Thales CBDC Wallet mobile application documents

Privacy Policy for Thales CBDC Wallet

The protection of your personal data is a priority for Thales, which ensures that your personal data is processed with complete transparency and security

When using the CBDC Wallet Mobile Application (the “Application”) you will share your personal data with THALES DIS FRANCE SAS, a simplified joint stock company organized and existing under French law, with registered office at 6 Rue de la Verrerie, 92190 Meudon, France (“Thales”).

In this case, Thales acts as data controller, i.e. Thales determines the purpose and manner of processing your personal data.

1. What personal data do we collect and process?

Thales may process the following personal data when you use the Application:

Personal Information: email address of tester; Secure Element ID (SEID), a unique number identifier; information on the transaction made via the Application (amount of transaction, type, SEID, date, time).
Technical information (optional): information/logs on the device. There are two options to share this information. The first option is for the tester to authorize access to the information directly from the device, granting Thales access to the technical data. The second option is for the tester to send the required technical information via email if troubleshooting is required.

2. What are the purposes and legal basis for processing your personal data?

Your data may be used for the following purposes:

Personal information. Email address is collected to send the invitation to the Application tester. SEID and information about the transaction are collected to secure and ensure the performance of the transaction.
Technical information (optional) is collected to ensure the support to the tester of the Application.

The legal basis for the processing of your personal data is the End-User License Agreement to which you have been party since you downloaded the Application.

3. How long do we keep your personal data?

Personal information is kept until proof of concept of the Application is terminated.

The technical information is kept until the Application is deleted from the tester device, or the log is uploaded to server on tester action for technical/debug support.

4. Who receives your personal data?

Thales Group companies. In the context of such processing, the recipients of all or part of your personal data may be the personnel of Thales and other entities of its group in charge of the administration, supervision and management of Thales mobile application products and services management, as well as some personnel of third parties which provide services to Thales, in particular hosting and maintenance services of its information systems.

When your personal data is transferred by a Thales company established in the European Economic Area (hereinafter “the EEA”) or in the United Kingdom (hereinafter “the UK”) to a Thales company established outside the EEA or the UK, in a country that has not been recognized as offering an adequate level of protection by an adequacy decision of the European Commission or the UK, this transfer is based on the Binding Corporate Rules (hereinafter the “BCR”) adopted by Thales.

Thanks to the Thales BCR, wherever your personal data is processed within the Thales Group, it benefits from the same standard of protection. You can access the Thales BCR by clicking here.

Thales external suppliers and service provider. When your personal data is transferred by a Thales company established in the EEA to a third-party established outside the EEA, in a third country that has not been recognized as offering an adequate level of protection by an adequacy decision of the European Commission, Thales relies on Standard Contractual Clauses as adopted by the European Commission (hereinafter the “SCC”).

You can obtain a copy of the SCC signed by Thales by clicking here.

When your personal data is transferred by a Thales company established in the UK to a third-party established outside the UK in a third country that has not been recognized as offering an adequate level of protection by the UK, Thales relies on the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the SCC issued by the Information Commissioner’s Office.

5. What security measures are in place to protect your data?

Thales undertakes to implement the technical, organizational and contractual security measures necessary to protect your personal data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access.

6. What are your rights concerning your personal data?

Please note that you have the right to access your personal data and to request that your personal data be rectified or deleted. You are also entitled to request restriction of the processing of your personal data. In addition, you have the right to ask for receiving, in a structured and standard format, your personal data that you provided to Thales and which Thales processes by automated means. In case of any request or complaint, please send an email to your dedicated contact for the Application testing. You can also contact our Data Protection Officer by sending an email to the following address: dataprotection@thalesgroup.com.

7. Update of the Thales CBDC Wallet Privacy Policy

The present notice of the Application is updated regularly to take into account technological innovations as well as legislative and regulatory changes.

Date of last revision: March 2025

CBDC Wallet End-user Licence Agreement (EULA)
- 69.48 KB
- 27 Aug 2025
- PDF