Personal data protection policy

WE PROTECT
your personal data
Personal data security is among our top priorities.
We make use of protective measures such as firewalls and encryption to secure your personal data.

WE DO NOT SELL
your personal data
We may possibly transfer your personal data to our service providers in order to offer you the most suitable products and services. The data will be used exclusively for the purposes agreed to and previously approved, and not for commercial purposes.

WE USE
your data to improve our products and services
We make use of your personal data to continually improve our services and offer you more suitable investment products.
SUMMARY
Introduction
Definitions
Overview of the framework for personal data processing by Ofi Invest
Our commitments regarding your personal data
Your rights
Review of this policy
Annex 1 : description of your rights regarding processed data
Introduction
Ofi Invest, a member of Aéma Groupe, places great importance on privacy protection and ensures the safeguarding of personal data collected and processed by the various entities of the Group in the course of their activities.
In general(1), the entities that make up Ofi Invest are subject to the applicable regulations on personal data protection, particularly the European General Data Protection Regulation No. 2016/679 of April 27, 2016 (known as the "GDPR") and Law No. 78-17 of January 6, 1978, on information technology, files, and civil liberties (known as the "French Data Protection Act"), as well as all national and European legal provisions introduced since then to supplement, clarify, or amend the aforementioned regulations.
This policy (hereinafter referred to as the "Policy") governs how Ofi Invest collects and/or uses the personal data of its clients, prospects, suppliers, and service providers. It reflects Ofi Invest’s commitment to implementing appropriate technical and organizational measures throughout the entire data processing cycle —whether during the collection, use, storage, or deletion of your data—to ensure their fair and responsible use.
1. Definitions
- Cookie and tracker: refers to a block of data/files that is not used for identification purposes but serves to collect information related to a user's navigation on a website. This facilitates the user’s navigation on the company’s website during subsequent visits, allows for the provision of content better suited to their experience, preferences, and interests, and optimizes certain functionalities.
- Data Protection Officer (DPO): the Data Protection Officer, or "DPO," of Ofi Invest is responsible for ensuring compliance with personal data protection regulations by Ofi Invest and its subsidiaries.
The DPO implements this personal data protection policy and ensures, in particular, that processing activities are properly documented in projects that impact data protection. They identify risks of non-compliance with the French Data Protection Act and the GDPR and recommend appropriate corrective measures. The DPO is also responsible for raising awareness among stakeholders regarding personal data protection issues. Finally, they participate in defining second-level controls and developing the audit plan for relevant aspects. As a reference point for CNIL-related matters, the DPO is also the primary contact in the event of regulatory audits concerning personal data. - Personal Data (or Personal Information): refers to any information that directly or indirectly identifies a natural person (e.g., name, email address, phone number, mailing address, etc.).
- Ofi Invest: In this document, "Ofi Invest" refers to Ofi Invest, a French holding company, and its controlled subsidiaries, as determined by the provisions of Article L233-3 of the French Commercial Code. When we use "we," "our," or "us," we refer collectively or individually to the aforementioned entities.
Ofi Invest is part of Aéma Groupe. For more information about Aéma Groupe companies, please visit https://aemagroupe.fr/.
- Data Subject refers to the individual whose data is being processed.
- Related Person: refers to a person or entity about whom you or a third party provide us with information and/or whom we become aware of in connection with our business relationship. A Related Person may include, but is not limited to: (i) a director, executive, or employee of a company, (ii) a trustee, settlor, or protector of a trust, (iii) a nominee or beneficial owner of an account, (iv) a holder of substantial interests in an account, (v) a controlling entity or individual, (vi) a recipient of a specific payment, or (vii) any representative or agent (e.g., a person with power of attorney or information rights on an account). In general, it is your responsibility to inform any Related Person that their information has been shared with us and to provide them with a copy of this Policy and/or, if applicable, the specific Data Protection Policy of the relevant Ofi Invest Group entity.
- Data Controller: the natural or legal person who determines the purposes and means of processing personal data.
- Processor: a natural or legal person, public authority, agency, or other entity that processes personal data on behalf of the Data Controller.
- Processing: any operation performed on personal data, whether automated or not, concerning the collection, recording, organization, storage, modification, comparison, retrieval, consultation, extraction, use, disclosure, alignment, combination, analysis, archiving, as well as blocking, erasure, or destruction of personal data.
2. Overview of the framework for personal data processing by Ofi Invest
General Framework of the Policy
In accordance with the General Data Protection Regulation and the amended French Data Protection Act of 1978, we are committed to respecting and protecting your personal data.
