 days. Note: certain rights are limited by AML/KYC legal obligations.
10.1 Right to Lodge a Complaint
You have the right to lodge a complaint with your national data protection authority. In France: CNIL — www.cnil.fr
11 Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- PCI DSS compliance for card data handling
- Access controls and least-privilege principles
- Regular security assessments and penetration testing
- Incident response procedures
In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the CNIL within 72 hours and affected individuals without undue delay (Articles 33–34 GDPR).
12 Children
The Service is not directed at individuals under 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.
13 Changes to This Policy
We may update this Privacy Policy. Where changes are material, we will notify Publisher account holders by email at least 30 days before the effective date. The current version is always available at shatale.com/privacy.
14 Contact
privacy@shatale.com