As part of this commitment, we have established this Policy to describe the measures in place within Ofi Invest regarding personal data protection. It also outlines the conditions under which these entities, in their capacity as data controllers (or as processors on behalf of other Ofi Invest entities or, where applicable, third-party entities), collect and process personal data as part of and/or for the purposes of their activities, or subcontract data processing to third parties. At the forefront of this framework, in compliance with current regulations, is the record of processing activities implemented for the various Ofi Invest entities. This record lists the data processing activities we carry out and allows us to monitor the use of the personal data collected in each subsidiary.
This Policy also aims to specify:
- on the one hand, the individuals who may be concerned, the nature of the personal data involved, the methods by which such data is collected, the purposes of processing, and the lawfulness of the processing;
- on the other hand, the ways in which individuals concerned by such processing can exercise the rights they have regarding such data under the current regulations.
The individuals concerned
Given the nature of the activities conducted by the various Ofi Invest entities, the following individuals may be affected by the data processing activities we carry out:
- On one hand, Ofi Invest clients (or their heirs or beneficiaries), representatives, shareholders, or ultimate beneficial owners of these clients, as well as their prospects and, more generally, individuals who visit their websites or provide their contact details to them/us through any means for the purpose of obtaining services related to the activities of each Ofi Invest entity or associated services. Personal data may be collected either directly from you or from third parties authorized by you to provide us with such data, or from external sources such as publications or databases (Official Journal, BODACC, RCS, INPI, etc.), fraud prevention organizations, authorities, or institutions.
- On the other hand, and for example (without this list being exhaustive), if you:
- Work with us as a supplier, service provider, or subcontractor;
- Have a relationship with our company within the framework of a partnership;
- Are part of our request for proposals (RFP) process to submit an offer for new projects;
- Visit an office or register to attend an event we organize or sponsor;
- Are introduced to us by third parties for legitimate marketing purposes; or
- Participate in a contest or event we organize or sponsor.
Nature of the Data Collected
In compliance with applicable regulations, we collect and use only the personal data necessary for our activities. This may include:
- Your identity: First name, last name, gender, date and place of birth, nationality, signature specimen, photograph, etc.
- Your contact details: Mailing address, email address, phone number, etc.
- Your appearance (image, voice): Particularly when attending events organized by Ofi Invest, as well as when required by regulations.
- Tax-related data concerning you.
- Your professional status: Job title, company, etc.
- Your economic and financial situation: Bank account details (RIB), tax status, origin of assets/funds, etc.
- Your investor profile: Data related to subscribed products and services.
- Transactions carried out, including data related to beneficiaries or ordering parties.
- Data from exchanges and interactions: Interviews, phone calls, letters, emails, chats, access to our social media pages, or any other type of communication.
- Browsing data collected via cookies or trackers, of any kind.
- More generally, connection data related to the use of online services, including identification and authentication data.
- Data from video surveillance systems (i.e., cameras installed in premises we occupy).
- Data necessary for engaging in pre-contractual procedures or for concluding and/or executing contracts with an entity.
- Data related to criminal offenses, subject to the strict conditions defined by data protection regulations.
- Where applicable and in the context of our business relationships, your hobbies and interests.
Methods of Data Collection
The collection of this data is most often carried out directly from you or through cookies and similar technologies (trackers, pixel tags, links, etc.) when you visit our website. In particular, these technologies facilitate your navigation during future visits and enable us to offer the most suitable service and the best possible user experience. To learn more about these technologies and how you can use your browser settings to manage your privacy preferences, please refer to our Cookie Policy.
Data collection may also occur when you contact us through one of our offline channels (e.g., inquiry forms, phone, or email), when you visit one of our sites, or when you participate in an event. In certain cases, your data may also be provided to us by third parties, either directly or upon our request. For example, many clients invest in our products through a financial advisor or one of our business partners; these intermediaries may therefore provide us with personal data about the relevant client. Other third parties (lawyers, trustees, family members, directors, partners, authorized signatories, beneficial owners, and other relevant contacts within your organization, etc.) may also provide us with personal data about individuals involved in a transaction (such as shareholders, associates, owners, beneficiaries, guarantors, etc.).
In some cases, particularly when it is necessary to conduct specific research, we may rely on public agencies to assess your creditworthiness (including financial accessibility), determine product suitability, verify your identity, manage your account, track debtors or beneficiaries, and prevent criminal activity. For example, when we invest in assets, we may collect information about the owner of the property we plan to acquire to fulfill our obligations in anti-money laundering compliance. We also collect data on individuals who rent or reside in the property (or, when the tenant is an organization, on key members of that organization, such as its directors or partners). Some of these checks may involve verifying public registers, conducting online searches using websites, social networks, and other information-sharing platforms, and utilizing databases managed by credit agencies and other reputable organizations (we can provide further details about these sources upon request).
For your full awareness, please note that we may process your personal data without notifying you and/or without your consent when required or permitted by law or regulation. Additionally, we may collect data about you from publicly accessible websites where such data is available, particularly for initiating commercial outreach if, based on identified information, you might have an interest in Ofi Invest’s products or activities.
However, we do not collect, use, or transfer information related to investment platform clients. The providers/investment platforms are solely for processing all personal data you share with them. If you are a client of one of these providers or platforms, please refer to their Data Protection Policy or equivalent document.
Important Reminders:
- If you choose not to provide the required information, we may not be able to fulfill our obligations, which could impact the services we provide to you.
- If you provide us with personal data about a third party, you must formally inform that individual and ensure that they consent to the sharing of their data and are satisfied with the data you have shared with us.
Purposes of Processing Collected Data
Regardless of the circumstances surrounding the collection of personal data, it is always carried out in compliance with applicable regulations. In most cases, the collected data is used for the following purposes:
- For the conclusion or execution of a contract that binds us ("contractual necessity").
- More broadly, for managing client relationships, particularly as part of our duty to provide advice (which may involve gathering your needs and, consequently, personal data).
- For prospecting, commercial management, promotional, and customer loyalty operations, including marketing activities and sending communications.
- For the preparation of statistics, including commercial analyses, actuarial studies, or other research and development analyses; in such cases, processing is based on the data controller’s legitimate interest while respecting the rights and interests of the client/investor.
- To improve the quality of our services.
- To respond to any requests you have made to us.
- For your participation in an event, regardless of its nature, that we organize or sponsor.
- When we must comply with a legal, regulatory, or administrative obligation ("legal compliance"), such as fulfilling our customer due diligence obligations, verifying your identity, helping detect and prevent fraud, and combating financial crime. These obligations include all necessary measures to comply with the Anti-Money Laundering (AML) Directive, which states that the fight against money laundering and terrorist financing must be considered a matter of public order.
- To meet reporting obligations, particularly to regulatory authorities, supervisory bodies, or public authorities such as tax administrations.
- To retain necessary evidence in case of regulatory audits by the French financial regulator (AMF), in accordance with AMF regulations and established guidelines.
- To ensure the security of the premises where we operate (video surveillance).
- To manage and track complaints and potential disputes.
Lawfulness of Processing
If the processing activities are not justified by contractual or regulatory obligations (such as those listed above), they are based either on our legitimate interest (after a preliminary analysis considering both the positive and negative impacts such processing may have on your rights and freedoms) or on your consent, which we will have obtained in advance.
To protect privacy rights and enable our clients and prospects to control the use of their personal data, you may request at any time to opt out of direct marketing activities targeting you. To facilitate this, all our marketing communications include unsubscribe links to help you manage your marketing preferences.
Please note that opting out of one type of marketing (e.g., email or phone) does not mean you are unsubscribed from all marketing communications. Kindly consider this when managing your preferences.
In general, we recommend that you regularly review the Data Protection Policy and the preference settings available on the websites, platforms, and social media networks you use, as these dictate how advertisements and other messages are displayed and shared on these media.
3. Our commitments regarding your personal data
Ensuring the Protection of Your Data
The security of your personal data is a priority. Therefore, we implement appropriate organizational and technical security measures (firewalls, encryption, etc.), aligned with industry best practices and the state of knowledge, to ensure a level of security appropriate to the risks. This helps prevent personal data that we process from being accidentally lost, used or accessed without authorization, altered, or disclosed.
We limit access to your personal data to employees (and, where applicable, to our service providers/processors) whose role justifies such access. All these individuals are bound by a contractual confidentiality obligation. However, in certain circumstances, we may be required or obliged to share your data with third parties, including (but not limited to):
- Public and governmental authorities, regulatory bodies, etc
- Example: The French Financial Markets Authority (AMF)
- Financial market participants
- Example: Account custodians
- Fraud prevention organizations to conduct identity checks, detect and prevent fraud, and combat financial crime
- Auditors or legal advisors
- Example: Lawyers
- Processors and service providers
- Example: Customer Relationship Management (CRM) software providers
- Business partners
- Other entities within Ofi Invest or Aéma Groupe
These third parties are also subject to data protection obligations (and, more broadly, compliance with the General Data Protection Regulation - GDPR), either by law, regulation, or specific contractual clauses.
We have established procedures to handle actual or suspected data breaches, ensuring a prompt and appropriate response. This includes, where necessary, notification to the French Data Protection Authority (CNIL). If data has been shared with third parties, we have measures in place to take appropriate action in the event of a data breach involving your personal data.
However, it is important to note that due to the intrinsic nature of the Internet, data transmitted via our websites or through networks cannot be completely protected from the risks of interception or hacking. Ofi Invest entities cannot be held responsible for any such risks.
No Commercial Exploitation of Your Data
As previously mentioned, we may transfer your personal data to third parties, either because we are legally required to do so or to provide suitable products and services.
However, your data will only be used for the agreed-upon purposes that justify its processing by Ofi Invest and will not be used for commercial gain. We commit to never selling personal data to third parties.
No Unnecessary Retention of Your Data
Personal data should not be kept longer than necessary for the purpose of processing.
The retention period is determined based on:
- The duration of our relationship with you.
- The intended purpose of the data processing.
- Legal and regulatory requirements applicable to us.
- Statutory limitations for legal actions in the event of potential disputes.
For example, telephone recordings and chat conversations related to investment transactions conducted as part of our portfolio management activities are retained for a maximum of five years from the recording date, in compliance with the legal retention obligation set out in Articles 321-72 to 321-74 of the AMF General Regulation.
More generally, we only retain personal data for the period reasonably required to fulfill the stated purposes. However, in some cases, data may be retained beyond its original purpose if justified by another need, such as legal, regulatory, tax, or accounting obligations. For instance, if a dispute arises or is reasonably likely to occur at the end of a contractual relationship, data may be retained for a period necessary for handling such legal proceedings.
Taking Necessary Precautions for Potential Data Transfers Outside the European Union
As a member of Aéma Groupe, Ofi Invest is committed to ensuring that your personal data benefits from an adequate and consistent level of protection wherever it is transferred within the various Ofi Invest entities and, more broadly, within Aéma Groupe when applicable.
When we transfer your data to parties outside Aéma Groupe or to other companies that provide services to us, we obtain contractual commitments and assurances from them to protect your personal data.
Some organizations to which we transfer data may be located in jurisdictions where data protection laws differ from those in your country and may, in turn, transfer data to such jurisdictions.
We only transfer personal data to countries that are either: recognized as providing an adequate level of legal protection, or covered by alternative protective measures that ensure the safeguarding of your privacy rights.
If your personal data is transferred outside the European Union(2), Ofi Invest ensures that:
- The country receiving the personal data has been granted an adequacy decision by the European Commission. More information can be found at: CNIL website.
- A contract is in place referring to the European Commission’s Standard Contractual Clauses (SCCs) for personal data protection. More information is available at: CNIL website.
- An alternative protective mechanism is implemented in compliance with the recommendations of the French data protection regulator.
We are available to provide further details about the protective measures taken in this regard upon request.
4. Your rights
In accordance with current regulations, you may contact us regarding your personal data to:
- Verify whether we hold and use your data.
- Understand how we use it.
- Identify who receives your data.
- Determine if we transfer your data internationally.
- Learn how we protect your data.
- Know how long we retain your data.
- Understand how we obtained your data.
- Check whether we have made any automated decisions using your personal data.
- Request a copy of your data.
Additionally, beyond the right of access, you also have the ability to request correction and/or deletion of your personal data by Ofi Invest, where permitted by law. You may also exercise the following rights related to data processing: right to restrict processing, right to object to processing, right to data portability.
A detailed explanation of these rights and how to exercise them is provided in the annex to this Policy.
If you wish to exercise any of these rights or obtain further information, you can contact us at any time by sending your request to: contact.dpo@ofi-invest.com.
We may request proof of identity when processing such requests to ensure that we do not alter or disclose your data to unauthorized third parties.
If you have any general questions about this Data Protection Policy or how to exercise your rights, you may contact Ofi Invest’s Data Protection Officer (DPO):
- By email: contact.dpo@ofi-invest.com
- By mail: Attn: Data Protection Officer, Ofi Invest, 22 rue Vernier, 75017 Paris, France
If you are not satisfied with how we manage your personal data, our Data Protection Officer is available to address your concerns and provide the necessary clarifications.
We strive to respond to all requests within one month from the date of receipt. However, if the request is particularly complex, we may take longer; in such cases, we will inform you of the delay and respond as soon as possible. To expedite the processing of your request, we may ask you to provide additional details regarding the information you need or your specific concerns.
If you encounter difficulties or find our response unsatisfactory, you have the right to file a complaint with the French Data Protection Authority (CNIL):
- By mail: CNIL - 3 place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
- Online: www.cnil.fr
5. Review of this policy
This Policy came into effect on October 30, 2024 and may be revised as necessary based on legislative and regulatory developments or any changes in the conditions governing the processing of personal data.